Rather subtle bug in the ASN.1 parsing state machine that comes down to one area of code being unaware of an edge case in another.
Vulnerabilities (Page 5)
Slight race condition in the Pritunl VPN client leading to a semi-controlled file write as SYSTEM, which could be leveraged into code execution as SYSTEM.
Somewhat traditional CL.TE request smuggling attack on a few of Apple’s domains. The main trick with this one was to place a \n in the Transfer-Encoding header name…
Server-Side Request Forgery with both server-side and client-side impacts.
Cool little trick against the NodeBB OAuth flow resulting in a CSRF that would associate an attacker's third-party account with a victim's NodeBB account.
tl;dr Two CVEs, one an integer overflow due to incorrectly assuming the compiler would optimize an enum into a single byte, and the other some uninitialized kernel stack variables that could be exposed to userspace.
Follow-up to the December post which covered an int overflow in the CoreGraphics PDF parser for the JBIG2 image format, which implemented a weird machine / mini architecture to execute code. This post covers the sandbox escape that was chained with it, which unlike the first bug, is a logic issue rather than a memory corruption.
The title says it all: CSRF protection was disabled for a period of time on Stripe’s Dashboard. As the most sensitive actions required re-entering the user’s password or solving a captcha the damage was limited, but you could still change various account settings…
Sometimes vulnerabilities come from trying to be too generic and handle all the possibilities, and this is one of those situations. What you have is the Spring Framework letting users write simple Java classes with fields and getters/setters and setting those up as models for a particular endpoint…
Weak entropy in a password reset token, and an archive escape using symlinks to achieve code execution.