Java’s implementation of ECDSA signature validation deviated from the algorithm in two distinct ways that could allow any attacker to craft a valid signature for any key.
Vulnerabilities (Page 5)
In UIBean tags, the name field was vulnerable to a double OGNL evaluation when there was no corresponding value field, which could lead to remote code execution.
Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
BlueZ would identify Bluetooth controllers based purely on their self-reported BD_ADDR (the Bluetooth equivalent of a MAC address). A malicious device could identify with an existing BD_ADDR and obtain the link key for that device.
AWS provided a hot-patching service that would patch Java binaries against the Log4Shell vulnerability, but the hot-patch itself introduced a container escape.
An uninitialized “Fast Tracker” in the Windows HTTP protocol stack (HTTP.sys) as used by IIS. Despite providing a bit of crash analysis and a PoC, the post is missing information about the vulnerability itself, as the primary focus was on building out the exploit.
Three-part blog series by Connor McGarr which covers exploiting a type confusion in Chakra-based Edge. Part 1 covers environment setup and the vulnerability, part 2 the core exploitation primitives, and part 3 porting the exploit to Edge and bypassing Edge mitigations.
There is a good deal of complexity in the object structure that is detailed in the post that I’m going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a
strcat was used in a callback to craft the xpath for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region they were allocated in…
This one is a bit of a cross-user attack on the same machine, as git, when executed in a directory that doesn’t have a .git folder, will traverse upward looking for the .git/ of the repo. The problem is that if one accidentally invokes git while not in a repository, it’ll look in some potentially untrusted locations as it traverses, by default, all the way to the root of the storage…