Vulnerabilities (Page 7)

ipc_kmsg_get_from_kernel, iOS 15.4 - root cause analysis

A fairly trivial OOB write in the XNU kernel that was introduced in an iOS 15.0 beta and patched in iOS 15.4. It seems ipc_kmsg_get_from_user(), in conjunction with pre-allocated kmsgs (via mktimer), can receive sizes that are larger than the pre-allocated buffer…


Attacking Titan M with Only One Byte

The Titan M is a security chip found on Google's Pixel devices from the Pixel 3 onwards. This post goes through some of the background and the reversing the authors did on the chip, as well as exploring fuzzing routes, both black-box against the hardware and through emulation with Unicorn…


Parameter Smuggling across Golang Versions

A post by Oxeye which studies a desync attack based on Go's net/url package and a subtle change made to it in Go 1.17, which fixed a bug where ParseQuery() treated semicolons as a valid separator. As per the RFC for the URL spec, semicolons are an accepted separator in the path, but not in the query…
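An added example, not code from the Oxeye post or from the Go standard library: the pre-1.17 splitting behaviour reconstructed as a hypothetical legacyParseQuery, placed next to the toolchain's current url.ParseQuery, and a smuggledParams helper that lists the keys one parser accepts and the other drops. The query string is constructed for the example; it assumes the toolchain running it is Go 1.17 or newer.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// legacyParseQuery reconstructs the pre-Go-1.17 behaviour of url.ParseQuery:
// both '&' and ';' terminate a key=value pair. It is a hypothetical helper
// written for this example, not the standard library's code.
func legacyParseQuery(query string) url.Values {
	v := url.Values{}
	for query != "" {
		pair := query
		if i := strings.IndexAny(pair, "&;"); i >= 0 {
			pair, query = pair[:i], pair[i+1:]
		} else {
			query = ""
		}
		if pair == "" {
			continue
		}
		key, value := pair, ""
		if i := strings.Index(pair, "="); i >= 0 {
			key, value = pair[:i], pair[i+1:]
		}
		k, err := url.QueryUnescape(key)
		if err != nil {
			continue
		}
		val, err := url.QueryUnescape(value)
		if err != nil {
			continue
		}
		v[k] = append(v[k], val)
	}
	return v
}

// modernParseQuery is the running toolchain's own url.ParseQuery. Since
// Go 1.17 a pair containing ';' is dropped and an error is returned, while
// the pairs without a semicolon are still parsed and returned.
func modernParseQuery(query string) (url.Values, error) {
	return url.ParseQuery(query)
}

// smuggledParams lists the keys a legacy (pre-1.17) parser accepts that the
// current parser drops: exactly the parameters an attacker can push past a
// tier built with new Go to a tier still built with old Go.
func smuggledParams(query string) []string {
	legacy := legacyParseQuery(query)
	current, _ := modernParseQuery(query)
	var hidden []string
	for k := range legacy {
		if _, seen := current[k]; !seen {
			hidden = append(hidden, k)
		}
	}
	sort.Strings(hidden)
	return hidden
}

func main() {
	// Constructed query: a front-end on Go >= 1.17 validates only "user",
	// while a back-end on Go <= 1.16 also sees role=guest and role=admin.
	q := "user=alice&role=guest;role=admin"

	fmt.Println("legacy :", legacyParseQuery(q))
	current, err := modernParseQuery(q)
	fmt.Println("current:", current, "err:", err)
	fmt.Println("hidden from current parser:", smuggledParams(q))
}
```

The practical check is the last call: any key that smuggledParams reports is one that a validation layer on new Go never inspects but an older Go service behind it will honour, so a mixed-version stack should normalise or reject semicolons at the edge rather than rely on each tier agreeing on the separator.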


One-Click Account Hijacking in TikTok (Android)

Post by Microsoft's 365 Defender research team on an access control issue in TikTok's Android app. The problem centres on WebViews and how they interact with deeplinks, special hyperlinks that Android supports and that applications can register handlers for…


[GitLab] Able to view hackerone reports attachments

Fairly simple vulnerability where GitLab had an internal endpoint for their own tracking of HackerOne reports. The researcher found one of these links and discovered the /a path, which would dump all attachment keys; these could be used to reconstruct the URLs to download the attachments.


Forwarding addresses is hard [CVE-2022-31813]

A vulnerability in Apache HTTPD's mod_proxy reverse proxy module. The issue comes down to an interesting logic bug in ap_proxy_create_hdrbrgd(), where it would clear hop-by-hop request headers via ap_proxy_clear_connection() after the X-Forwarded-* headers had been added, so a client naming those headers in its own Connection header could have them stripped before they reached the origin…