Escaping Parallels Desktop with Plist Injection
Two vulnerabilities in Parallels Desktop, a plist injection and a Time-of-Check Time-of-Use (TOCTOU) race.
An attack that confuses security tooling into an insecure action. So, what is Dependabot? If you’ve used GitHub you’ve probably seen it around…
OpenAI would provide some free credits to a user once they verify their phone number, and then, to prevent abuse, ensure phone numbers are unique. It’s a sane plan, but Checkmarx did find a way to bypass this…
Two issues came together here, the first one is the more “fun” issue in a file upload handler.
A fun little chain to get a one-click CSRF attack on a redacted domain.
This one is easy enough: a missing bounds check when handling nested messages allowed sending a message with many nested messages that would be parsed and written out of bounds on a fixed-size buffer.
A logic bug when dealing with the parsing of the git/.config file, which could be triggered via git submodules. The relevant function for the vuln here is git_config_copy_or_rename_section_in_file(), which would remove or rename configuration sections in-place in the config file…
CVE-2023-27322 - Local Privilege Escalation Through Parallels Service
Project Zero found a complex bug in the Windows kernel registry subsystem which creates type confusion situations. Windows supports the ability to rename registry keys in place, which is facilitated by the NtRenameKey() syscall…
A pretty classic string escaping bug in GhostScript. One common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer. As was the case here: despite checking on every iteration that the limit of the buffer was not reached, when a character was found that should be escaped, it would write to the destination buffer twice, first with the escape character (0x01) and then again with an XOR’d version of the character to be escaped…
A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used…
A pretty straightforward out-of-bounds write (OOB write) in the Apple SPU kernel extension, which is used for managing drivers on macOS and iOS. The problem lies in the opcode handler for ALLOCATE_BUFFER messages sent to SPU via an IOUserClient…
Another file-write to code execution escalation strategy to be aware of. Similar to others we’ve covered, it requires control over the file being written (duh) and partial control over the contents; the start of at least one line is sufficient.
Orca Security presents a privilege escalation method in Azure environments. It’s nothing too crazy, but at least worth taking note of. The first concept to understand is Azure Storage Account keys: when you first create a storage account, by default Azure generates a couple of 512-bit storage account access keys that can be used to access the account…
Multiple symlink-style issues in the WindowsContainerController and HyperVController controllers in the Docker Desktop for Windows daemon (dockerd). When looking at the WindowsContainerController, they noted the start() and stop() methods as potentially interesting, as they would take start and stop request objects which were attacker-controlled input, and contained a DaemonJSON string, which pointed to the path of the configuration file for docker.