Vulnerabilities (Page 7)

NetBSD Coredump Kernel Refcount LPE

Fairly straightforward refcount leak bug in the coredump function of the kernel.It would take a reference on the process credentials to ensure they don’t get destroyed while in-use, but they don’t release the reference on the error exit path…


Integer Overflow in SQLite Leading to Stack-based Buffer Overflow

An integer overflow in SQLite’s sqlite3_str_vappendf, large inputs when dealing with q Q or w format specifiers (unique to SQLite’s implementation of printf used to escape quotes).In calculating the maximum buffer once escapes have been added the size may overflow to a negative value leading to SQLite using a 70byte (by default) stack allocated buffer…


[Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched

Callbacks can be tricky in memory-unsafe languages, here we have the Chrome Account Selection feature creating an image view and an image fetcher. Sets up a callback function to be called once the account’s image has been fetched and passes in the raw pointer to the created image_view, the problem being that the image view may be destroyed before the callback happens.


Google Data Studio Insecure Direct Object Reference

Straight forward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have an option to create a template and then perhaps add that template to the report, it is the process of persisting that template in a report that is vulnerable to IDOR.


Facebook SMS Captcha Was Vulnerable to CSRF Attack

Facebook’s SMS Captcha page would as you might expect, display a captcha, the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the next url parameter which was entirely attacker controlled, and could be pointed to sensitive GraphQL endpoints.


Integer Overflow Leading to Buffer Overflow in "Official" SHA-3 Implementation

An integer overflow in the official SHA-3 implementation as used by PHP, Python, Ruby and I’m sure other places.When updating a block that already has some data in it, it will try to calculate if the new partial block bytes will go out of bounds, it makes the classic mistake of adding the current index and the length of new data, then just checking if it is lower than a bounding value…