Bit of an odd bug in the SecurityPoint UTM Firewall admin and user panels.During the normal login flow a user starts off with an empty sessionID value, once they authenticate successfully the server returns a filled in sessionID…
A local privileged escalation in bthport.sys the Windows bluetooth bus driver.The vulnerability exists in the Service Discovery Protocol (SDP)…
A fun bug, likely stemming from misunderstanding the return value from an snprintf call. Unfortunately (for us, good for security) only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and has it dealt with encrypted pointers the exploitation was pretty cool to see documented. However I did have some problems following on the actual vulnerability details.
This article is about glitching the Wii-U’s read of One-Time Programmable (OTP) fuses into registers for verifying the boot process.Under normal circumstances, the boot ROM will verify the firmware stored in the NAND storage against a hash stored in fuses…
Nothing to crazy here, its well known that if someone can compromise something running within an AWS Elastic Kubernetes Service (EKS) pod, they can use that access to hit the AWS EC2 Metadata Service and gain the machine’s IAM token. There has been some prior research about performing a denial of service by removing a network interface with that token, but the author An Trinh here takes a look at going for a more significant privilege escalation.
A stupid auth bypass (for the app, great find by the researcher), and a service-side template injection in Pentaho.Starting with the SSTI, Pentaho has a few endpoints to configure and test LDAP connections, to do so it creates an XML-based bean definition and properties file containing all the user-provided data…
Code-generator gone bad! And another look at why its important to consider the context of what your escaping data for.In this case synthetics recorder could be used to generate playwright scripts (I think?) to replay a capture interaction…
At its core, this is pretty easy to understand, and isn’t especially novel, but it is an interesting area, stealing cars so worth covering.The core problem is simply that inside of a modern vehicle you have the Controller Area Network Bus (CAN Bus)…
A stack-based buffer overflow in SNI Proxy, in parsing Hostnames to determine where to redirect traffic to the application would The vulnerability exists when aprsing IPv6 blocks, it’ll calculate the source length by looking for the end ] character, and then copy those characters into the target buffer. While it does “limit” the copy, it limits it based on the source length rather than the destination buffer size allowing for an overflow.
A fairly straightforward double-free issue in the Samsung Neural Processing Unit (NPU) driver.At the time the NPU driver was also reachable from untrusted, and as such made the vuln highly impactful…
Multiple vulnerabilities that were found in the PS2 JIT emulator’s compiler process in PS4/PS5.The previous mast1c0re post we covered on episode #188 covered vulns and exploitation of the application process, which didn’t have direct JIT capability…
When using curl, if the --data-raw argument starts with a @ it will be treated as a filename and the file itself will be included as the data of the request. This sort of bug would be hard to exploit in the context of Burp and Chrome, requiring a victim to “Copy as cURL” a malicious request in the first place, and then run it…
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms though this post focuses in on Azure App Services and Azure Functions.Being able to easily add authentication to your apps on either is nice, but they can easily be misconfigured…