An object type confusion was discovered in the Microsoft Kernel Streaming Server (mskssrv.sys), which is used for virtualizing camera devices and allowing multiple applications to access camera streams. The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a context and a stream…
Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine. In this case, though, the impact was easier to spot because the program processing the output logs was part of the same application…
An interesting vulnerability was found in Confluence that allowed calling semi-arbitrary method chains on the Action class being executed. This reminds me a bit of deserialization attacks, but in this case you’ve got the Xwork2 framework providing a SafeParametersInterceptor class…
A straightforward path traversal issue in Node.js. Node’s fs functions allow specifying paths in the form of either strings or Uint8Array objects…
Rapid Reset is a Denial of Service (DoS) attack that abuses HTTP/2’s RST_STREAM frame. Where HTTP/1.1 is text-based, with the familiar header/body messages, HTTP/2 is a binary protocol that multiplexes many streams over one connection; the two sides exchange frames, some carrying data and others carrying control and flow-control information…
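As an added example, not code from the original post or from any affected server, the following Node.js snippet encodes the HEADERS + RST_STREAM pairs that make up the attack pattern, parses them back, and sketches the per-connection reset-rate check that servers adopted as a mitigation. The HPACK bytes in HEADERS_PAYLOAD, the thresholds and the RapidResetMonitor name are constructed for the illustration; the frame layout and type codes follow RFC 9113.

```javascript
const FRAME_HEADERS = 0x1;      // RFC 9113 frame type codes
const FRAME_RST_STREAM = 0x3;
const FLAG_END_STREAM = 0x1;
const FLAG_END_HEADERS = 0x4;
const ERR_CANCEL = 0x8;         // error code the attacker puts in RST_STREAM

// Constructed HPACK payload: indexed fields ":method GET" (static table index 2)
// and ":path /" (index 4). Enough for the framing demo; a real request has more.
const HEADERS_PAYLOAD = Buffer.from([0x82, 0x84]);

// Frame header is 9 bytes: 24-bit length, 8-bit type, 8-bit flags, then a
// reserved bit and a 31-bit stream identifier, followed by the payload.
function encodeFrame(type, flags, streamId, payload) {
  const header = Buffer.alloc(9);
  header.writeUIntBE(payload.length, 0, 3);
  header.writeUInt8(type, 3);
  header.writeUInt8(flags, 4);
  header.writeUInt32BE(streamId & 0x7fffffff, 5);
  return Buffer.concat([header, payload]);
}

// RST_STREAM carries a single 32-bit error code.
function rstStreamFrame(streamId, errorCode) {
  const payload = Buffer.alloc(4);
  payload.writeUInt32BE(errorCode, 0);
  return encodeFrame(FRAME_RST_STREAM, 0, streamId, payload);
}

// The attack pattern: open a stream with a complete request, cancel it at once,
// repeat. Client-initiated stream ids are odd.
function buildRapidResetBurst(count) {
  const chunks = [];
  for (let i = 0; i < count; i++) {
    const streamId = 2 * i + 1;
    chunks.push(encodeFrame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, streamId, HEADERS_PAYLOAD));
    chunks.push(rstStreamFrame(streamId, ERR_CANCEL));
  }
  return Buffer.concat(chunks);
}

// Parse a byte stream back into frames; throws if the input ends mid-frame.
function decodeFrames(buf) {
  const frames = [];
  let off = 0;
  while (off + 9 <= buf.length) {
    const length = buf.readUIntBE(off, 3);
    if (off + 9 + length > buf.length) throw new Error('truncated frame');
    frames.push({
      type: buf.readUInt8(off + 3),
      flags: buf.readUInt8(off + 4),
      streamId: buf.readUInt32BE(off + 5) & 0x7fffffff,
      payload: buf.subarray(off + 9, off + 9 + length),
    });
    off += 9 + length;
  }
  if (off !== buf.length) throw new Error('truncated frame header');
  return frames;
}

// Mitigation sketch. SETTINGS_MAX_CONCURRENT_STREAMS does not help here because
// a reset stream no longer counts as open even though the server may still be
// working on it, so instead count how many streams the client cancels before
// the server has answered them, within a sliding window.
class RapidResetMonitor {
  constructor({ windowMs = 1000, maxResets = 100 } = {}) {
    this.windowMs = windowMs;
    this.maxResets = maxResets;
    this.unanswered = new Set();   // client streams we have not responded on yet
    this.resetTimes = [];          // timestamps of cancellations of such streams
  }
  // Call when the server sends its first frame on a stream.
  serverResponded(streamId) { this.unanswered.delete(streamId); }
  // Feed client-to-server frames; returns true once the connection should be closed.
  observe(frames, now) {
    for (const f of frames) {
      if (f.type === FRAME_HEADERS) this.unanswered.add(f.streamId);
      if (f.type === FRAME_RST_STREAM && this.unanswered.delete(f.streamId)) {
        this.resetTimes.push(now);
      }
    }
    this.resetTimes = this.resetTimes.filter((t) => t > now - this.windowMs);
    return this.resetTimes.length > this.maxResets;
  }
}
```

A cancellation that arrives after the server has already started responding is ordinary client behaviour and is not counted, which keeps the check from tripping on legitimate clients that abandon slow requests; only resets of streams the server never got to answer feed the counter.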
A two-part blog series by Rhino Security Labs that covers common issues seen in deployments using AWS Cognito, and how they automated testing for and attacking those issues. AWS Cognito is AWS’s managed user authentication and authorization service, typically used by web and mobile apps…
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in V8’s optimizing JIT compiler (TurboFan). As a bit of background, modern browsers will often compile code/functions that are deemed ‘hot’ (i.e. executed frequently)…
A buffer overflow vulnerability was introduced in a 2021 patch to glibc’s dynamic loader, in the code that processes the GLIBC_TUNABLES environment variable. Tunables are runtime configuration settings for glibc that can be set via key/value pairs of the form key=val…
A rather complex bug to trigger, found being exploited in the wild against libwebp’s VP8L lossless compression format and reachable via iMessage.
Writeup for exploiting an io_uring bug submitted to kCTF (before io_uring was disabled in kCTF). The vulnerability itself was extremely straightforward and was in the handling of the IORING_OP_MSG_RING command, used to signal another ring…