Vulnerabilities (Page 8)

Rather subtle bug in the ASN.1 parsing state machine that comes down to one area of code being unaware of an edge case in another.

Slight race-condition in the Pritunl VPN client leading to a semi-controlled file-write as SYSTEM which could be leveraged into code execution as SYSTEM.

Somewhat traditional CE.TE request smuggling attack on a few of Apple’s domains.The main trick with this one was to place a \n in the Transfer-Encoding header name…

Server-Side Request Forgery with both server-side and client-sided impacts.

Cool little trick against the NodeBB oauth flow resulting in a CSRF that would associate an attackers third-party account with a victim NodeBB account.

tl;dr Two CVEs, one an integer overflow due to incorrectly assuming the compiler would optimize an enum into a single byte, and the other some uninitialized kernel stack variables that could be exposed to userspace.

Follow-up to the December post which covered an int overflow in the CoreGraphics PDF parser for the JBIG2 image format, which implemented a weird machine / mini architecture to execute code. This post covers the sandbox escape that was chained with it, which unlike the first bug, is a logic issue rather than a memory corruption.

The title says it all, CSRF protection was disabled for a period of time on Stripe’s Dashboard.As the most sensitive actions required reentering the user’s password or solving a captcha the damage was limited but you could still change various account settings…

Sometimes vulnerabilities come from trying to be too generic/handle all the possibilities, this is one of those situations.What you have the Spring Framework letting users write simple Java classes with fields, getters/setters and setting those up as models for a particular endpoint…

Weak entropy in a password reset token, and an archive escape using symlinks to achieve code execution.