We have previously discussed this vulnerability, which provides a primitive to free adjacent memory.
Vulnerabilities (Page 9)
A UAF in the Common Logging File System (CLFS). Some background is needed on how this custom file system works to provide context for the bug…
An attack that extends branch target injection, in which the attacker trains the branch predictor so that an indirect branch speculatively executes an attacker-chosen target, then uses a cache side channel to leak the data touched during that speculation. Among the mitigations introduced by Intel and ARM were Enhanced Indirect Branch Restricted Speculation (eIBRS) and CSV2 respectively…
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, then an unescaped argument in a privileged-off task for command injection.
Azure Automation would run an internal service serving JWTs that could be accessed across tenant boundaries.
Escaping to the Node Virtual Machine
Two issues: first an XSS that required two injection points to bypass the web application firewall, and second a cache poisoning attack that made it possible for the XSS to be stored.
The vulnerability here is a straightforward case of reading a size from the attacker and using it, unchecked, as the length of a memcpy into a fixed-size destination buffer on the stack.
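The bug class above, as an added example that is not code from the original post or the affected project: an assumed wire format (4-byte little-endian length followed by payload) is parsed into a 64-byte stack buffer, first with the attacker's length passed straight to memcpy, then with the length validated against both the bytes actually received and the destination size. The format, buffer size and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* fixed-size stack destination, as in the bug class described */

/* Assumed wire format for this example (not from the original post):
 * a 4-byte little-endian length followed by that many payload bytes. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the attacker-supplied length goes straight into memcpy.
 * A length above BUF_SIZE writes past buf on the stack, and a length above the
 * bytes actually received also over-reads the packet. Shown for contrast only;
 * do not feed it an oversized packet. */
int parse_message_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[BUF_SIZE];
    if (pkt_len < 4)
        return -1;
    uint32_t len = read_le32(pkt);
    memcpy(buf, pkt + 4, len);          /* BUG: len never checked against sizeof buf or pkt_len */
    return (int)len;
}

/* Hardened version: the length is validated against both the payload bytes
 * actually present and the destination size before any copy happens.
 * Returns bytes copied, or a negative error code. */
int parse_message_checked(const uint8_t *pkt, size_t pkt_len,
                          uint8_t *dst, size_t dst_len) {
    if (pkt_len < 4)
        return -1;                      /* header truncated */
    uint32_t len = read_le32(pkt);
    if (len > pkt_len - 4)
        return -2;                      /* claims more payload than was received (over-read) */
    if (len > dst_len)
        return -3;                      /* would overflow the destination (stack smash) */
    memcpy(dst, pkt + 4, len);
    return (int)len;
}

/* Same fixed-size stack buffer as the vulnerable handler, now bounds-checked. */
int handle_packet(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[BUF_SIZE];
    return parse_message_checked(pkt, pkt_len, buf, sizeof buf);
}

/* Builds a constructed packet with the given declared length and actual payload
 * size (payload filled with 'A') and runs it through the hardened handler. */
int run_case(uint32_t declared_len, size_t payload_len) {
    uint8_t pkt[4 + 256];
    if (payload_len > sizeof pkt - 4)
        return -99;
    pkt[0] = (uint8_t)declared_len;
    pkt[1] = (uint8_t)(declared_len >> 8);
    pkt[2] = (uint8_t)(declared_len >> 16);
    pkt[3] = (uint8_t)(declared_len >> 24);
    memset(pkt + 4, 'A', payload_len);
    return handle_packet(pkt, 4 + payload_len);
}

int main(void) {
    printf("declared 5, payload 5     -> %d\n", run_case(5, 5));       /* copies 5 */
    printf("declared 64, payload 64   -> %d\n", run_case(64, 64));     /* exactly fills buf */
    printf("declared 65, payload 65   -> %d\n", run_case(65, 65));     /* rejected: overflow */
    printf("declared 1000, payload 4  -> %d\n", run_case(1000, 4));    /* rejected: over-read */
    return 0;
}
```

The order of the two checks matters less than having both: the over-read check protects the source side (information leak or crash), the destination check protects the stack; a fix that only adds one of them leaves the other half of the bug in place.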
A lot of this post, as the title indicates, goes into the difficulties of determining the real client IP in a modern environment where reverse proxies are common and expected, pointing out some common issues:
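An added example of the client-IP problem, not code from the post or from any project it discusses: the naive approach of taking the leftmost X-Forwarded-For entry is placed beside a right-to-left walk that starts from the TCP peer address and only consults the header when that peer is one of our own proxies. The trusted proxy addresses, sample requests and function names are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Addresses of the reverse proxies we operate, assumed for this example; in a
 * real deployment this list comes from configuration, never from the request. */
static const char *const TRUSTED_PROXIES[] = { "10.0.0.5", "10.0.0.6" };

struct span { const char *p; size_t n; };

static bool is_trusted_proxy(struct span ip) {
    for (size_t i = 0; i < sizeof TRUSTED_PROXIES / sizeof TRUSTED_PROXIES[0]; i++)
        if (strlen(TRUSTED_PROXIES[i]) == ip.n && memcmp(TRUSTED_PROXIES[i], ip.p, ip.n) == 0)
            return true;
    return false;
}

/* Strips surrounding spaces/tabs from [start, end). */
static struct span trim(const char *start, const char *end) {
    while (start < end && (*start == ' ' || *start == '\t')) start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    return (struct span){ start, (size_t)(end - start) };
}

static const char *copy_span(struct span sp, char *out, size_t outlen) {
    if (sp.n >= outlen) return NULL;    /* absurdly long entry: refuse rather than truncate */
    memcpy(out, sp.p, sp.n);
    out[sp.n] = '\0';
    return out;
}

/* Common mistake: trust the leftmost X-Forwarded-For entry. The client can send
 * that header itself, so the result is whatever the attacker chose. */
const char *client_ip_leftmost(const char *remote_addr, const char *xff) {
    static char out[64];
    if (!xff) return remote_addr;
    const char *comma = strchr(xff, ',');
    struct span sp = trim(xff, comma ? comma : xff + strlen(xff));
    if (sp.n == 0) return remote_addr;
    return copy_span(sp, out, sizeof out);
}

/* Safer: start from the TCP peer address. Only if that peer is one of our own
 * proxies do we consult X-Forwarded-For, and then we walk it from the right,
 * skipping entries that are trusted proxies; the first untrusted entry is the
 * address the outermost trusted proxy actually saw connecting to it. Scanning
 * from the end of the string means an attacker cannot push the proxy-appended
 * entry out of view by stuffing the header with many fake hops. */
const char *client_ip_rightmost_untrusted(const char *remote_addr, const char *xff) {
    static char out[64];
    struct span peer = { remote_addr, strlen(remote_addr) };
    if (!is_trusted_proxy(peer))
        return remote_addr;             /* direct connection: the header is untrustworthy */
    if (!xff) return remote_addr;
    const char *end = xff + strlen(xff);
    while (end > xff) {
        const char *start = end;
        while (start > xff && start[-1] != ',') start--;
        struct span sp = trim(start, end);
        if (sp.n > 0 && !is_trusted_proxy(sp))
            return copy_span(sp, out, sizeof out);
        end = (start > xff) ? start - 1 : xff;   /* step over the comma to the previous entry */
    }
    return remote_addr;                 /* every entry was one of our proxies: nothing better than the peer */
}

int main(void) {
    /* Constructed request: client 203.0.113.9 sends a spoofed header and
     * connects through our proxy 10.0.0.5, which appends the real address. */
    const char *peer = "10.0.0.5";
    const char *xff = "1.2.3.4, 203.0.113.9";
    printf("leftmost:            %s\n", client_ip_leftmost(peer, xff));            /* 1.2.3.4 (spoofed) */
    printf("rightmost untrusted: %s\n", client_ip_rightmost_untrusted(peer, xff)); /* 203.0.113.9 */
    return 0;
}
```

Two further cases the right-to-left walk handles that the leftmost version does not: a direct connection that carries a forged header (the header is ignored because the peer is not a trusted proxy), and a chain of two of our proxies, where the inner proxy's address appears in the header and must be skipped.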