A fairly classic mobile issue, the McAfee Security: Antivirus VPN is a highly privileged app and it exports a fairly generic MainActivity.The MainActivity is rather dynamic in terms of what type content it’ll load, basically acting as a wrapper to load whatever the real intent was…
A high performance, but apparently low security library for some industrial software, root cause is the use of a signed comparison of a value that is then used as an unsigned size value in a memcpy. End result being a much too large copy, overflowing the destination buffer.
An exploit chain that targets Samsung’s TEEgris OS running in the ARM TrustZone secure world.TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)…
A directory traversal vulnerability in Parallels Desktop for MacOS has been identified, leading to a guest-to-host VM escape.Parallels ToolGate, a virtual PCI device, facilitates communication between the guest and host operating systems…
Abuse ChatGPT and other language models for remote code execution, sounds great! This is quite literally just a case of determining how the AI is being leveraged in the backend and then engineering a prompt to ask the language model to respond with something malicious. The author has two examples on BoxCars:
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.
Two CloudTrail logging vulnerabilities have been identified, involving endpoints/services that fail to log properly.
A curious account takeover and one-time-password (OTP) bypass vulnerability has been identified.During the signup process, users receive an OTP sent to their email address…
This was a fun authorization check bypass because when checking if higher privileges were needed the flag value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set…
Three hard to exploit (beyond denial of service) out-of-bounds read vulnerabilities in MIT Kerberos V5 but each with a bit of an interest cause.
Effectively, a double-fetch vulnerability in Intel SMM’s SMI handler that could allow a local attacker to escelate into System manage Mode.It recieves a CommBuffer that contains a Data pointer and a size value…
When using the ssrfFilter library in conjunction with the Request library in JavaScript there is a bug that can result in the SSRF filter being disabled.The way the anti-SSRF library, ssrfFilter works is that is creates its own object that cna be used in=place of Node’s default request agent for http/http requests…
Three vulns in Apollo Configuration Management System (two of which were recognized as CVEs).The first vuln (which isn’t acknowledged by the vendor) is a Spring Expression Language (SpEL) issue where various settings are merged with spring framework properties, allowing SpEL injection for RCE…
A few vulnerabilities in Azure Web Services via Kudu Git repo manager used for git deployments.Kudu exports a source control management (SCM) portal that can be accessed if you’re authenticated into the instance through Azure Active Directory (AAD), which allows you to manage your web app…
Solid post document some of the practical aspects of pulling off this attack, but the root issue was a change in Android’s parcel API, without going into details about parcels you can think about this as similar to just opening a file.You usually need to provide a mode, like w for write, or r for read access…