Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/fuchsia-os-printer-bugs-and-hacking-radare2.html Some silly issues in radare2, some printer hacking, some kernel vulnerabilities, and a look at exploiting Fuchsia OS on this weeks episode. Just as a reminder this will be our last episode until September. [00:00:40] Spot the Vuln - Size Matters [00:04:30] Multiple vulnerabilities in radare2 [00:10:08] The printer goes brrrrr!!! [00:17:25] A Kernel Hacker Meets Fuchsia OS [00:33:55] Finding Bugs in Windows Drivers, Part 1 - WDM [00:41:23] Chat Question: Learning Kernel Exploitation [00:50:25] Resources While We are Gone The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/fuchsia-os-printer-bugs-and-hacking-radare2.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/fuchsia-os-printer-bugs-and-hacking-radare2.html</a> Some silly issues in radare2, some printer hacking, some kernel vulnerabilities, and a look at exploiting Fuchsia OS on this weeks episode. Just as a reminder this will be our last episode until September. [00:00:40] Spot the Vuln - Size Matters [00:04:30] Multiple vulnerabilities in radare2 [00:10:08] The printer goes brrrrr!!! [00:17:25] A Kernel Hacker Meets Fuchsia OS [00:33:55] Finding Bugs in Windows Drivers, Part 1 - WDM [00:41:23] Chat Question: Learning Kernel Exploitation [00:50:25] Resources While We are Gone The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[binary] Fuchsia OS, Printer Bugs, and Hacking Radare2

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-zoom-rce-vmware-auth-bypass-and-gitlab-stored-xss.html Last bounty episode before our summer vacation, and we are ending off with some cool issues. XML Stanza smuggling in Zoom for a MitM attack, an odd auth bypass, a Gitlab Stored XSS and gadget based CSP bypass, and an interesting technique to leverage a path traversal/desync against NGINX Plus [00:01:00] How I hacked CTX and PHPass Modules [00:10:55] [Zoom] Remote Code Execution with XMPP Stanza Smuggling [00:19:38] VMware Authentication Bypass Vulnerability [CVE-2022-22972] [00:23:05] Breaking Reverse Proxy Parser Logic [00:26:44] [GitLab] Stored XSS in Notes (with CSP bypass) [00:37:13] GhostTouch: Targeted Attacks on Touchscreens without Physical Touch [00:48:00] Resources While We Are Gone The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/a-zoom-rce-vmware-auth-bypass-and-gitlab-stored-xss.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/a-zoom-rce-vmware-auth-bypass-and-gitlab-stored-xss.html</a> Last bounty episode before our summer vacation, and we are ending off with some cool issues. XML Stanza smuggling in Zoom for a MitM attack, an odd auth bypass, a Gitlab Stored XSS and gadget based CSP bypass, and an interesting technique to leverage a path traversal/desync against NGINX Plus [00:01:00] How I hacked CTX and PHPass Modules [00:10:55] [Zoom] Remote Code Execution with XMPP Stanza Smuggling [00:19:38] VMware Authentication Bypass Vulnerability [CVE-2022-22972] [00:23:05] Breaking Reverse Proxy Parser Logic [00:26:44] [GitLab] Stored XSS in Notes (with CSP bypass) [00:37:13] GhostTouch: Targeted Attacks on Touchscreens without Physical Touch [00:48:00] Resources While We Are Gone The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[bounty] A Zoom RCE, VMware Auth Bypass, and GitLab Stored XSS

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2own-parallels-desktop-and-an-appleavd-bug.html Just a couple vulnerabilities to talk about this week, but some interesting things to talk about in them. We also have some discussion about this year's pwn2own results and a couple things that caught out attention. [00:01:02] Spot the Vuln - NoSQL, No Problem [00:02:46] Pwn2Own Vancouver 2022 - The Results [00:16:14] CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD [00:23:16] Exploiting an Unbounded memcpy in Parallels Desktop The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/pwn2own-parallels-desktop-and-an-appleavd-bug.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/pwn2own-parallels-desktop-and-an-appleavd-bug.html</a> Just a couple vulnerabilities to talk about this week, but some interesting things to talk about in them. We also have some discussion about this year's pwn2own results and a couple things that caught out attention. [00:01:02] Spot the Vuln - NoSQL, No Problem [00:02:46] Pwn2Own Vancouver 2022 - The Results [00:16:14] CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD [00:23:16] Exploiting an Unbounded memcpy in Parallels Desktop The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[binary] Pwn2Own, Parallels Desktop, and an AppleAVD Bug

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/stealing-dropbox-google-drive-tokens-a-gitlab-bug-and-macos-powerdir-vulnerability.html Kicking off the week with some discussion about DOJ's policy change before getting into some vulnerabilities: "powerdir" a macOS TCC bypass, an integer overflow on the web, and another attack against HelloSign and their Google Drive integration [00:02:12] DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers [00:11:02] macOS Vulnerability "powerdir" could lead to unauthorized user data access [00:17:17] Arbitrary POST request as victim user from HTML injection in Jupyter notebooks [00:21:44] [Glovo] Integer overflow vulnerability  [00:25:11] Stealing Google Drive OAuth tokens from Dropbox [00:29:46] Privileged pod escalations in Kubernetes and GKE The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/stealing-dropbox-google-drive-tokens-a-gitlab-bug-and-macos-powerdir-vulnerability.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/stealing-dropbox-google-drive-tokens-a-gitlab-bug-and-macos-powerdir-vulnerability.html</a> Kicking off the week with some discussion about DOJ's policy change before getting into some vulnerabilities: "powerdir" a macOS TCC bypass, an integer overflow on the web, and another attack against HelloSign and their Google Drive integration [00:02:12] DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers [00:11:02] macOS Vulnerability "powerdir" could lead to unauthorized user data access [00:17:17] Arbitrary POST request as victim user from HTML injection in Jupyter notebooks [00:21:44] [Glovo] Integer overflow vulnerability [00:25:11] Stealing Google Drive OAuth tokens from Dropbox [00:29:46] Privileged pod escalations in Kubernetes and GKE The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[bounty] Stealing DropBox Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/python-3-uaf-and-ps4-ps5-pppoe-kernel-bug.html We have a couple normally low-impact bugs in Solana rBPF this week netting a $200k bounty, a Python 2.7+ Use-After-Free and a PS4 and PS5 remote kernel heap overflow along with some discussion about exploitability and usability for a jailbreak. [00:00:48] Spot the Vuln - Clowning Around [00:03:27] Earn $200K by fuzzing for a weekend [00:17:37] Exploiting a Use-After-Free for code execution in every version of Python 3 [00:26:21] [PlayStation] Remote kernel heap overflow The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/python-3-uaf-and-ps4-ps5-pppoe-kernel-bug.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/python-3-uaf-and-ps4-ps5-pppoe-kernel-bug.html</a> We have a couple normally low-impact bugs in Solana rBPF this week netting a $200k bounty, a Python 2.7+ Use-After-Free and a PS4 and PS5 remote kernel heap overflow along with some discussion about exploitability and usability for a jailbreak. [00:00:48] Spot the Vuln - Clowning Around [00:03:27] Earn $200K by fuzzing for a weekend [00:17:37] Exploiting a Use-After-Free for code execution in every version of Python 3 [00:26:21] [PlayStation] Remote kernel heap overflow The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[binary] Python 3 UAF and PS4/PS5 PPPoE Kernel Bug

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/yanking-rubygems-big-ip-auth-bypass-and-a-priceline-account-takeover.html A lot of cool little bugs this week with some solid impact, Facebook and Priceline account takeovers, F5 iControl Authentication Bypass, and a couple other logic bugs. [00:01:55] rubygems CVE-2022-29176 explained [00:06:09] Multiple bugs chained to takeover Facebook Accounts which uses Gmail [00:15:16] [curl] curl removes wrong file on error [CVE-2022-27778] [00:18:33] [Priceline] Account takeover via Google OneTap [00:22:14] F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive [00:29:02] The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF… [00:30:20] Hunting evasive vulnerabilities The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/yanking-rubygems-big-ip-auth-bypass-and-a-priceline-account-takeover.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/yanking-rubygems-big-ip-auth-bypass-and-a-priceline-account-takeover.html</a> A lot of cool little bugs this week with some solid impact, Facebook and Priceline account takeovers, F5 iControl Authentication Bypass, and a couple other logic bugs. [00:01:55] rubygems CVE-2022-29176 explained [00:06:09] Multiple bugs chained to takeover Facebook Accounts which uses Gmail [00:15:16] [curl] curl removes wrong file on error [CVE-2022-27778] [00:18:33] [Priceline] Account takeover via Google OneTap [00:22:14] F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive [00:29:02] The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF… [00:30:20] Hunting evasive vulnerabilities The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[bounty] Deleting Rubygems, BIG-IP Auth Bypass, and a Priceline Account Takeover

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2owning-routers-and-anker-eufy-bugs.html Just a few vulnerabilities this week, but we have some codeql discussion as its used to find several vulnerabilities in Accel-PPP VPN server, and a look at a bug submitted to Pwn2Own 2021. [00:00:33] Spot the Vuln - Is It Clear [00:05:13] Anker Eufy Homebase 2 libxm_av.so DemuxCmdInBuffer buffer overflow vulnerability [00:08:18] Hunting bugs in Accel-PPP with CodeQL [00:15:53] Competing in Pwn2Own 2021 Austin: Icarus at the Zenith The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/pwn2owning-routers-and-anker-eufy-bugs.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/pwn2owning-routers-and-anker-eufy-bugs.html</a> Just a few vulnerabilities this week, but we have some codeql discussion as its used to find several vulnerabilities in Accel-PPP VPN server, and a look at a bug submitted to Pwn2Own 2021. [00:00:33] Spot the Vuln - Is It Clear [00:05:13] Anker Eufy Homebase 2 <a href="http://libxm_av.so" rel="nofollow" target="_blank">libxm_av.so</a> DemuxCmdInBuffer buffer overflow vulnerability [00:08:18] Hunting bugs in Accel-PPP with CodeQL [00:15:53] Competing in Pwn2Own 2021 Austin: Icarus at the Zenith The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[binary] Pwn2Owning Routers and Anker Eufy Bugs

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/cloudflare-pages-hacking-a-bank-and-attacking-price-oracles.html Some interesting vulnerabilities this week from a Cloudflare Pages container escape chain, to hacking a bank's web application with some neat tricks to get abuse a file-write in a hardened envrionment, and even another dumb smart-contract bug. [00:00:23] Cloudflare Pages, part 1: The fellowship of the secret [00:10:07] Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers [CVE-2022-27777] [00:15:01] Hacking a Bank by Finding a 0day in DotCMS [00:22:23] Aave V3’s Price Oracle Manipulation Vulnerability [00:33:53] [Reddit] Able to bypass email verification and change email to any other user email  The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/cloudflare-pages-hacking-a-bank-and-attacking-price-oracles.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/cloudflare-pages-hacking-a-bank-and-attacking-price-oracles.html</a> Some interesting vulnerabilities this week from a Cloudflare Pages container escape chain, to hacking a bank's web application with some neat tricks to get abuse a file-write in a hardened envrionment, and even another dumb smart-contract bug. [00:00:23] Cloudflare Pages, part 1: The fellowship of the secret [00:10:07] Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers [CVE-2022-27777] [00:15:01] Hacking a Bank by Finding a 0day in DotCMS [00:22:23] Aave V3’s Price Oracle Manipulation Vulnerability [00:33:53] [Reddit] Able to bypass email verification and change email to any other user email The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[bounty] Cloudflare Pages, Hacking a Bank, and Attacking Price Oracles

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/nimbuspwn-a-clfs-vulnerability-and-dataflow.html A few vulnerabilities from a TOCTOU to an arbitrary free, and some research into using data-flow in your fuzzing. [00:00:18] Spot the Vuln - Where's it At? [00:03:44] Nimbuspwn - A Linux Elevation of Privilege [00:08:38] Windows Common Log File System (CLFS) Logical-Error Vulnerability [CVE-2022-24521] [00:15:32] Arbitrary Free in Accusoft ImageGear ioca_mys_rgb_allocate [00:25:31] Commit Level Vulnerability Dataset [00:28:44] DatAFLow - Towards a Data-Flow-Guided Fuzzer The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:  Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/nimbuspwn-a-clfs-vulnerability-and-dataflow.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/nimbuspwn-a-clfs-vulnerability-and-dataflow.html</a> A few vulnerabilities from a TOCTOU to an arbitrary free, and some research into using data-flow in your fuzzing. [00:00:18] Spot the Vuln - Where's it At? [00:03:44] Nimbuspwn - A Linux Elevation of Privilege [00:08:38] Windows Common Log File System (CLFS) Logical-Error Vulnerability [CVE-2022-24521] [00:15:32] Arbitrary Free in Accusoft ImageGear ioca_mys_rgb_allocate [00:25:31] Commit Level Vulnerability Dataset [00:28:44] DatAFLow - Towards a Data-Flow-Guided Fuzzer The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[binary] NimbusPwn, a CLFS Vulnerability, and DatAFLow (Fuzzing)

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/xss-for-nfts-a-vmware-workspace-one-uem-ssrf-and-gitlab-ci-container-escape.html Some straight forward bugs this week with some interesting discussion around cryptographic protocols (VMWare Workspace), XSS in the Web3 world, and whether container escapes into a low-privileged VM matter. Along with a couple just note-worthy test-cases to keep in mind while bug hunting. [00:00:35] Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace [00:09:14] Encrypting our way to SSRF in VMWare Workspace One UEM [CVE-2021-22054] [00:14:29] How I Bypass 2FA while Resetting Password [00:16:41] Container escape on public GitLab CI Runners [00:30:39] [Nextcloud] Bypass the protection lock in andoid app The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:   Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities  Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.  The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Links and vulnerability summaries for this episode are available at: <a href="https://dayzerosec.com/podcast/xss-for-nfts-a-vmware-workspace-one-uem-ssrf-and-gitlab-ci-container-escape.html" rel="nofollow" target="_blank">https://dayzerosec.com/podcast/xss-for-nfts-a-vmware-workspace-one-uem-ssrf-and-gitlab-ci-container-escape.html</a> Some straight forward bugs this week with some interesting discussion around cryptographic protocols (VMWare Workspace), XSS in the Web3 world, and whether container escapes into a low-privileged VM matter. Along with a couple just note-worthy test-cases to keep in mind while bug hunting. [00:00:35] Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace [00:09:14] Encrypting our way to SSRF in VMWare Workspace One UEM [CVE-2021-22054] [00:14:29] How I Bypass 2FA while Resetting Password [00:16:41] Container escape on public GitLab CI Runners [00:30:39] [Nextcloud] Bypass the protection lock in andoid app The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: <ul> <li>Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities</li> <li>Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.</li> </ul> The Video archive can be found on our Youtube channel: <a href="https://www.youtube.com/c/dayzerosec" rel="nofollow" target="_blank">https://www.youtube.com/c/dayzerosec</a> You can also join our discord: <a href="https://discord.gg/daTxTK9" rel="nofollow" target="_blank">https://discord.gg/daTxTK9</a> Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[bounty] XSS for NFTs, a VMWare Workspace ONE UEM SSRF, and GitLab CI Container Escape

A weekly podcast for bounty hunters, exploit developers or anyone interesting in the details of the latest disclosed vulnerabilities and exploits.

Love the show but the “heavy set” host seems to have an attitude and is rude to his cohost.

Heavy set host constantly interrupts Co host

Good Podcast

Day[0]

Start off with some discussions about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week including CurveBall, CabelHaunt, and an RDP RCE.    [00:00:27] Chromium Blog: Building a more private web: A path towards making third party cookies obsolete [00:07:05] WeLeakInfo.com Domain Name Seized [00:13:39] A sad day for Rust [00:25:38] GitHub - microsoft/verona: Research programming language for concurrent ownership https://github.com/microsoft/verona/blob/master/docs/explore.md [00:37:30] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer [00:47:16] Control Flow Integrity (CFI) in the Linux kernel [00:53:54] ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) [00:57:19] Netgear TLS Private Key Disclosure through Device Firmware Images https://news.ycombinator.com/item?id=22048619 https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb [01:17:39] Cable Haunt [01:27:19] RDP to RCE: When Fragmentation Goes Wrong [01:31:46] Critical Auth Bypass Vulnerability In InfiniteWP Client And WP Time Capsule [01:37:48] cuck00 | Twenty-twenty, bugs aplenty!    Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Start off with some discussions about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week including CurveBall, CabelHaunt, and an RDP RCE. <ul> <li>[00:00:27] <a href="https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html" rel="nofollow" target="_blank">Chromium Blog: Building a more private web: A path towards making third party cookies obsolete</a></li> <li>[00:07:05] <a href="https://www.justice.gov/usao-dc/pr/weleakinfocom-domain-name-seized" rel="nofollow" target="_blank">WeLeakInfo.com Domain Name Seized</a></li> <li>[00:13:39] <a href="https://words.steveklabnik.com/a-sad-day-for-rust" rel="nofollow" target="_blank">A sad day for Rust</a></li> <li>[00:25:38] <a href="https://github.com/microsoft/verona" rel="nofollow" target="_blank">GitHub - microsoft/verona: Research programming language for concurrent ownership</a></li> <ul><li><a href="https://github.com/microsoft/verona/blob/master/docs/explore.md" rel="nofollow" target="_blank">https://github.com/microsoft/verona/blob/master/docs/explore.md</a></li></ul> <li>[00:37:30] <a href="https://arxiv.org/abs/2001.04107v2" rel="nofollow" target="_blank">Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer</a></li> <li>[00:47:16] <a href="https://outflux.net/slides/2020/lca/cfi.pdf" rel="nofollow" target="_blank">Control Flow Integrity (CFI) in the Linux kernel</a></li> <li>[00:53:54] <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001" rel="nofollow" target="_blank">ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)</a></li> <li>[00:57:19] <a href="https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9" rel="nofollow" target="_blank">Netgear TLS Private Key Disclosure through Device Firmware Images</a></li> <ul><li><a href="https://news.ycombinator.com/item?id=22048619" rel="nofollow" target="_blank">https://news.ycombinator.com/item?id=22048619</a></li></ul> <ul><li><a href="https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb" rel="nofollow" target="_blank">https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb</a></li></ul> <li>[01:17:39] <a href="https://cablehaunt.com/" rel="nofollow" target="_blank">Cable Haunt</a></li> <li>[01:27:19] <a href="https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/" rel="nofollow" target="_blank">RDP to RCE: When Fragmentation Goes Wrong</a></li> <li>[01:31:46] <a href="https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/" rel="nofollow" target="_blank">Critical Auth Bypass Vulnerability In InfiniteWP Client And WP Time Capsule</a></li> <li>[01:37:48] <a href="https://siguza.github.io/cuck00/" rel="nofollow" target="_blank">cuck00 | Twenty-twenty, bugs aplenty!</a></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty

Is the new OSCP worth-it? Can election apps be made secure? We'll talk about those questions and several kernel exploits and a few cool fuzzing innovations.    [00:00:23] PWK and the OSCP Certification | Offensive Security [00:16:24] Rescheduling Root KSK Ceremony 40 [00:20:15] The Ballot is Busted Before the Blockchain:A Security Analysis of Voatz https://blog.voatz.com/?p=1209 [00:49:26] Lateral movement via MSSQL: a tale of CLR and socket reuse [00:55:51] Fix for CVE-2018-12122 can be bypassed via keep-alive requests [01:00:28] A Trivial Privilege Escalation Bug in Windows Service Tracing (CVE-2020-0668) https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html [01:05:01] Intel CSME Escalation of Privilege [01:07:41] Project Zero: A day^W^W Several months in the life of Project Zero [01:18:54] Project Zero: Mitigations are attack surface, too https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html [01:33:42] Samsung SEND_FILE_WITH_HEADER Use-After-Free [01:35:52] Samsung /dev/tsmux Heap Out-Of-Bounds Write [01:39:55] Exploiting a Linux kernel vulnerability in the V4L2 subsystem (CVE-2019-18683) [01:45:10] KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities [01:54:06] HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing [01:58:14] HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [02:02:21] FIDO2 Deep Dive: Attestations, Trust model and Security [02:03:04] Hypervisor Necromancy; Reanimating Kernel Protectors    Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Is the new OSCP worth-it? Can election apps be made secure? We'll talk about those questions and several kernel exploits and a few cool fuzzing innovations. <ul> <li>[00:00:23] <a href="https://www.offensive-security.com/pwk-oscp/" rel="nofollow" target="_blank">PWK and the OSCP Certification | Offensive Security</a></li> <li>[00:16:24] <a href="https://mm.icann.org/pipermail/root-dnssec-announce/2020/000121.html" rel="nofollow" target="_blank">Rescheduling Root KSK Ceremony 40</a></li> <li>[00:20:15] <a href="https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf" rel="nofollow" target="_blank">The Ballot is Busted Before the Blockchain:A Security Analysis of Voatz</a></li> <ul><li><a href="https://blog.voatz.com/?p=1209" rel="nofollow" target="_blank">https://blog.voatz.com/?p=1209</a></li></ul> <li>[00:49:26] <a href="https://www.blackarrow.net/mssqlproxy-pivoting-clr/" rel="nofollow" target="_blank">Lateral movement via MSSQL: a tale of CLR and socket reuse</a></li> <li>[00:55:51] <a href="https://hackerone.com/reports/453513" rel="nofollow" target="_blank">Fix for CVE-2018-12122 can be bypassed via keep-alive requests</a></li> <li>[01:00:28] <a href="https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/" rel="nofollow" target="_blank">A Trivial Privilege Escalation Bug in Windows Service Tracing (CVE-2020-0668)</a></li> <ul><li><a href="https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html" rel="nofollow" target="_blank">https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html</a></li></ul> <li>[01:05:01] <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00307.html" rel="nofollow" target="_blank">Intel CSME Escalation of Privilege</a></li> <li>[01:07:41] <a href="https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part1.html" rel="nofollow" target="_blank">Project Zero: A day^W^W Several months in the life of Project Zero</a></li> <li>[01:18:54] <a href="https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html" rel="nofollow" target="_blank">Project Zero: Mitigations are attack surface, too</a></li> <ul><li><a href="https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html" rel="nofollow" target="_blank">https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html</a></li></ul> <li>[01:33:42] <a href="https://packetstormsecurity.com/files/156317/Samsung-SEND_FILE_WITH_HEADER-Use-After-Free.html" rel="nofollow" target="_blank">Samsung SEND_FILE_WITH_HEADER Use-After-Free</a></li> <li>[01:35:52] <a href="https://packetstormsecurity.com/files/156334/GS20200213155604.tgz" rel="nofollow" target="_blank">Samsung /dev/tsmux Heap Out-Of-Bounds Write</a></li> <li>[01:39:55] <a href="https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html" rel="nofollow" target="_blank">Exploiting a Linux kernel vulnerability in the V4L2 subsystem (CVE-2019-18683)</a></li> <li>[01:45:10] <a href="http://www.cs.ucr.edu/~zhiyunq/pub/sec20_koobe.pdf" rel="nofollow" target="_blank">KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities</a></li> <li>[01:54:06] <a href="https://arxiv.org/abs/2002.03416v1" rel="nofollow" target="_blank">HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing</a></li> <li>[01:58:14] <a href="https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/07/Hyper-Cube-NDSS20.pdf" rel="nofollow" target="_blank">HYPER-CUBE: High-Dimensional Hypervisor Fuzzing</a></li> <li>[02:02:21] <a href="https://research.kudelskisecurity.com/2020/02/12/fido2-deep-dive-attestations-trust-model-and-security/" rel="nofollow" target="_blank">FIDO2 Deep Dive: Attestations, Trust model and Security</a></li> <li>[02:03:04] <a href="http://www.phrack.org/papers/emulating_hypervisors_samsung_rkp.html" rel="nofollow" target="_blank">Hypervisor Necromancy; Reanimating Kernel Protectors</a></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing

Ok Google! Bypass authentication..and while we're at it, lets explot sudo and OpenSMPTD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues.  Correction: During the segment about the sudo (pwfeedback) exploit I incorrectly described the issue as a stack-based buffer overflow, however the buf variable is declared as static so it ends up in .bss and not on the stack. ~zi Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])    [00:00:22] Charges Dismissed Against Coalfire Employees [00:06:50] Avast to Commence Wind Down of Subsidiary Jumpshot [00:22:10] Say hello to OpenSK: a fully open-source security key implementation [00:28:25] Kraken Identifies Critical Flaw in Trezor Hardware Wallets [00:33:56] Zoom-Zoom: We Are Watching You [00:39:08] TeamViewer using encrypted passwords [00:47:43] Buffer overflow [in sudo] when pwfeedback is set in sudoers (CVE-2019-18634) https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078 https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413 [01:01:23] Opkg susceptible to MITM (CVE-2020-7982) https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8 [01:07:18] LPE and RCE in OpenSMTPD (CVE-2020-7247) [01:14:13] PHP 7.0-7.4 disable_functions bypass 0day PoC https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php [01:28:53] Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I) https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/ [01:40:22] OK Google: bypass the authentication! 

Ok Google! Bypass authentication..and while we're at it, lets explot sudo and OpenSMPTD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues. Correction: During the segment about the sudo (pwfeedback) exploit I incorrectly described the issue as a stack-based buffer overflow, however the buf variable is declared as static so it ends up in .bss and not on the stack. ~zi Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:00:22] <a href="https://www.coalfire.com/News-and-Events/Press-Releases/Charges-Dismissed-Against-Coalfire-Employees" rel="nofollow" target="_blank">Charges Dismissed Against Coalfire Employees</a></li> <li>[00:06:50] <a href="https://press.avast.com/avast-to-commence-wind-down-of-subsidiary-jumpshot" rel="nofollow" target="_blank">Avast to Commence Wind Down of Subsidiary Jumpshot</a></li> <li>[00:22:10] <a href="https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html" rel="nofollow" target="_blank">Say hello to OpenSK: a fully open-source security key implementation</a></li> <li>[00:28:25] <a href="https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/" rel="nofollow" target="_blank">Kraken Identifies Critical Flaw in Trezor Hardware Wallets</a></li> <li>[00:33:56] <a href="https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/" rel="nofollow" target="_blank">Zoom-Zoom: We Are Watching You</a></li> <li>[00:39:08] <a href="https://whynotsecurity.com/blog/teamviewer/" rel="nofollow" target="_blank">TeamViewer using encrypted passwords</a></li> <li>[00:47:43] <a href="https://www.sudo.ws/alerts/pwfeedback.html" rel="nofollow" target="_blank">Buffer overflow [in sudo] when pwfeedback is set in sudoers (CVE-2019-18634)</a></li> <li><a href="https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078" rel="nofollow" target="_blank">https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078</a></li> <li><a href="https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413" rel="nofollow" target="_blank">https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413</a></li> <li>[01:01:23] <a href="https://lists.infradead.org/pipermail/openwrt-devel/2020-January/021544.html" rel="nofollow" target="_blank">Opkg susceptible to MITM (CVE-2020-7982)</a></li> <li><a href="https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8" rel="nofollow" target="_blank">https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8</a></li> <li>[01:07:18] <a href="https://www.openwall.com/lists/oss-security/2020/01/28/3" rel="nofollow" target="_blank">LPE and RCE in OpenSMTPD (CVE-2020-7247)</a></li> <li>[01:14:13] <a href="https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass" rel="nofollow" target="_blank">PHP 7.0-7.4 disable_functions bypass 0day PoC</a></li> <li><a href="https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php" rel="nofollow" target="_blank">https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php</a></li> <li>[01:28:53] <a href="https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/" rel="nofollow" target="_blank">Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I)</a></li> <li><a href="https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/" rel="nofollow" target="_blank">https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/</a></li> <li>[01:40:22] <a href="https://techblog.mediaservice.net/2020/01/ok-google-bypass-the-authentication/" rel="nofollow" target="_blank">OK Google: bypass the authentication!</a></li> </ul>

OK Google, sudo ./hacktheplanet

This week we look at 15 CVEs this week including the new MDS Attacks/Zombieload and GhostImage a cool attack against vision-based classification systems. We also have discussion about mobile vs desktop security. Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)  [00:01:33] Pwn2Own Miami 2020 [00:06:32] Allegations that Saudi Crown Prince involved in hacking of Jeff Bezos’ phone https://twitter.com/dinodaizovi/status/1221324029841244161 [00:11:25] Chris Rohlf on Twitter: "...Mobile security was largely a success relative to the state of the desktop..." [00:25:49] More MDS Attacks: Intel Patching its Patch of the Patch for MDS/ZombieLoad Attacks https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b [00:31:34] MDHex Vulnerabilities [00:42:55] JSSE Client Authentication Bypass (CVE-2020-2655) [00:55:37] Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363) [00:58:34] ModSecurity Denial of Service (CVE-2019-19886) [01:02:47] GGvulnz - How I hacked hundreds of companies through Google Groups [01:09:14] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption (CVE-2020-6857) [01:14:40] arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault - Patchwork [01:18:54] Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability (CVE-2020-3142) [01:21:35] iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU (CVE-2019-14615) [01:28:41] Information Leaks via Safari's Intelligent Tracking Prevention [01:39:02] GhostImage: Perception Domain Attacks against Vision-based Object Classification Systems [01:44:46] Nightmare - A collection of binary exploitation / reverse engineering challenges and writeups [01:49:26] The Life of a Bad Security Fix [01:51:22] macOS/iOS: ImageIO: heap corruption when processing malformed TIFF image

This week we look at 15 CVEs this week including the new MDS Attacks/Zombieload and GhostImage a cool attack against vision-based classification systems. We also have discussion about mobile vs desktop security. Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) <ul> <li>[00:01:33] <a href="https://www.zerodayinitiative.com/blog/2020/1/21/pwn2own-miami-2020-schedule-and-live-results" rel="nofollow" target="_blank">Pwn2Own Miami 2020</a></li> <li>[00:06:32] <a href="https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25488" rel="nofollow" target="_blank">Allegations that Saudi Crown Prince involved in hacking of Jeff Bezos’ phone</a></li> <ul><li><a href="https://twitter.com/dinodaizovi/status/1221324029841244161" rel="nofollow" target="_blank">https://twitter.com/dinodaizovi/status/1221324029841244161</a></li></ul> <li>[00:11:25] <a href="https://twitter.com/chrisrohlf/status/1220482406345519104?s=19" rel="nofollow" target="_blank">Chris Rohlf on Twitter: "...Mobile security was largely a success relative to the state of the desktop..."</a></li> <li>[00:25:49] <a href="https://mdsattacks.com/#ridl-nng" rel="nofollow" target="_blank">More MDS Attacks: Intel Patching its Patch of the Patch for MDS/ZombieLoad Attacks</a></li> <ul><li><a href="https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b" rel="nofollow" target="_blank">https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b</a></li></ul> <li>[00:31:34] <a href="https://www.cybermdx.com/vulnerability-research-disclosures/cic-pro-and-other-ge-devices" rel="nofollow" target="_blank">MDHex Vulnerabilities</a></li> <li>[00:42:55] <a href="https://web-in-security.blogspot.com/2020/01/cve-2020-2655-jsse-client.html" rel="nofollow" target="_blank">JSSE Client Authentication Bypass (CVE-2020-2655)</a></li> <li>[00:55:37] <a href="https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/" rel="nofollow" target="_blank">Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363)</a></li> <li>[00:58:34] <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/" rel="nofollow" target="_blank">ModSecurity Denial of Service (CVE-2019-19886)</a></li> <li>[01:02:47] <a href="https://medium.com/@milanmagyar/ggvulnz-how-i-hacked-hundreds-of-companies-through-google-groups-b69c658c8924" rel="nofollow" target="_blank">GGvulnz - How I hacked hundreds of companies through Google Groups</a></li> <li>[01:09:14] <a href="https://seclists.org/fulldisclosure/2020/Jan/29" rel="nofollow" target="_blank">Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption (CVE-2020-6857)</a></li> <li>[01:14:40] <a href="https://lore.kernel.org/patchwork/patch/1157641/" rel="nofollow" target="_blank">arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault - Patchwork</a></li> <li>[01:18:54] <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin" rel="nofollow" target="_blank">Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability (CVE-2020-3142)</a></li> <li>[01:21:35] <a href="https://github.com/HE-Wenjian/iGPU-Leak" rel="nofollow" target="_blank">iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU (CVE-2019-14615)</a></li> <li>[01:28:41] <a href="https://arxiv.org/abs/2001.07421v1" rel="nofollow" target="_blank">Information Leaks via Safari's Intelligent Tracking Prevention</a></li> <li>[01:39:02] <a href="https://arxiv.org/abs/2001.07792v1" rel="nofollow" target="_blank">GhostImage: Perception Domain Attacks against Vision-based Object Classification Systems</a></li> <li>[01:44:46] <a href="https://github.com/guyinatuxedo/nightmare" rel="nofollow" target="_blank">Nightmare - A collection of binary exploitation / reverse engineering challenges and writeups</a></li> <li>[01:49:26] <a href="https://grsecurity.net/the_life_of_a_bad_security_fix" rel="nofollow" target="_blank">The Life of a Bad Security Fix</a></li> <li>[01:51:22] <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1952" rel="nofollow" target="_blank">macOS/iOS: ImageIO: heap corruption when processing malformed TIFF image</a></li></ul>

Return of the Zombieload, Bezos Hacked, and other exploits

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])  [00:02:09] Thousands of hacked Disney+ accounts are already for sale [00:06:33] Faking an iVote decryption proof [00:16:20] "robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests." [00:30:13] "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file" [00:35:42] HHVM Security Update [00:38:18] Symantec Endpoint Protection - Self-Defense Bypass - CVE-2019-12758 [00:38:27] McAfee - All Editions - Self-Defense Bypass - CVE-2019-3648 [00:43:26] Imperceptible Adversarial Attacks on Tabular Data [00:48:48] 5GReasoner: A Property-Directed Security and Privacy AnalysisFramework for 5G Cellular Network Protocol [00:55:26] Fuzzing Qualcomm Secure Execution Environment and CVE-2019-10574 [01:00:32] TPM-Fail [01:08:54] Mitigations for Jump Conditional Code Erratum [01:14:35] More MDS Attacks [01:22:55] Tianfu Cup [01:27:48] Protecting against code reuse in the Linux kernel with Shadow Call Stack [01:34:04] Security things in Linux v5.3 [01:50:36] A Security Perspective on Unikernels [01:54:26] Announcing GitHub Security Lab: securing the world's code, together [02:09:32] Huawei introduces new invite-only bug bounty program [02:12:37] Interpol plans to condemn encryption spread, citing predators, sources say https://www.youtube.com/watch?v=VPBH1eW28mo [02:17:33] How a turf war and a botched contract

Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:02:09] <a href="https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/" rel="nofollow" target="_blank">Thousands of hacked Disney+ accounts are already for sale</a></li> <li>[00:06:33] <a href="https://people.eng.unimelb.edu.au/vjteague/iVoteDecryptionProofCheat.pdf" rel="nofollow" target="_blank">Faking an iVote decryption proof</a></li> <li>[00:16:20] <a href="https://twitter.com/lrvick/status/1182823213736161280" rel="nofollow" target="_blank">"robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests."</a></li> <li>[00:30:13] <a href="https://www.facebook.com/security/advisories/cve-2019-11931" rel="nofollow" target="_blank">"A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file"</a></li> <li>[00:35:42] <a href="https://hhvm.com/blog/2019/10/28/security-update.html" rel="nofollow" target="_blank">HHVM Security Update</a></li> <li>[00:38:18] <a href="https://safebreach.com/Post/Symantec-Endpoint-Protection-Self-Defense-Bypass-and-Potential-Usages-CVE-2019-12758" rel="nofollow" target="_blank">Symantec Endpoint Protection - Self-Defense Bypass - CVE-2019-12758</a></li> <li>[00:38:27] <a href="https://safebreach.com/Post/McAfee-All-Editions-MTP-AVP-MIS-Self-Defense-Bypass-and-Potential-Usages-CVE-2019-3648" rel="nofollow" target="_blank">McAfee - All Editions - Self-Defense Bypass - CVE-2019-3648</a></li> <li>[00:43:26] <a href="https://arxiv.org/pdf/1911.03274v1.pdf" rel="nofollow" target="_blank">Imperceptible Adversarial Attacks on Tabular Data</a></li> <li>[00:48:48] <a href="https://relentless-warrior.github.io/wp-content/uploads/2019/10/5GReasoner.pdf" rel="nofollow" target="_blank">5GReasoner: A Property-Directed Security and Privacy AnalysisFramework for 5G Cellular Network Protocol</a></li> <li>[00:55:26] <a href="https://research.checkpoint.com/the-road-to-qualcomm-trustzone-apps-fuzzing/" rel="nofollow" target="_blank">Fuzzing Qualcomm Secure Execution Environment and CVE-2019-10574</a></li> <li>[01:00:32] <a href="http://tpm.fail/" rel="nofollow" target="_blank">TPM-Fail</a></li> <li>[01:08:54] <a href="https://www.intel.com/content/dam/support/us/en/documents/processors/mitigations-jump-conditional-code-erratum.pdf" rel="nofollow" target="_blank">Mitigations for Jump Conditional Code Erratum</a></li> <li>[01:14:35] <a href="https://mdsattacks.com/" rel="nofollow" target="_blank">More MDS Attacks</a></li> <li>[01:22:55] <a href="http://www.tianfucup.com/" rel="nofollow" target="_blank">Tianfu Cup</a></li> <li>[01:27:48] <a href="https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux_30.html" rel="nofollow" target="_blank">Protecting against code reuse in the Linux kernel with Shadow Call Stack</a></li> <li>[01:34:04] <a href="https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/" rel="nofollow" target="_blank">Security things in Linux v5.3</a></li> <li>[01:50:36] <a href="https://arxiv.org/abs/1911.06260v1" rel="nofollow" target="_blank">A Security Perspective on Unikernels</a></li> <li>[01:54:26] <a href="https://github.blog/2019-11-14-announcing-github-security-lab-securing-the-worlds-code-together/" rel="nofollow" target="_blank">Announcing GitHub Security Lab: securing the world's code, together</a></li> <li>[02:09:32] <a href="https://twitter.com/Fox0x01/status/1195738082819166208?s=20" rel="nofollow" target="_blank">Huawei introduces new invite-only bug bounty program</a></li> <li>[02:12:37] <a href="https://www.reuters.com/article/us-interpol-encryption-exclusive/exclusive-interpol-plans-to-condemn-encryption-spread-citing-predators-sources-say-idUSKBN1XR0S7" rel="nofollow" target="_blank">Interpol plans to condemn encryption spread, citing predators, sources say</a></li> <li><a href="https://www.youtube.com/watch?v=VPBH1eW28mo" rel="nofollow" target="_blank">https://www.youtube.com/watch?v=VPBH1eW28mo</a></li> <li>[02:17:33] <a href="https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/" rel="nofollow" target="_blank">How a turf war and a botched contract</a></li></ul>

Election hacking, Kernel Security, MDS Attacks and Github's Security Lab

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])    [00:02:08] Protecting users from government-backed hacking and disinformation [00:10:23] ENISA threat landscape for 5G Networks  [00:16:13] EU raises eyebrows at possible US encryption ban [00:24:16] You watch TV. Your TV watches back. [00:34:44] CWE - Top 25 https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html [00:46:58] LPE in K7 Security Anti-Virus (CVE-2019-16897) [00:47:09] Weak Crypto in Forinet Products [01:01:37] CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263 [01:04:32] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions [01:10:41] Synology DSM Remote Command Injection [01:16:45] SpoC: Spoofing Camera Fingerprints [01:24:44] Defending Against Adversarial Machine Learning [01:34:21] Can Attention Masks Improve Adversarial Robustness? [01:38:58] Hidviz [01:41:05] IDA 7 Demo Release [01:47:54] Windows Terminal (Preview) 0.7 Release 

Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:02:08] <a href="https://blog.google/technology/safety-security/threat-analysis-group/protecting-users-government-backed-hacking-and-disinformation/" rel="nofollow" target="_blank">Protecting users from government-backed hacking and disinformation</a></li> <li>[00:10:23] <a href="https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks" rel="nofollow" target="_blank">ENISA threat landscape for 5G Networks </a></li> <li>[00:16:13] <a href="https://nakedsecurity.sophos.com/2019/11/27/eu-raises-eyebrows-at-possible-us-encryption-ban/" rel="nofollow" target="_blank">EU raises eyebrows at possible US encryption ban</a></li> <li>[00:24:16] <a href="https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/" rel="nofollow" target="_blank">You watch TV. Your TV watches back.</a></li> <li>[00:34:44] <a href="https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html" rel="nofollow" target="_blank">CWE - Top 25</a></li> <ul><li><a href="https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html" rel="nofollow" target="_blank">https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html</a></li></ul> <li>[00:46:58] <a href="https://0x00sec.org/t/anti-virus-exploitation-local-privilege-escalation-in-k7-security-cve-2019-16897/17655" rel="nofollow" target="_blank">LPE in K7 Security Anti-Virus (CVE-2019-16897)</a></li> <li>[00:47:09] <a href="https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/" rel="nofollow" target="_blank">Weak Crypto in Forinet Products</a></li> <li>[01:01:37] <a href="https://seclists.org/fulldisclosure/2019/Nov/27" rel="nofollow" target="_blank">CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable</a></li> <ul><li><a href="https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263" rel="nofollow" target="_blank">https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263</a></li></ul> <li>[01:04:32] <a href="https://seclists.org/fulldisclosure/2019/Nov/33" rel="nofollow" target="_blank">Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions</a></li> <li>[01:10:41] <a href="https://ssd-disclosure.com/archives/4047/ssd-advisory-synology-dsm-remote-command-injection" rel="nofollow" target="_blank">Synology DSM Remote Command Injection</a></li> <li>[01:16:45] <a href="https://arxiv.org/abs/1911.12069v1" rel="nofollow" target="_blank">SpoC: Spoofing Camera Fingerprints</a></li> <li>[01:24:44] <a href="https://arxiv.org/abs/1911.11746v1" rel="nofollow" target="_blank">Defending Against Adversarial Machine Learning</a></li> <li>[01:34:21] <a href="https://arxiv.org/abs/1911.11946v1" rel="nofollow" target="_blank">Can Attention Masks Improve Adversarial Robustness?</a></li> <li>[01:38:58] <a href="https://github.com/ondrejbudai/hidviz/" rel="nofollow" target="_blank">Hidviz</a></li> <li>[01:41:05] <a href="https://out7.hex-rays.com/demo/request" rel="nofollow" target="_blank">IDA 7 Demo Release</a></li> <li>[01:47:54] <a href="https://devblogs.microsoft.com/commandline/windows-terminal-preview-v0-7-release/" rel="nofollow" target="_blank">Windows Terminal (Preview) 0.7 Release</a></li> </ul>

CWE Top 25, Hacking Anti-Viruses and Adversarial Machine Learning Attacks

Hack Twitter

Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco, vulns for days impacting several big names and a couple new attack ideas, blind regex injection and GhostKnight a technique to breach data integrity using speculative execution.    [00:01:07] Updated re. Sudo Exploit [00:03:32] Charges Filed against Four Chinese PLA Hackers for part in 2017 Equifax Breach [00:06:06] Announcing a Targeted Incentive Program for Selected Trend Micro Products [00:11:01] Android Security Bulletin - February 2020 https://android.googlesource.com/kernel/common/+/5eeb2ca0 https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0 [00:17:06] Critical Bluetooth Vulnerability in Android (CVE-2020-0022) [00:22:48] Dangerous Domain Corp.com Goes Up for Sale [00:37:43] NordVPN - IDOR allow access to payments data of any user https://hackerone.com/nordvpn [00:43:35] Twitter - Bypass Password Authentication for updating email and phone number [00:48:27] WhatsApp Desktop XSS to Local File read (CVE-2019-18426) [01:03:03] CDPwn: 5 Zero-Days in Cisco Discovery Protocol [01:15:07] A Rough Idea of Blind Regular Expression Injection Attack https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques [01:20:45] GhostKnight: Breaching Data Integrity via Speculative Execution [01:26:00] BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness [01:30:27] Forging SWIFT MT Payment Messages for fun and pr... research! [01:35:22] Grooming the iOS Kernel Heap   Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco, vulns for days impacting several big names and a couple new attack ideas, blind regex injection and GhostKnight a technique to breach data integrity using speculative execution. <ul> <li>[00:01:07] <a href="https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L125" rel="nofollow" target="_blank">Updated re. Sudo Exploit</a></li> <li>[00:03:32] <a href="https://www.justice.gov/opa/press-release/file/1246891/download" rel="nofollow" target="_blank">Charges Filed against Four Chinese PLA Hackers for part in 2017 Equifax Breach</a></li> <li>[00:06:06] <a href="https://www.thezdi.com/blog/2020/2/9/announcing-a-targeted-incentive-program-for-selected-trend-micro-products" rel="nofollow" target="_blank">Announcing a Targeted Incentive Program for Selected Trend Micro Products</a></li> <li>[00:11:01] <a href="https://source.android.com/security/bulletin/2020-02-01.html" rel="nofollow" target="_blank">Android Security Bulletin - February 2020</a></li> <ul><li><a href="https://android.googlesource.com/kernel/common/+/5eeb2ca0" rel="nofollow" target="_blank">https://android.googlesource.com/kernel/common/+/5eeb2ca0</a></li></ul> <ul><li><a href="https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0" rel="nofollow" target="_blank">https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0</a></li></ul> <li>[00:17:06] <a href="https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf" rel="nofollow" target="_blank">Critical Bluetooth Vulnerability in Android (CVE-2020-0022)</a></li> <li>[00:22:48] <a href="https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/" rel="nofollow" target="_blank">Dangerous Domain Corp.com Goes Up for Sale</a></li> <li>[00:37:43] <a href="https://hackerone.com/reports/751577" rel="nofollow" target="_blank">NordVPN - IDOR allow access to payments data of any user</a></li> <ul><li><a href="https://hackerone.com/nordvpn" rel="nofollow" target="_blank">https://hackerone.com/nordvpn</a></li></ul> <li>[00:43:35] <a href="https://hackerone.com/reports/770504" rel="nofollow" target="_blank">Twitter - Bypass Password Authentication for updating email and phone number</a></li> <li>[00:48:27] <a href="https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/" rel="nofollow" target="_blank">WhatsApp Desktop XSS to Local File read (CVE-2019-18426)</a></li> <li>[01:03:03] <a href="https://www.armis.com/cdpwn/" rel="nofollow" target="_blank">CDPwn: 5 Zero-Days in Cisco Discovery Protocol</a></li> <li>[01:15:07] <a href="https://diary.shift-js.info/blind-regular-expression-injection/" rel="nofollow" target="_blank">A Rough Idea of Blind Regular Expression Injection Attack</a></li> <ul><li><a href="https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques" rel="nofollow" target="_blank">https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques</a></li></ul> <li>[01:20:45] <a href="https://arxiv.org/abs/2002.00524v1" rel="nofollow" target="_blank">GhostKnight: Breaching Data Integrity via Speculative Execution</a></li> <li>[01:26:00] <a href="https://arxiv.org/abs/2002.01078v1" rel="nofollow" target="_blank">BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness</a></li> <li>[01:30:27] <a href="https://labs.f-secure.com/blog/forging-swift-mt-payment-messages" rel="nofollow" target="_blank">Forging SWIFT MT Payment Messages for fun and pr... research!</a></li> <li>[01:35:22] <a href="https://azeria-labs.com/grooming-the-ios-kernel-heap/" rel="nofollow" target="_blank">Grooming the iOS Kernel Heap</a></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])    [00:00:35] SHA-1 is a Shambles https://www.youtube.com/watch?v=Gh6p7Y74m9A [00:14:50] Government-funded phones come pre-installed with unremovable malware [00:22:09] Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla [00:27:02] CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway https://github.com/projectzeroindia/CVE-2019-19781 https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/ https://twitter.com/GossiTheDog/status/1215785949709459456 [00:38:20] Project Zero: Policy and Disclosure: 2020 Edition https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html [00:52:07] Privileged Access Never (PAN) - Another day, another broken mitigation. [00:57:43] Tik or Tok? Is TikTok secure enough? [01:18:33] Fortinet FortiSIEM Hardcoded SSH Key [01:22:58] Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 [01:32:00] WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning [01:36:00] QSOR: Quantum-Safe Onion Routing [01:45:09] Browser Games Aren't an Easy Target [01:46:31] Reverse engineering RNG in a GBA game https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use 

Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:00:35] <a href="https://sha-mbles.github.io/" rel="nofollow" target="_blank">SHA-1 is a Shambles</a></li> <ul><li><a href="https://www.youtube.com/watch?v=Gh6p7Y74m9A" rel="nofollow" target="_blank">https://www.youtube.com/watch?v=Gh6p7Y74m9A</a></li></ul> <li>[00:14:50] <a href="https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/" rel="nofollow" target="_blank">Government-funded phones come pre-installed with unremovable malware</a></li> <li>[00:22:09] <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/" rel="nofollow" target="_blank">Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla</a></li> <li>[00:27:02] <a href="https://support.citrix.com/article/CTX267027" rel="nofollow" target="_blank">CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway</a></li> <ul><li><a href="https://github.com/projectzeroindia/CVE-2019-19781" rel="nofollow" target="_blank">https://github.com/projectzeroindia/CVE-2019-19781</a></li></ul> <ul><li><a href="https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/" rel="nofollow" target="_blank">https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/</a></li></ul> <ul><li><a href="https://twitter.com/GossiTheDog/status/1215785949709459456" rel="nofollow" target="_blank">https://twitter.com/GossiTheDog/status/1215785949709459456</a></li></ul> <li>[00:38:20] <a href="https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html" rel="nofollow" target="_blank">Project Zero: Policy and Disclosure: 2020 Edition</a></li> <ul><li><a href="https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html" rel="nofollow" target="_blank">https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html</a></li></ul> <li>[00:52:07] <a href="https://siguza.github.io/PAN/" rel="nofollow" target="_blank">Privileged Access Never (PAN) - Another day, another broken mitigation.</a></li> <li>[00:57:43] <a href="https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/" rel="nofollow" target="_blank">Tik or Tok? Is TikTok secure enough?</a></li> <li>[01:18:33] <a href="https://seclists.org/fulldisclosure/2020/Jan/10" rel="nofollow" target="_blank">Fortinet FortiSIEM Hardcoded SSH Key</a></li> <li>[01:22:58] <a href="https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html" rel="nofollow" target="_blank">Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641</a></li> <li>[01:32:00] <a href="https://arxiv.org/abs/2001.01952v1" rel="nofollow" target="_blank">WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning</a></li> <li>[01:36:00] <a href="https://arxiv.org/abs/2001.03418v1" rel="nofollow" target="_blank">QSOR: Quantum-Safe Onion Routing</a></li> <li>[01:45:09] <a href="http://jakob.space/blog/browser-games-aren-t-an-easy-target.html" rel="nofollow" target="_blank">Browser Games Aren't an Easy Target</a></li> <li>[01:46:31] <a href="https://xy2.dev/article/re-skgba/re-skgba.html" rel="nofollow" target="_blank">Reverse engineering RNG in a GBA game</a></li> <ul><li><a href="https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use" rel="nofollow" target="_blank">https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use</a></li></ul> </ul>

SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing?

Join Specter and zi at they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPd.  [00:01:13] Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen  [00:06:13] Firefox continues push to bring DNS over HTTPS by default for US users https://github.com/curl/curl/wiki/DNS-over-HTTPS [00:19:07] Securing Memory at EPYC Scale  [00:26:30] How a Hacker's Mom Broke Into a Prison—and the Warden's Computer  [00:29:12]  kr00k | ESET  [00:33:14] CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys  [00:37:41] CVE-2020-1938: Ghostcat vulnerability  [00:46:16] LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)  [00:55:43] Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance https://hackerone.com/reports/374737 [01:00:30] x-request-id header reflected in server response without sanitization  [01:05:54] Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection https://hackerone.com/valve/hacktivity [01:12:56] Samsung Kernel /dev/hdcp2 hdcp_session_close() Race Condition  [01:14:59] Samsung Kernel Arbitrary /dev/vipx / /dev/vertex kfree  [01:18:34] Samsung Kernel /dev/vipx Pointer Leak  [01:22:21] HFL: Hybrid Fuzzing on the Linux Kernel – NDSS Symposium  [01:30:32] Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensors  [01:38:27] Evasion techniques  [01:39:31] Hacking Unicode Like a Boss  [01:43:05] Pwning VMware, Part 2: ZDI-19-421, a UHCI bug | nafod  [01:44:48] Intro to chrome's v8 from an exploit development angle  Watch Live on Twitch (@dayzerosec) at 3PM EST

Join Specter and zi at they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPd. <ul> <li>[00:01:13] <a href="https://www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen" rel="nofollow" target="_blank">Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen</a> </li> <li>[00:06:13] <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/" rel="nofollow" target="_blank">Firefox continues push to bring DNS over HTTPS by default for US users</a> <ul><li><a href="https://github.com/curl/curl/wiki/DNS-over-HTTPS" rel="nofollow" target="_blank">https://github.com/curl/curl/wiki/DNS-over-HTTPS</a></li></ul></li> <li>[00:19:07] <a href="https://blog.cloudflare.com/securing-memory-at-epyc-scale/" rel="nofollow" target="_blank">Securing Memory at EPYC Scale</a> </li> <li>[00:26:30] <a href="https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/" rel="nofollow" target="_blank">How a Hacker's Mom Broke Into a Prison—and the Warden's Computer</a> </li> <li>[00:29:12] <a href="https://www.eset.com/int/kr00k/" rel="nofollow" target="_blank"> kr00k | ESET</a> </li> <li>[00:33:14] <a href="https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys" rel="nofollow" target="_blank">CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys</a> </li> <li>[00:37:41] <a href="https://www.chaitin.cn/en/ghostcat" rel="nofollow" target="_blank">CVE-2020-1938: Ghostcat vulnerability</a> </li> <li>[00:46:16] <a href="https://www.qualys.com/2020/02/24/cve-2020-8794/lpe-rce-opensmtpd-default-install.txt" rel="nofollow" target="_blank">LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)</a> </li> <li>[00:55:43] <a href="https://hackerone.com/reports/756149" rel="nofollow" target="_blank">Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance</a> <ul><li><a href="https://hackerone.com/reports/374737" rel="nofollow" target="_blank">https://hackerone.com/reports/374737</a></li></ul></li> <li>[01:00:30] <a href="https://hackerone.com/reports/798686" rel="nofollow" target="_blank">x-request-id header reflected in server response without sanitization</a> </li> <li>[01:05:54] <a href="https://hackerone.com/reports/397545" rel="nofollow" target="_blank">Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection</a> <ul><li><a href="https://hackerone.com/valve/hacktivity" rel="nofollow" target="_blank">https://hackerone.com/valve/hacktivity</a></li></ul></li> <li>[01:12:56] <a href="https://packetstormsecurity.com/files/156560/GS20200228071051.tgz" rel="nofollow" target="_blank">Samsung Kernel /dev/hdcp2 hdcp_session_close() Race Condition</a> </li> <li>[01:14:59] <a href="https://packetstormsecurity.com/files/156558/GS20200228070705.tgz" rel="nofollow" target="_blank">Samsung Kernel Arbitrary /dev/vipx / /dev/vertex kfree</a> </li> <li>[01:18:34] <a href="https://packetstormsecurity.com/files/156557/GS20200228070551.tgz" rel="nofollow" target="_blank">Samsung Kernel /dev/vipx Pointer Leak</a> </li> <li>[01:22:21] <a href="https://www.ndss-symposium.org/ndss-paper/hfl-hybrid-fuzzing-on-the-linux-kernel/" rel="nofollow" target="_blank">HFL: Hybrid Fuzzing on the Linux Kernel – NDSS Symposium</a> </li> <li>[01:30:32] <a href="https://arxiv.org/abs/1810.10109" rel="nofollow" target="_blank">Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensors</a> </li> <li>[01:38:27] <a href="https://evasions.checkpoint.com/" rel="nofollow" target="_blank">Evasion techniques</a> </li> <li>[01:39:31] <a href="https://www.bugcrowd.com/blog/hacking-unicode-like-a-boss/" rel="nofollow" target="_blank">Hacking Unicode Like a Boss</a> </li> <li>[01:43:05] <a href="https://nafod.net/blog/2020/02/29/zdi-19-421-uhci.html" rel="nofollow" target="_blank">Pwning VMware, Part 2: ZDI-19-421, a UHCI bug | nafod</a> </li> <li>[01:44:48] <a href="https://sensepost.com/blog/2020/intro-to-chromes-v8-from-an-exploit-development-angle/" rel="nofollow" target="_blank">Intro to chrome's v8 from an exploit development angle</a> </li></ul> Watch Live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> at 3PM EST

 kr00k, GhostCat, and more issues from NordVPN, Samsung, OpenSMTPd

A New AMD sidechannel, and an old intel CSME attack, a couple deserialization attacks, and a few clever but not terribly useful attacks, and some discussion about memory tagging on this weeks episode of DAY[0].  [00:00:21] Election Security 2020: Don't Let Disinformation Undermine Your Right to Vote  [00:06:52] Announcing Remote Participation in Pwn2Own Vancouver  [00:11:22] Revoking certain certificates on March 4  [00:19:40] FuzzBench: Fuzzer Benchmarking as a Service  [00:28:53] Intel x86 Root of Trust: loss of trust   [00:39:07] Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors  [00:49:11] VU#782301 - pppd vulnerable to buffer overflow due to a flaw in EAP packet processing https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636afhttps://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426 [00:55:11] MediaTek rootkit affecting millions of Android devices  [01:01:56] Zoho ManageEngine RCE  [01:11:25] RCE Through a Deserialization Bug in Oracle's WebLogic Server (CVE-2020-2555)  [01:14:22] Regex Vulnerabilities - parse-community/parse-server  [01:18:57] HTTP request smuggling using malformed Transfer-Encoding header  [01:27:20] [Nextcloud] Delete All Data of Any User  [01:30:36] Dismantling DST80-based Immobiliser Systems  [01:37:53] Exploring Backdoor Poisoning Attacks Against Malware Classifiers  [01:45:59] Code Renewability for Native Software Protection  [01:55:42] Security Analysis of Memory Tagging  [02:04:15] DangKiller: Eliminating Dangling Pointers Efficiently via Implicit Identifier   Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

A New AMD sidechannel, and an old intel CSME attack, a couple deserialization attacks, and a few clever but not terribly useful attacks, and some discussion about memory tagging on this weeks episode of DAY[0]. <ul> <li>[00:00:21] <a href="https://www.bugcrowd.com/blog/election-security-disinformation/" rel="nofollow" target="_blank">Election Security 2020: Don't Let Disinformation Undermine Your Right to Vote</a> </li> <li>[00:06:52] <a href="https://www.thezdi.com/blog/2020/3/3/announcing-remote-participation-in-pwn2own-vancouver" rel="nofollow" target="_blank">Announcing Remote Participation in Pwn2Own Vancouver</a> </li> <li>[00:11:22] <a href="https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864" rel="nofollow" target="_blank">Revoking certain certificates on March 4</a> </li> <li>[00:19:40] <a href="https://security.googleblog.com/2020/03/fuzzbench-fuzzer-benchmarking-as-service.html" rel="nofollow" target="_blank">FuzzBench: Fuzzer Benchmarking as a Service</a> </li> <li>[00:28:53] <a href="http://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html" rel="nofollow" target="_blank">Intel x86 Root of Trust: loss of trust </a> </li> <li>[00:39:07] <a href="https://mlq.me/download/takeaway.pdf" rel="nofollow" target="_blank">Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors</a> </li> <li>[00:49:11] <a href="https://www.kb.cert.org/vuls/id/782301/" rel="nofollow" target="_blank">VU#782301 - pppd vulnerable to buffer overflow due to a flaw in EAP packet processing</a> <ul><li><a href="https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636af" rel="nofollow" target="_blank">https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636af</a></li><li><a href="https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426" rel="nofollow" target="_blank">https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426</a></li></ul></li> <li>[00:55:11] <a href="https://www.xda-developers.com/mediatek-su-rootkit-exploit/amp/" rel="nofollow" target="_blank">MediaTek rootkit affecting millions of Android devices</a> </li> <li>[01:01:56] <a href="https://srcincite.io/advisories/src-2020-0011/" rel="nofollow" target="_blank">Zoho ManageEngine RCE</a> </li> <li>[01:11:25] <a href="https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server" rel="nofollow" target="_blank">RCE Through a Deserialization Bug in Oracle's WebLogic Server (CVE-2020-2555)</a> </li> <li>[01:14:22] <a href="https://github.com/parse-community/parse-server/security/advisories/GHSA-h4mf-75hf-67w4" rel="nofollow" target="_blank">Regex Vulnerabilities - parse-community/parse-server</a> </li> <li>[01:18:57] <a href="https://hackerone.com/reports/735748" rel="nofollow" target="_blank">HTTP request smuggling using malformed Transfer-Encoding header</a> </li> <li>[01:27:20] <a href="https://hackerone.com/reports/220385" rel="nofollow" target="_blank">[Nextcloud] Delete All Data of Any User</a> </li> <li>[01:30:36] <a href="https://tches.iacr.org/index.php/TCHES/article/view/8546" rel="nofollow" target="_blank">Dismantling DST80-based Immobiliser Systems</a> </li> <li>[01:37:53] <a href="https://arxiv.org/abs/2003.01031v1" rel="nofollow" target="_blank">Exploring Backdoor Poisoning Attacks Against Malware Classifiers</a> </li> <li>[01:45:59] <a href="https://arxiv.org/abs/2003.00916v1" rel="nofollow" target="_blank">Code Renewability for Native Software Protection</a> </li> <li>[01:55:42] <a href="https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf" rel="nofollow" target="_blank">Security Analysis of Memory Tagging</a> </li> <li>[02:04:15] <a href="https://arxiv.org/abs/2003.00916v1" rel="nofollow" target="_blank">DangKiller: Eliminating Dangling Pointers Efficiently via Implicit Identifier</a> </li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

FuzzBench, MediaTek-su, Request Smuggling, and Memory Tagging

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])    [00:02:59] Android Permanent DoS (CVE-2019-2232) [00:08:09] Inferring and hijacking VPN-tunneled TCP connections (CVE-2019-14899) [00:16:00] An Update on Android TLS Adoption [00:25:11] Mozilla and Opera remove Avast extensions from their add-on stores https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/ [00:43:05] Tron: Evolution SecuROM DRM expiration makes game unplayable 9 years after release [00:50:12] Millions of Americans at Risk After Huge Data and SMS Leak [00:54:14] Nebraska Medicine Breached by Rogue Employee [00:56:56] Practical Pentest Labs stores passwords in plaintext [01:05:07] Incident Report | 2019-11-24 Account Takeover via Disclosed Session Cookie [01:13:28] Authentication vulnerabilities in OpenBSD (CVE-2019-19521) [01:24:36] Symantec Endpoint Protection Local Privilege Escalation (CVE-2019-12750) [01:30:09] Omron PLC Denial-of-Service as a Feature https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H https://github.com/Ox6e3062306479/omron/blob/master/cj2m.fins.dos.py [01:38:35] FIRST CONTACT: New vulnerabilities in contactless payments  [01:46:39] Fuzzing Sega Genesis Emulators [01:50:30] Verifiable Voting Primer https://www.youtube.com/watch?v=LkH2r-sNjQs

Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:02:59] <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-2232" rel="nofollow" target="_blank">Android Permanent DoS (CVE-2019-2232)</a></li> <li>[00:08:09] <a href="https://seclists.org/oss-sec/2019/q4/122" rel="nofollow" target="_blank">Inferring and hijacking VPN-tunneled TCP connections (CVE-2019-14899)</a></li> <li>[00:16:00] <a href="https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html" rel="nofollow" target="_blank">An Update on Android TLS Adoption</a></li> <li>[00:25:11] <a href="https://palant.de/2019/12/03/mozilla-removes-avast-extensions-from-their-add-on-store-what-will-google-do/" rel="nofollow" target="_blank">Mozilla and Opera remove Avast extensions from their add-on stores</a></li> <ul><li><a href="https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/" rel="nofollow" target="_blank">https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/</a></li></ul> <li>[00:43:05] <a href="https://community.pcgamingwiki.com/topic/4476-tron-evolution-securom-drm-expiration-makes-game-unplayable-9-years-after-release" rel="nofollow" target="_blank">Tron: Evolution SecuROM DRM expiration makes game unplayable 9 years after release</a></li> <li>[00:50:12] <a href="https://www.vpnmentor.com/blog/report-truedialog-leak/?=truedialog-exposed-data" rel="nofollow" target="_blank">Millions of Americans at Risk After Huge Data and SMS Leak</a></li> <li>[00:54:14] <a href="https://threatpost.com/nebraska-medicine-breached-rogue-employee/150823/" rel="nofollow" target="_blank">Nebraska Medicine Breached by Rogue Employee</a></li> <li>[00:56:56] <a href="https://twitter.com/ppentestlabs/status/1202906268991664128" rel="nofollow" target="_blank">Practical Pentest Labs stores passwords in plaintext</a></li> <li>[01:05:07] <a href="https://hackerone.com/reports/745324" rel="nofollow" target="_blank">Incident Report | 2019-11-24 Account Takeover via Disclosed Session Cookie</a></li> <li>[01:13:28] <a href="https://www.openwall.com/lists/oss-security/2019/12/04/5" rel="nofollow" target="_blank">Authentication vulnerabilities in OpenBSD (CVE-2019-19521)</a></li> <li>[01:24:36] <a href="https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/" rel="nofollow" target="_blank">Symantec Endpoint Protection Local Privilege Escalation (CVE-2019-12750)</a></li> <li>[01:30:09] <a href="https://ics.i3xplore.com/2019/12/06/omron-plc-denial-of-service-as-a-feature/" rel="nofollow" target="_blank">Omron PLC Denial-of-Service as a Feature</a></li> <ul><li><a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" rel="nofollow" target="_blank">https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</a></li></ul> <ul><li><a href="https://github.com/Ox6e3062306479/omron/blob/master/cj2m.fins.dos.py" rel="nofollow" target="_blank">https://github.com/Ox6e3062306479/omron/blob/master/cj2m.fins.dos.py</a></li></ul> <li>[01:38:35] <a href="https://drive.google.com/file/d/1CaRz41bEwWsDZ9bPgdcatcesloxTF6Kv/view?usp=sharing" rel="nofollow" target="_blank">FIRST CONTACT: New vulnerabilities in contactless payments </a></li> <li>[01:46:39] <a href="https://zznop.com/2019/12/08/fuzzing-sega-genesis-emulators/" rel="nofollow" target="_blank">Fuzzing Sega Genesis Emulators</a></li> <li>[01:50:30] <a href="https://rcoh.me/posts/verifiable-voting-primer/" rel="nofollow" target="_blank">Verifiable Voting Primer</a></li> <ul><li><a href="https://www.youtube.com/watch?v=LkH2r-sNjQs" rel="nofollow" target="_blank">https://www.youtube.com/watch?v=LkH2r-sNjQs</a></li></ul></ul>

Permanent DoS, HackerOne Hacked, and Wide-OpenBSD

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])    [00:00:35] PagedOut #2  [00:07:38] Black Friday Deals to watch out for [00:17:59] Official Monero website is hacked to deliver currency-stealing malware [00:26:30] Managing Risk from Transport Lay Security Inspection [00:40:55] US student was allegedly building a custom Gentoo Linux distro for ISIS [00:48:41] Google Outlines Plans for Mainline Linux Kernel Support in Android [00:55:12] Introducing Flan Scan [00:59:44] Expanding Android Security Rewards [01:05:26] Updates to the Mozilla Web Security Bounty Program [01:07:59] XSS in GMail’s AMP4Email via DOM Clobbering [01:17:32] VNC Vulnerabilities (LibVNC, TightVNC, TurboVNC and UltraVNC) [01:26:22] Arbitrary file capture in Kaspersky Total Security 2019 [01:30:43] Bad binder: Android In-The-Wild Exploit [01:36:03] Building Fast Fuzzers https://github.com/gamozolabs/fzero_fuzzer [01:49:47] The Performance of Machine and Deep Learning Classifiers in Detecting Zero-Day Vulnerabilities [02:02:08] PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance 

Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a> <ul> <li>[00:00:35] <a href="https://pagedout.institute/" rel="nofollow" target="_blank">PagedOut #2 </a></li> <li>[00:07:38] <a href="https://dayzerosec.com/posts/black-friday-for-security-professionals/" rel="nofollow" target="_blank">Black Friday Deals to watch out for</a></li> <li>[00:17:59] <a href="https://www.getmonero.org/2019/11/19/warning-compromised-binaries.html" rel="nofollow" target="_blank">Official Monero website is hacked to deliver currency-stealing malware</a></li> <li>[00:26:30] <a href="https://media.defense.gov/2019/Nov/18/2002212783/-1/-1/0/MANAGING%20RISK%20FROM%20TLS%20INSPECTION_20191106.pdf" rel="nofollow" target="_blank">Managing Risk from Transport Lay Security Inspection</a></li> <li>[00:40:55] <a href="https://www.zdnet.com/article/us-student-was-allegedly-building-a-custom-gentoo-linux-distro-for-isis/" rel="nofollow" target="_blank">US student was allegedly building a custom Gentoo Linux distro for ISIS</a></li> <li>[00:48:41] <a href="https://arstechnica.com/gadgets/2019/11/google-outlines-plans-for-mainline-linux-kernel-support-in-android/" rel="nofollow" target="_blank">Google Outlines Plans for Mainline Linux Kernel Support in Android</a></li> <li>[00:55:12] <a href="https://blog.cloudflare.com/introducing-flan-scan/" rel="nofollow" target="_blank">Introducing Flan Scan</a></li> <li>[00:59:44] <a href="https://security.googleblog.com/2019/11/expanding-android-security-rewards.html" rel="nofollow" target="_blank">Expanding Android Security Rewards</a></li> <li>[01:05:26] <a href="https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/" rel="nofollow" target="_blank">Updates to the Mozilla Web Security Bounty Program</a></li> <li>[01:07:59] <a href="https://research.securitum.com/xss-in-amp4email-dom-clobbering/" rel="nofollow" target="_blank">XSS in GMail’s AMP4Email via DOM Clobbering</a></li> <li>[01:17:32] <a href="https://ics-cert.kaspersky.com/reports/2019/11/22/vnc-vulnerability-research/" rel="nofollow" target="_blank">VNC Vulnerabilities (LibVNC, TightVNC, TurboVNC and UltraVNC)</a></li> <li>[01:26:22] <a href="https://seclists.org/fulldisclosure/2019/Nov/21" rel="nofollow" target="_blank">Arbitrary file capture in Kaspersky Total Security 2019</a></li> <li>[01:30:43] <a href="https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html" rel="nofollow" target="_blank">Bad binder: Android In-The-Wild Exploit</a></li> <li>[01:36:03] <a href="https://arxiv.org/pdf/1911.07707.pdf" rel="nofollow" target="_blank">Building Fast Fuzzers</a></li> <ul><li><a href="https://github.com/gamozolabs/fzero_fuzzer" rel="nofollow" target="_blank">https://github.com/gamozolabs/fzero_fuzzer</a></li></ul> <li>[01:49:47] <a href="https://arxiv.org/abs/1911.09586v1" rel="nofollow" target="_blank">The Performance of Machine and Deep Learning Classifiers in Detecting Zero-Day Vulnerabilities</a></li> <li>[02:02:08] <a href="https://arxiv.org/abs/1911.08813v1" rel="nofollow" target="_blank">PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance</a></li> </ul>

What does the NSA say?

Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark, white-hat.  [00:02:32] Humble Book Bundle: Cybersecurity 2020 by Wiley  [00:11:31] Google Summer of Code 2020 https://radare.org/gsoc/2020/ [00:23:01] Critical Issue In ThemeGrill Demo Importer  [00:28:48] Cisco Security Advisory: Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability  [00:32:19] nordvpn Linux Desktop executable application does not use pie / no ASLR  [00:40:57] Race condition (TOCTOU) in NordVPN can result in local privilege escalation  [00:49:17] Periscope android app deeplink leads to CSRF in follow action  [00:54:01] I hacked SlickWraps. This is how. - Lynx0x00 - Medium https://files.catbox.moe/fxn9r2.pdf [01:10:23] Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles   [01:18:31] Edge CVE-2020-0767 RCE POC  [01:22:02] GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath  [01:28:37] CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction  [01:37:31] MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing  [01:49:36] pwn.college BETA  [01:53:17] Microcontroller Readback Protection: Bypasses and Defenses  [01:54:00] Libxml2 Tutorial | AFLplusplus  [01:56:06] Booting iOS on QEMU Research Slides https://github.com/alephsecurity/confs/blob/master/OFFENSIVE20/offensive-20-ios-qemu.pdfhttps://github.com/alephsecurity/xnu-qemu-arm64  Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark, white-hat. <ul> <li>[00:02:32] <a href="https://www.humblebundle.com/books/cybersecurity-2020-wiley-books" rel="nofollow" target="_blank">Humble Book Bundle: Cybersecurity 2020 by Wiley</a> <ul></ul></li> <li>[00:11:31] <a href="https://summerofcode.withgoogle.com/organizations/?sp-category=security" rel="nofollow" target="_blank">Google Summer of Code 2020</a> <ul><li><a href="https://radare.org/gsoc/2020/" rel="nofollow" target="_blank">https://radare.org/gsoc/2020/</a></li></ul></li> <li>[00:23:01] <a href="https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/" rel="nofollow" target="_blank">Critical Issue In ThemeGrill Demo Importer</a> <ul></ul></li> <li>[00:28:48] <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-static-cred-sL8rDs8" rel="nofollow" target="_blank">Cisco Security Advisory: Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability</a> <ul></ul></li> <li>[00:32:19] <a href="https://hackerone.com/reports/771977" rel="nofollow" target="_blank">nordvpn Linux Desktop executable application does not use pie / no ASLR</a> <ul></ul></li> <li>[00:40:57] <a href="https://hackerone.com/reports/768110" rel="nofollow" target="_blank">Race condition (TOCTOU) in NordVPN can result in local privilege escalation</a> <ul></ul></li> <li>[00:49:17] <a href="https://hackerone.com/reports/583987" rel="nofollow" target="_blank">Periscope android app deeplink leads to CSRF in follow action</a> <ul></ul></li> <li>[00:54:01] <a href="https://archive.is/yEIJT" rel="nofollow" target="_blank">I hacked SlickWraps. This is how. - Lynx0x00 - Medium</a> <ul><li><a href="https://files.catbox.moe/fxn9r2.pdf" rel="nofollow" target="_blank">https://files.catbox.moe/fxn9r2.pdf</a></li></ul></li> <li>[01:10:23] <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/model-hacking-adas-to-pave-safer-roads-for-autonomous-vehicles/" rel="nofollow" target="_blank">Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles </a> <ul></ul></li> <li>[01:18:31] <a href="https://github.com/phoenhex/files/blob/master/pocs/cve-2020-0767.js" rel="nofollow" target="_blank">Edge CVE-2020-0767 RCE POC</a> <ul></ul></li> <li>[01:22:02] <a href="https://know.bishopfox.com/research/gadgetprobe" rel="nofollow" target="_blank">GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath</a> <ul></ul></li> <li>[01:28:37] <a href="https://arxiv.org/abs/2002.08437v1" rel="nofollow" target="_blank">CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction</a> <ul></ul></li> <li>[01:37:31] <a href="https://arxiv.org/abs/2002.08568v1" rel="nofollow" target="_blank">MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing</a> <ul></ul></li> <li>[01:49:36] <a href="https://pwn.college/" rel="nofollow" target="_blank">pwn.college BETA</a> <ul></ul></li> <li>[01:53:17] <a href="https://research.nccgroup.com/2020/02/20/whitepaper-microcontroller-readback-protection-bypasses-and-defenses/" rel="nofollow" target="_blank">Microcontroller Readback Protection: Bypasses and Defenses</a> <ul></ul></li> <li>[01:54:00] <a href="https://aflplus.plus/docs/tutorials/libxml2_tutorial/" rel="nofollow" target="_blank">Libxml2 Tutorial | AFLplusplus</a> <ul></ul></li> <li>[01:56:06] <a href="https://github.com/alephsecurity/confs" rel="nofollow" target="_blank">Booting iOS on QEMU Research Slides</a> <ul><li><a href="https://github.com/alephsecurity/confs/blob/master/OFFENSIVE20/offensive-20-ios-qemu.pdf" rel="nofollow" target="_blank">https://github.com/alephsecurity/confs/blob/master/OFFENSIVE20/offensive-20-ios-qemu.pdf</a></li><li><a href="https://github.com/alephsecurity/xnu-qemu-arm64" rel="nofollow" target="_blank">https://github.com/alephsecurity/xnu-qemu-arm64</a></li></ul></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

A Dark White-Hat hacker? and various vulns ft. Cisco, Periscope, NordVPN and Tesla/EyeQ

Update: While we talk about Huawei Kernel Self Protection (HKSP) I make mention of the authors statement that he is unrelated to Huawei. Turns out this statement, despite a commit date of Friday wasn't pushed until Monday morning so it was not original. Further information has also come out showing that the author is a Huawei employee, so the relationship is much closer than I believe it to be. ~zi It was a busy week, Microsofts Github account was hacked, Centurylink Routers have no security, and multiple interactionless RCEs in Samsung phones.  [00:01:45] OpenOrbis PS4 Toolchain  [00:05:06] DEF CON 28 in-person conference is CANCELLED  [00:13:23] The Nintendo leak saga continues...  [00:18:40] Keybase joins Zoom  https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/   [00:33:41] Azure Security Lab - Research Challenge  [00:42:38] Hijacking Centurylink Routers [CVE 2019-19639]  [00:46:24] DoS on Twitter App  [00:51:39] A tale of verbose error message and a JWT token  [01:00:29] Pentesting Cisco SD-WAN Part 2: Breaking routers  [01:04:21] Memory leak and Use After Free in Squid  [01:17:48] How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability  [01:28:30] Samsung Android multiple interactionless RCE  https://github.com/googleprojectzero/SkCodecFuzzer   [01:38:25] Linux futex+VFS Use-After-Free  [01:45:03] Huawei HKSP Introduces Trivially Exploitable Vulnerability  [01:50:32] Ragnarok Stopper: development of a vaccine  [01:55:51] Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs  [02:09:34] Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters  [02:10:19] GitHub - JHUAPL/Beat-the-Machine: Reverse engineering basics in puzzle form  

Update: While we talk about Huawei Kernel Self Protection (HKSP) I make mention of the authors statement that he is unrelated to Huawei. Turns out this statement, despite a commit date of Friday wasn't pushed until Monday morning so it was not original. Further information has also come out showing that the author is a Huawei employee, so the relationship is much closer than I believe it to be. ~zi It was a busy week, Microsofts Github account was hacked, Centurylink Routers have no security, and multiple interactionless RCEs in Samsung phones. <ul> <li>[00:01:45] <a href="https://github.com/OpenOrbis/OpenOrbis-PS4-Toolchain" rel="nofollow" target="_blank">OpenOrbis PS4 Toolchain</a> </li> <li>[00:05:06] <a href="https://forum.defcon.org/node/232005" rel="nofollow" target="_blank">DEF CON 28 in-person conference is CANCELLED</a> </li> <li>[00:13:23] <a href="https://www.resetera.com/threads/the-nintendo-leak-saga-continues-biggest-nintendo-leak-in-history-full-source-code-design-files-for-wii-released-online.196683/" rel="nofollow" target="_blank">The Nintendo leak saga continues...</a> </li> <li>[00:18:40] <a href="https://keybase.io/blog/keybase-joins-zoom" rel="nofollow" target="_blank">Keybase joins Zoom</a> <ul> <li><a href="https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/" rel="nofollow" target="_blank">https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/</a></li> </ul> </li> <li>[00:33:41] <a href="https://www.microsoft.com/en-us/msrc/azure-security-lab" rel="nofollow" target="_blank">Azure Security Lab - Research Challenge</a> </li> <li>[00:42:38] <a href="https://www.lykosec.com/post/cve-2019-19639-hijacking-centurylink-routers" rel="nofollow" target="_blank">Hijacking Centurylink Routers [CVE 2019-19639]</a> </li> <li>[00:46:24] <a href="https://hackerone.com/reports/819088" rel="nofollow" target="_blank">DoS on Twitter App</a> </li> <li>[00:51:39] <a href="https://geleta.eu/2020/a-tale-of-verbose-error-message-and-jwt-token/" rel="nofollow" target="_blank">A tale of verbose error message and a JWT token</a> </li> <li>[01:00:29] <a href="https://www.synacktiv.com/posts/pentest/pentesting-cisco-sd-wan-part-2-breaking-routers.html" rel="nofollow" target="_blank">Pentesting Cisco SD-WAN Part 2: Breaking routers</a> </li> <li>[01:04:21] <a href="https://www.synacktiv.com/posts/exploit/memory-leak-and-use-after-free-in-squid.html" rel="nofollow" target="_blank">Memory leak and Use After Free in Squid</a> </li> <li>[01:17:48] <a href="https://www.zerodayinitiative.com/blog/2020/5/7/how-a-deceptive-assert-caused-a-critical-windows-kernel-vulnerability" rel="nofollow" target="_blank">How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability</a> </li> <li>[01:28:30] <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=2002" rel="nofollow" target="_blank">Samsung Android multiple interactionless RCE</a> <ul> <li><a href="https://github.com/googleprojectzero/SkCodecFuzzer" rel="nofollow" target="_blank">https://github.com/googleprojectzero/SkCodecFuzzer</a></li> </ul> </li> <li>[01:38:25] <a href="https://packetstormsecurity.com/files/157621/GS20200508201435.tgz" rel="nofollow" target="_blank">Linux futex+VFS Use-After-Free</a> </li> <li>[01:45:03] <a href="https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability" rel="nofollow" target="_blank">Huawei HKSP Introduces Trivially Exploitable Vulnerability</a> </li> <li>[01:50:32] <a href="https://www.blackarrow.net/ragnarok-malware-vaccine/" rel="nofollow" target="_blank">Ragnarok Stopper: development of a vaccine</a> </li> <li>[01:55:51] <a href="https://cseweb.ucsd.edu/~yiying/RustStudy-PLDI20.pdf" rel="nofollow" target="_blank">Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs</a> </li> <li>[02:09:34] <a href="https://www.zerodayinitiative.com/blog/2020/5/4/analyzing-a-trio-of-remote-code-execution-bugs-in-intel-wireless-adapters" rel="nofollow" target="_blank">Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters</a> </li> <li>[02:10:19] <a href="https://github.com/JHUAPL/Beat-the-Machine" rel="nofollow" target="_blank">GitHub - JHUAPL/Beat-the-Machine: Reverse engineering basics in puzzle form</a> </li> </ul>

Defcon is canceled, Microsoft was hacked, Rust has vulns

Authentication bypasses, SQL injection, command injection, and more in this web-exploit heavy episode.  [00:09:11] Facebook v. NSO Group  [00:18:14] Netsweeper PreAuth RCE  [00:25:49] SaltStack authorization bypass https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139 [00:42:02] E-Learning Platforms Getting Schooled https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split [01:03:54] Roblox - Subdomain Takeover  [01:08:09] Fix XSS issue in handling of CDATA in HTML messages · roundcube/roundcubemail@87e4cd0 · GitHub  [01:10:13] Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin  [01:17:11] Gitlab - Arbitrary file read via the UploadsRewriter when moving and issue  [01:20:15]  Researching Polymorphic Images for XSS on Google Scholar  [01:27:41]  TP-LINK Cloud Cameras Multiple Vulnerabilities https://seclists.org/fulldisclosure/2020/May/3https://seclists.org/fulldisclosure/2020/May/4 [01:34:46] Remote Code Execution on Microsoft SharePoint Using TypeConverters [CVE-2020-0932]  [01:43:03] Firefox js::ReadableStreamCloseInternal Out-Of-Bounds Access  [01:51:56] Siguza - iOS &lt;13.5 sandbox escape/entitlement 0day  [02:03:16] Honeysploit: Exploiting the Exploiters  [02:15:13] Guy's 30 Reverse Engineering Tips &amp; Tricks  [02:16:45] Remote Code Execution on Nintendo 64 through Morita Shogi 64   Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Authentication bypasses, SQL injection, command injection, and more in this web-exploit heavy episode. <ul> <li>[00:09:11] <a href="https://www.theregister.co.uk/2020/05/01/nso_whatsapp_california/" rel="nofollow" target="_blank">Facebook v. NSO Group</a> </li> <li>[00:18:14] <a href="https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/" rel="nofollow" target="_blank">Netsweeper PreAuth RCE</a> </li> <li>[00:25:49] <a href="https://labs.f-secure.com/advisories/saltstack-authorization-bypass" rel="nofollow" target="_blank">SaltStack authorization bypass</a> <ul><li><a href="https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139" rel="nofollow" target="_blank">https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139</a></li></ul></li> <li>[00:42:02] <a href="https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/" rel="nofollow" target="_blank">E-Learning Platforms Getting Schooled</a> <ul><li><a href="https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split" rel="nofollow" target="_blank">https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split</a></li></ul></li> <li>[01:03:54] <a href="https://hackerone.com/reports/335330" rel="nofollow" target="_blank">Roblox - Subdomain Takeover</a> </li> <li>[01:08:09] <a href="https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0?a" rel="nofollow" target="_blank">Fix XSS issue in handling of CDATA in HTML messages · roundcube/roundcubemail@87e4cd0 · GitHub</a> </li> <li>[01:10:13] <a href="https://hethical.io/stealing-the-trello-token-by-abusing-a-cross-iframe-xss-on-the-butler-plugin/" rel="nofollow" target="_blank">Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin</a> </li> <li>[01:17:11] <a href="https://hackerone.com/reports/827052" rel="nofollow" target="_blank">Gitlab - Arbitrary file read via the UploadsRewriter when moving and issue</a> </li> <li>[01:20:15] <a href="https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html" rel="nofollow" target="_blank"> Researching Polymorphic Images for XSS on Google Scholar</a> </li> <li>[01:27:41] <a href="https://seclists.org/fulldisclosure/2020/May/2" rel="nofollow" target="_blank"> TP-LINK Cloud Cameras Multiple Vulnerabilities</a> <ul><li><a href="https://seclists.org/fulldisclosure/2020/May/3" rel="nofollow" target="_blank">https://seclists.org/fulldisclosure/2020/May/3</a></li><li><a href="https://seclists.org/fulldisclosure/2020/May/4" rel="nofollow" target="_blank">https://seclists.org/fulldisclosure/2020/May/4</a></li></ul></li> <li>[01:34:46] <a href="https://www.zerodayinitiative.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters" rel="nofollow" target="_blank">Remote Code Execution on Microsoft SharePoint Using TypeConverters [CVE-2020-0932]</a> </li> <li>[01:43:03] <a href="https://packetstormsecurity.com/files/157524/GS20200501135300.tgz" rel="nofollow" target="_blank">Firefox js::ReadableStreamCloseInternal Out-Of-Bounds Access</a> </li> <li>[01:51:56] <a href="https://github.com/Siguza/psychicpaper/blob/master/docs/index.md" rel="nofollow" target="_blank">Siguza - iOS &lt;13.5 sandbox escape/entitlement 0day</a> </li> <li>[02:03:16] <a href="https://medium.com/@curtbraz/exploiting-the-exploiters-46fd0d620fd8" rel="nofollow" target="_blank">Honeysploit: Exploiting the Exploiters</a> </li> <li>[02:15:13] <a href="https://blog.vastart.dev/2020/04/guys-30-reverse-engineering-tips-tricks.html" rel="nofollow" target="_blank">Guy's 30 Reverse Engineering Tips &amp; Tricks</a> </li> <li>[02:16:45] <a href="https://cturt.github.io/shogihax.html" rel="nofollow" target="_blank">Remote Code Execution on Nintendo 64 through Morita Shogi 64</a> </li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

Auth Bypass, XSS, RCE and more

Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.  [00:00:33] Relyze Decompiler  [00:22:06] Firefox's Bug Bounty in 2019 and into the Future  [00:30:29] Source code for both CS:GO and TF2 Leaked  [00:38:58] Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS  [00:44:34] MSI TrueColor Unquoted Service Path Vulnerability  [00:48:43] 1-click RCE on Keybase   [00:55:56] jQuery &lt; 3.5 Cross-Site Scripting (XSS) in html() https://xss.pwnfunction.com/challenges/ww3/ [01:01:37] Multiple 0 day vulnerabilities in IBM Data Risk Manager  [01:17:24] You Won't Believe what this One Line Change Did to the Chrome Sandbox https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1 [01:23:58] You’ve Got (0-click) Mail!  [01:31:29] Sharing a Logon Session a Little Too Much  [01:37:00] SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions https://0x0539.net/play/fangorn/crypto_cookie [01:47:10] MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages  [01:54:37] Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022]  [01:57:26] Patchguard: Detection of Hypervisor Based Introspection https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/ [01:59:37] HITB Lockdown Livestream Day 1   Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days. <ul> <li>[00:00:33] <a href="https://www.relyze.com/" rel="nofollow" target="_blank">Relyze Decompiler</a> </li> <li>[00:22:06] <a href="https://blog.mozilla.org/security/2020/04/23/bug-bounty-2019-and-future/" rel="nofollow" target="_blank">Firefox's Bug Bounty in 2019 and into the Future</a> </li> <li>[00:30:29] <a href="https://twitter.com/SteamDB/status/1252961862058205184" rel="nofollow" target="_blank">Source code for both CS:GO and TF2 Leaked</a> </li> <li>[00:38:58] <a href="https://community.sophos.com/kb/en-us/135412" rel="nofollow" target="_blank">Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS</a> </li> <li>[00:44:34] <a href="https://trioxsecurity.com/msi-truecolor-unquoted-service-path-vulnerability/" rel="nofollow" target="_blank">MSI TrueColor Unquoted Service Path Vulnerability</a> </li> <li>[00:48:43] <a href="https://www.shielder.it/blog/1-click-rce-on-keybase/" rel="nofollow" target="_blank">1-click RCE on Keybase </a> </li> <li>[00:55:56] <a href="https://github.com/marcinguy/jquery-xss-in-html" rel="nofollow" target="_blank">jQuery &lt; 3.5 Cross-Site Scripting (XSS) in html()</a> <ul><li><a href="https://xss.pwnfunction.com/challenges/ww3/" rel="nofollow" target="_blank">https://xss.pwnfunction.com/challenges/ww3/</a></li></ul></li> <li>[01:01:37] <a href="https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md" rel="nofollow" target="_blank">Multiple 0 day vulnerabilities in IBM Data Risk Manager</a> </li> <li>[01:17:24] <a href="https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html" rel="nofollow" target="_blank">You Won't Believe what this One Line Change Did to the Chrome Sandbox</a> <ul><li><a href="https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1" rel="nofollow" target="_blank">https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1</a></li></ul></li> <li>[01:23:58] <a href="https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/" rel="nofollow" target="_blank">You’ve Got (0-click) Mail!</a> </li> <li>[01:31:29] <a href="https://www.tiraniddo.dev/2020/04/sharing-logon-session-little-too-much.html" rel="nofollow" target="_blank">Sharing a Logon Session a Little Too Much</a> </li> <li>[01:37:00] <a href="https://www.computer.org/csdl/proceedings-article/sp/2020/349700b746/1j2LgvKzg1q" rel="nofollow" target="_blank">SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions</a> <ul><li><a href="https://0x0539.net/play/fangorn/crypto_cookie" rel="nofollow" target="_blank">https://0x0539.net/play/fangorn/crypto_cookie</a></li></ul></li> <li>[01:47:10] <a href="https://www.computer.org/csdl/proceedings-article/sp/2020/349700b214/1j2LgfBq2fS" rel="nofollow" target="_blank">MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages</a> </li> <li>[01:54:37] <a href="https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/" rel="nofollow" target="_blank">Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022]</a> </li> <li>[01:57:26] <a href="https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p1/" rel="nofollow" target="_blank">Patchguard: Detection of Hypervisor Based Introspection</a> <ul><li><a href="https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/" rel="nofollow" target="_blank">https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/</a></li></ul></li> <li>[01:59:37] <a href="https://www.youtube.com/watch?v=krFHJx08dMo" rel="nofollow" target="_blank">HITB Lockdown Livestream Day 1</a> </li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE

Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler...okay probably not but it is exciting.We've also got some stupid issues and some interesting LPEs this episode.  [00:00:29] Cognizant suffers Maze Ransomware cyber attack [00:14:08] Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 [00:27:46] How I Reverse Engineered the LastPass CLI Tool [00:35:59] State of the Ninja: Episode 13 [01:02:18] Riot offering up to $100k n Bug Bounty [01:05:31] Research Grants to support Google VRP Bug Hunters during COVID-19 [01:09:08] Denial of service to WP-JSON API by cache poisoning [01:11:43] CSRF to RCE bug chain in Prestashop [01:21:16] Unintended disclosure of OTP [01:24:20] JSON Web Token Validation Bypass in Auth0 Authentication API [01:27:06] git: Newline injection in credential helper [01:31:20] How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability [01:36:34] Pwning vCenter with CVE-2020-3952 [01:45:19] Oracle Solaris 11.x/10 whodo/w Buffer Overflow [01:51:22] Linux Kernel EoP via Improper eBPF Program Verification [CVE-2020-8835] [01:57:39] Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab [02:07:20] Ricerca Security: "SMBGhost pre-auth RCE https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/ [02:14:01] IJON: Exploring Deep State Spaces via Fuzzing [02:23:26] Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction [02:27:45] GitHub - wcventure/FuzzingPaper 

Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler...okay probably not but it is exciting.We've also got some stupid issues and some interesting LPEs this episode. <ul> <li>[00:00:29] <a href="https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" rel="nofollow" target="_blank">Cognizant suffers Maze Ransomware cyber attack</a> </li> <li>[00:14:08] <a href="https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000" rel="nofollow" target="_blank">Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000</a> </li> <li>[00:27:46] <a href="http://adventures.michaelfbryan.com/posts/lastpass/" rel="nofollow" target="_blank">How I Reverse Engineered the LastPass CLI Tool</a> </li> <li>[00:35:59] <a href="https://binary.ninja/2020/04/16/state-of-the-ninja-ep13.html" rel="nofollow" target="_blank">State of the Ninja: Episode 13</a> </li> <li>[01:02:18] <a href="https://hackerone.com/riot/" rel="nofollow" target="_blank">Riot offering up to $100k n Bug Bounty</a> </li> <li>[01:05:31] <a href="https://security.googleblog.com/2020/04/research-grants-to-support-google-vrp_20.html" rel="nofollow" target="_blank">Research Grants to support Google VRP Bug Hunters during COVID-19</a> </li> <li>[01:09:08] <a href="https://hackerone.com/reports/591302" rel="nofollow" target="_blank">Denial of service to WP-JSON API by cache poisoning</a> </li> <li>[01:11:43] <a href="https://stazot.com/prestashop-csrf-to-rce-article/" rel="nofollow" target="_blank">CSRF to RCE bug chain in Prestashop</a> </li> <li>[01:21:16] <a href="https://hackerone.com/reports/777957" rel="nofollow" target="_blank">Unintended disclosure of OTP</a> </li> <li>[01:24:20] <a href="https://insomniasec.com/blog/auth0-jwt-validation-bypass" rel="nofollow" target="_blank">JSON Web Token Validation Bypass in Auth0 Authentication API</a> </li> <li>[01:27:06] <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=2021" rel="nofollow" target="_blank">git: Newline injection in credential helper</a> </li> <li>[01:31:20] <a href="https://research.nccgroup.com/2020/04/15/cve-2019-1381-and-cve-2020-0859/" rel="nofollow" target="_blank">How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability</a> </li> <li>[01:36:34] <a href="https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/" rel="nofollow" target="_blank">Pwning vCenter with CVE-2020-3952</a> </li> <li>[01:45:19] <a href="https://packetstormsecurity.com/files/157282/2020-07-solaris-whodo-w.txt" rel="nofollow" target="_blank">Oracle Solaris 11.x/10 whodo/w Buffer Overflow</a> </li> <li>[01:51:22] <a href="https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification" rel="nofollow" target="_blank">Linux Kernel EoP via Improper eBPF Program Verification [CVE-2020-8835]</a> </li> <li>[01:57:39] <a href="https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices/" rel="nofollow" target="_blank">Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices</a> <ul><li><a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab" rel="nofollow" target="_blank">https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab</a></li></ul></li> <li>[02:07:20] <a href="https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html" rel="nofollow" target="_blank">Ricerca Security: "SMBGhost pre-auth RCE</a> <ul><li><a href="https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/" rel="nofollow" target="_blank">https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/</a></li></ul></li> <li>[02:14:01] <a href="https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/27/IJON-Oakland20.pdf" rel="nofollow" target="_blank">IJON: Exploring Deep State Spaces via Fuzzing</a> </li> <li>[02:23:26] <a href="https://github.com/wcventure/FuzzingPaper#pangolin-incremental-hybrid-fuzzing-with-polyhedral-path-abstraction-sp-2020" rel="nofollow" target="_blank">Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction</a> </li> <li>[02:27:45] <a href="https://github.com/wcventure/FuzzingPaper" rel="nofollow" target="_blank">GitHub - wcventure/FuzzingPaper</a> </li> </ul>

 Binary Ninja's Decompiler, git credential leak, cross-platform LPEs

Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug.  [00:00:45] DAY[0] Episode Transcripts now Available  [00:02:53] Microsoft Buys Corp.com to Keep It Safe from Hackers (Over $1.7 Million Deal)  [00:05:42] Hack for Good: Easily Donate Bounties to WHO’s COVID-19 Response Fund  [00:10:55] RetDec v4.0 is out  [00:17:33] IDA Home is coming https://www.sophia.re/Binary-Rockstar/index.htmlhttps://nostarch.com/GhidraBook [00:33:44]  Sandboxie Open Source Code is available https://github.com/xanasoft/Sandboxie [00:38:01] Exploiting the TP-Link Archer A7  [00:46:50] Exploiting the Starcraft 1 EUD Bug  [00:51:23] OhMyZsh dotenv Remote Code Execution  [00:56:19] Symantec Web Gateway 5.0.2.8 Remote Code Execution  [00:59:15] VMware vCenter Server Sensitive Information Disclosure [CVE-2020-3952]  [01:01:39] Bypassing modern XSS mitigations with code-reuse attacks  [01:07:49] Practical Data Poisoning Attack against Next-Item Recommendation  [01:11:40] Hardware Trojan Detection Using Controlled Circuit Aging  [01:16:18] A "Final" Security Bug  [01:27:05] RCEed version of computer malware / rootkit MyRTUs / Stuxnet. https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.chttps://xkcd.com/350/  Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug. <ul> <li>[00:00:45] <a href="https://dayzerosec.com/transcript/episode-36/" rel="nofollow" target="_blank">DAY[0] Episode Transcripts now Available</a> </li> <li>[00:02:53] <a href="https://wccftech.com/microsoft-buys-corp-com-to-keep-it-safe-from-hackers/" rel="nofollow" target="_blank">Microsoft Buys Corp.com to Keep It Safe from Hackers (Over $1.7 Million Deal)</a> </li> <li>[00:05:42] <a href="https://www.hackerone.com/blog/hack-good-easily-donate-bounties-whos-covid-19-response-fund" rel="nofollow" target="_blank">Hack for Good: Easily Donate Bounties to WHO’s COVID-19 Response Fund</a> </li> <li>[00:10:55] <a href="https://engineering.avast.io/retdec-v4-0-is-out/" rel="nofollow" target="_blank">RetDec v4.0 is out</a> </li> <li>[00:17:33] <a href="https://www.hex-rays.com/products/ida-home-is-coming/" rel="nofollow" target="_blank">IDA Home is coming</a> <ul><li><a href="https://www.sophia.re/Binary-Rockstar/index.html" rel="nofollow" target="_blank">https://www.sophia.re/Binary-Rockstar/index.html</a></li><li><a href="https://nostarch.com/GhidraBook" rel="nofollow" target="_blank">https://nostarch.com/GhidraBook</a></li></ul></li> <li>[00:33:44] <a href="https://community.sophos.com/products/sandboxie/f/forum/119641/important-sandboxie-open-source-code-is-available-for-download" rel="nofollow" target="_blank"> Sandboxie Open Source Code is available</a> <ul><li><a href="https://github.com/xanasoft/Sandboxie" rel="nofollow" target="_blank">https://github.com/xanasoft/Sandboxie</a></li></ul></li> <li>[00:38:01] <a href="https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo" rel="nofollow" target="_blank">Exploiting the TP-Link Archer A7</a> </li> <li>[00:46:50] <a href="https://zeta-two.com/software/exploit/2020/04/05/exploiting-starcraft1.html" rel="nofollow" target="_blank">Exploiting the Starcraft 1 EUD Bug</a> </li> <li>[00:51:23] <a href="https://mazinahmed.net/blog/ohmyzsh-dotenv-rce/" rel="nofollow" target="_blank">OhMyZsh dotenv Remote Code Execution</a> </li> <li>[00:56:19] <a href="https://packetstormsecurity.com/files/157163/symantecwg5028-exec.pdf" rel="nofollow" target="_blank">Symantec Web Gateway 5.0.2.8 Remote Code Execution</a> </li> <li>[00:59:15] <a href="https://www.vmware.com/security/advisories/VMSA-2020-0006.html" rel="nofollow" target="_blank">VMware vCenter Server Sensitive Information Disclosure [CVE-2020-3952]</a> </li> <li>[01:01:39] <a href="https://blog.truesec.com/2020/04/03/bypassing-modern-xss-mitigations-with-code-reuse-attacks/" rel="nofollow" target="_blank">Bypassing modern XSS mitigations with code-reuse attacks</a> </li> <li>[01:07:49] <a href="https://arxiv.org/abs/2004.03728v1" rel="nofollow" target="_blank">Practical Data Poisoning Attack against Next-Item Recommendation</a> </li> <li>[01:11:40] <a href="https://arxiv.org/abs/2004.02997v2" rel="nofollow" target="_blank">Hardware Trojan Detection Using Controlled Circuit Aging</a> </li> <li>[01:16:18] <a href="https://arxiv.org/abs/2004.01403v1" rel="nofollow" target="_blank">A "Final" Security Bug</a> </li> <li>[01:27:05] <a href="https://github.com/christian-roggia/open-myrtus" rel="nofollow" target="_blank">RCEed version of computer malware / rootkit MyRTUs / Stuxnet.</a> <ul><li><a href="https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.c" rel="nofollow" target="_blank">https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.c</a></li><li><a href="https://xkcd.com/350/" rel="nofollow" target="_blank">https://xkcd.com/350/</a></li></ul></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)

First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hyper-visor Guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab Parser Differential.  [00:09:31] Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users  [00:14:49] Move Fast &amp; Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings  [00:28:28] Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1  [00:33:20] Bug bounty platforms buy researcher silence, violate labor laws, critics say  [00:53:56] Zoom NTLM Hash Leak  [00:59:44] The 'S' in Zoom, Stands for Security  [01:05:52] Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947] https://www.vmware.com/security/advisories/VMSA-2020-0004.htmlhttps://www.zerodayinitiative.com/advisories/ZDI-20-298/ [01:15:38] Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796]  [01:26:31] How to exploit parser differentials  [01:37:07] Unauthorized Camera access on iOS and macOS  [01:49:07] [Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation  [01:54:21] Physically Realizable Adversarial Examples for LiDAR Object Detection  [02:01:39] Attack matrix for Kubernetes  [02:03:34] Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln  [02:04:13] Tale of two hypervisor bugs - Escaping from FreeBSD bhyve  [02:08:21] So you want to be a web security researcher?   Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hyper-visor Guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab Parser Differential. <ul> <li>[00:09:31] <a href="https://appleinsider.com/articles/20/04/03/facebook-tried-to-buy-nso-groups-ios-spyware-to-monitor-iphone-users" rel="nofollow" target="_blank">Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users</a> </li> <li>[00:14:49] <a href="https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/" rel="nofollow" target="_blank">Move Fast &amp; Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings</a> </li> <li>[00:28:28] <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/" rel="nofollow" target="_blank">Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1</a> </li> <li>[00:33:20] <a href="https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html" rel="nofollow" target="_blank">Bug bounty platforms buy researcher silence, violate labor laws, critics say</a> </li> <li>[00:53:56] <a href="https://twitter.com/_g0dmode/status/1242131019026874369" rel="nofollow" target="_blank">Zoom NTLM Hash Leak</a> </li> <li>[00:59:44] <a href="https://objective-see.com/blog/blog_0x56.html" rel="nofollow" target="_blank">The 'S' in Zoom, Stands for Security</a> </li> <li>[01:05:52] <a href="https://www.thezdi.com/blog/2020/4/1/cve-2020-3947-use-after-free-vulnerability-in-the-vmware-workstation-dhcp-component" rel="nofollow" target="_blank">Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947]</a> <ul><li><a href="https://www.vmware.com/security/advisories/VMSA-2020-0004.html" rel="nofollow" target="_blank">https://www.vmware.com/security/advisories/VMSA-2020-0004.html</a></li><li><a href="https://www.zerodayinitiative.com/advisories/ZDI-20-298/" rel="nofollow" target="_blank">https://www.zerodayinitiative.com/advisories/ZDI-20-298/</a></li></ul></li> <li>[01:15:38] <a href="https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/" rel="nofollow" target="_blank">Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796]</a> </li> <li>[01:26:31] <a href="https://about.gitlab.com/blog/2020/03/30/how-to-exploit-parser-differentials/" rel="nofollow" target="_blank">How to exploit parser differentials</a> </li> <li>[01:37:07] <a href="https://www.ryanpickren.com/webcam-hacking" rel="nofollow" target="_blank">Unauthorized Camera access on iOS and macOS</a> </li> <li>[01:49:07] <a href="https://hackerone.com/reports/784714" rel="nofollow" target="_blank">[Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation</a> </li> <li>[01:54:21] <a href="https://arxiv.org/pdf/2004.00543v2.pdf" rel="nofollow" target="_blank">Physically Realizable Adversarial Examples for LiDAR Object Detection</a> </li> <li>[02:01:39] <a href="https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" rel="nofollow" target="_blank">Attack matrix for Kubernetes</a> </li> <li>[02:03:34] <a href="https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html" rel="nofollow" target="_blank">Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln</a> </li> <li>[02:04:13] <a href="http://phrack.org/papers/escaping_from_freebsd_bhyve.html" rel="nofollow" target="_blank">Tale of two hypervisor bugs - Escaping from FreeBSD bhyve</a> </li> <li>[02:08:21] <a href="https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher" rel="nofollow" target="_blank">So you want to be a web security researcher?</a> </li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

Zoom-ers, VM Escapes, and Pegasus Resurfaces

Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few others vulnerabilities impacting Windows, Pi-Hole and Netflix. And end by looking at Window's new hardware enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux.  [00:01:18] The Netflix account compromise Bugcrowd doesn't want you to know about https://bugcrowd.com/netflix [00:16:21] Where is my Train : Tracking to Hacking  [00:22:59] Intel SGX removed from Rocket Skylake-S CPUs  [00:28:17] Type 1 Font Parsing Remote Code Execution Vulnerability  [00:33:41] Configuration Overwrite in IBM Cognos TM1 [CVE-2019-4716]  [00:42:19] Remote Code Execution Through .LNK Files [CVE-2020-0729]  [00:53:15] Pi-hole Remote Code Execution [CVE-2020-8816]  [01:03:14] NordVPN - Unauthorized User Can Delete Any User Account  [01:09:33] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns https://blockchain-ctf.securityinnovation.com/#/ [01:20:01] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns  [01:20:28] Understanding Hardware-enforced Stack Protection https://windows-internals.com/cet-on-windows/ [01:32:21] [RFC PATCH 00/11] Finer grained kernel address space randomization - Kristen Carlson Accardi https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/ [01:42:14] Slayer Labs  https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top  Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])

Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few others vulnerabilities impacting Windows, Pi-Hole and Netflix. And end by looking at Window's new hardware enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux. <ul> <li>[00:01:18] <a href="https://arstechnica.com/information-technology/2020/03/bugcrowd-tries-to-muzzle-hacker-who-found-netflix-account-compromise-weakness/" rel="nofollow" target="_blank">The Netflix account compromise Bugcrowd doesn't want you to know about</a> <ul><li><a href="https://bugcrowd.com/netflix" rel="nofollow" target="_blank">https://bugcrowd.com/netflix</a></li></ul></li> <li>[00:16:21] <a href="https://medium.com/@aniltom/where-is-my-train-tracking-to-hacking-d388e4b97225" rel="nofollow" target="_blank">Where is my Train : Tracking to Hacking</a> </li> <li>[00:22:59] <a href="https://videocardz.com/newz/exclusive-intel-rocket-lake-s-features-pci-express-4-0-xe-graphics" rel="nofollow" target="_blank">Intel SGX removed from Rocket Skylake-S CPUs</a> </li> <li>[00:28:17] <a href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006" rel="nofollow" target="_blank">Type 1 Font Parsing Remote Code Execution Vulnerability</a> </li> <li>[00:33:41] <a href="https://seclists.org/fulldisclosure/2020/Mar/44" rel="nofollow" target="_blank">Configuration Overwrite in IBM Cognos TM1 [CVE-2019-4716]</a> </li> <li>[00:42:19] <a href="https://www.zerodayinitiative.com/blog/2020/3/25/cve-2020-0729-remote-code-execution-through-lnk-files" rel="nofollow" target="_blank">Remote Code Execution Through .LNK Files [CVE-2020-0729]</a> </li> <li>[00:53:15] <a href="https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/" rel="nofollow" target="_blank">Pi-hole Remote Code Execution [CVE-2020-8816]</a> </li> <li>[01:03:14] <a href="https://hackerone.com/reports/803141" rel="nofollow" target="_blank">NordVPN - Unauthorized User Can Delete Any User Account</a> </li> <li>[01:09:33] <a href="https://research.nccgroup.com/2020/03/24/smart-contracts-inside-sgx-enclaves-common-security-bug-patterns/" rel="nofollow" target="_blank">Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns</a> <ul><li><a href="https://blockchain-ctf.securityinnovation.com/#/" rel="nofollow" target="_blank">https://blockchain-ctf.securityinnovation.com/#/</a></li></ul></li> <li>[01:20:01] <a href="https://research.nccgroup.com/2020/03/24/smart-contracts-inside-sgx-enclaves-common-security-bug-patterns/" rel="nofollow" target="_blank">Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns</a> </li> <li>[01:20:28] <a href="https://techcommunity.microsoft.com/t5/windows-kernel-internals/understanding-hardware-enforced-stack-protection/ba-p/1247815" rel="nofollow" target="_blank">Understanding Hardware-enforced Stack Protection</a> <ul><li><a href="https://windows-internals.com/cet-on-windows/" rel="nofollow" target="_blank">https://windows-internals.com/cet-on-windows/</a></li></ul></li> <li>[01:32:21] <a href="https://lore.kernel.org/kernel-hardening/20200205223950.1212394-1-kristen@linux.intel.com/" rel="nofollow" target="_blank">[RFC PATCH 00/11] Finer grained kernel address space randomization - Kristen Carlson Accardi</a> <ul><li><a href="https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/" rel="nofollow" target="_blank">https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/</a></li></ul></li> <li>[01:42:14] <a href="https://slayerlabs.com/" rel="nofollow" target="_blank">Slayer Labs </a> <ul><li><a href="https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top" rel="nofollow" target="_blank">https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top</a></li></ul></li> </ul> Watch the DAY[0] podcast live on <a href="https://www.twitch.tv/dayzerosec" rel="nofollow" target="_blank">Twitch (@dayzerosec)</a> every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on <a href="https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA" rel="nofollow" target="_blank">Youtube (@DAY[0])</a>

A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR

The best podcast episodes about true crime. For any thrill seeking podcast listeners who just can't get enough of the captivating stories of murderers and criminals. This topic has all the best episodes from many different true crime podcasts.  Add episodes you're interested into your queue below!

Best True Crime Podcasts

The best episodes for anyone looking to learn more about topics such as happiness, fulfillment, depression and psychology/mental health in general. With interviews with industry experts, personal stories of individuals, this topic has lessons applicable to everyone. Add episodes you're interested into your queue below!