Day[0] - Zero Days for Day Zero

By dayzerosec
Weekly podcast about reverse engineering, exploit development, and related news.
A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing
Is the new OSCP worth it? Can election apps be made secure? We'll talk about those questions, several kernel exploits, and a few cool fuzzing innovations.
[00:00:23] PWK and the OSCP Certification | Offensive Security
[00:16:24] Rescheduling Root KSK Ceremony 40
[00:20:15] The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz
https://blog.voatz.com/?p=1209
[00:49:26] Lateral movement via MSSQL: a tale of CLR and socket reuse
[00:55:51] Fix for CVE-2018-12122 can be bypassed via keep-alive requests
[01:00:28] A Trivial Privilege Escalation Bug in Windows Service Tracing (CVE-2020-0668)
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
[01:05:01] Intel CSME Escalation of Privilege
[01:07:41] Project Zero: A day^W^W Several months in the life of Project Zero
[01:18:54] Project Zero: Mitigations are attack surface, too
https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html
[01:33:42] Samsung SEND_FILE_WITH_HEADER Use-After-Free
[01:35:52] Samsung /dev/tsmux Heap Out-Of-Bounds Write
[01:39:55] Exploiting a Linux kernel vulnerability in the V4L2 subsystem (CVE-2019-18683)
[01:45:10] KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
[01:54:06] HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
[01:58:14] HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
[02:02:21] FIDO2 Deep Dive: Attestations, Trust model and Security
[02:03:04] Hypervisor Necromancy; Reanimating Kernel Protectors
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST), or the video archive on YouTube (@DAY[0]).
2:05:12
February 18, 2020
Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight
Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco: vulns for days impacting several big names, plus a couple of new attack ideas, blind regex injection and GhostKnight, a technique for breaching data integrity using speculative execution.
[00:01:07] Update re: Sudo Exploit
[00:03:32] Charges Filed against Four Chinese PLA Hackers for part in 2017 Equifax Breach
[00:06:06] Announcing a Targeted Incentive Program for Selected Trend Micro Products
[00:11:01] Android Security Bulletin - February 2020
https://android.googlesource.com/kernel/common/+/5eeb2ca0
https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0
[00:17:06] Critical Bluetooth Vulnerability in Android (CVE-2020-0022)
[00:22:48] Dangerous Domain Corp.com Goes Up for Sale
[00:37:43] NordVPN - IDOR allow access to payments data of any user
https://hackerone.com/nordvpn
[00:43:35] Twitter - Bypass Password Authentication for updating email and phone number
[00:48:27] WhatsApp Desktop XSS to Local File read (CVE-2019-18426)
[01:03:03] CDPwn: 5 Zero-Days in Cisco Discovery Protocol
[01:15:07] A Rough Idea of Blind Regular Expression Injection Attack
https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques
[01:20:45] GhostKnight: Breaching Data Integrity via Speculative Execution
[01:26:00] BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness
[01:30:27] Forging SWIFT MT Payment Messages for fun and pr... research!
[01:35:22] Grooming the iOS Kernel Heap
1:38:41
February 11, 2020
OK Google, sudo ./hacktheplanet
OK Google! Bypass authentication... and while we're at it, let's exploit sudo and OpenSMTPD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues.
Correction: During the segment about the sudo (pwfeedback) exploit I incorrectly described the issue as a stack-based buffer overflow; however, the buf variable is declared as static, so it ends up in .bss and not on the stack. ~zi
[00:00:22] Charges Dismissed Against Coalfire Employees
[00:06:50] Avast to Commence Wind Down of Subsidiary Jumpshot
[00:22:10] Say hello to OpenSK: a fully open-source security key implementation
[00:28:25] Kraken Identifies Critical Flaw in Trezor Hardware Wallets
[00:33:56] Zoom-Zoom: We Are Watching You
[00:39:08] TeamViewer using encrypted passwords
[00:47:43] Buffer overflow [in sudo] when pwfeedback is set in sudoers (CVE-2019-18634)
https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078
https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413
[01:01:23] Opkg susceptible to MITM (CVE-2020-7982)
https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8
[01:07:18] LPE and RCE in OpenSMTPD (CVE-2020-7247)
[01:14:13] PHP 7.0-7.4 disable_functions bypass 0day PoC
https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php
[01:28:53] Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I)
https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
[01:40:22] OK Google: bypass the authentication!
1:49:41
February 4, 2020
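The correction in the show notes above turns on where a function-local buffer declared static actually lives. The following is an added example, not code from the podcast and not sudo's code: it checks at runtime that a function-scope static array falls inside the executable's .bss section while an ordinary automatic array does not. It assumes a GNU/Linux ELF toolchain, where the linker exports the symbols __bss_start and _end bounding .bss; those symbols are the example's assumption, not something the show notes mention.

```c
/* Added example, not from the podcast or from sudo: classify where a
 * function-local buffer lives depending on whether it is declared static.
 * Assumption: a GNU/Linux ELF build, where the linker provides the symbols
 * __bss_start and _end that bound the .bss section. */
#include <stdint.h>
#include <stdio.h>

extern char __bss_start[];   /* first byte of .bss (linker-provided) */
extern char _end[];          /* one past the last byte of .bss */

/* Return 1 if address p falls inside this executable's .bss section. */
int in_bss(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)__bss_start && a < (uintptr_t)_end;
}

/* Same shape as the buffer the correction describes: local to the function
 * but declared static, so it is zero-initialised storage that persists
 * across calls and is placed in .bss rather than on the stack. */
int static_local_buf_in_bss(void)
{
    static char buf[256];
    buf[0] = '\0';
    return in_bss(buf);          /* expected: 1 */
}

/* The same buffer without `static`: an automatic variable on the stack. */
int stack_buf_in_bss(void)
{
    char buf[256];
    buf[0] = '\0';
    return in_bss(buf);          /* expected: 0 */
}

int main(void)
{
    printf("static local buffer in .bss: %d\n", static_local_buf_in_bss());
    printf("automatic buffer in .bss:    %d\n", stack_buf_in_bss());
    return 0;
}
```

The distinction matters for exploitation: an overflow of a .bss buffer never reaches a saved return address or a stack canary, and instead overwrites whatever static data the linker placed after the buffer, so the primitive and the mitigations that apply differ from the stack case.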
Return of the Zombieload, Bezos Hacked, and other exploits
This week we look at 15 CVEs, including the new MDS attacks/ZombieLoad and GhostImage, a cool attack against vision-based classification systems. We also discuss mobile vs. desktop security.
[00:01:33] Pwn2Own Miami 2020
[00:06:32] Allegations that Saudi Crown Prince involved in hacking of Jeff Bezos' phone
https://twitter.com/dinodaizovi/status/1221324029841244161
[00:11:25] Chris Rohlf on Twitter: "...Mobile security was largely a success relative to the state of the desktop..."
[00:25:49] More MDS Attacks: Intel Patching its Patch of the Patch for MDS/ZombieLoad Attacks
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b
[00:31:34] MDHex Vulnerabilities
[00:42:55] JSSE Client Authentication Bypass (CVE-2020-2655)
[00:55:37] Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363)
[00:58:34] ModSecurity Denial of Service (CVE-2019-19886)
[01:02:47] GGvulnz - How I hacked hundreds of companies through Google Groups
[01:09:14] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption (CVE-2020-6857)
[01:14:40] arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault - Patchwork
[01:18:54] Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability (CVE-2020-3142)
[01:21:35] iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU (CVE-2019-14615)
[01:28:41] Information Leaks via Safari's Intelligent Tracking Prevention
[01:39:02] GhostImage: Perception Domain Attacks against Vision-based Object Classification Systems
[01:44:46] Nightmare - A collection of binary exploitation / reverse engineering challenges and writeups
[01:49:26] The Life of a Bad Security Fix
[01:51:22] macOS/iOS: ImageIO: heap corruption when processing malformed TIFF image
1:55:31
January 27, 2020
Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty
We start off with some discussion about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week, including CurveBall, CableHaunt, and an RDP RCE.
[00:00:27] Chromium Blog: Building a more private web: A path towards making third party cookies obsolete
[00:07:05] WeLeakInfo.com Domain Name Seized
[00:13:39] A sad day for Rust
[00:25:38] GitHub - microsoft/verona: Research programming language for concurrent ownership
https://github.com/microsoft/verona/blob/master/docs/explore.md
[00:37:30] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
[00:47:16] Control Flow Integrity (CFI) in the Linux kernel
[00:53:54] ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
[00:57:19] Netgear TLS Private Key Disclosure through Device Firmware Images
https://news.ycombinator.com/item?id=22048619
https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb
[01:17:39] Cable Haunt
[01:27:19] RDP to RCE: When Fragmentation Goes Wrong
[01:31:46] Critical Auth Bypass Vulnerability In InfiniteWP Client And WP Time Capsule
[01:37:48] cuck00 | Twenty-twenty, bugs aplenty!
1:47:05
January 21, 2020
SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing?
[00:00:35] SHA-1 is a Shambles
https://www.youtube.com/watch?v=Gh6p7Y74m9A
[00:14:50] Government-funded phones come pre-installed with unremovable malware
[00:22:09] Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla
[00:27:02] CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
https://github.com/projectzeroindia/CVE-2019-19781
https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/
https://twitter.com/GossiTheDog/status/1215785949709459456
[00:38:20] Project Zero: Policy and Disclosure: 2020 Edition
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
[00:52:07] Privileged Access Never (PAN) - Another day, another broken mitigation.
[00:57:43] Tik or Tok? Is TikTok secure enough?
[01:18:33] Fortinet FortiSIEM Hardcoded SSH Key
[01:22:58] Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
[01:32:00] WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning
[01:36:00] QSOR: Quantum-Safe Onion Routing
[01:45:09] Browser Games Aren't an Easy Target
[01:46:31] Reverse engineering RNG in a GBA game
https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
1:56:02
January 14, 2020
First Edge bounty, Hacking Tesla via Wi-Fi, Cisco advisories, and Shadow Clones
[00:00:40] CCC
[00:14:58] Sunsetting Python 2 | Python.org
https://www.python.org/blogs/
[00:19:11] Kali 2020.1 - Default Non-Root User
https://www.kali.org/news/kali-default-non-root-user/
https://www.offensive-security.com/
[00:35:53] Caterpillar padlocks all use the same key
[00:42:51] Shitcoin Wallet is a scam, says security researcher
[00:47:13] Microsoft Edge (Chromium) - Elevation of Privilege to Potential Remote Code Execution
[00:56:57] Exploiting Wi-Fi Stack on Tesla Model S | Keen Security Lab Blog
[01:08:52] Spiderman 2000 - Buffer overflow in file loading routine
[01:14:31] Alert Alarm SMS exploit
[01:27:33] D-Link DIR-859 - Unauthenticated RCE (CVE-2019-17621)
[01:33:20] Cisco Security Advisory: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav
[01:45:03] Starbucks' JumpCloud API Key leaked via Open GitHub Repository
https://www.androidpolice.com/2020/01/06/uh-oh-xiaomi-camera-feed-showing-random-homes-on-a-google-nest-hub-including-still-images-of-sleeping-people/
[01:56:39] JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms
[02:02:28] Shadowclone: Thwarting and Detecting DOP Attacks with Stack Layout Randomization and Canary
[02:15:21] Breaking PHP's mt_rand() with 2 values and no bruteforce
2:20:30
January 8, 2020
PlunderVolt, Real-World Bug Hunting, Presidents Cup CTF, SockPuppet and more
[00:01:18] Last Episode of the Year
[00:01:36] Real-World Bug Hunting: A Field Guide to Web Hacking
http://www.phrack.org/papers/attacking_javascript_engines.html
[00:11:29] President's Cup
[00:24:20] Better Password Protections [in Chrome]
[00:30:18] Apple DMCA's SEP Key
https://en.wikipedia.org/wiki/Illegal_number
[00:36:59] Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers
[00:48:50] Camouflage: Hardware-assisted CFI for the ARM Linux kernel
[01:00:37] Binary Planting with the npm CLI
[01:04:55] Plundervolt
[01:17:35] Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
[01:24:09] AirDoS: Remotely render any nearby iPhone or iPad unusable
[01:26:24] Digital Lockpicking - Stealing Keys to the Kingdom (KeyWe Smart Lock)
https://labs.f-secure.com/advisories/keywe-smart-lock-unauthorized-access-traffic-interception
[01:31:44] SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4
[01:39:05] Maddie Stone: Whatsup with WhatsApp: A Detailed Walk Through of Reverse Engineering CVE-2019-3568
[01:46:37] Client-side Vulnerabilities in Commercial VPNs
[01:54:50] A Technical Review of Connected Toy Security
https://www.which.co.uk/news/2019/12/kids-karaoke-machines-and-smart-toys-from-mattel-and-vtech-among-those-found-to-have-security-flaws-in-a-which-investigation/
[02:07:43] Interactive Buffer Overflow Exploitation
https://github.com/bordplate/js86
https://nagarrosecurity.com/blog/interactive-rop-tutorial
2:13:06
December 17, 2019
Permanent DoS, HackerOne Hacked, and Wide-OpenBSD
[00:02:59] Android Permanent DoS (CVE-2019-2232)
[00:08:09] Inferring and hijacking VPN-tunneled TCP connections (CVE-2019-14899)
[00:16:00] An Update on Android TLS Adoption
[00:25:11] Mozilla and Opera remove Avast extensions from their add-on stores
https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/
[00:43:05] Tron: Evolution SecuROM DRM expiration makes game unplayable 9 years after release
[00:50:12] Millions of Americans at Risk After Huge Data and SMS Leak
[00:54:14] Nebraska Medicine Breached by Rogue Employee
[00:56:56] Practical Pentest Labs stores passwords in plaintext
[01:05:07] Incident Report | 2019-11-24 Account Takeover via Disclosed Session Cookie
[01:13:28] Authentication vulnerabilities in OpenBSD (CVE-2019-19521)
[01:24:36] Symantec Endpoint Protection Local Privilege Escalation (CVE-2019-12750)
[01:30:09] Omron PLC Denial-of-Service as a Feature
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
https://github.com/Ox6e3062306479/omron/blob/master/cj2m.fins.dos.py
[01:38:35] FIRST CONTACT: New vulnerabilities in contactless payments
[01:46:39] Fuzzing Sega Genesis Emulators
[01:50:30] Verifiable Voting Primer
https://www.youtube.com/watch?v=LkH2r-sNjQs
2:14:23
December 10, 2019
CWE Top 25, Hacking Anti-Viruses and Adversarial Machine Learning Attacks
[00:02:08] Protecting users from government-backed hacking and disinformation
[00:10:23] ENISA threat landscape for 5G Networks
[00:16:13] EU raises eyebrows at possible US encryption ban
[00:24:16] You watch TV. Your TV watches back.
[00:34:44] CWE - Top 25
https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html
[00:46:58] LPE in K7 Security Anti-Virus (CVE-2019-16897)
[00:47:09] Weak Crypto in Fortinet Products
[01:01:37] CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable
https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263
[01:04:32] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions
[01:10:41] Synology DSM Remote Command Injection
[01:16:45] SpoC: Spoofing Camera Fingerprints
[01:24:44] Defending Against Adversarial Machine Learning
[01:34:21] Can Attention Masks Improve Adversarial Robustness?
[01:38:58] Hidviz
[01:41:05] IDA 7 Demo Release
[01:47:54] Windows Terminal (Preview) 0.7 Release
1:55:35
December 3, 2019
What does the NSA say?
[00:00:35] PagedOut #2
[00:07:38] Black Friday Deals to watch out for
[00:17:59] Official Monero website is hacked to deliver currency-stealing malware
[00:26:30] Managing Risk from Transport Layer Security Inspection
[00:40:55] US student was allegedly building a custom Gentoo Linux distro for ISIS
[00:48:41] Google Outlines Plans for Mainline Linux Kernel Support in Android
[00:55:12] Introducing Flan Scan
[00:59:44] Expanding Android Security Rewards
[01:05:26] Updates to the Mozilla Web Security Bounty Program
[01:07:59] XSS in GMail's AMP4Email via DOM Clobbering
[01:17:32] VNC Vulnerabilities (LibVNC, TightVNC, TurboVNC and UltraVNC)
[01:26:22] Arbitrary file capture in Kaspersky Total Security 2019
[01:30:43] Bad binder: Android In-The-Wild Exploit
[01:36:03] Building Fast Fuzzers
https://github.com/gamozolabs/fzero_fuzzer
[01:49:47] The Performance of Machine and Deep Learning Classifiers in Detecting Zero-Day Vulnerabilities
[02:02:08] PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance
2:19:14
November 26, 2019
Election hacking, Kernel Security, MDS Attacks and Github's Security Lab
[00:02:09] Thousands of hacked Disney+ accounts are already for sale
[00:06:33] Faking an iVote decryption proof
[00:16:20] "robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests."
[00:30:13] "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file"
[00:35:42] HHVM Security Update
[00:38:18] Symantec Endpoint Protection - Self-Defense Bypass - CVE-2019-12758
[00:38:27] McAfee - All Editions - Self-Defense Bypass - CVE-2019-3648
[00:43:26] Imperceptible Adversarial Attacks on Tabular Data
[00:48:48] 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol
[00:55:26] Fuzzing Qualcomm Secure Execution Environment and CVE-2019-10574
[01:00:32] TPM-Fail
[01:08:54] Mitigations for Jump Conditional Code Erratum
[01:14:35] More MDS Attacks
[01:22:55] Tianfu Cup
[01:27:48] Protecting against code reuse in the Linux kernel with Shadow Call Stack
[01:34:04] Security things in Linux v5.3
[01:50:36] A Security Perspective on Unikernels
[01:54:26] Announcing GitHub Security Lab: securing the world's code, together
[02:09:32] Huawei introduces new invite-only bug bounty program
[02:12:37] Interpol plans to condemn encryption spread, citing predators, sources say
https://www.youtube.com/watch?v=VPBH1eW28mo
[02:17:33] How a turf war and a botched contract
2:32:43
November 19, 2019
Rogue Employees, Lasers, Fuzzing, and an iOS Exploit (checkra1n)
Blog launched, stream schedule, discord
[00:01:56] Pwn2Own Tokyo 2019
https://www.zerodayinitiative.com/Pwn2OwnTokyo2019Rules.html
[00:07:22] Pwn2Own Tokyo 2019
[00:08:46] Google Begins Testing Extension manifest v3 in Chrome Canary
[00:12:03] Rogue Trend Micro Employee Sold Customer Data for 68K Accounts
[00:14:54] The DoJ charges former Twitter employees for allegedly accessing thousands of accounts on behalf of Saudi Arabia.
[00:23:02] OpenTitan – Open sourcing transparent, trustworthy, and secure silicon
https://arstechnica.com/information-technology/2019/11/newly-discovered-titanium-backdoor-employs-clever-ways-to-go-undetected/
[00:26:34] OpenTitan – Open sourcing transparent, trustworthy, and secure silicon
[00:29:33] Sandboxie transitioning to open source
https://securelist.com/titanium-the-platinum-group-strikes-again/94961/
[00:44:06] Facebook Groups API flaw exposed data to 100 developers
[00:47:47] Laser-Based Audio Injection on Voice-Controllable Systems
[00:54:07] Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems
[00:54:20] Laser-Based Audio Injection on Voice-Controllable Systems
[00:57:11]
1:34:28
November 13, 2019
A Bit of everything: 0days, Breaches, Lawsuits, Attacking AI, and some insecure
[00:05:23] Apple v. Corellium
[00:12:04] Firefox to Discontinue Sideloaded Extensions
[00:16:52] Delegated Credentials for TLS
[00:23:02] North Korean Malware Found on Indian Nuclear Plant's Network
[00:28:20] The Pirate Bay Downtime Caused by Malicious Search Queries
[00:29:30] Web.com Breach (allegedly includes NetworkSolutions.com and Register.com)
[00:32:28] BlueKeep attacks are happening, but it's not a worm
https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/
[00:36:13] Untitled Goose Game - Insecure Deserialization
[00:39:58] Two Chrome 0Days get Patched
[00:42:45] NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114]
[00:45:43] Abusing HTTP Hop-by-hop Request Headers
[00:50:54] Let's Make Windows Defender Angry: Antivirus Can be an Oracle! -icchy
https://en.wikipedia.org/wiki/EICAR_test_file
[00:56:54] rConfig v3.9.2 authenticated and unauthenticated RCE (CVE-2019-16663) and (CVE-2019-16662)
[01:02:26] Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors
[01:07:26] Silhouette: Efficient Intra-Address Space Isolation for Protected Shadow Stacks on Embedded Systems
[01:19:46] unfork(2)
[01:23:51] Destroying x86_64 instruction decoders with differential fuzzing
https://github.com/zyantific/zydis
1:34:06
November 5, 2019
NordVPN Again, Snowden, CPDoS, a PHP-RCE, and some console hacking
[00:00:49] NordVPN's Response to Private Certificate Breach Discussed Last Week
https://nordvpn.com/blog/security-plan/
[00:12:31] AWS Hit By Major DDoS Attack
https://status.digitalocean.com/incidents/1z3kmlvz69v6
[00:14:43] Seven Million Adobe Creative Cloud Accounts Exposed to the Public
[00:25:24] Travel Reservations Platform Leaks US Government Personnel Data
[00:30:09] Joe Rogan Experience #1368 - Edward Snowden
[00:48:38] Technical Analysis of Checkm8
https://googleprojectzero.blogspot.com/2019/10/ktrw-journey-to-build-debuggable-iphone.html
[00:55:51] Cache Poisoned Denial of Service (CPDoS)
[01:08:27] CVE-2019-11043 - PHP-FPM (potential) RCE
https://github.com/neex/phuip-fpizdam/blob/master/attack.go
[01:20:44] Light Ears: Information Leakage via Smart Lights
[01:27:57] Don't open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …
[01:33:28] Bringing ICS into the Pwn2Own World
[01:37:39] Analysis of Qualcomm Secure Boot Chains
[01:39:56] Microsoft Secured-Core PC
[01:47:46] Guarding Against Physical Attacks: The Xbox One Story
1:59:18
October 28, 2019
Linux Exploits, Secure Credentials, Side-Channels and Election(SDK) hacking
[00:01:29] Sudo: CVE-2019-14287
[00:08:40] Buffer overflow in Realtek Wi-Fi chips
[00:17:13] US Law Enforcement Traces Bitcoin Transfers to Nab 'Largest' Child Porn Site
[00:39:45] Equifax Using admin:admin as Credentials for Sensitive Information
[00:48:40] CenturyLink Data Leak of 2.8 Million Records
[00:56:37] NordVPN Reportedly Compromised
https://crt.sh/?q=nordvpn.com
[00:59:07] NordVPN Reportedly Compromised
https://twitter.com/hexdefined/status/1185974575214940161
https://nordvpn.com/
https://thatoneprivacysite.net/
[01:07:45] Pop_OS 19.10
[01:13:26] JSFuzz
[01:19:08] Site Isolation improvement (and now on Android)
[01:22:54] A New Memory Type Against Speculative Side Channel Attacks
[01:30:06] oo7: Low-overhead Defense against Spectre Attacks via Program Analysis
[01:38:37] UK Government to fund development of attack resistant Arm chips
[01:46:59] Germany's Cyber Security Agency Recommends Firefox as Most Secure Browser
[02:01:36] Facebook Expanding Bug Bounty Program to Third-Party Apps
https://www.facebook.com/whitehat/info/
[02:04:14] ElectionGuard SDK Bug Bounty
https://www.youtube.com/watch?v=w3_0x6oaDmI
https://www.youtube.com/watch?v=BYRTvoZ3Rho
https://www.microsoft.com/en-us/msrc/bounty-electionguard
2:13:43
October 21, 2019
When your errors have errors...
[00:03:00] Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit | iTerm2 Patch
[00:11:24] Windows Error Reporting Manager arbitrary file move Elevation of Privilege (CVE-2019-1315) | James Forshaw: A Link To The Past.pdf
[00:16:12] CVE-2019-8697: macOS System Escalation via Disk Management
https://www.zerodayinitiative.com/blog/2019/10/3/cve-2019-8697-macos-system-escalation-via-disk-management
[00:20:20] Apple Zero Day Exploited in Bitpaymer Campaign
[00:25:50] BrokenStrokes: On the (in)Security of Wireless Keyboards
[00:31:53] PS2 Yabasic Exploit | Exploit Writeup
[00:40:12] Imperva Breach Report
[00:49:23] EU-coordinated risk assessment of 5G network security
https://eeas.europa.eu/delegations/united-states-america/68637/eu-coordinated-risk-assessment-5g-network-security_me
[00:55:11] Measuring Attack Surface Reduction in the Presence of Code (Re-)Randomization
https://arxiv.org/abs/1910.03034
[01:04:46] Finding Security Threats That Matter: An Industrial Case Study
[01:16:47] An Extended Survey on Vehicle Security
[01:21:56] Zydis 3.0 Released (x86-64 disassembler library)
https://github.com/zyantific/zydis
[01:25:54] IDA 7.4
[01:28:38] Government interference in Australia's premier cybersecurity conference is a worry
[01:33:16] uBlock dev build rejected
[01:39:19] Ken Thompson's Unix Password
[01:44:04] Humble Bundle
1:48:40
October 14, 2019
Exploits-galore iOS (checkm8), Android, Signal, Whatsapp, PHP and more
[00:00:40] What happened while we were gone, ft. DEF CON and Black Hat discussion
[00:20:10] Checkm8 - iPhone bootROM exploit
[00:28:52] iPhone A11 debug registers allow full-featured kernel debugging
[00:32:52] Android: Use-After-Free in Binder driver
https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ
[00:39:36] PHP 7.0-7.3 disable_functions bypass
https://bugs.php.net/bug.php?id=72530
[00:51:49] An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples
https://cwe.mitre.org/data/definitions/20.html
[01:03:18] Signal RTP is processed before call is answered
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943
[01:08:47] WhatsApp RCE
[01:14:58] Attacking CNN-based anti-spoofing face authentication in the physical domain
[01:22:52] The Kernel Concurrency Sanitizer (KCSAN)
[01:30:36] Eradicating Attacks on the Internal Network with Internal Network Policy
[01:39:22] Analyzing Control Flow Integrity with LLVM-CFI
1:50:55
October 7, 2019
Offensive Security's OSWE/AWAE, Massive Security failures, and a handful of cool attacks
This will be our last episode until the fall, but once we are back you can catch the DAY[0] podcast on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec
[00:00:50] This will be our last episode until the fall.
[00:02:50] Thoughts on the Advanced Web Attacks and Exploitation (AWAE) Course, and the Offensive Security Web Expert (OSWE) certification
[00:32:05] r/AskNetsec - New windows LPE from non-admin :) - From SandboxEscaper
[00:45:20] First American Financial Corp. compromise
[00:53:48] Google admits storing G Suite user passwords in plain text for 14 years
[01:02:27] Safety vs. Security: Attacking Avionic Systems with Humans in the Loop
[01:17:30] Malware Guard Extension: Using SGX to Conceal Cache Attacks
[01:25:04] Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updates
[01:36:45] MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows
[01:46:59] Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities
[02:03:35] macOS Gatekeeper Bypass
[02:10:47] RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer
2:15:47
May 27, 2019
Intel has done it again, ft. Zombies, Cats, and Windows exploits
[00:01:55] Frida 12.5 Released
[00:08:17] Damn Vulnerable Crypto Wallet
[00:16:40] Thrangrycat: https://😾😾😾.fm/
[00:23:11] Micro-Architectural Data Sampling Attacks | ZombieLoad | RIDL paper | Fallout paper | Red Hat Overview Video
[00:56:24] Update to Security Incident [May 17, 2019] - Stack Overflow Blog
[01:04:00] Global Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain
[01:15:12] How Hackers Broke WhatsApp With Just a Phone Call (CVE-2019-3568)
[01:26:53] Over 25,000 Linksys Smart Wi-Fi Routers Vulnerable to Sensitive Information Disclosure
[01:34:01] Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
1:44:51
May 20, 2019
The Unhackable Morpheus chip and other exploit mitigations
[00:00:30] Unhackable: New chip stops attacks before they start
[00:15:00] DeepCheck: A Non-intrusive Control-flow Integrity Checking based...
[00:25:54] Queue the Hardening Enhancements
[00:50:18] For Cybersecurity, Computer Science Must Rely on Strong Types
[00:57:43] A Novel Side-Channel in Real-Time Schedulers
[01:04:55] MAVSec: Securing the MAVLink Protocol
[01:10:39] Domain Specific Code Smells in Smart Contracts
[01:18:56] Over 275 Million Records Exposed by Unsecured MongoDB Database
[01:38:02] Applied Risk :: Advisories
[01:53:50] Alpine Linux Docker image contains a NULL root password
[01:59:01] Linux Kernel Race Condition and UAF
[02:05:44] Arbitrary file read vulnerability in HackerRank
2:18:23
May 13, 2019
Another CSG0-day, Ransomware? and a 36 year old vuln
[00:00:30] r/GlobalOffensive: PSA: Security issue regarding lobbies and games
[00:11:30] Vita Exploit
[00:20:05] Indie Game Removed From Switch eShop
[00:34:40] Eight Devices, One Exploit
[00:47:30] Remote Code Execution on most Dell computers
[00:56:35] All Firefox extensions disabled due to expiration of intermediate signing cert
[01:15:10] A hacker is wiping Git repositories and asking for a ransom | ZDNet
[01:38:25] Typer vs. CAPTCHA: Private information based CAPTCHA to defend against crowdsourcing human cheating
[01:50:50] 36 Year old Kernel stack disclosure bug in UFS/FFS
[02:00:52] You Only Propagate Once: Painless Adversarial Training
[02:05:55] The Risks of WebGL: Analysis, Evaluation and Detection
[02:18:55] InternalBlue: Bluetooth Binary Patching and Experimentation Framework
[02:27:30] IRONHIDE: A Secure Multicore Architecture that Leverages Hardware Isolation Against Microarchitecture State Attacks
Extra Links:
- h-encore exploit (old Vita exploit)
- InternalBlue CCC talk
2:37:20
May 6, 2019
Docker, Government Attacks, and Best Practices
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec
[00:00:30] - Physical Adversarial Textures that Fool Visual Object Tracking
[00:04:30] - DPatch: An Adversarial Patch Attack on Object Detectors
[00:11:45] - Side-Channel Attack to Extract ECDSA Private Keys from Qualcomm Hardware-Based Keystore
[00:19:40] - For PayPal security team, "get user balances and transaction details" is not a vulnerability
[00:26:05] - "CI Knew There Would Be Bugs Here" - Exploring Continuous Integration
[00:40:10] - Hacker Finds They Can Kill Car Engines After Breaking Into GPS Tracking Device
[00:50:25] - Security baseline (DRAFT) for Windows 10 v1903
[00:58:25] - Security Analysis of Near-Field Communication (NFC) Payments
[01:12:10] - Docker Hub Hacked – 190k accounts, GitHub tokens revoked, Builds disabled
[01:18:50] - eGobbler - malvertising campaign exploits zero-day Chrome bug
[01:32:15] - New backdoor inspired by leaked NSA malware
[01:40:00] - Mueller report: Russia hacked state databases and voting machines
[01:54:10] - New Technique Uses Power Anomalies to ID Malware in Embedded Systems
2:02:55
April 29, 2019
Fun Malware, Fun AI Tricks, and General Fun
[00:00:31] - https://blogs.grammatech.com/open-source-tools-for-binary-analysis-and-rewriting
[00:05:31] - https://arxiv.org/abs/1904.07280
[00:13:51] - https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/
[00:21:12] - https://www.zdnet.com/article/facebook-admits-to-storing-plaintext-passwords-for-millions-of-instagram-users/
[00:25:34] - https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html
[00:31:36] - https://pdfpiw.uspto.gov/.piw?docid=10262138&SectionNum=1&IDKey=0229F1C38B5D
[00:39:02] - https://arxiv.org/abs/1904.07370
[00:53:05] - https://github.com/vusec/kmvx
[01:04:45] - Discussion on valuation of an exploit
[01:08:05] - https://arxiv.org/abs/1904.07550
[01:16:02] - https://arxiv.org/abs/1904.08653
[01:24:36] - https://blog.underdogsecurity.com/rce_in_origin_client/
[01:35:14] - https://threatpost.com/windows-zero-day-active-exploits/143820/
[01:40:18] - https://www.ghacks.net/2019/04/16/adblock-plus-filter-exploit-to-run-arbitrary-code-discovered/
[01:47:26] - https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/
[01:50:47] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
1:53:32
April 22, 2019
Compromises, Challenge Design, and 0days
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec
[00:00:37] - Huawei Cyber Security Evaluation Report
[00:14:22] - Assange Arrest
[00:24:55] - Matrix Compromise
[00:32:20] - Outlook Compromise
[00:43:39] - Ghidra Source Release
[00:49:18] - Relyze 3 Beta (Another Free Decompiler)
[00:56:30] - Fracker (New PHP Tool)
[01:01:11] - Discussion about EncryptCTF and challenge design
[01:25:24] - Dragonblood/WPA3 Vulnerabilities
[01:32:21] - CVE-2019-0211 Apache Root Privilege Escalation
[01:41:27] - Detailing of CVE-2019-1636 and CVE-2019-6739 in QT
[01:49:47] - Splitting Atoms in XNU
[02:06:39] - PostgreSQL is it a CVE?
[02:11:41] - RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks
[02:26:45] - The ROP Needle: Hiding Trigger-based Injection Vectors via Code Reuse
[02:29:30] - Assessing Unikernel Security
2:40:01
April 16, 2019
CTFs, Backdoors, and Control Flow Integrity
00:01:10 Sunshine CTF
00:10:27 Question Discussion: Opinions regarding CTFs vs. Real World Exploits
00:24:15 ENCRYPT CTF Discussion
00:31:25 Pwn2Own 2019 (P2O) and Tesla Hacking
00:41:25 Tricking Tesla Autopilot
00:56:45 Ghidra 9.0.1 Release
00:59:30 Commando VM
01:06:50 PoC||GTFO 0x19
01:13:20 ASUS Update Tool Backdoor
01:19:05 Windows Defender APC Code Injection Sensors
01:22:55 BSEA-1 - A Stream Cipher Backdooring Technique
01:32:40 LockerGoga Ransomware Vaccination
01:37:40 Hearing your touch: A new acoustic side channel on smartphones
01:43:05 Keybase is not softer than TOFU
01:48:30 Exploitation Techniques and Defenses for Data-Oriented Attacks
01:56:00 Restricting Control Flow During Speculative Execution with Venkman
Additional Links:
- Sunshine CTF Writeups
- Attacking Javascript Engines Phrack Article
2:08:38
April 2, 2019
RE Tools, Ethereum, and Plaintext Passwords
00:00:50 Ghidra from XXE to RCE
00:08:50 Cutter (Radare2) Release
00:15:00 Daenerys IDA Pro and Ghidra Interoperability Framework
00:22:00 IDA Educational Release
00:39:35 Windows Defender on MacOS
00:59:20 A new Windows 10 KASLR Bypass
01:11:07 EVMFuzz Fuzzing Ethereum Virtual Machines
01:30:10 Researchers find 36 new security flaws in LTE Protocol
01:45:50 Facebook logging plaintext passwords
Other Interesting Links:
- SecurityInnovation Blockchain CTF
- Analysis of a Chrome Zero-Day (CVE-2019-5786) Writeup
2:01:18
March 26, 2019
CSG0-Days, Exploit Mitigations, and Voting Systems
00:00:30 Steam Client (CSGO) RCE
00:04:44 CS 1.6 Trojan.Belonard Malware Campaign
00:11:55 WebKit Structure ID Randomness Mitigation
00:20:48 Reuse Gadget Counts Whitepaper (ROP)
00:31:50 DTrace on Windows
00:38:20 Backdoor Attack in CNNs
00:55:05 DARPA's $10m Open Source Voting System
01:13:30 Vulnerability in Swiss E-Voting System
1:39:15
March 18, 2019
Zero-Days, Ghidra, and Questionable CVEs
00:00:00 Intro / General Discussion
00:00:55 Ghidra Overview (Pros, Cons)
00:30:20 Ghidra JDWP Debug Port 'Backdoor' Discussion
00:38:05 Ghidra and National Security
00:52:15 "Finding Unicorns: When The C++ Compiler Writes the Vuln" Discussion
01:06:15 "Windows 7 may insecurely load Dynamic Link Libraries" Discussion
01:21:40 "Exploiting Car Alarms" Discussion
01:45:05 XNU (Mac OS) Copy-on-Write Behavior Bypass Zero-Day Discussion
02:03:15 Chrome Zero-Day Discussion
2:16:10
March 11, 2019