Day[0]
By dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Where to listen: Apple Podcasts, Breaker, Google Podcasts, Overcast, Pocket Casts, RadioPublic, Spotify
[binary] NetUSB RCE, a Linux Kernel Heap Overflow, and an XNU Use-After-Free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netusb-rce-a-kernel-heap-overflow-an-xnu-uaf.html
Integer overflows and underflows this week, covering vulns from desktop Zoom clients to the kernel and some routers.
[00:00:19] Spot the Vuln - One Verified JWT, Please
[00:03:27] Zooming in on Zero-click Exploits
[00:12:18] Zooming in on Zero-click Exploits
[00:26:39] XNU kernel use-after-free in mach_msg
[00:34:06] Linux kernel v5.1+ Heap buffer overflow in fs_context.c
[00:36:03] Linux kernel v5.1+ Heap buffer overflow in fs_context.c
[00:42:21] NetUSB RCE Flaw in Millions of End User Routers [CVE-2021-45608]
[00:47:54] Humble Book Bundle: Cybersecurity by Wiley
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec
You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
50:52
January 27, 2022
[bounty] Bypassing Box MFA and Bad AES Key Generation
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-box-mfa-bad-aes-key-generation.html
A new security-related Humble Bundle, an MFA bypass in Box, and a few older-style vulnerabilities: LFI to RCE, an allow-list bypass with an @ sign, and insecure random number seeds.
[00:00:37] Humble Book Bundle: Cybersecurity by Wiley
[00:08:18] CWP CentOS Web Panel - preauth RCE [CVE-2021-45467]
[00:13:37] Stealing administrative JWT's through post auth SSRF [CVE-2021-22056]
[00:17:27] Telenot Complex: Insecure AES Key Generation
[00:25:12] Mixed Messages: Busting Box's MFA Methods
33:26
January 25, 2022
[binary] Pwning Camera and Overflowing your Integers
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwning-camera-and-overflowing-your-integers.html
Short episode this week: stack smashing, integer overflows, and a more logic-level issue, ending with a discussion about what to do when you're stuck on CTFs.
[00:00:42] Spot the Vuln - One at a Time
[00:04:15] Uniview PreAuth RCE
[00:06:59] Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability
[00:12:31] Chrome: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController
[00:18:31] Question: Unsuccessful getting into CTFs
26:36
January 20, 2022
[bounty] Bad Code and Bad URLs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bad-code-and-bad-urls.html
This week is a shorter episode looking at some bad code in mermaid.js and Moodle's Shibboleth plugin, and a bit of research regarding URL parsing issues.
[00:00:44] Orca Security Discovered Two AWS Vulnerabilities
[00:06:44] Cross-Site Scripting (XSS) in mermaid.js
[00:12:41] Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth
[00:20:24] Exploiting URL Parsing Confusion Vulnerabilities
36:49
January 18, 2022
[Binary] Rooting Ubuntu By Accident and Samsung Kernel Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rooting-ubuntu-by-accident-and-samsung-kernel-bugs.html
We are back for the first 2022 binary episode, and it's all kernel: obtaining root on Ubuntu through an hours-long exploit process thanks to an invalid free, a use-after-free in XNU due to bad locking, and some terrible code in the Samsung S20 DSP kernel driver with multiple integer overflows.
[00:00:42] Getting root on Ubuntu through wishful thinking
[00:19:21] XNU: heap-use-after-free in inm_merge
[00:29:42] Kernel LPE in the Vision DSP Kernel Driver [CVE-2021-25467]
[00:34:34] Kernel LPE in the Vision DSP Kernel Driver's ELF Linker [CVE-2021-25475]
[00:37:16] Linux Heap Exploitation - Part 3
[00:38:37] PS4 CCP Crypto Bug
42:56
January 13, 2022
[Bounty] RocketChat RCE, Flickr, and a Critical Smart Contract Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rocketchat-rce-flickr-and-a-critical-smart-contract-bug.html
More cases of developers making insecure assumptions and getting owned because of them. This week we've got a Flickr account takeover, escalating a restricted SSRF into something more useful, and XSS to RCE in Rocket.Chat.
[00:00:34] Rocket.Chat Client-side Remote Code Execution
[00:10:14] Flickr Account Takeover
[00:24:33] Turning bad SSRF to good SSRF: Websphere Portal
[00:34:47] Polygon Lack Of Balance Check Bugfix Postmortem
[00:45:22] Fuzzing for XSS via nested parsers condition
[00:52:35] Cache Poisoning at Scale
[00:54:48] Fixing the Unfixable: Story of a Google Cloud SSRF
57:18
January 11, 2022
An Android Kernel Bug and a Chrome+Edge Bug [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/an-android-kernel-bug-a-chrome-edge-exploit.html
A Hex-Rays/Adobe cross-over as Hex-Rays moves to a subscription model, and we are not too happy about it. We also discuss a few interesting bugs this week, from an odd optimization and a signedness bug in Chrome, to some mishandled null bytes in runc, and a subtle object-state confusion in the Linux kernel.
[00:00:21] Spot the Vuln - Revenge of the Average
[00:04:38] Hex-rays is moving to a Subscription model
[00:32:49] Understanding the Root Cause of a Chrome Bug from Pwn2Own 2021 [CVE-2021-21220]
[00:44:30] runc/libcontainer: insecure handling of null-bytes in bind mount sources
[00:49:50] refcount increment on mid-destruction file [CVE-2021-1048]
[00:56:30] Overview of V8 Exploitation
58:15
December 16, 2021
Log4j RCE coming to a service near you and uBlock CSS Injection [Bounty]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/log4j-rce-coming-to-a-service-near-you-and-ublock-css-injection.html
The Log4Shell RCE spawns a lot of discussion this episode, but we also look at a Windows 10 RCE, a Google SSRF, and some CSS injection in uBlock.
[00:00:29] Apache Log4j2 jndi RCE
[00:29:50] Windows 10 RCE: The exploit is in the link
[00:46:00] SSRF vulnerability in AppSheet - Google VRP
[00:52:43] uBlock, I exfiltrate: exploiting ad blockers with CSS
01:08:03
December 15, 2021
MediaTek, Yet Another Chrome Bug, and BigSig [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/mediatek-yet-another-chrome-bug-and-bigsig.html
A few easy issues this week, but some discussion about fuzzing campaigns and measurements, and about bypassing modern mitigations.
[00:00:20] Spot the Vuln - Just a Normal Walk
[00:06:10] This shouldn't have happened: A vulnerability postmortem
[00:22:52] Looking for vulnerabilities in MediaTek audio DSP
[00:35:23] Exploiting CVE-2021-43267
48:39
December 09, 2021
Bypassing MFA, WebCache Poisoning, and AWS SageMaker [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-mfa-webcache-poisoning-and-aws-sagemaker.html
Some readily understood vulnerabilities, but with some interesting impacts: escalating self-XSS to cross-account CSRF, data exfiltration with CSS, web-cache poisoning, and MFA bypassing.
[00:00:00] Introduction
[00:00:34] Humble Book Bundle: Hacking by No Starch Press
[00:05:50] AWS SageMaker Jupyter Notebook Instance Takeover
[00:16:39] [Glassdoor] CSS injection via link tag whitelisted-domain bypass
[00:21:15] [Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request
[00:25:47] Bypassing Box's Time-based One-Time Password MFA
[00:31:26] Exploring Container Security: A Storage Vulnerability Deep Dive
[00:36:28] Hakluke: Creating the Perfect Bug Bounty Automation
[00:37:10] Data Exfiltration via CSS + SVG Font
39:04
December 07, 2021
KVM Bugs and an iOS IOMFB Kernel Exploit [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kvm-bugs-and-an-ios-iomfb-kernel-exploit.html
Starting off this week with the new Humble Bundle and some discussion about hacking books. Then on to the vulns: some OOB access, uninitialized memory, and iOS exploit strategy.
[00:00:17] Spot the Vuln - Counting Widgets
[00:02:36] Humble Book Bundle: Hacking by No Starch Press
[00:17:14] KVM: SVM: out-of-bounds read/write in sev_es_string_io
[00:23:42] Anker Eufy Homebase 2 home_security CMD_DEVICE_GET_SERVER_LIST_REQUEST out-of-bounds write vulnerability
[00:34:14] Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate
[00:40:16] Popping iOS
57:05
December 02, 2021
GitLab Prototype Pollution and Some Authentication Bypasses [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-prototype-pollution-and-some-authentication-bypasses.html
Short but sweet episode this week: prototype pollution, crypto issues, SSRF, and some weird authentication.
[00:00:46] Arbitrary command execution in Gerapy [CVE-2021-32849]
[00:06:03] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:07:41] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:10:24] [shopify] A non-privileged user may create an admin account in Stocky
[00:13:21] [#0008] URL whitelist bypass in https://cxl-services.appspot.com
[00:19:20] [GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability
26:40
November 30, 2021
Hacking Neural Nets, a Chrome WebRTC UAF and Pwning Windows [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hacking-neural-nets-a-chrome-webrtc-uaf-and-pwning-windows.html
Some more kernel bugs this week as we look at bugs in Samsung's NPU driver (Android), Linux, and the Windows kernel.
[00:00:17] Spot the Vuln - Once Again - Solution
[00:03:12] Google Chrome WebRTC addIceCandidate use after free vulnerability
[00:08:53] Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())
[00:15:08] Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver
[00:31:13] POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
45:05
November 25, 2021
Big Bounties by Exploiting WebKit's CSP & Concrete CMS Bugs [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/big-bounties-by-exploiting-webkit-s-csp-concrete-cms-bugs.html
What happens when a vendor refuses to fix your bug? Well, you can go claim a bunch of bounties with it. We also talk about some novel request smuggling research on this episode.
[00:00:58] Multiple Concrete CMS vulnerabilities ( part1 - RCE )
[00:12:02] Exploiting CSP in Webkit to Break Authentication & Authorization
[00:24:57] T-Reqs: HTTP Request Smuggling with Differential Fuzzing
[00:35:30] An Illustrated Guide to Elliptic Curve Cryptography Validation
38:11
November 23, 2021
DDR4 Rowhammer, Azure Bugs, "Essential 0days", and Backdoored IDA [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ddr4-rowhammer-azure-bugs-essential-0days-and-backdoored-ida.html
North Korea is at it again targeting researchers, plus 0day hoarding, breaching secure hardware, and fuzzing on this week's episode.
[00:01:15] Spot the Vuln - Beyond the Grave
[00:03:50] ESET Research discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group
[00:12:39] Why Zero-Days Are Essential to Security - Randori
[00:29:32] Blacksmith - Rowhammer Returns
[00:43:04] Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology
[00:57:45] Microsoft Azure Sphere Security Monitor SMSyscallCommitImageStaging stage-without-manifest denial of service vulnerability
[01:04:53] Microsoft Azure Sphere Kernel GPIO_SET_PIN_CONFIG_IOCTL information disclosure vulnerability
01:08:47
November 18, 2021
Rust in the Web? A Special Guest and some Bad Crypto [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rust-in-the-web-a-special-guest-and-some-bad-crypto.html
We are joined by Bastian Gruber to start the episode with a discussion about Rust. Then we dive into a few interesting vulnerabilities this week, including yet another ECDSA implementation issue and some header smuggling research.
[00:00:40] Rust Discussion with Bastian Gruber (Use the code poddayzero21 for 35% off Manning books)
[00:46:29] Arbitrary Signature Forgery in Stark Bank ECDSA Libraries [CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571]
[01:02:37] Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over
[01:06:52] Private Blog Content Disclosed in Atom Feed
[01:08:29] Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
[01:17:01] IDOR through MongoDB Object IDs Prediction
[01:18:45] History of Cross-Site History Leaking
01:21:05
November 16, 2021
A too trusty TrustZone and a few Linux Kernel bugs [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-too-trusty-trustzone-and-a-few-linux-kernel-bugs.html
Some interesting vulnerability environments this week: some Trusted App issues, a couple of Linux kernel vulns, and a look at memory safety issues in unsafe Rust.
[00:00:19] Spot The Vuln - Extract All The Things - Solution
[00:03:43] Gerbv drill format T-code tool number out-of-bounds write vulnerability
[00:13:27] Vulnerable tzdemuxerservice TA on Samsung TVs (J-series)
[00:27:06] Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution [CVE-2021-43267]
[00:33:49] SLUB overflow [CVE-2021-42327]
[00:43:50] Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale
01:01:27
November 11, 2021
A MacOS SIP Bypass & an XSS Fiesta [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-macos-sip-bypass-an-xss-fiesta.html
A discussion-heavy episode this week, starting off with the "new" Trojan Source attacks, and then talking about a handful of interesting vulnerabilities.
[00:00:18] Trojan Source Attacks
[00:24:07] [SmartStoreNET] Malicious Message leading to E-Commerce Takeover
[00:34:24] [Chrome] Cross-Site Scripting in New-Tab Page [CVE-2021-37999]
[00:39:48] [StreamLabs] Steal access_token via open redirect
[00:43:18] Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection
[00:50:04] Android security checklist: WebView
51:25
November 09, 2021
Type Confusion in Android NFC, PHP-FPM Local Privilege Escalation, and CallbackHell [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/type-confusion-in-android-nfc-php-fpm-local-privilege-escalation-and-callbackhell.html
This week we dive into PHP-FPM internals to look at escalating from a worker process to the root process, another GDI bug, and a type confusion.
[00:00:18] Spot the Vuln - Over the Edge - Solution
[00:03:40] Trick & Treat! Paying Leets and Sweets for Linux Kernel privescs and k8s escapes
[00:10:33] Android NFC: Type confusion due to race condition during tag type change
[00:14:50] PHP-FPM local root vulnerability
[00:28:26] GitHub - ly4k/CallbackHell: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
[00:29:54] GitHub - ly4k/CallbackHell: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
[00:36:39] This bug doesn't exist on x86: Exploiting an ARM-only race condition
47:40
November 04, 2021
Discourse SNS RCE, a Stored XSS in GitLab, and a Reddit Race Condition [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/discourse-sns-rce-a-stored-xss-in-gitlab-and-a-reddit-race-condition.html
A couple of unique vulns this week, involving getting extra coins on Reddit and bypassing certificate checking for a Discourse RCE.
[00:00:40] Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
[00:09:50] Race condition leads to Inflation of coins when bought via Google Play Store
[00:15:11] [GitLab] Stored XSS in Mermaid when viewing Markdown files
[00:33:28] Discourse SNS webhook RCE
[00:47:28] [GitLab] Stored XSS in Mermaid when viewing Markdown files
44:18
November 02, 2021
A Kernel Race, SuDump, and a Chrome Garbage Collector Bug [Exploit Dev/VR]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-kernel-race-sudump-and-a-chrome-garbage-collector-bug.html
We start off this week with a look at in-the-wild 0days from the past seven years, before diving into some pretty awesome bugs this week, including an OOB access in Squirrel (the programming language), a couple of Linux kernel issues, and a Chrome garbage collector bug.
[00:00:22] Spot The Vuln - Just Be Positive - Solution
[00:06:42] Overview of 0days seen in the wild the last 7 years
[00:18:33] Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
[00:29:15] SuDump: Exploiting suid binaries through the kernel
[00:38:09] How a simple Linux kernel memory corruption bug can lead to complete system compromise
[00:55:46] Chrome in-the-wild bug analysis [CVE-2021-37975]
[01:12:40] FuzzCon Europe 2021
01:16:08
October 28, 2021
A Slack Attack and a MySQL Scientific Notation Bug [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-slack-attack-and-a-mysql-scientific-notation-bug.html
Just four bugs this week, but they are all somewhat interesting: an Instagram 2FA removal, deanonymizing Slack users, a MySQL bug, and how to get cheap Reddit coins.
[00:00:31] How I was able to revoke your Instagram 2FA
[00:10:02] Abusing Slack's file-sharing functionality to de-anonymise fellow workspace members
[00:29:41] A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection
[00:35:38] Reddit disclosed on HackerOne: IDOR to pay less for coin purchases...
42:01
October 26, 2021
WebKit Bugs, a Windows Race, and House of IO Improved [Exploit Dev/VR]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/webkit-bugs-a-windows-race-and-house-of-io-improved.html
Tianfu Cup happened this week. We also got some cool Windows and WebKit issues, alongside an improvement to the House of IO attack.
[00:00:17] Spot The Vuln - Prepare To Inject - Solution
[00:03:14] Tianfu Cup 2021
[00:09:10] Six Privilege Escalations and an Info Leak in Windows [Blackswan vulnerabilities]
[00:25:16] nt!ObpCreateSymbolicLinkName Race Condition Write-Beyond-Boundary
[00:31:37] CVE-2021-30858: Use-after-free in WebKit
[00:44:53] WebKit: heap-use-after-free in DOMWindow::open
[00:50:23] House of IO - Heap Reuse
[01:02:06] Getting started in macOS security
01:04:04
October 21, 2021
WebSocket Hijacking, GitHub review bypass and SQLi to RCE [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/websocket-hijacking-github-review-bypass-and-sqli-to-rce.html
Just a handful of traditional vulns this week: IDOR, CSRF, SQLi, a logic vuln, and zi's boomer side starts to show.
[00:00:18] Remote Chaos Experience
[00:03:30] [Concrete CMS] Stored unauth XSS in calendar event via CSRF
[00:08:47] 'Websocket Hijacking' to steal Session_ID of victim users
[00:14:17] IDOR + Account Takeover leads to PII leakage
[00:27:27] Bypassing required reviews using GitHub Actions
[00:33:20] How I Escalated a Time-Based SQL Injection to RCE
45:47
October 19, 2021
HyperKit Bugs & an Open5GS Stack Overflow [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hyperkit-bugs-an-open5gs-stack-overflow.html
Uninitialized variables everywhere in HyperKit, and an Open5GS stack-based buffer overflow.
[00:00:19] Spot The Vuln - Mind the Sign - Solution
[00:00:51] Spot The Vuln - Mind the Sign - Solution
[00:03:53] In EU no contract can prevent you from decompiling software you bought, if your goal is fixing a bug.
[00:11:05] Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]
[00:14:00] Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]
[00:15:27] Code execution outside the virtualized guest in hyperkit
[00:19:45] Disclosure of the host memory into the virtualized guest in hyperkit [CVE-2021-32847]
[00:30:14] The Challenges of Fuzzing 5G Protocols
32:17
October 14, 2021
SharePoint RCE & an Apache Path Traversal [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/sharepoint-rce-an-apache-path-traversal.html A simple-to-exploit path traversal in Apache... in 2021, a one-time-password defeat by having it be sent to both the attacker and the victim, and more JWT issues. [00:00:24] critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 [00:07:47] [Zomato] Improper Validation at Partners Login [00:12:25] How did I earned 6000$ from tokens and scopes in one day [00:22:13] Remote Code Execution in SharePoint via Workflow Compilation [CVE-2021-26420]
31:20
October 12, 2021
Chrome Exploits and a Firefox Update Bug [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/chrome-exploits-and-a-firefox-update-bug.html This week we start off with a nice introduction to signedness issues before diving into a couple of Chrome bugs (type confusion and use-after-free). [00:00:17] Spot the Vuln - I Can't Even (Solution) [00:03:46] Fixing a Security Bug by Changing a Function Signature [00:11:58] Chrome in-the-wild bug analysis: CVE-2021-30632 [00:21:25] GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528 [00:26:56] Phrack - Issue 70
31:56
October 07, 2021
Gatekeeper Bypass, Opera RCE, and Prototype Pollution [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gatekeeper-bypass-opera-rce-and-prototype-pollution.html A few interesting issues this week, ranging from a macOS Gatekeeper bypass, some OAuth flow issues in Facebook, and even an RCE through the password field. [00:00:37] The discovery of Gatekeeper bypass CVE-2021-1810 [00:08:50] Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts [00:22:50] Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings [00:30:50] XSS to RCE in the Opera Browser [00:35:28] Prototype Pollution
01:00:20
October 05, 2021
Kernel UAFs and a Parallels VM Escape [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kernel-uafs-and-a-parallels-vm-escape.html This week we've got a couple of Linux kernel Use-After-Frees and a Parallels guest to host escape. [00:00:18] Spot The Vuln - Solution [00:02:53] ChaffCTF [00:17:10] Kernel Vmalloc Use-After-Free in the ION Allocator [00:25:31] Linux Kernel: Exploitable vulnerability in io_uring [00:35:09] Parallels Desktop Guest to Host Escape [00:46:35] Igor: Crash Deduplication Through Root-Cause Clustering [00:51:10] Igor: Crash Deduplication Through Root-Cause Clustering [00:57:57] Deus x64: A Pwning Campaign | RET2 Systems
59:44
September 30, 2021
iOS 0days, Apache Dubbo RCEs, and NPM bugs [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ios-0days-apache-dubbo-rces-and-npm-bugs.html Some of Apple's XPC services are leaking information, Finder has an RCE, and some CodeQL usage to find many RCEs in Apache Dubbo. [00:00:38] macOS Finder RCE [00:06:11] AWS WorkSpaces Remote Code Execution [CVE-2021-38112] [00:10:09] Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program [00:26:51] 5 RCEs in npm for $15,000 [00:42:32] Apache Dubbo: All roads lead to RCE
56:04
September 29, 2021
A Curl UAF, iPhone FORCEDENTRY, and a Crazy HP OMEN Driver [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-curl-uaf-iphone-forcedentry-and-a-crazy-hp-omen-driver.html We start off the week with a crazy driver that exposes some powerful primitives, a use-after-free in curl, we speculate a bit about exploiting a 2-byte information disclosure, and talk about FORCEDENTRY. [00:00:20] Spot The Vuln - Minimax (Solution) [00:04:30] HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices [CVE-2021-3437] [00:12:32] Nitro Pro PDF JavaScript document.flattenPages JSStackFrame stack-based use-after-free vulnerability [00:19:31] Microsoft Azure Sphere Security Monitor SMSyscallPeripheralAcquire information disclosure vulnerability [00:27:24] [curl] UAF and double-free in MQTT sending [CVE-2021-22945] [00:34:41] Analyzing Pegasus Spyware's Zero-Click iPhone Exploit ForcedEntry
46:49
September 23, 2021
A Flickr CSRF, GitLab, & OMIGOD, Azure again? [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-flickr-csrf-gitlab-omigod-azure-again.html Some high impact vulnerabilities this week: CSRF in account deletion, remote code execution as root, and an Apache "0day" that discloses PHP source. [00:00:23] [Flickr] CSRF in Account Deletion feature [00:03:38] OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers [00:23:38] How I found my first Adobe Experience Manager related bug. [00:27:41] [GitLab] Stored XSS in main page of a project [00:31:01] [Mattermost] Privilege Escalation leading to post in channel without having privilege [00:34:15] Hacking CloudKit - How I accidentally deleted your Apple Shortcuts [00:48:52] Apache 0day bug, which still nobody knows of, and which was fixed accidentally
56:53
September 21, 2021
NETGEAR smart switches, SpookJS, & Parallels Desktop [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netgear-smart-switches-spookjs-parallels-desktop.html This week we've got an awesome chain of attacks in NETGEAR smart switches, a speculative type confusion (Spook.js) and an integer overflow leading to HTTP Request Smuggling. [00:03:40] Security researchers fed up with Apple’s bug bounty program [00:18:26] Demon's Cries vulnerability (some NETGEAR smart switches) [00:22:21] Draconian Fear vulnerability (some NETGEAR smart switches) [00:25:31] Seventh Inferno vulnerability (some NETGEAR smart switches) [00:34:33] Spook.js - Speculative Type Confusion [00:50:36] Critical vulnerability in HAProxy [00:55:45] Ribbonsoft dxflib DL_Dxf::handleLWPolylineData Heap-Based Buffer Overflow Vulnerability [01:03:43] Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja
01:12:44
September 16, 2021
Reused VMWare exploits & Escaping Azure Container Instances [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/reused-vmware-exploits-escaping-azure-container-instances.html Some drama with the VMware bounty program, and then a few straightforward vulnerabilities and a really cool Azure Container Instances escape and takeover. [00:01:51] Exploit Fired At VMWare leaked to Nuclei Project. [00:14:02] Bypassed! and uploaded a sweet reverse shell [00:18:51] Local File Read via Stored XSS in The Opera Browser [00:27:14] NETGEAR D7000 Authentication Bypass [00:33:34] GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink [00:42:25] Create free Shopify application credits [00:47:24] Cross-Account Container Takeover in Azure Container Instances [00:58:59] IAM Vulnerable - An AWS IAM Privilege Escalation Playground
01:01:29
September 14, 2021
Escaping the Bhyve, WhatsApp, & BrakTooth [Binary Exploitation]
A tricky-to-exploit WhatsApp vulnerability, but still an interesting bug, several Bhyve vulnerabilities, and a named Bluetooth vuln (BrakTooth). Links and summaries are available on our website: https://dayzerosec.com/podcast/escaping-the-bhyve-whatsapp-braktooth.html [00:00:00] Introduction + The Future [00:02:08] Spot The Vuln Solution [00:07:25] Replay-based attack on Honda and Acura vehicles [00:15:54] A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin [CVE-2021-2429] [00:25:44] Vulnerability in WhatsApp could have led to data exposure of users [00:32:26] Code execution outside the virtualized guest in bhyve [CVE-2021-29631] [00:40:59] Your vulnerability is in another OEM! [01:01:36] BrakTooth [01:09:00] HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs The DAY[0] Podcast has two weekly episodes that are streamed live on Twitch (https://www.twitch.tv/dayzerosec) Mondays at 3pm Eastern we focus on vulnerabilities that would be of interest to bounty hunters, and on Tuesdays at 7:00pm Eastern we focus on low-level vulnerabilities. You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
01:18:18
September 09, 2021
Takeover A Facebook, SnapChat or JetBrains Account [Bounty Hunting]
Multiple account takeover vulnerabilities in this episode, with three cross-origin communication vulnerabilities in Facebook, an odd OTP endpoint in SnapChat and an open redirect in JetBrains leaking your JWT. Links and summaries are available on our website: https://dayzerosec.com/podcast/takeover-a-facebook-snapchat-or-jetbrains-account.html [00:00:00] Introduction + The Future [00:08:37] How MarkMonitor left 60,000 domains for the taking [00:17:21] Eye for an eye: Unusual single click JWT token takeover [00:25:20] How I found a primitive but critical broken access control vulnerability in YouTrack… [00:29:02] Ghost CMS 4.3.2 - Cross-Origin Admin Takeover [00:33:47] Tale of $126k worth of bugs that lead to Facebook Account Takeovers [00:47:15] Improper Authentication - any user can login as other user [00:53:35] Illogical Apps - Exploring and Exploiting Azure Logic Apps
01:05:43
September 07, 2021
NoSQL Injection, Mobile Misconfigurations and a Wormable Windows Bug
Another short episode this week covering GraphQL attacks, a couple of NoSQL injections, a few misconfigurations and a cool attack to reset monotonic counters on a MIFARE card. [00:01:25] From CTFs to the Real World https://dayzerosec.com/tags/ctf-to-real-world/ [00:02:50] [GitHub] Exploits and Malware Policy Updates https://github.com/github/site-policy/pull/397 https://github.com/github/site-policy/pull/397/files [00:07:37] Mobile app developers’ misconfiguration of third party services leave personal data of over 100 million exposed https://research.checkpoint.com/2021/mobile-app-developers-misconfiguration-of-third-party-services-leave-personal-data-of-over-100-million-exposed/ [00:13:49] QNAP MusicStation/MalwareRemover Pre-Auth RCE https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/ [00:17:45] 2FA Bypass via Forced Browsing https://infosecwriteups.com/2fa-bypass-via-forced-browsing-9e511dfdb8df [00:24:22] That single GraphQL issue that you keep missing https://blog.doyensec.com/2021/05/20/graphql-csrf.html [00:32:22] Remote code execution in squirrelly [CVE-2021-32819] https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/ [00:44:30] NoSQL Injections in Rocket.Chat https://blog.sonarsource.com/nosql-injections-in-rocket-chat/ https://hackerone.com/reports/1130721 [00:49:15] RFID: Monotonic Counter Anti-Tearing Defeated https://blog.quarkslab.com/rfid-monotonic-counter-anti-tearing-defeated.html [00:56:24] A Wormable Code Execution Bug in HTTP.sys [CVE-2021-31166] https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys https://github.com/0vercl0k/CVE-2021-31166 [01:04:15] Fuzzing iOS code on macOS at native speed https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at-native.html [01:05:07] RuhrSec 2018: "Keynote: Weird machines, exploitability and unexploitability", Thomas Dullien https://www.youtube.com/watch?v=1ynkWcfiwOk [01:07:58] Browser fuzzing at Mozilla https://blog.mozilla.org/attack-and-defense/2021/05/20/browser-fuzzing-at-mozilla/ Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@dayzerosec)
01:10:46
May 25, 2021
Cross-Browser Tracking, Frag Attacks, and Malicious Rust Macros
A shorter episode, but some really cool vulns nonetheless, from mitigation bypassing on D-Link routers, to a new set of WiFi protocol design flaws. [00:01:14] Security Vulnerability Detection Using Deep Learning Natural Language Processing https://arxiv.org/abs/2105.02388v1 https://samate.nist.gov/SARD/ [00:08:12] Stealing secrets with Rust Macros proof-of-concept via VSCode https://github.com/lucky/bad_actor_poc [00:13:21] [GitLab] RCE when removing metadata with ExifTool https://hackerone.com/reports/1154542 https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233 [00:19:47] Terminal escape injection in AWS CloudShell https://bugs.chromium.org/p/project-zero/issues/detail?id=2154 https://github.com/c9/core/blob/master/plugins/c9.ide.terminal/aceterm/libterm.js#L1276 [00:23:54] Cross-browser tracking vulnerability in Tor, Safari, Chrome and Firefox https://fingerprintjs.com/blog/external-protocol-flooding/ [00:34:27] Fei Protocol Flashloan Vulnerability Postmortem https://medium.com/immunefi/fei-protocol-flashloan-vulnerability-postmortem-7c5dc001affb https://uniswap.org/docs/v2/smart-contract-integration/providing-liquidity/ [00:44:46] One-click reflected XSS on Instagram https://ysamm.com/?p=695 [00:47:24] D-Link Vulnerability [CVE-2021-27342] https://blog.whtaguy.com/2021/05/d-link-router-cve-2021-27342.html [00:51:52] Experimental Security Assessment of Mercedes-Benz Cars https://keenlab.tencent.com/en/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars/ https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf [01:01:08] FragAttacks: Fragmentation & Aggregation Attacks https://github.com/vanhoefm/fragattacks https://www.youtube.com/watch?v=OJ9nFeuitIU [01:10:57] Dell ‘dbutil_2_3.sys’ Kernel Exploit [CVE-2021-21551] https://connormcgarr.github.io/cve-2020-21551-sploit/ [01:11:45] googleprojectzero/Hyntrospect https://github.com/googleprojectzero/Hyntrospect [01:13:01] IDA Free w/ Cloud Decompiler Dropped https://www.hex-rays.com/ida-free/
01:18:52
May 18, 2021
Fake Vulns, More Valve, and an AWS Cognito issue
Kicking off the week with some awesome vulns, an "almost" padding oracle in Azure Functions, a race-condition in AWS Cognito, some Source engine bugs, and a Foxit Reader use-after-free. [00:00:52] Arbitrary Code Execution in the Universal Turing Machine [CVE-2021-32471] Our discussion of this topic was probably a bit premature and there does seem to be a bit more to it than the title implied. Still no real-world impact, but a bit more interesting of a situation nonetheless. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32471 https://arxiv.org/abs/2105.02124 [00:03:18] Detecting and annoying Burp users https://dustri.org/b/detecting-and-annoying-burp-users.html https://www.youtube.com/watch?v=I3pNLB3Cq24 [00:08:08] Enabling Hardware-enforced Stack Protection (cetcompat) in Chrome https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html [00:13:00] Password reset code brute-force vulnerability in AWS Cognito https://www.pentagrid.ch/en/blog/password-reset-code-brute-force-vulnerability-in-AWS-Cognito/ [00:16:52] ASUS GT-AC2900 Authentication Bypass [CVE-2021-32030] https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass [00:20:10] The False Oracle - Azure Functions Padding Oracle Issue https://polarply.medium.com/the-false-oracle-azure-functions-padding-oracle-issue-2025e0e6b8a [00:25:30] How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html [00:38:01] Workplace by Facebook | Unauthorized access to companies environment https://mvinni.medium.com/workplace-by-facebook-unauthorized-access-to-companies-environment-27-5k-a593a57092f1 [00:42:39] Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida https://ctf.re//source-engine/exploitation/2021/05/01/source-engine-2/ https://phoenhex.re/2018-08-26/csgo-fuzzing-bsp [00:53:11] [Valve] OOB reads in network message handlers leads to RCE https://hackerone.com/reports/807772 [01:01:07] Security probe of Qualcomm MSM data services https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/ [01:05:17] Foxit Reader FileAttachment annotation use-after-free vulnerability https://talosintelligence.com/vulnerability_reports/TALOS-2021-1287 [01:09:45] Attack llvmpipe Graphics Driver from Chromium https://insinuator.net/2021/05/attack-llvmpipe-graphics-driver-from-chromium/ [01:16:00] Privilege Escalation Via a Use After Free Vulnerability In win32k [CVE-2021-26900] https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k [01:26:25] 21Nails: Multiple vulnerabilities in Exim https://www.qualys.com/2021/05/04/21nails/21nails.txt [01:27:22] nRF52 Debug Resurrection (APPROTECT Bypass) https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/ [01:28:56] Capture The Flag - Discussion Video https://www.youtube.com/watch?v=4u5MDsIfQM8
01:30:18
May 11, 2021
Defcon Quals, Dead μops, BadAllocs, Wordpress XXE
Big episode this week, with a lot of discussion about CTFs, kernel drama, and GitHub's exploit policy. Then some really interesting exploit strategies on Tesla and Netgear, along with some simple, yet deadly issues in WordPress and Composer. [00:00:32] An Update on the UMN Affair https://lwn.net/SubscriberLink/854645/334317047842b6c3/ https://www-users.cs.umn.edu/%7Ekjlu/papers/full-disclosure.pdf [00:11:29] [GitHub] Exploits and Malware Policy Updates https://github.com/github/site-policy/pull/397 https://github.com/github/site-policy/pull/397/commits/f220679709b60dd4d6b34465a56b89bb79efcfe6#diff-24d72c4cb9785e60d5cbf50905291a5e079f4efd8c03f67904077cc2af4b8412L34 [00:18:22] OOO - DEF CON CTF https://oooverflow.io/ https://twitter.com/oooverflow/status/1388920554111987715 [00:34:23] BadAlloc - Memory Allocation Vulnerabilities https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/ https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 [00:40:15] I See Dead μops: Leaking Secrets via Intel/AMD Micro-Op Caches http://www.cs.virginia.edu/venkat/papers/isca2021a.pdf https://comparch.org/2021/05/01/i-see-dead-uops-thoughts-on-the-latest-spectre-paper-targeting-uop-caches/ [00:54:43] Brave - Stealing your cookies remotely https://infosecwriteups.com/brave-stealing-your-cookies-remotely-1e09d1184675 [00:57:37] Facebook account takeover due to unsafe redirects after the OAuth flow https://ysamm.com/?p=667 [01:03:11] WordPress 5.7 XXE Vulnerability https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/ [01:05:43] PHP Supply Chain Attack on Composer https://blog.sonarsource.com/php-supply-chain-attack-on-composer [01:10:25] Multiple Issues in Libre Wireless LS9 Modules https://www.iot-inspector.com/blog/advisory-multiple-issues-libre-wireless-ls9/ [01:14:50] macOS Gatekeeper Bypass https://objective-see.com/blog/blog_0x64.html https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508 [01:19:28] Linux Kernel /proc/pid/syscall information disclosure vulnerability https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211 [01:24:08] Remote Zero-Click Exploit in Tesla Automobiles https://kunnamon.io/tbone/ [01:31:00] NETGEAR Nighthawk R7000 httpd PreAuth RCE https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/ [01:34:43] Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities https://www.zerodayinitiative.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-interface-and-vulnerabilities [01:39:24] Exploiting Undocumented Hardware Blocks in the LPC55S69 https://oxide.computer/blog/lpc55/ [01:40:05] python stdlib "ipaddress" - Improper Input Validation [CVE-2021-29921] https://sick.codes/sick-2021-014/ [01:40:35] Ham Hacks: Breaking Into Software-defined Radio https://labs.bishopfox.com/industry-blog/ham-hacks-breaking-into-software-defined-radio [01:41:59] gand3lf/heappy: A happy heap editor to support your exploitation process https://github.com/Gand3lf/heappy [01:43:38] LiveQL Episode II: The Rhino in the room https://securitylab.github.co
01:44:37
May 04, 2021
Bad Patches, Fuzzing Sockets, & 3DS Hacked by Super Mario
Some drama in the Linux Kernel and so many vulns resulting in code execution in Homebrew, GitLab, an air fryer, Source engine, Super Mario Maker, Adobe Reader and the Linux Kernel. [00:00:32] On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/ https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ During this episode we speculated that the recent patches might be unrelated to the research. This seems to have been confirmed by UMN in an email we did not see before recording: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ [00:15:18] Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective https://signal.org/blog/cellebrite-vulnerabilities/ [00:22:30] [Ubuntu] OverlayFS LPE https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/ [00:25:48] Synology DSM AppArmor synosearchagent misconfiguration https://talosintelligence.com/vulnerability_reports/TALOS-2020-1158 [00:28:22] [GitLab] RCE via unsafe inline Kramdown options https://hackerone.com/reports/1125425 [00:35:25] [Homebrew] Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps https://hackerone.com/reports/1167608 https://blog.ryotak.me/post/homebrew-security-incident-en/ [00:41:52] Remote code execution vulnerabilities in Cosori smart air fryer https://blog.talosintelligence.com/2021/04/vuln-spotlight-co.html https://talosintelligence.com/vulnerability_reports/TALOS-2020-1217 https://talosintelligence.com/vulnerability_reports/TALOS-2020-1216 [00:48:54] Source engine remote code execution via game invites [CVE-2021-30481] https://secret.club/2021/04/20/source-engine-rce-invite.html [01:00:40] Discussion: Should programs be banned from Hackerone https://dayzerosec.com [01:08:54] [Nintendo|3DS] Buffer Overflow in Super Mario Maker level decompression https://hackerone.com/reports/687887 [01:15:12] PrusaSlicer Obj.cpp load_obj() out-of-bounds write vulnerability https://talosintelligence.com/vulnerability_reports/TALOS-2020-1219 [01:20:12] Analysis of a use-after-free Vulnerability in Adobe Acrobat Reader DC https://blog.exodusintel.com/2021/04/20/analysis-of-a-use-after-free-vulnerability-in-adobe-acrobat-reader-dc/ https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem [01:31:21] Designing sockfuzzer, a network syscall fuzzer for XNU https://googleprojectzero.blogspot.com/2021/04/designing-sockfuzzer-network-syscall.html [01:37:26] gaasedelen/tenet: A Trace Explorer for Reverse Engineers https://github.com/gaasedelen/tenet [01:40:41] tmp.0ut https://tmpout.sh/1/ [01:44:35] Phœnix exploit / iOS 9.3.5 https://gist.github.com/Siguza/96ae6d6806e974199b1d44ffffca5331 [01:46:02] Experiences with Apple Security Bounty https://theevilbit.github.io/posts/experiences_with_asb/
01:49:51
April 27, 2021
Windows Bugs, Duo 2FA Bypass, and some Reverse Engineering
Authentication bypasses, a Duo 2FA bypass, RCEs, a VM escape, and some reverse engineering writeups. [00:00:26] Project Zero: Policy and Disclosure: 2021 Edition https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html [00:06:27] Remote exploitation of a man-in-the-disk vulnerability in WhatsApp [CVE-2021-24027] https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/ [00:14:06] Allow arbitrary URLs, expect arbitrary code execution https://positive.security/blog/url-open-rce [00:18:29] GHSL-2020-340: log injection in SAP/Infrabox https://securitylab.github.com/advisories/GHSL-2020-340/ [00:22:21] Duo Two-factor Authentication Bypass https://sensepost.com/blog/2021/duo-two-factor-authentication-bypass/ [00:31:22] [Grammarly] Ability to DOS any organization's SSO and open up the door to account takeovers https://hackerone.com/reports/976603 [00:35:50] From 0 to RCE: Cockpit CMS https://swarm.ptsecurity.com/rce-cockpit-cms/?d [00:41:41] Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape https://www.bugcrowd.com/blog/big-bugs-cve-2020-28914/ [00:48:52] xscreensaver: raw socket leaked https://bugs.chromium.org/p/project-zero/issues/detail?id=2174 [00:51:31] Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086) https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/ https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html [00:59:49] Exploiting System Mechanic Driver https://voidsec.com/exploiting-system-mechanic-driver/ [01:03:27] Zero-day vulnerability in Desktop Window Manager used in the wild [CVE-2021-28310] https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/ [01:08:33] Windows Defender mpengine remote code execution [CVE-2021-1647] https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1647.html [01:13:55] ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3 https://leethax0.rs/2021/04/ElectricChrome/ http://www.phrack.org/papers/attacking_javascript_engines.html [01:20:36] QEMU and U: Whole-system tracing with QEMU customization https://www.atredis.com/blog/qemu-and-u-whole-system-tracing-with-qemu-customization [01:21:31] Learning Resource - Hexterisk Blog https://hexterisk.github.io/blog/posts/
01:23:50
April 20, 2021
Pwn2own, Linux Kernel Exploits, and Malicious Mail
MD5 is trending in 2021... a few kernel vulnerabilities, and some drama around Pwn2Own. [00:00:26] Update on git.php.net incident https://externals.io/message/113981 [00:06:38] Pwn2Own 2021 - Results https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results [00:18:53] CSGO exploit allows hackers to steal passwords, and Valve hasn't fixed it https://www.dexerto.com/csgo/csgo-exploit-allows-hackers-steal-passwords-valve-no-fix-1551056/?amp [00:26:20] I Built a TV That Plays All of Your Private YouTube Videos https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/ [00:33:27] Leak of all accounts mail login md5 pass https://hackerone.com/reports/514488 [00:37:11] What if you could deposit money into your Betting account for free? https://mikey96.medium.com/what-if-you-could-deposit-money-into-your-betting-account-for-free-24f6690aff46 [00:41:41] Zero click vulnerability in Apple’s macOS Mail https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c [00:44:54] Stored XSS on the DuckDuckGo search results page https://monke.ie/duckduckgoxss/ [00:49:13] Breaking GitHub Private Pages for $35k https://robertchen.cc/blog/2021/04/03/github-pages-xss [00:57:03] Royal Flush: Privilege Escalation Vulnerability in Azure Functions https://www.intezer.com/blog/cloud-security/royal-flush-privilege-escalation-vulnerability-in-azure-functions/ [01:01:38] QNAP Pre-Auth CGI_Find_Parameter RCE https://ssd-disclosure.com/ssd-advisory-qnap-pre-auth-cgi_find_parameter-rce/ [01:04:14] Domain Time II Upgrade Attack https://blog.grimm-co.com/2021/04/time-for-upgrade.html [01:07:12] Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [01:15:57] BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html [01:28:05] BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html [01:29:07] Exploiting Windows RPC to bypass CFG mitigation https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG.html https://medium.com/@mxatone/mitigation-bounty-from-read-write-anywhere-to-controllable-calls-ca1b9c7c0130#.9l7ejbkij [01:34:00] security things in Linux v5.9 https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/ https://github.com/gcc-mirror/gcc/commit/d10f3e900b0377b4760a090b0f90371bcef01686 https://twitter.com/kees_cook/status/1380271827281276928
01:40:06
April 13, 2021
Speculation in Predictive Store Forwarding, Broken Fixes, and Owning Rocket.Chat
One episode, several failed attempts to fix vulnerabilities, an interesting Rocket.Chat XSS, and an exploitable TXT file abusing some weird features.

[00:00:46] nOtWASP bottom 10: vulnerabilities that make you cry
https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry
[00:07:28] Click here for free TV! - Chaining bugs to takeover Wind Vision accounts
https://labs.f-secure.com/blog/wind-vision-writeup/
[00:15:28] Elevate Yourself to Admin in Umbraco CMS 8.9.0 (CVE-2020-29454)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/elevate-yourself-to-admin-in-umb-cms-890-cve-2020-29454/
[00:23:19] "netmask" npm package vulnerable to octal input data [CVE-2021-28918]
https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
[00:28:38] [HackerOne] Jira integration plugin Leaked JWT
https://hackerone.com/reports/1103582
[00:33:20] [Kaspersky] A vulnerability in KAVKIS 2020 products family allows full disabling of protection
https://hackerone.com/reports/870615
[00:38:06] [Rocket.Chat] Account takeover via XSS
https://hackerone.com/reports/735638
[00:43:18] This man thought opening a TXT file is fine, he thought wrong. macOS [CVE-2019-8761]
https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
[00:52:41] Who Contains the Containers?
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
[01:06:11] Getting Code Execution on Apache Druid [CVE-2021-25646]
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid
[01:12:59] Security Analysis of AMD Predictive Store Forwarding
https://www.amd.com/system/files/documents/security-analysis-predictive-store-forwarding.pdf
[01:19:58] Pluralsight free for April
https://www.pluralsight.com/
[01:21:54] Pwn2Own 2021
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
01:25:04
April 06, 2021
Google exposes an APT campaign, PHP owned, and Several Auth Issues
Long episode this week as we talk about Google's decision to thwart a Western intelligence operation (by fixing vulns), multiple authorization and authentication issues, and of course some memory corruption.

[00:00:46] Google's unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/
[00:21:48] PHP Git Compromised
https://news-web.php.net/php.internals/113838
https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
[00:32:24] [Google Chrome] File System Access API vulnerabilities
https://github.com/Puliczek/CVE-2021-21123-PoC-Google-Chrome
[00:37:58] Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos
https://hackerone.com/reports/1034257
[00:42:05] GHSL-2020-323: Template injection in a GitHub workflow of geek-cookbook
https://securitylab.github.com/advisories/GHSL-2020-323-geek-cookbook-workflow/
[00:47:58] H2C Smuggling in the Wild
https://blog.assetnote.io/2021/03/18/h2c-smuggling/
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
[00:53:27] H2C Smuggling in the Wild
https://blog.assetnote.io/2021/03/18/h2c-smuggling/
[00:57:18] Multiple Authorization bypass issues in Google's Richmedia Studio
https://www.ehpus.com/post/multiple-authorization-bypass-issues-in-google-s-richmedia-studio
[01:06:15] DD-WRT UPNP Buffer Overflow
https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/
https://github.com/mirror/dd-wrt/commit/da1d65a2ec471f652c77ae0067544994cdaf5e27
[01:10:36] GHSL-2021-045: Integer Overflow in GLib - [CVE-2021-27219]
https://securitylab.github.com/advisories/GHSL-2021-045-g_bytes_new/
[01:14:12] Qualcomm IPQ40xx: Analysis of Critical QSEE Vulnerabilities
https://raelize.com/blog/qualcomm-ipq40xx-analysis-of-critical-qsee-vulnerabilities/
[01:22:50] One day short of a full chain: Part 3 - Chrome renderer RCE
https://securitylab.github.com/research/one_day_short_of_a_fullchain_renderer/
[01:35:37] Chat Question: Where to learn about Windows Heap exploitation
https://dayzerosec.com
[01:39:44] Adobe Reader CoolType arbitrary stack manipulation in Type 1/Multiple Master othersubrs 14-18
https://bugs.chromium.org/p/project-zero/issues/detail?id=2131
[01:46:26] Eliminating XSS from WebUI with Trusted Types
https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/
[01:54:19] Hidden OAuth attack vectors
https://portswigger.net/research/hidden-oauth-attack-vectors
[02:03:05] The Future of C Code Review
https://research.nccgroup.com/2021/03/23/the-future-of-c-code-review/
[02:15:03] Microsoft Exchange Server-Side Request Forgery [CVE-2021-26855]
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html
02:16:35
March 30, 2021
Fast Fuzzing, Malicious Pull Requests, and Rust in my kernel?!
Time to rewrite Linux in Rust? Probably not, but Rust support has landed in linux-next, which we talk about. We also look at a couple of interesting GitHub vulns and talk about fuzzing.

[00:00:28] Rust in the Linux Kernel
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/rust?id=c77c8025525c36c9d2b9d82e4539403701276a1d
https://www.youtube.com/watch?v=FFjV9f_Ub9o&t=2066s
https://lkml.org/lkml/2020/7/9/952
https://lkml.org/lkml/2020/7/10/1261
[00:13:40] Two Undocumented Instructions to Update Microcode Discovered
https://twitter.com/_markel___/status/1373059797155778562
[00:19:06] DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS
https://palant.info/2021/03/15/duckduckgo-privacy-essentials-vulnerabilities-insecure-communication-and-universal-xss/
[00:26:46] Abusing VoIPmonitor for Remote Code Execution
https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonitor-for-remote-code-execution/
[00:32:18] Stealing arbitrary GitHub Actions secrets
https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html
[00:40:29] How we found and fixed a rare race condition in our session handling
https://github.blog/2021-03-18-how-we-found-and-fixed-a-rare-race-condition-in-our-session-handling/
[00:49:05] GitLab - Ability To Delete User(s) Account Without User Interaction
https://hackerone.com/reports/928255
[00:52:49] New Old Bugs in the Linux Kernel
https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
https://github.com/grimm-co/NotQuite0DayFriday/tree/trunk/2021.03.12-linux-iscsi
[01:00:33] Fuzzing: FastStone Image Viewer [CVE-2021-26236]
https://voidsec.com/fuzzing-faststone-image-viewer-cve-2021-26236/
[01:06:53] A Replay-Style Deserialization Attack Against SharePoint [CVE-2021-27076]
https://www.thezdi.com/blog/2021/3/17/cve-2021-27076-a-replay-style-deserialization-attack-against-sharepoint
[01:12:38] One day short of a full chain: Part 2 - Chrome sandbox escape
https://securitylab.github.com/research/one_day_short_of_a_fullchain_sbx
[01:18:58] Code execution in Wireshark via non-http(s) schemes in URL fields
https://gitlab.com/wireshark/wireshark/-/issues/17232
[01:21:59] Attacking and Defending OAuth 2.0 (Part 2 of 2: Attacking OAuth 2.0 Authorization Servers)
https://www.praetorian.com/blog/attacking-and-defending-oauth-2/
[01:30:37] Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
https://blog.trailofbits.com/2021/03/19/un-bee-lievable-performance-fast-coverage-guided-fuzzing-with-honeybee-and-intel-processor-trace/
[01:42:00] Pulling Bits From ROM Silicon Die Images: Unknown Architecture
https://ryancor.medium.com/pulling-bits-from-rom-silicon-die-images-unknown-architecture-b73b6b0d4e5d
[01:42:28] 0dayfans.com
https://0dayfans.com/
https://github.com/dayzerosec/feedgen
https://shop.spreadshirt.com/dayzerosec/
01:45:13
March 23, 2021
Hacking Cameras, Stealing Logins, and Breaking Git
RCE while cloning a Git repo, injecting video into network cameras, and stealing logins with HTML injection when XSS isn't possible.

[00:00:32] Critics fume after Github removes exploit code for Exchange vulnerabilities
https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/
https://borncity.com/win/2021/03/14/gab-es-beim-exchange-massenhack-ein-leck-bei-microsoft/
[00:09:21] CCTV: Now You See Me, Now You Don't
https://research.aurainfosec.io/v380-ip-camera/
[00:13:47] CSRF to RCE Chain in Zabbix [CVE-2021-27927]
https://www.horizon3.ai/disclosures/zabbix-csrf-to-rce
[00:19:44] Stealing Froxlor login credentials using dangling markup [CVE-2020-29653]
https://labs.detectify.com/2021/03/10/cve-2020-29653-stealing-froxlor-login-credentials-dangling-markup/
[00:25:29] git: malicious repositories can execute remote code while cloning
https://www.openwall.com/lists/oss-security/2021/03/09/3
https://github.com/gitster/git/commit/684dd4c2b414bcf648505e74498a608f28de4592
[00:30:49] git: malicious repositories can execute remote code while cloning
https://www.openwall.com/lists/oss-security/2021/03/09/3
https://bugs.chromium.org/p/project-zero/issues/detail?id=2021
[00:33:37] Dell OpenManage Server Administrator File Read [CVE-2020-5377]
https://rhinosecuritylabs.com/research/cve-2020-5377-dell-openmanage-server-administrator-file-read/
[00:38:55] Windows Containers: ContainerUser has Elevated Privileges
https://bugs.chromium.org/p/project-zero/issues/detail?id=2127
[00:40:18] Windows Containers: Host Registry Virtual Registry Provider Bypass EoP
https://bugs.chromium.org/p/project-zero/issues/detail?id=2129
[00:42:34] F5 Big IP - ASM stack-based buffer overflow in is_hdr_criteria_matches
https://bugs.chromium.org/p/project-zero/issues/detail?id=2132
[00:48:59] F5 Big IP - TMM uri_normalize_host infoleak and out-of-bounds write
https://bugs.chromium.org/p/project-zero/issues/detail?id=2126
[00:59:37] One day short of a full chain: Part 1 - Android Kernel arbitrary code execution
https://securitylab.github.com/research/one_day_short_of_a_fullchain_android
[01:08:07] Exploiting a “Simple” Vulnerability, Part 2 – What If We Made Exploitation Harder?
https://windows-internals.com/exploiting-a-simple-vulnerability-part-2-what-if-we-made-exploitation-harder/?utm_source=rss&utm_medium=rss&utm_campaign=exploiting-a-simple-vulnerability-part-2-what-if-we-made-exploitation-harder
[01:09:11] Playing in the (Windows) Sandbox
https://research.checkpoint.com/2021/playing-in-the-windows-sandbox/
[01:09:39] Regexploit: DoS-able Regular Expressions
https://blog.doyensec.com/2021/03/11/regexploit.html
01:11:35
March 16, 2021
Buggy Browsers, Heap Grooming, and Broken RSA?
This week we get to take a look at some basic heap grooming techniques as we examine multiple heap overflows. We also briefly discuss the hands-on assessment (by the DoD and Synack) of the "unhackable" Morpheus chip, and the new-ish paper claiming to defeat RSA.

[00:00:53] "This destroys the RSA cryptosystem." - Fast Factoring Integers by SVP Algorithms
https://eprint.iacr.org/2021/232
https://github.com/lducas/SchnorrGate
[00:06:55] DARPA pitted 500+ hackers against this computer chip. The chip won.
https://cse.engin.umich.edu/stories/morpheus-vs-everybody
https://www.reddit.com/r/HowToHack/comments/bl9qo3/morpheus_chip/empsclt/?context=10
[00:18:10] SaltStack API vulnerabilities
https://dozer.nz/posts/saltapi-vulns
https://github.com/saltstack/salt/blob/08fe46365f92583ea875f9e4a8b2cb5305b34e4b/salt/client/ssh/client.py#L72
[00:22:57] An Interesting Feature in the Samsung DSP Driver
https://www.synacktiv.com/en/publications/an-interesting-feature-in-the-samsung-dsp-driver.html
[00:30:50] Pre-Auth Remote Code Execution in VMware ESXi [CVE-2020-3992 CVE-2021-21974]
https://www.thezdi.com/blog/2021/3/1/cve-2020-3992-amp-cve-2021-21974-pre-auth-remote-code-execution-in-vmware-esxi
[00:39:05] Defeating the TP-Link AC1750
https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html
[00:44:52] Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
[00:57:11] Yet another RenderFrameHostImpl UAF
https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/
[01:03:16] Webkit AudioSourceProviderGStreamer use-after-free vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1172
01:07:59
March 09, 2021
BlackHat USA, Pre-Auth RCEs, and JSON Smuggling
This week we talk a bit about the newly released Black Hat USA 2020 and NDSS 2021 presentation videos before jumping into several pre-auth RCEs, some interesting exploitation research bringing a PAC-enforced shadow stack to ARM, and an examination of JSON parser interoperability issues.

[00:00:41] Microsoft open sources CodeQL queries used to hunt for Solorigate activity
https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/
https://github.com/github/codeql/pull/5083/commits/5e1e27c2b6b3429623b66531d4fe0b090e70638a
[00:04:16] Black Hat USA 2020
https://www.youtube.com/playlist?list=PLH15HpR5qRsXE_4kOSy_SXwFkFQre4AV_
https://www.youtube.com/c/NDSSSymposium/search?query=NDSS+2021
[00:13:56] Cookie poisoning leads to DOS and Privacy Violation
https://hackerone.com/reports/1067809
[00:16:37] Unauthorized RCE in VMware vCenter
https://swarm.ptsecurity.com/unauth-rce-vmware/
[00:20:01] A Fifteen-Year-Old RCE Bug Returns in ISC BIND Server [CVE-2020-8625]
https://www.thezdi.com/blog/2021/2/24/cve-2020-8625-a-fifteen-year-old-rce-bug-returns-in-isc-bind-server
[00:25:42] Arbitrary File Write on packagecontrol.io (Sublime Text)
https://bugs.chromium.org/p/project-zero/issues/detail?id=2163
[00:30:31] [Uber] PreAuth RCE on Palo Alto GlobalProtect
https://hackerone.com/reports/540242
http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
[00:35:26] The little bug that couldn't: Securing OpenSSL
https://github.blog/2021-02-25-the-little-bug-that-couldnt-securing-openssl/
[00:41:49] PACStack: an Authenticated Call Stack
https://www.usenix.org/conference/usenixsecurity21/presentation/liljestrand
[00:56:29] An Exploration of JSON Interoperability Vulnerabilities
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities
[01:03:59] Top 10 web hacking techniques of 2020
https://portswigger.net/research/top-10-web-hacking-techniques-of-2020
[01:05:50] OST 2.0 Beta Spots Open
https://twitter.com/XenoKovah/status/1366224804639031299
01:09:45
March 02, 2021
PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking
A couple of privacy violations, PDF exploits, and a complicated API being misused by developers.

[00:00:48] Brave browser leaks onion addresses in DNS traffic
https://ramble.pw/f/privacy/2387
[00:07:05] Tales of Favicons and Caches: Persistent Tracking in Modern Browsers
https://www.ndss-symposium.org/ndss-paper/tales-of-favicons-and-caches-persistent-tracking-in-modern-browsers/
[00:18:12] Shadow Attacks: Hiding and Replacing Content in Signed PDFs
https://www.ndss-symposium.org/ndss-paper/shadow-attacks-hiding-and-replacing-content-in-signed-pdfs/
[00:28:20] Getting Information Disclosure in Adobe Reader Through the ID Tag
https://www.thezdi.com/blog/2021/2/17/zdi-21-171-getting-information-disclosure-in-adobe-reader-through-the-id-tag
[00:32:42] Middleware everywhere and lots of misconfigurations to fix
https://labs.detectify.com/2021/02/18/middleware-middleware-everywhere-and-lots-of-misconfigurations-to-fix/
[00:43:05] GPGme used confusion, it's super effective !
https://www.synacktiv.com/en/publications/gpgme-used-confusion-its-super-effective.html
[00:51:58] Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions
https://emvrace.github.io
[01:01:11] Hunting for bugs in Telegram's animated stickers remote attack surface
https://www.shielder.it/blog/2021/02/hunting-for-bugs-in-telegrams-animated-stickers-remote-attack-surface/
[01:08:03] Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits
https://arxiv.org/abs/2102.07869v1
[01:20:27] Model Skewing Attacks on Machine Learning Models
https://payatu.com/blog/nikhilj/sec4ml-machine-learning-model-skewing-data-poisoning
[01:21:37] Future of Exploit Development - 2021 and Beyond
https://www.youtube.com/watch?v=o_hk9nh8S1M
01:24:30
February 23, 2021
Industrial Control Fails and a Package disguised in your own supply
"Beg bounty" hunters, dependency confusion, an iOS kernel vuln, and how not to respond to security research.

[00:00:59] Florida Water Treatment Facility Hacked
https://twitter.com/Bing_Chris/status/1358873543623274499
[00:09:19] Have a domain name? "Beg bounty" hunters may be on their way
https://news.sophos.com/en-us/2021/02/08/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way/amp/
[00:20:14] FootFallCam and MetaTechnology Drama
https://twitter.com/_MG_/status/1359582048260743169
[00:28:33] Telegram privacy fails [CVE-2021-27204] [CVE-2021-27205]
https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html
[00:36:43] Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
[00:44:33] Exploiting a Second-Order SQL Injection in LibreNMS [CVE-2020-35700]
https://www.horizon3.ai/disclosures/librenms-second-order-sqli
[00:50:46] Swarm of Palo Alto PAN-OS vulnerabilities
https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
[00:56:25] Advantech iView Missing Authentication RCE [CVE-2021-22652]
https://blog.rapid7.com/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/
[01:02:30] Windows kernel zero-day exploit [CVE-2021-1732]
https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/
[01:08:50] Analysis and exploitation of the iOS kernel vulnerability [CVE-2021-1782]
https://www.synacktiv.com/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782
[01:20:10] Misusing Service Workers for Privacy Leakage
https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/
[01:27:53] security things in Linux v5.8
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
[01:40:42] Linux Heap Exploitation - Part 2
https://www.udemy.com/course/linux-heap-exploitation-part-2/
01:44:41
February 16, 2021
MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
A lot of discussion this week about OSS security and security processes, an iOS kernel type confusion, and a MediaTek bootloader bypass impacting everything since at least 2014.

[00:04:54] Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source
https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html
[00:15:18] Launching OSV - Better vulnerability triage for open source
https://security.googleblog.com/2021/02/launching-osv-better-vulnerability.html
[00:22:38] Most Common Bugs of 2021 So Far
https://www.bugcrowd.com/blog/common-bugs-of-2021/
[00:31:59] Exploiting the Nespresso smart cards for fun and coffee
https://pollevanhoof.be/nuggets/smart_cards/nespresso
[00:39:10] Spoofing and Attacking With Skype
https://blog.thecybersecuritytutor.com/spoofing-and-attacking-with-skype/
[00:45:01] Getting root on webOS
https://blog.recurity-labs.com/2021-02-03/webOS_Pt1.html
[00:51:31] Applying Offensive Reverse Engineering to Facebook Gameroom
https://spaceraccoon.dev/applying-offensive-reverse-engineering-to-facebook-gameroom
[00:59:36] Major Vulnerabilities Discovered in Realtek RTL8195A Wi-Fi Module
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered
[01:06:32] MTK Bypass Universal
https://megafon929.github.io/mtk
[01:14:13] Project Zero: iOS Kernel privesc with turnstiles [CVE-2020-27932]
https://googleprojectzero.blogspot.com/p/rca-cve-2020-27932.html
https://googleprojectzero.blogspot.com/p/rca.html
[01:21:41] Why Security Defects Go Unnoticed during Code Reviews?
http://amiangshu.com/papers/paul-ICSE-2021.pdf
01:34:15
February 09, 2021
OSED, North Korean hackers, NAT Slipstream 2.0, and PGP (in)security
Starting with a long discussion about the North Korean hackers targeting security researchers, and some thoughts (rants) about the newly released Windows exploit dev course from Offensive Security, before getting into some real exploits including NAT Slipstreaming 2.0 and a new sudo vuln.

[00:00:52] About the security content of iOS 14.4 and iPadOS 14.4
https://support.apple.com/en-us/HT212146
[00:02:42] New campaign targeting security researchers
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
https://twitter.com/pwn_expoit/status/1354024291398950913
https://twitter.com/chris_salls/status/1353989045617975297
[00:44:45] New Exploit Dev Course: EXP-301
https://www.offensive-security.com/offsec/new-course-exp301/
https://wargames.ret2.systems/
[01:04:53] Linksys WRT160NL – Authenticated Command Injection [CVE-2021-25310]
https://research.nccgroup.com/2021/01/28/technical-advisory-linksys-wrt160nl-authenticated-command-injection-cve-2021-25310/
[01:07:13] Vulnerabilities within TikTok Friend-Finder
https://research.checkpoint.com/2021/tiktok-fixes-privacy-issue-discovered-by-check-point-research/
[01:14:07] BitLocker touch-device lockscreen bypass
https://secret.club/2021/01/29/touch-lockscreen-bypass.html
[01:20:53] NAT Slipstreaming v2.0
https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/
https://samy.pl/slipstream/
[01:26:35] [Security fix] Libgcrypt 1.9.1 released
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
https://dev.gnupg.org/rC512c0c75276949f13b6373b5c04f7065af750b08
[01:30:44] Baron Samedit: Heap-based buffer overflow in Sudo [CVE-2021-3156]
https://www.openwall.com/lists/oss-security/2021/01/26/3
https://github.com/sudo-project/sudo/commit/1f8638577d0c80a4ff864a2aad80a0d95488e9a8
https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156
[01:44:49] Exploiting a “Simple” Vulnerability – Part 1.5 – The Info Leak
https://windows-internals.com/exploiting-a-simple-vulnerability-part-1-5-the-info-leak/
[01:50:53] Windows Kernel DoS/Privilege Escalation via a NULL Pointer Deref
https://www.thezdi.com/blog/2021/1/27/zdi-can-12671-windows-kernel-dosprivilege-escalation-via-a-null-pointer-deref
[01:56:31] XS-Leaks in redirect flows
https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63e29d5a06_0_0
[02:02:13] Keeping your GitHub Actions and workflows secure: Untrusted input
https://securitylab.github.com/research/github-actions-untrusted-input
[02:08:04] iOS Security Tutorial - Patching ASLR in the Kernel
https://www.youtube.com/watch?v=Gszvbi8AU68
[02:08:58] Project Zero: A Look at iMessage in iOS 14
https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
[02:09:37] Effectively Fuzzing the IPC Layer in Firefox
https://blog.mozilla.org/attack-and-defense/2021/01/27/effectively-fuzzing-the-ipc-layer-in-firefox/
02:11:16
February 02, 2021
Snooping YouTube History and Breaking State Machines
This week is a shorter episode, but still some solid bugs to look at: from a full-chain Chrome exploit, to a Kindle chain from remote to root, to an eBPF incorrect calculation leading to OOB read/write.

[00:00:41] Albicla launch clusterfuck
https://www.reddit.com/r/programminghorror/comments/l25ppk/albicla_launch_clusterfuck/
[00:04:41] [NordVPN] RCE through Windows Custom Protocol on Windows client
https://hackerone.com/reports/1001255
[00:09:00] Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform
https://www.thezdi.com/blog/2021/1/20/three-bugs-in-orions-belt-chaining-multiple-bugs-for-unauthenticated-rce-in-the-solarwinds-orion-platform
[00:18:50] The Embedded YouTube Player Told Me What You Were Watching (and more)
https://bugs.xdavidhu.me/google/2021/01/18/the-embedded-youtube-player-told-me-what-you-were-watching-and-more/
[00:24:27] The State of State Machines
https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=2085
[00:34:21] KindleDrip - From Your Kindle’s Email Address to Using Your Credit Card
https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08
[00:44:00] New campaign targeting security researchers
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
[00:44:42] An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier
https://www.thezdi.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
[00:49:18] Chat Question: What do we think of HackTheBox
https://hackthebox.eu
[00:53:51] Bad Pods: Kubernetes Pod Privilege Escalation
https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation
[00:53:24] [Linux Kernel Exploitation 0x2] Controlling RIP and Escalating privileges via Stack Overflow
https://blog.k3170makan.com/2021/01/linux-kernel-exploitation-0x2.html
https://pwn.college/modules/kernel
57:42
January 26, 2021
Breaking Lock Screens & The Great Vbox Escape
Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains.

One important thing to mention about this week's episode that was neglected during the discussion: the BitLocker lockscreen bypass is a lockscreen bypass. It does not by itself provide access to the data BitLocker protects. If BitLocker is running in "transparent operation mode" (TPM-only, with no PIN or startup key), the TPM has already released the volume key at boot, so getting past the Windows logon is all that stands between an attacker and the data, and this vulnerability can then grant access to the encrypted data.

[00:00:00] Introduction
https://dayzerosec.com/
[00:00:59] Slayer Labs
https://slayerlabs.com/
[00:12:03] BugTraq Shutdown
https://seclists.org/bugtraq/2021/Jan/0
[00:17:22] Data Security on Mobile Devices
https://securephones.io/
[00:27:08] Running a fake power plant on the internet for a month
https://grimminck.medium.com/running-a-fake-power-plant-on-the-internet-for-a-month-4a624f685aaa
[00:33:43] BitLocker Lockscreen bypass
https://secret.club/2021/01/15/bitlocker-bypass.html
[00:39:30] [Linux Mint] Screensaver lock by-pass via the virtual keyboard
https://github.com/linuxmint/cinnamon-screensaver/issues/354
[00:43:02] [NextCloud] Bypassing Passcode/Device credentials
https://hackerone.com/reports/747726
[00:51:02] How I hijacked the top-level domain of a sovereign state
https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
[01:00:28] Laravel
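As an added check for the BitLocker caveat above (this is editor-supplied example code, not from the episode or the linked secret.club write-up), the following PowerShell lists each BitLocker operating-system volume's key protectors and flags the TPM-only configuration in which a lock-screen bypass lands on an already-unlocked volume. It assumes the BitLocker module's Get-BitLockerVolume cmdlet (Windows 8 / Server 2012 and later) and an elevated prompt; the function name and the TransparentMode column are ours.

```powershell
# Added example: flag BitLocker OS volumes running in "transparent operation mode".
# In that mode the TPM unseals the volume key at boot with no PIN or startup key,
# so anything that gets past the Windows lock screen already has the decrypted data.
# Assumes the BitLocker PowerShell module and an elevated prompt.
function Get-BitLockerPreBootAuth {
    # Protector types that demand something from the user before Windows boots.
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types      = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
            $hasTpm     = $types -contains 'Tpm'
            $hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                # Recovery protectors (RecoveryPassword, ExternalKey used as a recovery
                # key) do not gate boot, so they do not count either way.
                TransparentMode  = ($hasTpm -and -not $hasPreBoot)
            }
        }
}

Get-BitLockerPreBootAuth | Format-Table -AutoSize
```

A volume that reports TransparentMode = True with ProtectionStatus On is the case the show notes describe: the lock screen is the only barrier between an attacker with physical access and the plaintext volume. Adding a TpmPin protector (manage-bde -protectors -add C: -TPMAndPIN) is the usual fix.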
01:24:33
January 19, 2021
Universal Deserialization, Stealing Youtube Videos, and CTFs
A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research.

[00:00:36] Cybersecurity Knowledge and Skills Taught in Capture the Flag Challenges
https://arxiv.org/pdf/2101.01421v1.pdf
[00:10:36] Universal Deserialisation Gadget for Ruby 2.x-3.x
https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
[00:13:54] Stealing Your Private YouTube Videos, One Frame at a Time
https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/
[00:21:43] Rocket.chat - SAML authentication bypass
https://hackerone.com/reports/1049375
[00:25:49] curl is vulnerable to SSRF due to improperly parsing the host component of the URL
https://hackerone.com/reports/704621
[00:31:02] Issue 2095: Node.js: use-after-free in TLSWrap
https://bugs.chromium.org/p/project-zero/issues/detail?id=2095
[00:35:28] Preventing Use-After-Free Attacks with Fast Forward Allocation
https://gts3.org/assets/papers/2021/wickman:ffmalloc.pdf
[00:49:38] Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
https://www.usenix.org/system/files/sec20fall_yun_prepub.pdf
[00:59:50] A Samsung RKP Compendium
https://blog.longterm.io/samsung_rkp.html
[01:11:32] Analyzing CVE-2020-16040
https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
[01:13:51] HexLasso Online
https://suszter.com/hexlasso-online/
[01:15:30] A Side Journey to Titan
https://ninjalab.io/a-side-journey-to-titan/
01:17:34
January 12, 2021
Hacking Nintendo 3DS, Apple vs Corellium, and Android Bugs
An update on Apple v. Corellium, some 3DS vulnerabilities, and some drama on this week's episode.

[00:00:34] Remote Chaos Experience
https://media.ccc.de/c/rc3
[00:20:06] Apple Inc. v. Corellium, LLC
https://www.courtlistener.com/docket/16064642/784/apple-inc-v-corellium-llc/
[00:28:17] The Great Suspender - New maintainer is probably malicious
https://github.com/greatsuspender/thegreatsuspender/issues/1263
[00:36:59] An HTML Injection Worth 600$ Dollars
https://medium.com/bugbountywriteup/a-html-injection-worth-600-dollars-5f065be0ab49
[00:44:06] Zoom Meeting Connector Post-Auth Remote Root
https://packetstormsecurity.com/files/160736/zoomer.py.txt
[00:46:21] Hijacking Google Docs Screenshots
https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/
[00:49:49] Nintendo 3DS - Improper certificate validation allows an attacker to perform MitM attacks
https://hackerone.com/reports/894922
[00:52:02] Nintendo 3DS - Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player
https://hackerone.com/reports/897606
https://twitter.com/forestillusion/status/1341230631913541633
https://news.ycombinator.com/item?id=25508782
[00:55:45] Apple macOS 6LowPAN Vulnerability [CVE-2020-9967]
https://alexplaskett.github.io/CVE-2020-9967/
[01:01:24] An iOS hacker tries Android
https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html
[01:14:29] Turning Imprisonment to Advantage in the FreeBSD ftpd chroot Jail [CVE-2020-7468]
https://www.thezdi.com/blog/2020/12/21/cve-2020-7468-turning-imprisonment-to-advantage-in-the-freebsd-ftpd-chroot-jail
[01:18:36] Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More)
https://arxiv.org/abs/2012.07432
[01:27:17] Helping secure DOMPurify (part 1)
https://research.securitum.com/helping-secure-dompurify-part-1/
[01:28:23] A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation
https://github.com/ant4g0nist/Vulnerable-Kext
[01:30:01] PS4 7.02 WebKit + Kernel Chain Implementation
https://github.com/ChendoChap/ps4-ipv6-uaf/tree/7.00-7.02
01:31:55
January 05, 2021
Fireeye, PS4 exploit, and MacOS LPE
Big news this week as several government agencies and contractors may have been compromised. We also have a number of great writeups this week covering everything from a PS4 WebKit exploit to macOS and Windows bugs.
[00:00:25] CISA issues emergency directive for SolarWinds Orion products compromise https://twitter.com/CISAgov/status/1338348931571445762 https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html https://twitter.com/KimZetter/status/1338305089597964290 https://twitter.com/mamah1987/status/1338369455177523201 https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
[00:26:53] Finding Critical Open Source Projects https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html https://github.com/ossf/criticality_score
[00:33:46] Vulnerabilities in McAfee ePolicy Orchestrator https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
[00:39:20] Chat Question: How to get good at exploit dev
[00:44:34] Novel Abuses On Wi-Fi Direct Mobile File Transfers https://blog.doyensec.com//2020/12/10/novel-abuses-wifi-direct-mobile-file-transfers.html
[00:47:55] PsExec Local Privilege Escalation https://medium.com/tenable-techblog/psexec-local-privilege-escalation-2e8069adc9c8
[00:52:31] Windows: WOF FSCTL_SET_REPARSE_POINT_EX Cached Signing Level SFB https://bugs.chromium.org/p/project-zero/issues/detail?id=2088
[01:01:07] This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4 https://www.synacktiv.com/en/publications/this-is-for-the-pwners-exploiting-a-webkit-0-day-in-playstation-4.html
[01:08:51] Game On - Finding vulnerabilities in Valve's "Steam Sockets" https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets/
[01:14:57] Apple macOS Kernel OOB Write Privilege Escalation Vulnerability [CVE-2020-27897] https://www.thezdi.com/blog/2020/12/9/cve-2020-27897-apple-macos-kernel-oob-write-privilege-escalation-vulnerability
[01:17:22] ABSTRACT SHIMMER: Host Networking is root-Equivalent, Again [CVE-2020-15257] https://research.nccgroup.com/2020/12/10/abstract-shimmer-cve-2020-15257-host-networking-is-root-equivalent-again/
[01:24:41] Now you C me, now you don't, part two: exploiting the in-between https://securitylab.github.com/research/now-you-c-me-part-two
[01:36:04] Portable Data exFiltration: XSS for PDFs https://portswigger.net/research/portable-data-exfiltration
[01:45:27] HackerOne's 12 Days of Hacky Holidays https://hackerone.com/h1-ctf?type=team
[01:47:55] The 2020 SANS Holiday Hack Challenge https://holidayhackchallenge.com/2020/
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@dayzerosec)
01:50:48
December 15, 2020