Day[0]
By dayzerosec
Weekly podcast about reverse engineering, exploit development, and related news.
Listen on: Apple Podcasts, Breaker, Google Podcasts, Overcast, Pocket Casts, RadioPublic, Spotify

PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking
A couple of privacy violations, PDF exploits, and a complicated API being misused by developers.
[00:00:48] Brave browser leaks onion addresses in DNS traffic https://ramble.pw/f/privacy/2387
[00:07:05] Tales of Favicons and Caches: Persistent Tracking in Modern Browsers https://www.ndss-symposium.org/ndss-paper/tales-of-favicons-and-caches-persistent-tracking-in-modern-browsers/
[00:18:12] Shadow Attacks: Hiding and Replacing Content in Signed PDFs https://www.ndss-symposium.org/ndss-paper/shadow-attacks-hiding-and-replacing-content-in-signed-pdfs/
[00:28:20] Getting Information Disclosure in Adobe Reader Through the ID Tag https://www.thezdi.com/blog/2021/2/17/zdi-21-171-getting-information-disclosure-in-adobe-reader-through-the-id-tag
[00:32:42] Middleware everywhere and lots of misconfigurations to fix https://labs.detectify.com/2021/02/18/middleware-middleware-everywhere-and-lots-of-misconfigurations-to-fix/
[00:43:05] GPGme used confusion, it's super effective! https://www.synacktiv.com/en/publications/gpgme-used-confusion-its-super-effective.html
[00:51:58] Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions https://emvrace.github.io
[01:01:11] Hunting for bugs in Telegram's animated stickers remote attack surface https://www.shielder.it/blog/2021/02/hunting-for-bugs-in-telegrams-animated-stickers-remote-attack-surface/
[01:08:03] Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits https://arxiv.org/abs/2102.07869v1
[01:20:27] Model Skewing Attacks on Machine Learning Models https://payatu.com/blog/nikhilj/sec4ml-machine-learning-model-skewing-data-poisoning
[01:21:37] Future of Exploit Development - 2021 and Beyond https://www.youtube.com/watch?v=o_hk9nh8S1M
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST), or the video archive on Youtube (@dayzerosec).
01:24:30
February 23, 2021
Industrial Control Fails and a Package disguised in your own supply
"Beg Bounty" hunters, dependency confusion, iOS kernel vuln, and how not to respond to security research.
[00:00:59] Florida Water Treatment Facility Hacked https://twitter.com/Bing_Chris/status/1358873543623274499
[00:09:19] Have a domain name? "Beg bounty" hunters may be on their way https://news.sophos.com/en-us/2021/02/08/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way/amp/
[00:20:14] FootFallCam and MetaTechnology Drama https://twitter.com/_MG_/status/1359582048260743169
[00:28:33] Telegram privacy fails [CVE-2021-27204] [CVE-2021-27205] https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html
[00:36:43] Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
[00:44:33] Exploiting a Second-Order SQL Injection in LibreNMS [CVE-2020-35700] https://www.horizon3.ai/disclosures/librenms-second-order-sqli
[00:50:46] Swarm of Palo Alto PAN-OS vulnerabilities https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
[00:56:25] Advantech iView Missing Authentication RCE [CVE-2021-22652] https://blog.rapid7.com/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/
[01:02:30] Windows kernel zero-day exploit [CVE-2021-1732] https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/
[01:08:50] Analysis and exploitation of the iOS kernel vulnerability [CVE-2021-1782] https://www.synacktiv.com/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782
[01:20:10] Misusing Service Workers for Privacy Leakage https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/
[01:27:53] security things in Linux v5.8 https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
[01:40:42] Linux Heap Exploitation - Part 2 https://www.udemy.com/course/linux-heap-exploitation-part-2/
01:44:41
February 16, 2021
MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
A lot of discussion this week about OSS security and security processes, an iOS kernel type confusion, and a MediaTek bootloader bypass impacting everything since at least 2014.
[00:04:54] Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html
[00:15:18] Launching OSV - Better vulnerability triage for open source https://security.googleblog.com/2021/02/launching-osv-better-vulnerability.html
[00:22:38] Most Common Bugs of 2021 So Far https://www.bugcrowd.com/blog/common-bugs-of-2021/
[00:31:59] Exploiting the Nespresso smart cards for fun and coffee https://pollevanhoof.be/nuggets/smart_cards/nespresso
[00:39:10] Spoofing and Attacking With Skype https://blog.thecybersecuritytutor.com/spoofing-and-attacking-with-skype/
[00:45:01] Getting root on webOS https://blog.recurity-labs.com/2021-02-03/webOS_Pt1.html
[00:51:31] Applying Offensive Reverse Engineering to Facebook Gameroom https://spaceraccoon.dev/applying-offensive-reverse-engineering-to-facebook-gameroom
[00:59:36] Major Vulnerabilities Discovered in Realtek RTL8195A Wi-Fi Module https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered
[01:06:32] MTK Bypass Universal https://megafon929.github.io/mtk
[01:14:13] Project Zero: iOS Kernel privesc with turnstiles [CVE-2020-27932] https://googleprojectzero.blogspot.com/p/rca-cve-2020-27932.html https://googleprojectzero.blogspot.com/p/rca.html
[01:21:41] Why Security Defects Go Unnoticed during Code Reviews? http://amiangshu.com/papers/paul-ICSE-2021.pdf
01:34:15
February 9, 2021
OSED, North Korean hackers, NAT Slipstream 2.0, and PGP (in)security
Starting with a long discussion about the North Korean hackers targeting security researchers, and some thoughts (rants) about the newly released Windows exploit dev course from Offensive Security, before getting into some real exploits including NAT Slipstreaming 2.0 and a new Sudo vuln.
[00:00:52] About the security content of iOS 14.4 and iPadOS 14.4 https://support.apple.com/en-us/HT212146
[00:02:42] New campaign targeting security researchers https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ https://twitter.com/pwn_expoit/status/1354024291398950913 https://twitter.com/chris_salls/status/1353989045617975297
[00:44:45] New Exploit Dev Course: EXP-301 https://www.offensive-security.com/offsec/new-course-exp301/ https://wargames.ret2.systems/
[01:04:53] Linksys WRT160NL – Authenticated Command Injection [CVE-2021-25310] https://research.nccgroup.com/2021/01/28/technical-advisory-linksys-wrt160nl-authenticated-command-injection-cve-2021-25310/
[01:07:13] Vulnerabilities within TikTok Friend-Finder https://research.checkpoint.com/2021/tiktok-fixes-privacy-issue-discovered-by-check-point-research/
[01:14:07] BitLocker touch-device lockscreen bypass https://secret.club/2021/01/29/touch-lockscreen-bypass.html
[01:20:53] NAT Slipstreaming v2.0 https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/ https://samy.pl/slipstream/
[01:26:35] [Security fix] Libgcrypt 1.9.1 released https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html https://dev.gnupg.org/rC512c0c75276949f13b6373b5c04f7065af750b08
[01:30:44] Baron Samedit: Heap-based buffer overflow in Sudo [CVE-2021-3156] https://www.openwall.com/lists/oss-security/2021/01/26/3 https://github.com/sudo-project/sudo/commit/1f8638577d0c80a4ff864a2aad80a0d95488e9a8 https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156
[01:44:49] Exploiting a “Simple” Vulnerability – Part 1.5 – The Info Leak https://windows-internals.com/exploiting-a-simple-vulnerability-part-1-5-the-info-leak/
[01:50:53] Windows Kernel DoS/Privilege Escalation via a NULL Pointer Deref https://www.thezdi.com/blog/2021/1/27/zdi-can-12671-windows-kernel-dosprivilege-escalation-via-a-null-pointer-deref
[01:56:31] XS-Leaks in redirect flows https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63e29d5a06_0_0
[02:02:13] Keeping your GitHub Actions and workflows secure: Untrusted input https://securitylab.github.com/research/github-actions-untrusted-input
[02:08:04] iOS Security Tutorial - Patching ASLR in the Kernel https://www.youtube.com/watch?v=Gszvbi8AU68
[02:08:58] Project Zero: A Look at iMessage in iOS 14 https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
[02:09:37] Effectively Fuzzing the IPC Layer in Firefox https://blog.mozilla.org/attack-and-defense/2021/01/27/effectively-fuzzing-the-ipc-layer-in-firefox/
02:11:16
February 2, 2021
Snooping YouTube History and Breaking State Machines
This week is a shorter episode, but still some solid bugs to look at: from a full-chain Chrome exploit, to a Kindle chain from remote to root, and an eBPF incorrect calculation leading to OOB read/write.
[00:00:41] Albicla launch clusterfuck https://www.reddit.com/r/programminghorror/comments/l25ppk/albicla_launch_clusterfuck/
[00:04:41] [NordVPN] RCE through Windows Custom Protocol on Windows client https://hackerone.com/reports/1001255
[00:09:00] Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform https://www.thezdi.com/blog/2021/1/20/three-bugs-in-orions-belt-chaining-multiple-bugs-for-unauthenticated-rce-in-the-solarwinds-orion-platform
[00:18:50] The Embedded YouTube Player Told Me What You Were Watching (and more) https://bugs.xdavidhu.me/google/2021/01/18/the-embedded-youtube-player-told-me-what-you-were-watching-and-more/
[00:24:27] The State of State Machines https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html https://bugs.chromium.org/p/project-zero/issues/detail?id=2085
[00:34:21] KindleDrip - From Your Kindle’s Email Address to Using Your Credit Card https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08
[00:44:00] New campaign targeting security researchers https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
[00:44:42] An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier https://www.thezdi.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
[00:49:18] Chat Question: What do we think of HackTheBox https://hackthebox.eu
[00:53:51] Bad Pods: Kubernetes Pod Privilege Escalation https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation
[00:53:24] [Linux Kernel Exploitation 0x2] Controlling RIP and Escalating privileges via Stack Overflow https://blog.k3170makan.com/2021/01/linux-kernel-exploitation-0x2.html https://pwn.college/modules/kernel
57:42
January 26, 2021
Breaking Lock Screens & The Great Vbox Escape
Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains. One important thing to mention about this week's episode that was neglected during the discussion is that the BitLocker Lockscreen Bypass is just that: a lockscreen bypass. It does not compromise any of the data encrypted by BitLocker.
[00:00:00] Introduction https://dayzerosec.com/
[00:00:59] Slayer Labs https://slayerlabs.com/
[00:12:03] BugTraq Shutdown https://seclists.org/bugtraq/2021/Jan/0
[00:17:22] Data Security on Mobile Devices https://securephones.io/
[00:27:08] Running a fake power plant on the internet for a month https://grimminck.medium.com/running-a-fake-power-plant-on-the-internet-for-a-month-4a624f685aaa
[00:33:43] BitLocker Lockscreen bypass https://secret.club/2021/01/15/bitlocker-bypass.html
[00:39:30] [Linux Mint] Screensaver lock by-pass via the virtual keyboard https://github.com/linuxmint/cinnamon-screensaver/issues/354
[00:43:02] [NextCloud] Bypassing Passcode/Device credentials https://hackerone.com/reports/747726
[00:51:02] How I hijacked the top-level domain of a sovereign state https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
[01:00:28] Laravel
01:24:33
January 19, 2021
Universal Deserialization, Stealing Youtube Videos, and CTFs
A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research.
[00:00:36] Cybersecurity Knowledge and Skills Taught in Capture the Flag Challenges https://arxiv.org/pdf/2101.01421v1.pdf
[00:10:36] Universal Deserialisation Gadget for Ruby 2.x-3.x https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
[00:13:54] Stealing Your Private YouTube Videos, One Frame at a Time https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/
[00:21:43] Rocket.chat - SAML authentication bypass https://hackerone.com/reports/1049375
[00:25:49] curl is vulnerable to SSRF due to improperly parsing the host component of the URL https://hackerone.com/reports/704621
[00:31:02] Issue 2095: Node.js: use-after-free in TLSWrap https://bugs.chromium.org/p/project-zero/issues/detail?id=2095
[00:35:28] Preventing Use-After-Free Attacks with Fast Forward Allocation https://gts3.org/assets/papers/2021/wickman:ffmalloc.pdf
[00:49:38] Automatic Techniques to Systematically Discover New Heap Exploitation Primitives https://www.usenix.org/system/files/sec20fall_yun_prepub.pdf
[00:59:50] A Samsung RKP Compendium https://blog.longterm.io/samsung_rkp.html
[01:11:32] Analyzing CVE-2020-16040 https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
[01:13:51] HexLasso Online https://suszter.com/hexlasso-online/
[01:15:30] A Side Journey to Titan https://ninjalab.io/a-side-journey-to-titan/
01:17:34
January 12, 2021
Hacking Nintendo 3DS, Apple vs Corellium, and Android Bugs
An update on Apple v. Corellium, some 3DS vulnerabilities, and some drama on this week's episode.
[00:00:34] Remote Chaos Experience https://media.ccc.de/c/rc3
[00:20:06] Apple Inc. v. Corellium, LLC https://www.courtlistener.com/docket/16064642/784/apple-inc-v-corellium-llc/
[00:28:17] The Great Suspender - New maintainer is probably malicious https://github.com/greatsuspender/thegreatsuspender/issues/1263
[00:36:59] An HTML Injection Worth 600$ Dollars https://medium.com/bugbountywriteup/a-html-injection-worth-600-dollars-5f065be0ab49
[00:44:06] Zoom Meeting Connector Post-Auth Remote Root https://packetstormsecurity.com/files/160736/zoomer.py.txt
[00:46:21] Hijacking Google Docs Screenshots https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/
[00:49:49] Nintendo 3DS - Improper certificate validation allows an attacker to perform MitM attacks https://hackerone.com/reports/894922
[00:52:02] Nintendo 3DS - Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player https://hackerone.com/reports/897606 https://twitter.com/forestillusion/status/1341230631913541633 https://news.ycombinator.com/item?id=25508782
[00:55:45] Apple macOS 6LowPAN Vulnerability [CVE-2020-9967] https://alexplaskett.github.io/CVE-2020-9967/
[01:01:24] An iOS hacker tries Android https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html
[01:14:29] Turning Imprisonment to Advantage in the FreeBSD ftpd chroot Jail [CVE-2020-7468] https://www.thezdi.com/blog/2020/12/21/cve-2020-7468-turning-imprisonment-to-advantage-in-the-freebsd-ftpd-chroot-jail
[01:18:36] Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More) https://arxiv.org/abs/2012.07432
[01:27:17] Helping secure DOMPurify (part 1) https://research.securitum.com/helping-secure-dompurify-part-1/
[01:28:23] A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation https://github.com/ant4g0nist/Vulnerable-Kext
[01:30:01] PS4 7.02 WebKit + Kernel Chain Implementation https://github.com/ChendoChap/ps4-ipv6-uaf/tree/7.00-7.02
01:31:55
January 5, 2021
Fireeye, PS4 exploit, and MacOS LPE
Big news this week as several government agencies and contractors may have been compromised. We also have a number of great writeups this week covering everything from a PS4 WebKit exploit to macOS and Windows.
[00:00:25] CISA issues emergency directive for SolarWinds Orion products compromise https://twitter.com/CISAgov/status/1338348931571445762 https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html https://twitter.com/KimZetter/status/1338305089597964290 https://twitter.com/mamah1987/status/1338369455177523201 https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
[00:26:53] Finding Critical Open Source Projects https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html https://github.com/ossf/criticality_score
[00:33:46] Vulnerabilities in McAfee ePolicy Orchestrator https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
[00:39:20] Chat Question: How to get good at exploit dev
[00:44:34] Novel Abuses On Wi-Fi Direct Mobile File Transfers https://blog.doyensec.com//2020/12/10/novel-abuses-wifi-direct-mobile-file-transfers.html
[00:47:55] PsExec Local Privilege Escalation https://medium.com/tenable-techblog/psexec-local-privilege-escalation-2e8069adc9c8
[00:52:31] Windows: WOF FSCTL_SET_REPARSE_POINT_EX Cached Signing Level SFB https://bugs.chromium.org/p/project-zero/issues/detail?id=2088
[01:01:07] This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4 https://www.synacktiv.com/en/publications/this-is-for-the-pwners-exploiting-a-webkit-0-day-in-playstation-4.html
[01:08:51] Game On - Finding vulnerabilities in Valve’s "Steam Sockets" https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets/
[01:14:57] Apple macOS Kernel OOB Write Privilege Escalation Vulnerability [CVE-2020-27897] https://www.thezdi.com/blog/2020/12/9/cve-2020-27897-apple-macos-kernel-oob-write-privilege-escalation-vulnerability
[01:17:22] ABSTRACT SHIMMER: Host Networking is root-Equivalent, Again [CVE-2020-15257] https://research.nccgroup.com/2020/12/10/abstract-shimmer-cve-2020-15257-host-networking-is-root-equivalent-again/
[01:24:41] Now you C me, now you don't, part two: exploiting the in-between https://securitylab.github.com/research/now-you-c-me-part-two
[01:36:04] Portable Data exFiltration: XSS for PDFs https://portswigger.net/research/portable-data-exfiltration
[01:45:27] HackerOne's 12 Days of Hacky Holidays https://hackerone.com/h1-ctf?type=team
[01:47:55] The 2020 SANS Holiday Hack Challenge https://holidayhackchallenge.com/2020/
01:50:48
December 15, 2020
Rooting iOS, Hacking with cURL, and the end of Use-After-Free
Some solid exploit development talk in this episode as we look at an iOS vuln, discuss the exploitability of a cURL buffer overflow, and examine a new kernel UAF mitigation.
[00:00:43] Improving open source security during the Google summer internship program https://security.googleblog.com/2020/12/improving-open-source-security-during.html
[00:03:35] Justices seem wary of breadth of federal computer fraud statute https://www.scotusblog.com/2020/12/argument-analysis-justices-seem-wary-of-breadth-of-federal-computer-fraud-statute/
[00:11:37] Update regarding Snapchat SSRF https://hackerone.com/reports/530974
[00:12:53] A 3D Printed Shell https://www.securifera.com/blog/2020/12/02/a-3d-printed-shell/
[00:20:19] Site Wide CSRF on Glassdoor https://blog.witcoat.com/2020/12/03/site-wide-csrf-on-glassdoor/
[00:24:24] [GitLab] Stored-XSS in error message of build-dependencies https://hackerone.com/reports/950190
[00:27:44] Playstation Now RCE https://hackerone.com/reports/873614
[00:32:29] MS Teams RCE (Important, Spoofing) https://github.com/oskarsve/ms-teams-rce/
[00:38:34] An iOS zero-click radio proximity exploit odyssey https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html https://bugs.chromium.org/p/project-zero/issues/detail?id=1982
[00:54:58] [curl] heap-based buffer overrun in /lib/urlapi.c https://hackerone.com/reports/547630
[01:02:51] Google Duo: Race condition can cause callee to leak video packets from unanswered call https://bugs.chromium.org/p/project-zero/issues/detail?id=2085
[01:05:35] Linux kernel heap quarantine versus use-after-free exploits https://a13xp0p0v.github.io/2020/11/30/slab-quarantine.html https://lore.kernel.org/kernel-hardening/CAG48ez1tNU_7n8qtnxTYZ5qt-upJ81Fcb0P2rZe38ARK=iyBkA@mail.gmail.com/T/#u
[01:13:23] Hey Alexa what did I just type? Decoding smartphone sounds with a voice assistant https://arxiv.org/abs/2012.00687
[01:22:57] XS-Leaks Wiki https://xsleaks.dev/ https://security.googleblog.com/2020/12/fostering-research-on-new-web-security.html
[01:27:14] Hacking 101 by No Starch Press https://www.humblebundle.com/books/hacking-101-no-starch-press-books
[01:33:40] Gamozo Labs FuzzOS https://gamozolabs.github.io/fuzzing/2020/12/06/fuzzos.html
01:35:38
December 8, 2020
Bad Blocklists, Legal News, and Windows Vulns
More SD-PWN, more Tesla hacks, potential RCE in Drupal, and a couple of Windows vulns.
[00:00:27] Congress unanimously passes federal IoT security law https://blog.rapid7.com/2020/11/18/congress-unanimously-passes-federal-iot-security-law/
[00:06:52] The Supreme Court will hear its first big CFAA case https://www.scotusblog.com/2020/11/case-preview-justices-to-consider-breadth-of-federal-computer-fraud-statute/
[00:13:35] How much is unauthorized access sold for? https://xorl.wordpress.com/2020/08/26/how-much-is-unauthorized-access-sold-for/
[00:20:10] Getting Banned for Security Research https://nedwill.github.io/blog/jekyll/update/2020/11/25/banned-for-research.html
[00:33:11] SD-PWN Part 3 - Cisco vManage https://medium.com/realmodelabs/sd-pwn-part-3-cisco-vmanage-another-day-another-network-takeover-15731a4d75b7
[00:36:10] SD-PWN Part 4 - VMware VeloCloud https://medium.com/realmodelabs/sd-pwn-part-4-vmware-velocloud-the-last-takeover-a7016f9a9175
[00:40:39] CVE-2020-7378: OpenCRX Unverified Password Change (FIXED) https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/ https://github.com/opencrx/opencrx/commit/389ff0e22851407560091dfd25b25fee0b384eed?branch=389ff0e22851407560091dfd25b25fee0b384eed&diff=split#diff-2bb58016ce7d5cdb2f11bdb60d4aa7dd5c2e2cb816c9120a7f36ac93d0b64f33L702
[00:43:54] Multiple vulnerabilities through filename manipulation (CVE-2020-28948 and CVE-2020-28949) https://github.com/pear/Archive_Tar/issues/33 https://www.drupal.org/sa-core-2020-013
[00:47:14] SSRFs caused by bad RegEx in "private-ip" https://johnjhacking.com/blog/cve-2020-28360/
[00:53:13] [SnapChat] Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata https://hackerone.com/reports/530974
[00:57:50] Serious flaws in Tesla Model X keyless entry system https://www.imec-int.com/en/press/belgian-security-researchers-ku-leuven-and-imec-demonstrate-serious-flaws-tesla-model-x
[01:03:48] Windows Print Spooler Vulnerability https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability
[01:08:30] Exploiting a “Simple” Vulnerability - In 35 Easy Steps or Less! https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/ https://twitter.com/gabe_k/status/1330966182543777792
There was previously a link to br0vvnn here; this blog has been shown to be part of an attempt to compromise security researchers. https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers
[01:17:55] Hitcon2020 Challenge Files + Solutions https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020
01:20:33
December 1, 2020
Jailbreaks, Stealing Playstation Accounts, and Automatic Exploit Generation
This week we talk a bit about some Black Friday deals before jumping into another SD-WAN pwn, some jailbreaks, and research into automatic exploit generation.
[00:00:40] Black Friday is coming...
  VMWare - Usually ~35% off
  Shodan - $5 lifetime; last year they ran the deal before and after Black Friday, so pay attention.
  Pluralsight - 40% off
  INE - 40% off (access to all eLearnSecurity courses)
  Cybrary.it - $600 off
  PentesterLab - Last year was 13.37% off
  NoStarchPress - Last year was 42% off
  O'Reilly Online Learning - $199/year (normally $500/yr)
  Pentester Academy - 70% off (covid "perma-deal")
[00:10:03] Oracle Security Alert - CVE-2020-14750 https://twitter.com/chybeta/status/1323220987442208769
[00:13:34] FileZilla "Scale Factor" field is vulnerable of Buffer Overflow
[00:21:33] Playstation Access Token Stealing https://hackerone.com/reports/826394
[00:27:54] SD-PWN Part 2 - Citrix SD-WAN Center - Another Network Takeover
[00:37:19] Exploiting dynamic rendering engines to take control of web apps
[00:42:34] Privileged Container Escape - Control Groups release_agent
[00:47:23] Modern attacks on the Chrome browser
[00:58:57] Jailbreaks Never Die - Exploiting iOS 13.7
[01:08:27] Kernel Exploitation with a File System Fuzzer
[01:13:57] Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters
01:30:43
November 24, 2020
Hacking Voatz and Rooting Ubuntu
Some interesting tips and tricks as we look at multiple privilege escalations, from XNU to Ubuntu, Bitdefender, and Dropbox (HelloSign).
[00:01:31] Apple allegedly not crediting researchers
[00:10:26] Response to Voatz's Supreme Court Amicus Brief
[00:23:45] Standing up for developers: youtube-dl is back
[00:30:05] HelloSign SSRF leads to AWS private key disclosure
[00:38:02] Silver Peak Unity Orchestrator RCE
[00:42:51] Get root by pretending nobody's /home
[00:48:20] Project Zero: Oops, I missed it again!
[00:55:12] Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions
[01:01:07] Sleep Attack: Intel Bootguard vulnerability waking from S3
[01:05:56] SAD DNS Explained
[01:12:02] Cache-in-the-Middle (CITM) Attacks: Manipulating Sensitive Data in Isolated Execution Environments
[01:23:33] A Systematic Study of Elastic Objects in Kernel Exploitation
01:33:14
November 17, 2020
Pwn2Own, Tianfu Cup, and Other Hacks
A Facebook DOM-based XSS, Rocket.chat and Github Actions RCEs, and a Brave Browser information disclosure in this week's episode.
[00:00:50] Pwn2Own Tokyo (Live from Toronto) - Schedule and Results https://www.zerodayinitiative.com/blog/2020/7/28/announcing-pwn2own-tokyo-2020-live-from-toronto
[00:12:00] Tianfu Cup - Results
[00:16:28] Unlimited Chase Ultimate Rewards Points
[00:26:09] Github: Widespread injection vulnerabilities in Actions
[00:36:37] About the security content of iOS 14.2 and iPadOS 14.2 https://twitter.com/ShaneHuntley/status/1324431104187670529
[00:42:04] Rocket.Chat Desktop RCE
[00:44:44] git-lfs RCE
[00:46:46] Attack of the clones: Git clients remote code execution
[00:48:17] YOURLS 1.5 - 1.7.10, Multiple Stored XSS Vulnerabilities in Admin Panel
[00:53:23] Company forced to change name that could be used to hack websites
[00:57:12] Facebook DOM Based XSS using postMessage
[01:03:00] SQL Injection and Reflected XSS in Oracle Communications Diameter Signaling Router
[01:06:00] Re-discovering a JWT Authentication Bypass in ServiceStack https://docs.servicestack.net/releases/v5.9#v592-patch-release-notes
[01:10:45] How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day
[01:18:12] Exploiting Microsoft Store Games [CVE-2020-16877]
[01:26:21] Fuzzing for eBPF JIT bugs in the Linux kernel
[01:41:18] Capture the Bot: Using Adversarial Examples to Improve CAPTCHA Robustness to Bot Attacks
01:51:39
November 10, 2020
A Look At OSEP, Hacking Metasploit and the Legal Risks of Research
This week we are joined by CTS to discuss fuzzing. We also take a look at PEN-300/OSEP before jumping into this week's exploits, from NAT Slipstreaming to a Metasploit command injection and plenty in between.
[00:01:06] Cybersecurity as we know it will be 'a thing of the past in the next decade,' says Cloudflare's COO
[00:05:51] A Researcher’s Guide to Some Legal Risks of Security Research
[00:10:57] Exploit Developer Spotlight: The Story of PlayBit
[00:17:25] New Pentesting Course: PEN-300 (OSEP) https://www.offensive-security.com/awe-osee/
[00:28:20] Vulnonym: Stop the Naming Madness! https://twitter.com/vulnonym
[00:30:55] DeFuzz: Deep Learning Guided Directed Fuzzing
[00:59:32] NAT Slipstreaming
[01:08:10] GitLab CVE-2020-13294
[01:13:17] Attacking Roku sticks for fun and profit
[01:16:48] Tiki Wiki - Authentication Bypass [CVE-2020-15906]
[01:20:12] Metasploit framework template command injection - CVE-2020-7384
[01:23:43] Wormable remote code execution in Alien Swarm
[01:29:50] Pulse Connect Secure - RCE via Uncontrolled Gzip Extraction [CVE-2020-8260]
[01:32:55] The story of three CVE's in Ubuntu Desktop
[01:41:31] CVE-2020-16939: Windows Group Policy DACL Overwrite Privilege Escalation
[01:46:36] Windows Kernel cng.sys pool-based buffer overflow
[01:54:21] Vector35 releases all Binary Ninja core architecture plugins
[01:55:33] How Debuggers Work: Getting and Setting x86 Registers, Part 1
[01:56:12] CodeQL U-Boot Challenge (C/C++)
[01:59:14] Fundamentals of Software Exploitation
02:07:54
November 3, 2020
Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
A lot to cover in this episode, from high performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course many vulns from GitHub RCEs to VMWare Workstation race conditions. [00:01:21] Youtube-dl Cease and Desist [00:14:33] Let’s build a high-performance fuzzer with GPUs! https://gamozolabs.github.io/2020/10/23/some_thoughts_on_gpu_fuzzing.html [00:29:07] Samsung S20 - RCE via Samsung Galaxy Store App [00:33:24] Jitsi Meet Electron - Arbitrary Client Remote Code Execution [CVE-2020-27162] https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126 [00:39:14] 2FA Disable With Wrong Password - Response Tampering. [00:41:22] HTTP Request Smuggling due to CR-to-Hyphen conversion https://hackerone.com/nodejs?type=team [00:46:56] GitHub Gist - Account takeover via open redirect [00:53:19] GitHub - RCE via git option injection (almost) [00:56:36] GitHub Pages - Multiple RCEs via insecure Kramdown configuration [01:01:38] Gateway2Hell - Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In [01:09:02] Remote code execution on Symfony based websites [01:18:40] Detailing Two VMware Workstation TOCTOU Vulnerabilities [01:25:15] Linksys WRT160NL – Authenticated Remote Buffer Overflow [CVE-2020-26561] [01:32:03] The FreeType Project - Heap buffer overflow due to integer truncation [01:38:54] Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild [01:45:15] NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs [01:57:15] Penetration Testing and Low-Cost Freelancing [02:23:24] WPScan.io "XSS" [02:28:24] MITRE - Adversarial Threat Matrix [02:29:16] Shoutout to Alh4zr3d Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:31:05
October 27, 2020
Some Discord, a Bad Neighbor and a BleedingTooth
It has been a while since we had an exploit extravaganza but here we are. Several binary-level issues from Bad Neighbor on Windows to BleedingTooth on Linux, and several vulns in Qualcomm SoCs, even a Discord RCE. [00:00:57] Introducing Edge Vulnerability Research [00:06:57] Cache Partitioning in Chrome [00:10:29] Magma: A Ground-Truth Fuzzing Benchmark [00:25:27] "Bits Please!" - CVE-2020-16938 [00:29:50] ContainerDrip [CVE-2020-15157] [00:40:01] Discord Desktop app RCE [00:52:34] Time Based SQLi via referrer header https://www.fedscoop.com/hack-the-army-2-results/ [00:57:35] PyYAML 0day [01:09:24] Phantom of the ADAS [01:15:03] Rollback Attack in Mozilla Maintenance Service [01:19:33] Glitching The MediaTek BootROM [01:25:05] AssaultCube RCE: Technical Analysis [01:32:27] CVE-2020-12928 - Privilege Escalation in AMD Ryzen Master [01:35:38] Major Vulnerabilities in Qualcomm QCMAP [01:42:58] Bad Neighbor - RCE in Windows ICMPv6 Router Advertisement [01:51:16] DOS2RCE: A New Technique to Exploit V8 NULL Pointer Dereference Bug (see: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers) [01:56:34] BleedingTooth - Linux Bluetooth Zero-Click RCE https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 [02:07:25] shmdt doesn't check the tag of pointers [02:12:29] Security Analysis of the CHERI ISA [02:13:18] Evading defences using VueJS script gadgets [02:14:32] Sega Master System Architecture - A Practical Analysis [02:14:52] IPC scripts for access to Intel CRBUS Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on
02:16:27
October 20, 2020
Breaking into HashiCorp Vault, Apple and Google
It's a web-exploit-heavy episode impacting Apple, HashiCorp, Azure, Google, and even a DOMPurify bypass. Then we end off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique. [00:00:49] Fuzzing internships for Open Source Software [00:03:15] CET Updates – CET on Xanax [00:09:07] Binary Ninja - Open Source Architectures [00:14:03] Memory Safe 'curl' for a More Secure Internet https://daniel.haxx.se/blog/2020/10/09/rust-in-curl-with-hyper/ [00:17:25] We Hacked Apple for 3 Months: Here’s What We Found [00:25:46] Race condition while removing the love react in community files [00:30:11] Enter the Vault: Authentication Issues in HashiCorp Vault [00:46:39] Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure [00:51:11] Password Reset Link Leaked In Refer Header [00:57:37] The mass CSRFing of *.google.com/* products. [01:06:02] A brief encounter with Leostream Connect Broker [01:15:47] Bypassing DOMPurify again with mutation XSS https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ https://github.com/marcinguy/jquery-xss-in-html [01:22:10] Apache Struts OGNL Remote Code Execution [CVE-2019-0230] [01:28:11] UNIFUZZ: A Holistic, Pragmatic Metrics-Driven Platform for Evaluating Fuzzers https://github.com/unifuzz/unibench https://github.com/unifuzz [01:47:15] House of Muney - Leakless Heap Exploitation Technique https://github.com/mdulin2/house-of-muney Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:54:47
October 13, 2020
Fingerprinting Exploit Devs, BLURtooth and Punking Punkbuster
Ever wondered how you might fingerprint and trace exploit devs in the wild? Wondered what a backdoor in a D-Link router looks like? Want to hack Facebook (for Android)? We have all of that and more! [00:00:43] Google: Android Partner Vulnerability Initiative https://bugs.chromium.org/p/apvi/issues/list?q=&can=1 [00:02:55] Project Zero: Announcing the Fuzzilli Research Grant Program [00:08:40] GitHub: Code scanning is now available [00:16:39] Hunting for exploits by looking for the author's fingerprints [00:22:26] Forcing Firefox to Execute XSS Payloads during 302 Redirects [00:27:10] Exploiting fine-grained AWS IAM permissions for total cloud compromise https://medium.com/bugbountywriteup/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7 [00:38:04] BLURtooth (the BLUR attacks) [00:44:25] Arbitrary code execution on Facebook for Android [00:51:44] [stripo] Public and secret api key leaked in JavaScript source [01:00:14] [GitLab] Unvalidated Oauth email results in accounts takeovers on 3rd parties [01:06:03] Hacking Grindr Accounts with Copy and Paste [01:16:37] Exploiting Other Remote Protocols in IBM WebSphere https://portswigger.net/web-security/deserialization/exploiting [01:25:57] The Anatomy of a Bug Door: Dissecting Two D-Link Router Authentication Bypasses [01:38:36] Hacking Punkbuster. [01:43:26] Race Condition in handling of PID by apport [CVE-2020-15702] [01:57:24] Hardware Hacking Experiments [01:59:11] How I automated McDonalds mobile game to win free iPhones [01:59:42] Voyager - A Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel) [02:00:28] zznop/sploit: Go package that aids in binary analysis and exploitation Watch
02:04:57
October 6, 2020
Instagram Hacks, Half-life 1 Exploits, and Gaslighting Android
Let's go back in time to look at the leaked WinXP source and a Half-Life 1 exploit. And, while we are at it, a couple Instagram vulns and a cheap hardware attack against Android. [00:00:50] Windows XP Source Leak https://twitter.com/vxunderground/status/1309231131313737735 https://twitter.com/dangeredwolf/status/1310067935902343170 [00:12:49] "I'm not a fan of critical bugs" [00:28:01] API Keys leaked via Solana BBP github repo [00:36:34] Exploiting Tiny Tiny RSS [00:45:28] HackerOne Reflected XSS [00:50:37] Steam Arbitrary File Overwrite [00:55:23] Half-Life 1 Code Execution with malformed map name [00:59:09] uTorrent Vulnerability [CVE-2020-8437] https://raw.githubusercontent.com/guywhataguy/uTorrent-CVE-2020-8437/master/malicious.torrent [01:09:26] $25K Instagram Almost XSS Filter Link [01:14:57] #Instagram_RCE [01:26:44] Kernel exploitation: weaponizing [CVE-2020-17382] [01:34:07] Bypass Android MDM [01:41:17] XSS without arbitrary JavaScript [01:48:40] security things in Linux v5.7 [01:56:48] Code Review 101 Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:04:30
September 29, 2020
Bhyves and Evil LEDs (+Roulette)
A "trivial" Bhyve VM escape, a BitWarden "RCE", a ModSecurity "Denial of Service" and more scare quotes for your enjoyment in this week's episode. [00:00:33] Patient Dies After Ransomware Attack [00:08:05] Zerologon [CVE-2020-1472] [00:14:29] BitWarden Blind HTTP GET SSRF https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332 https://github.com/bitwarden/desktop/issues/552 [00:23:40] Apache + PHP under v7.4.10 open_basedir bypass [00:29:59] ModSecurity v3 Affected By DoS (Severity HIGH) [CVE-2020-15598] [00:38:09] Bhyve VM Escape https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-29-bhyve_svm [00:42:59] Webkit aboutBlankURL() code execution vulnerability [00:48:28] CVE-2020-9964 - An iOS infoleak [00:51:44] Online Casino Roulette - A guideline for pen testers [00:56:40] Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition [01:03:06] UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling [01:12:07] FANS: Fuzzing Android Native System Services via Automated Interface Analysis https://github.com/iromise/fans [01:19:52] OneFuzz framework, an open source developer tool to find and fix bugs at scale https://github.com/microsoft/onefuzz [01:28:35] Finding Australian Prime Minister Tony Abbott's passport number [01:34:08] ARM64 Reversing and Exploitation [01:37:25] Hypervisor Exploitation Compiled Research List https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332 Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:39:26
September 22, 2020
Raccoons, Incomplete fixes and Kernel Exploits
Leading off this week's discussion is the news about the now remote CCC and Offensive Security's plans to retire OSCE. On the exploit side of things, this week we have a few recent bug bounties including a Google Maps XSS, a FreeBSD TOCTOU, and a couple of Linux kernel vulnerabilities. [00:02:30] CCC going remote this year due to pandemic [00:09:44] NVIDIA to Acquire Arm for $40 Billion [00:20:36] OSCE being retired https://ringzer0.training/ [00:34:21] Giggle; laughable security [00:44:51] Raccoon Attack https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocols-to-stage-highly-efficient-timeless-timing-attacks [00:53:34] Executing arbitrary code on NVIDIA GeForce NOW VMs [01:02:07] Cache poisoning via X-Forwarded-Host [01:08:56] Team object in GraphQL disclosed private_comment [01:14:08] XSS->Fix->Bypass: 10000$ bounty in Google Maps [01:28:33] Microsoft Sharepoint and Exchange Server Vulnerabilities [01:45:35] Short story of 1 Linux Kernel Use-After-Free and 2 CVEs [01:53:25] FreeBSD Kernel Privilege Escalation [CVE-2020-7460] [02:02:47] WSL 2.0 dxgkrnl Driver Memory Corruption [02:10:46] Project Zero: Attacking the Qualcomm Adreno GPU [02:16:03] GoogleCTF 2020 Challenge Source + Exploits Release [02:20:08] IDA Pro Tips to Add to Your Bag of Tricks [02:20:48] Reverse Engineering: Marvel's Avengers - Developing a Server Emulator Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:22:40
September 15, 2020
Zoom E2E, 15 year old bugs, and killing 20 year old attacks
The DAY[0] podcast will be on break until September 14, 2020. A quick chat about E2E crypto and Zoom, followed by a few noteworthy exploits including Bluetooth impersonation, a 15-year-old qmail CVE, NordVPN, and an RCE in Google. [00:00:50] Adventures of porting MUSL to PS4 [00:01:55] End-to-End Encryption for Zoom Meetings [00:13:16] Memory safety - The Chromium Projects [00:21:17] First 0d iOS jailbreak in 6 years [00:24:11] BIAS: Bluetooth Impersonation AttackS https://little-canada.org/pdf/web/viewer.html?file=antonioli-20-bias.pdf https://francozappa.github.io/about-bias/talk/bias-snp/ [00:33:13] 15 years later: Remote Code Execution in qmail (CVE-2005-1513) http://tukan.farm/2016/07/27/munmap-madness/ https://cr.yp.to/qmail/guarantee.html http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html [00:48:01] Privilege Escalation in Parallels Desktop via VGA Device [CVE-2020-8871] https://twitter.com/matalaz/status/580600098092105728 [00:55:50] Multiple vulnerabilities in Dovecot IMAP server [00:59:05] Yet another arbitrary delete EoP [CVE-2020–1088] [01:06:29] Vulnerabilities chain leading to privilege escalation [NordVPN] [01:09:27] Race condition in activating email resulting in infinite amount of diamonds received [01:12:23] RCE in Google Cloud Deployment Manager [01:28:17] QNAP Pre-Auth Root RCE [01:37:07] Safe-Linking - Eliminating a 20 year-old malloc() exploit primitive [01:47:37] Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets [02:05:43] Precise XSS detection and mitigation with Client-side Templates [02:17:53] Documenting the impossible: Unexploitable XSS labs DAY[0] will be on break until September but you can find the video archive on Youtube (@DAY[0])
02:21:45
May 26, 2020
iOS 0days are worthless, PrintDemon, and a takeover of hackerone
Are iOS 0days now worthless? Can you hack a satellite...or hackerone? Are WAFs worthwhile? And more on a fairly discussion-heavy episode of DAY[0]. [00:00:52] [UPDATE] Huawei HKSP Introduces Trivially Exploitable Vulnerability https://github.com/cloudsec/aksp/blob/master/hksp.patch [00:11:59] iOS one-click chains prices likely to drop https://www.hackasat.com/ [00:33:30] Defcon Quals 2020 https://hxp.io/blog/72/DEFCON-CTF-Quals-2020-notbefoooled/ [00:46:33] vBulletin 5.6.1 SQL Injection [00:52:52] Subdomain takeover of resources.hackerone.com [01:01:11] MyLittleAdmin PreAuth RCE [01:06:13] DOM-Based XSS at accounts.google.com by Google Voice Extension. [01:16:47] Playing with GZIP: RCE in GLPI [CVE-2020-11060] [01:36:24] Reverse RDP - The Path Not Taken [01:44:19] PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth [CVE-2020-1048] https://twitter.com/VbScrub/status/1260598344650539009 [01:53:34] Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently [02:00:29] Cloud WAF Comparison Using Real-World Attacks https://medium.com/fraktal/cloud-waf-comparison-part-2-e6e2d25f558c https://en.wikipedia.org/wiki/Server_Side_Includes [02:18:20] Fuzzing TLS certificates from their ASN.1 grammar [02:22:25] DHS CISA and FBI share list of top 10 most exploited vulnerabilities Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:32:02
May 19, 2020
Defcon is canceled, Microsoft was hacked, Rust has vulns
Update: While we talk about Huawei Kernel Self Protection (HKSP) I make mention of the author's statement that he is unrelated to Huawei. Turns out this statement, despite a commit date of Friday, wasn't pushed until Monday morning, so it was not original. Further information has also come out showing that the author is a Huawei employee, so the relationship is much closer than I believed it to be. ~zi It was a busy week: Microsoft's GitHub account was hacked, Centurylink routers have no security, and multiple interactionless RCEs in Samsung phones. [00:01:45] OpenOrbis PS4 Toolchain [00:05:06] DEF CON 28 in-person conference is CANCELLED [00:13:23] The Nintendo leak saga continues... [00:18:40] Keybase joins Zoom https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/ [00:33:41] Azure Security Lab - Research Challenge [00:42:38] Hijacking Centurylink Routers [CVE 2019-19639] [00:46:24] DoS on Twitter App [00:51:39] A tale of verbose error message and a JWT token [01:00:29] Pentesting Cisco SD-WAN Part 2: Breaking routers [01:04:21] Memory leak and Use After Free in Squid [01:17:48] How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability [01:28:30] Samsung Android multiple interactionless RCE https://github.com/googleprojectzero/SkCodecFuzzer [01:38:25] Linux futex+VFS Use-After-Free [01:45:03] Huawei HKSP Introduces Trivially Exploitable Vulnerability [01:50:32] Ragnarok Stopper: development of a vaccine [01:55:51] Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs [02:09:34] Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters [02:10:19] GitHub - JHUAPL/Beat-the-Machine: Reverse engineering basics in puzzle form
02:17:21
May 12, 2020
Auth Bypass, XSS, RCE and more
Authentication bypasses, SQL injection, command injection, and more in this web-exploit-heavy episode. [00:09:11] Facebook v. NSO Group [00:18:14] Netsweeper PreAuth RCE [00:25:49] SaltStack authorization bypass https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139 [00:42:02] E-Learning Platforms Getting Schooled https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split [01:03:54] Roblox - Subdomain Takeover [01:08:09] Fix XSS issue in handling of CDATA in HTML messages · roundcube/roundcubemail@87e4cd0 · GitHub [01:10:13] Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin [01:17:11] Gitlab - Arbitrary file read via the UploadsRewriter when moving an issue [01:20:15] Researching Polymorphic Images for XSS on Google Scholar [01:27:41] TP-LINK Cloud Cameras Multiple Vulnerabilities https://seclists.org/fulldisclosure/2020/May/3 https://seclists.org/fulldisclosure/2020/May/4 [01:34:46] Remote Code Execution on Microsoft SharePoint Using TypeConverters [CVE-2020-0932] [01:43:03] Firefox js::ReadableStreamCloseInternal Out-Of-Bounds Access [01:51:56] Siguza - iOS
02:20:34
May 5, 2020
Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE
Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days. [00:00:33] Relyze Decompiler [00:22:06] Firefox's Bug Bounty in 2019 and into the Future [00:30:29] Source code for both CS:GO and TF2 Leaked [00:38:58] Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS [00:44:34] MSI TrueColor Unquoted Service Path Vulnerability [00:48:43] 1-click RCE on Keybase [00:55:56] jQuery < 3.5 Cross-Site Scripting (XSS) in html() https://xss.pwnfunction.com/challenges/ww3/ [01:01:37] Multiple 0 day vulnerabilities in IBM Data Risk Manager [01:17:24] You Won't Believe what this One Line Change Did to the Chrome Sandbox https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1 [01:23:58] You’ve Got (0-click) Mail! [01:31:29] Sharing a Logon Session a Little Too Much [01:37:00] SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions https://0x0539.net/play/fangorn/crypto_cookie [01:47:10] MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages [01:54:37] Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022] [01:57:26] Patchguard: Detection of Hypervisor Based Introspection https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/ [01:59:37] HITB Lockdown Livestream Day 1 Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:04:42
April 28, 2020
Binary Ninja's Decompiler, git credential leak, cross-platform LPEs
Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler...okay, probably not, but it is exciting. We've also got some stupid issues and some interesting LPEs this episode. [00:00:29] Cognizant suffers Maze Ransomware cyber attack [00:14:08] Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 [00:27:46] How I Reverse Engineered the LastPass CLI Tool [00:35:59] State of the Ninja: Episode 13 [01:02:18] Riot offering up to $100k in Bug Bounty [01:05:31] Research Grants to support Google VRP Bug Hunters during COVID-19 [01:09:08] Denial of service to WP-JSON API by cache poisoning [01:11:43] CSRF to RCE bug chain in Prestashop [01:21:16] Unintended disclosure of OTP [01:24:20] JSON Web Token Validation Bypass in Auth0 Authentication API [01:27:06] git: Newline injection in credential helper [01:31:20] How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability [01:36:34] Pwning vCenter with CVE-2020-3952 [01:45:19] Oracle Solaris 11.x/10 whodo/w Buffer Overflow [01:51:22] Linux Kernel EoP via Improper eBPF Program Verification [CVE-2020-8835] [01:57:39] Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab [02:07:20] Ricerca Security: "SMBGhost pre-auth RCE https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/ [02:14:01] IJON: Exploring Deep State Spaces via Fuzzing [02:23:26] Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction [02:27:45] GitHub - wcventure/FuzzingPaper
02:30:39
April 21, 2020
IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)
Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug. [00:00:45] DAY[0] Episode Transcripts now Available [00:02:53] Microsoft Buys Corp.com to Keep It Safe from Hackers (Over $1.7 Million Deal) [00:05:42] Hack for Good: Easily Donate Bounties to WHO’s COVID-19 Response Fund [00:10:55] RetDec v4.0 is out [00:17:33] IDA Home is coming https://www.sophia.re/Binary-Rockstar/index.html https://nostarch.com/GhidraBook [00:33:44] Sandboxie Open Source Code is available https://github.com/xanasoft/Sandboxie [00:38:01] Exploiting the TP-Link Archer A7 [00:46:50] Exploiting the Starcraft 1 EUD Bug [00:51:23] OhMyZsh dotenv Remote Code Execution [00:56:19] Symantec Web Gateway 5.0.2.8 Remote Code Execution [00:59:15] VMware vCenter Server Sensitive Information Disclosure [CVE-2020-3952] [01:01:39] Bypassing modern XSS mitigations with code-reuse attacks [01:07:49] Practical Data Poisoning Attack against Next-Item Recommendation [01:11:40] Hardware Trojan Detection Using Controlled Circuit Aging [01:16:18] A "Final" Security Bug [01:27:05] RCEed version of computer malware / rootkit MyRTUs / Stuxnet. https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.c https://xkcd.com/350/ Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:30:01
April 14, 2020
Zoom-ers, VM Escapes, and Pegasus Resurfaces
First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hypervisor guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab parser differential. [00:09:31] Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users [00:14:49] Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings [00:28:28] Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1 [00:33:20] Bug bounty platforms buy researcher silence, violate labor laws, critics say [00:53:56] Zoom NTLM Hash Leak [00:59:44] The 'S' in Zoom, Stands for Security [01:05:52] Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947] https://www.vmware.com/security/advisories/VMSA-2020-0004.html https://www.zerodayinitiative.com/advisories/ZDI-20-298/ [01:15:38] Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796] [01:26:31] How to exploit parser differentials [01:37:07] Unauthorized Camera access on iOS and macOS [01:49:07] [Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation [01:54:21] Physically Realizable Adversarial Examples for LiDAR Object Detection [02:01:39] Attack matrix for Kubernetes [02:03:34] Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln [02:04:13] Tale of two hypervisor bugs - Escaping from FreeBSD bhyve [02:08:21] So you want to be a web security researcher? Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:10:24
April 7, 2020
A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR
Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few other vulnerabilities impacting Windows, Pi-Hole and Netflix, and end by looking at Windows' new hardware-enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux. [00:01:18] The Netflix account compromise Bugcrowd doesn't want you to know about https://bugcrowd.com/netflix [00:16:21] Where is my Train : Tracking to Hacking [00:22:59] Intel SGX removed from Rocket Skylake-S CPUs [00:28:17] Type 1 Font Parsing Remote Code Execution Vulnerability [00:33:41] Configuration Overwrite in IBM Cognos TM1 [CVE-2019-4716] [00:42:19] Remote Code Execution Through .LNK Files [CVE-2020-0729] [00:53:15] Pi-hole Remote Code Execution [CVE-2020-8816] [01:03:14] NordVPN - Unauthorized User Can Delete Any User Account [01:09:33] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns https://blockchain-ctf.securityinnovation.com/#/ [01:20:01] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns [01:20:28] Understanding Hardware-enforced Stack Protection https://windows-internals.com/cet-on-windows/ [01:32:21] [RFC PATCH 00/11] Finer grained kernel address space randomization - Kristen Carlson Accardi https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/ [01:42:14] Slayer Labs https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:48:20
March 31, 2020
Pwn2Own Results, Voatz (again), some web-exploits and a code-reuse mitigation
More discussion about election hacking with Voatz undergoing a more complete security assessment; we also discuss a few interesting web attacks and end with a good discussion about a new code-reuse mitigation: Hurdle. [00:00:20] Learn Exploit Development While Not Dying [00:02:10] Exploit Education [00:07:32] Pwn2Own Results https://www.zerodayinitiative.com/blog/2020/3/19/pwn2own-2020-day-one-results [00:16:19] DEF CON CTF 2020 QUALS COVID-19 DELAY [00:22:30] Software Engineer - Jobs at Apple [00:30:56] Tesla Model 3 Denial of Service Vulnerability [CVE-2020-10558] [00:36:26] Trail of Bits - Voatz Security Review [01:01:49] XXE-scape through the front door: circumventing the firewall with HTTP request smuggling [01:08:12] Don't Clone That Repo: Visual Studio Code^2 Execution https://github.com/doyensec/VSCode_PoC_Oct2019/ https://github.com/doyensec/VSCode_PoC_Oct2019/blob/master/.vscode/settings.json https://github.com/doyensec/VSCode_PoC_Oct2019/commit/19b4687259bd5d1821525a3ebbe6aa76618359c3#diff-62b00de1d62bb867ef03dec7057712f1R50 [01:14:22] [Hacker101] Race Condition leads to undeletable group member [01:19:58] JavaScript without parentheses using DOMMatrix https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked [01:24:21] Hurdle: Securing Jump Instructions Against Code Reuse Attacks https://www.youtube.com/watch?v=qFWTZ2zZ1XQ http://se.ri0.us/2020-03-23-110829182-9e1b1.png Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:40:07
March 24, 2020
How to Hack a CTF and more (LVI, TRRespass and some web-exploits)
Start off by looking at a few Google Cloud attacks, a couple named vulns (LVI: Load Value Injection, and TRRespass) and then into some web-focused exploits including how to hack a CTF. [00:00:15] P2O Vancouver now remote-only [00:04:10] Announcing our first GCP VRP Prize winner and updates to 2020 program https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/ [00:18:36] Whisper has exposed all user information [00:28:10] LVI: Hijacking Transient Execution with Load Value Injection [00:39:13] TRRespass: Exploiting the Many Sides of Target Row Refresh [00:47:17] The unexpected Google wide domain check bypass [00:56:34] Facebook OAuth Framework Vulnerability [01:06:36] JSON CSRF with method override technique [01:13:20] Breaking the Competition [01:23:26] [Slack] TURN server allows TCP and UDP proxying to internal network [01:26:08] [Slack] HTTP Request Smuggling to steal session cookies [01:30:46] [Slack] DTLS uses a private key that is in the public domain [01:32:55] [htmr] DOM-based XSS [01:42:08] A Compiler Assisted Scheduler for Detecting and Mitigating Cache-Based Side Channel Attacks [01:50:00] Bypassing memory safety mechanisms through speculative control flow hijacks Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:57:16
March 17, 2020
FuzzBench, MediaTek-su, Request Smuggling, and Memory Tagging
A new AMD side channel, an old Intel CSME attack, a couple deserialization attacks, a few clever but not terribly useful attacks, and some discussion about memory tagging on this week's episode of DAY[0]. [00:00:21] Election Security 2020: Don't Let Disinformation Undermine Your Right to Vote [00:06:52] Announcing Remote Participation in Pwn2Own Vancouver [00:11:22] Revoking certain certificates on March 4 [00:19:40] FuzzBench: Fuzzer Benchmarking as a Service [00:28:53] Intel x86 Root of Trust: loss of trust [00:39:07] Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors [00:49:11] VU#782301 - pppd vulnerable to buffer overflow due to a flaw in EAP packet processing https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636af https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426 [00:55:11] MediaTek rootkit affecting millions of Android devices [01:01:56] Zoho ManageEngine RCE [01:11:25] RCE Through a Deserialization Bug in Oracle's WebLogic Server (CVE-2020-2555) [01:14:22] Regex Vulnerabilities - parse-community/parse-server [01:18:57] HTTP request smuggling using malformed Transfer-Encoding header [01:27:20] [Nextcloud] Delete All Data of Any User [01:30:36] Dismantling DST80-based Immobiliser Systems [01:37:53] Exploring Backdoor Poisoning Attacks Against Malware Classifiers [01:45:59] Code Renewability for Native Software Protection [01:55:42] Security Analysis of Memory Tagging [02:04:15] DangKiller: Eliminating Dangling Pointers Efficiently via Implicit Identifier Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:14:29
March 10, 2020
kr00k, GhostCat, and more issues from NordVPN, Samsung, OpenSMTPd
Join Specter and zi as they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPd. [00:01:13] Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen [00:06:13] Firefox continues push to bring DNS over HTTPS by default for US users https://github.com/curl/curl/wiki/DNS-over-HTTPS [00:19:07] Securing Memory at EPYC Scale [00:26:30] How a Hacker's Mom Broke Into a Prison—and the Warden's Computer [00:29:12] kr00k | ESET [00:33:14] CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys [00:37:41] CVE-2020-1938: Ghostcat vulnerability [00:46:16] LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) [00:55:43] Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance https://hackerone.com/reports/374737 [01:00:30] x-request-id header reflected in server response without sanitization [01:05:54] Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection https://hackerone.com/valve/hacktivity [01:12:56] Samsung Kernel /dev/hdcp2 hdcp_session_close() Race Condition [01:14:59] Samsung Kernel Arbitrary /dev/vipx / /dev/vertex kfree [01:18:34] Samsung Kernel /dev/vipx Pointer Leak [01:22:21] HFL: Hybrid Fuzzing on the Linux Kernel – NDSS Symposium [01:30:32] Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensors [01:38:27] Evasion techniques [01:39:31] Hacking Unicode Like a Boss [01:43:05] Pwning VMware, Part 2: ZDI-19-421, a UHCI bug | nafod [01:44:48] Intro to chrome's v8 from an exploit development angle Watch Live on Twitch (@dayzerosec) at 3PM EST
01:46:52
March 3, 2020
A Dark White-Hat hacker? and various vulns ft. Cisco, Periscope, NordVPN and Tesla/EyeQ
Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark white-hat. [00:02:32] Humble Book Bundle: Cybersecurity 2020 by Wiley [00:11:31] Google Summer of Code 2020 https://radare.org/gsoc/2020/ [00:23:01] Critical Issue In ThemeGrill Demo Importer [00:28:48] Cisco Security Advisory: Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability [00:32:19] nordvpn Linux Desktop executable application does not use pie / no ASLR [00:40:57] Race condition (TOCTOU) in NordVPN can result in local privilege escalation [00:49:17] Periscope android app deeplink leads to CSRF in follow action [00:54:01] I hacked SlickWraps. This is how. - Lynx0x00 - Medium https://files.catbox.moe/fxn9r2.pdf [01:10:23] Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles [01:18:31] Edge CVE-2020-0767 RCE POC [01:22:02] GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath [01:28:37] CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction [01:37:31] MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing [01:49:36] pwn.college BETA [01:53:17] Microcontroller Readback Protection: Bypasses and Defenses [01:54:00] Libxml2 Tutorial | AFLplusplus [01:56:06] Booting iOS on QEMU Research Slides https://github.com/alephsecurity/confs/blob/master/OFFENSIVE20/offensive-20-ios-qemu.pdf https://github.com/alephsecurity/xnu-qemu-arm64 Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:00:52
February 25, 2020
A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing
Is the new OSCP worth it? Can election apps be made secure? We'll talk about those questions and several kernel exploits and a few cool fuzzing innovations. [00:00:23] PWK and the OSCP Certification | Offensive Security [00:16:24] Rescheduling Root KSK Ceremony 40 [00:20:15] The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz https://blog.voatz.com/?p=1209 [00:49:26] Lateral movement via MSSQL: a tale of CLR and socket reuse [00:55:51] Fix for CVE-2018-12122 can be bypassed via keep-alive requests [01:00:28] A Trivial Privilege Escalation Bug in Windows Service Tracing (CVE-2020-0668) https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html [01:05:01] Intel CSME Escalation of Privilege [01:07:41] Project Zero: A day^W^W Several months in the life of Project Zero [01:18:54] Project Zero: Mitigations are attack surface, too https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html [01:33:42] Samsung SEND_FILE_WITH_HEADER Use-After-Free [01:35:52] Samsung /dev/tsmux Heap Out-Of-Bounds Write [01:39:55] Exploiting a Linux kernel vulnerability in the V4L2 subsystem (CVE-2019-18683) [01:45:10] KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities [01:54:06] HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing [01:58:14] HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [02:02:21] FIDO2 Deep Dive: Attestations, Trust model and Security [02:03:04] Hypervisor Necromancy; Reanimating Kernel Protectors Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
02:05:13
February 18, 2020
Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight
Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco: vulns for days impacting several big names, plus a couple of new attack ideas: blind regex injection, and GhostKnight, a technique to breach data integrity using speculative execution. [00:01:07] Updated re. Sudo Exploit [00:03:32] Charges Filed against Four Chinese PLA Hackers for part in 2017 Equifax Breach [00:06:06] Announcing a Targeted Incentive Program for Selected Trend Micro Products [00:11:01] Android Security Bulletin - February 2020 https://android.googlesource.com/kernel/common/+/5eeb2ca0 https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0 [00:17:06] Critical Bluetooth Vulnerability in Android (CVE-2020-0022) [00:22:48] Dangerous Domain Corp.com Goes Up for Sale [00:37:43] NordVPN - IDOR allow access to payments data of any user https://hackerone.com/nordvpn [00:43:35] Twitter - Bypass Password Authentication for updating email and phone number [00:48:27] WhatsApp Desktop XSS to Local File read (CVE-2019-18426) [01:03:03] CDPwn: 5 Zero-Days in Cisco Discovery Protocol [01:15:07] A Rough Idea of Blind Regular Expression Injection Attack https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques [01:20:45] GhostKnight: Breaching Data Integrity via Speculative Execution [01:26:00] BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness [01:30:27] Forging SWIFT MT Payment Messages for fun and pr... research! [01:35:22] Grooming the iOS Kernel Heap Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:38:42
February 11, 2020
OK Google, sudo ./hacktheplanet
Ok Google! Bypass authentication... and while we're at it, let's exploit sudo and OpenSMTPD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues. Correction: During the segment about the sudo (pwfeedback) exploit I incorrectly described the issue as a stack-based buffer overflow; however, the buf variable is declared as static so it ends up in .bss and not on the stack. ~zi Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0]) [00:00:22] Charges Dismissed Against Coalfire Employees [00:06:50] Avast to Commence Wind Down of Subsidiary Jumpshot [00:22:10] Say hello to OpenSK: a fully open-source security key implementation [00:28:25] Kraken Identifies Critical Flaw in Trezor Hardware Wallets [00:33:56] Zoom-Zoom: We Are Watching You [00:39:08] TeamViewer using encrypted passwords [00:47:43] Buffer overflow [in sudo] when pwfeedback is set in sudoers (CVE-2019-18634) https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078 https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413 [01:01:23] Opkg susceptible to MITM (CVE-2020-7982) https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8 [01:07:18] LPE and RCE in OpenSMTPD (CVE-2020-7247) [01:14:13] PHP 7.0-7.4 disable_functions bypass 0day PoC https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php [01:28:53] Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I) https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/ [01:40:22] OK Google: bypass the authentication!
01:49:41
February 4, 2020
Return of the Zombieload, Bezos Hacked, and other exploits
This week we look at 15 CVEs, including the new MDS Attacks/Zombieload and GhostImage, a cool attack against vision-based classification systems. We also have a discussion about mobile vs desktop security. Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) [00:01:33] Pwn2Own Miami 2020 [00:06:32] Allegations that Saudi Crown Prince involved in hacking of Jeff Bezos’ phone https://twitter.com/dinodaizovi/status/1221324029841244161 [00:11:25] Chris Rohlf on Twitter: "...Mobile security was largely a success relative to the state of the desktop..." [00:25:49] More MDS Attacks: Intel Patching its Patch of the Patch for MDS/ZombieLoad Attacks https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b [00:31:34] MDHex Vulnerabilities [00:42:55] JSSE Client Authentication Bypass (CVE-2020-2655) [00:55:37] Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363) [00:58:34] ModSecurity Denial of Service (CVE-2019-19886) [01:02:47] GGvulnz - How I hacked hundreds of companies through Google Groups [01:09:14] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption (CVE-2020-6857) [01:14:40] arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault - Patchwork [01:18:54] Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability (CVE-2020-3142) [01:21:35] iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU (CVE-2019-14615) [01:28:41] Information Leaks via Safari's Intelligent Tracking Prevention [01:39:02] GhostImage: Perception Domain Attacks against Vision-based Object Classification Systems [01:44:46] Nightmare - A collection of binary exploitation / reverse engineering challenges and writeups [01:49:26] The Life of a Bad Security Fix [01:51:22] macOS/iOS: ImageIO: heap corruption when processing malformed TIFF image
01:55:32
January 27, 2020
Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty
Start off with some discussions about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week, including CurveBall, CableHaunt, and an RDP RCE. [00:00:27] Chromium Blog: Building a more private web: A path towards making third party cookies obsolete [00:07:05] WeLeakInfo.com Domain Name Seized [00:13:39] A sad day for Rust [00:25:38] GitHub - microsoft/verona: Research programming language for concurrent ownership https://github.com/microsoft/verona/blob/master/docs/explore.md [00:37:30] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer [00:47:16] Control Flow Integrity (CFI) in the Linux kernel [00:53:54] ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) [00:57:19] Netgear TLS Private Key Disclosure through Device Firmware Images https://news.ycombinator.com/item?id=22048619 https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb [01:17:39] Cable Haunt [01:27:19] RDP to RCE: When Fragmentation Goes Wrong [01:31:46] Critical Auth Bypass Vulnerability In InfiniteWP Client And WP Time Capsule [01:37:48] cuck00 | Twenty-twenty, bugs aplenty! Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
01:47:05
January 21, 2020
SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing?
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:00:35] SHA-1 is a Shambles https://www.youtube.com/watch?v=Gh6p7Y74m9A [00:14:50] Government-funded phones come pre-installed with unremovable malware [00:22:09] Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla [00:27:02] CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway https://github.com/projectzeroindia/CVE-2019-19781 https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/ https://twitter.com/GossiTheDog/status/1215785949709459456 [00:38:20] Project Zero: Policy and Disclosure: 2020 Edition https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html [00:52:07] Privileged Access Never (PAN) - Another day, another broken mitigation. [00:57:43] Tik or Tok? Is TikTok secure enough? [01:18:33] Fortinet FortiSIEM Hardcoded SSH Key [01:22:58] Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 [01:32:00] WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning [01:36:00] QSOR: Quantum-Safe Onion Routing [01:45:09] Browser Games Aren't an Easy Target [01:46:31] Reverse engineering RNG in a GBA game https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
01:56:03
January 14, 2020
First Edge bounty, Hacking Tesla via Wi-Fi, Cisco advisories, and Shadow Clones
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:00:40] CCC [00:14:58] Sunsetting Python 2 | Python.org https://www.python.org/blogs/ [00:19:11] Kali 2020.1 - Default Non-Root User https://www.kali.org/news/kali-default-non-root-user/ https://www.offensive-security.com/ [00:35:53] Caterpillar padlocks all use the same key [00:42:51] Shitcoin Wallet is a scam, says security researcher [00:47:13] Microsoft Edge (Chromium) - Elevation of Privilege to Potential Remote Code Execution [00:56:57] Exploiting Wi-Fi Stack on Tesla Model S | Keen Security Lab Blog [01:08:52] Spiderman 2000 - Buffer overflow in file loading routine [01:14:31] Alert Alarm SMS exploit [01:27:33] D-Link DIR-859 - Unauthenticated RCE (CVE-2019-17621) [01:33:20] Cisco Security Advisory: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities https://tools.cisco.com/security/center/publicationListing.x https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav [01:45:03] Starbuck's JumpCloud API Key leaked via Open Github Repository https://www.androidpolice.com/2020/01/06/uh-oh-xiaomi-camera-feed-showing-random-homes-on-a-google-nest-hub-including-still-images-of-sleeping-people/ [01:56:39] JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms [02:02:28] Shadowclone: Thwarting and Detecting DOP Attacks with Stack Layout Randomization and Canary [02:15:21] Breaking PHP's mt_rand() with 2 values and no bruteforce
02:20:30
January 8, 2020
PlunderVolt, Real-World Bug Hunting, Presidents Cup CTF, SockPuppet and more
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:01:18] Last Episode of the Year [00:01:36] Real-World Bug Hunting: A Field Guide to Web Hacking http://www.phrack.org/papers/attacking_javascript_engines.html [00:11:29] President's Cup [00:24:20] Better Password Protections [in Chrome] [00:30:18] Apple DMCA's SEP Key https://en.wikipedia.org/wiki/Illegal_number [00:36:59] Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers [00:48:50] Camouflage: Hardware-assisted CFI for the ARM Linux kernel [01:00:37] Binary Planting with the npm CLI [01:04:55] Plundervolt [01:17:35] Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) [01:24:09] AirDoS: Remotely render any nearby iPhone or iPad unusable [01:26:24] Digital Lockpicking - Stealing Keys to the Kingdom (KeyWe Smart Lock) https://labs.f-secure.com/advisories/keywe-smart-lock-unauthorized-access-traffic-interception [01:31:44] SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4 [01:39:05] Maddie Stone: Whatsup with WhatsApp: A Detailed Walk Through of Reverse Engineering CVE-2019-3568 [01:46:37] Client-side Vulnerabilities in Commercial VPNs [01:54:50] A Technical Review of Connected Toy Security https://www.which.co.uk/news/2019/12/kids-karaoke-machines-and-smart-toys-from-mattel-and-vtech-among-those-found-to-have-security-flaws-in-a-which-investigation/ [02:07:43] Interactive Buffer Overflow Exploitation https://github.com/bordplate/js86 https://nagarrosecurity.com/blog/interactive-rop-tutorial
02:13:06
December 17, 2019
Permanent DoS, HackerOne Hacked, and Wide-OpenBSD
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:02:59] Android Permanent DoS (CVE-2019-2232) [00:08:09] Inferring and hijacking VPN-tunneled TCP connections (CVE-2019-14899) [00:16:00] An Update on Android TLS Adoption [00:25:11] Mozilla and Opera remove Avast extensions from their add-on stores https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/ [00:43:05] Tron: Evolution SecuROM DRM expiration makes game unplayable 9 years after release [00:50:12] Millions of Americans at Risk After Huge Data and SMS Leak [00:54:14] Nebraska Medicine Breached by Rogue Employee [00:56:56] Practical Pentest Labs stores passwords in plaintext [01:05:07] Incident Report | 2019-11-24 Account Takeover via Disclosed Session Cookie [01:13:28] Authentication vulnerabilities in OpenBSD (CVE-2019-19521) [01:24:36] Symantec Endpoint Protection Local Privilege Escalation (CVE-2019-12750) [01:30:09] Omron PLC Denial-of-Service as a Feature https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H https://github.com/Ox6e3062306479/omron/blob/master/cj2m.fins.dos.py [01:38:35] FIRST CONTACT: New vulnerabilities in contactless payments [01:46:39] Fuzzing Sega Genesis Emulators [01:50:30] Verifiable Voting Primer https://www.youtube.com/watch?v=LkH2r-sNjQs
02:14:23
December 10, 2019
CWE Top 25, Hacking Anti-Viruses and Adversarial Machine Learning Attacks
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0]) [00:02:08] Protecting users from government-backed hacking and disinformation [00:10:23] ENISA threat landscape for 5G Networks [00:16:13] EU raises eyebrows at possible US encryption ban [00:24:16] You watch TV. Your TV watches back. [00:34:44] CWE - Top 25 https://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html [00:46:58] LPE in K7 Security Anti-Virus (CVE-2019-16897) [00:47:09] Weak Crypto in Fortinet Products [01:01:37] CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263 [01:04:32] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions [01:10:41] Synology DSM Remote Command Injection [01:16:45] SpoC: Spoofing Camera Fingerprints [01:24:44] Defending Against Adversarial Machine Learning [01:34:21] Can Attention Masks Improve Adversarial Robustness? [01:38:58] Hidviz [01:41:05] IDA 7 Demo Release [01:47:54] Windows Terminal (Preview) 0.7 Release
01:55:35
December 3, 2019
What does the NSA say?
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0]) [00:00:35] PagedOut #2 [00:07:38] Black Friday Deals to watch out for [00:17:59] Official Monero website is hacked to deliver currency-stealing malware [00:26:30] Managing Risk from Transport Layer Security Inspection [00:40:55] US student was allegedly building a custom Gentoo Linux distro for ISIS [00:48:41] Google Outlines Plans for Mainline Linux Kernel Support in Android [00:55:12] Introducing Flan Scan [00:59:44] Expanding Android Security Rewards [01:05:26] Updates to the Mozilla Web Security Bounty Program [01:07:59] XSS in GMail’s AMP4Email via DOM Clobbering [01:17:32] VNC Vulnerabilities (LibVNC, TightVNC, TurboVNC and UltraVNC) [01:26:22] Arbitrary file capture in Kaspersky Total Security 2019 [01:30:43] Bad binder: Android In-The-Wild Exploit [01:36:03] Building Fast Fuzzers https://github.com/gamozolabs/fzero_fuzzer [01:49:47] The Performance of Machine and Deep Learning Classifiers in Detecting Zero-Day Vulnerabilities [02:02:08] PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance
02:19:14
November 26, 2019
Election hacking, Kernel Security, MDS Attacks and Github's Security Lab
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0]) [00:02:09] Thousands of hacked Disney+ accounts are already for sale [00:06:33] Faking an iVote decryption proof [00:16:20] "robot deployed at the famous Robot Hotels in Japan can be converted to offer anyone remote camera/mic access to all future guests." [00:30:13] "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file" [00:35:42] HHVM Security Update [00:38:18] Symantec Endpoint Protection - Self-Defense Bypass - CVE-2019-12758 [00:38:27] McAfee - All Editions - Self-Defense Bypass - CVE-2019-3648 [00:43:26] Imperceptible Adversarial Attacks on Tabular Data [00:48:48] 5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol [00:55:26] Fuzzing Qualcomm Secure Execution Environment and CVE-2019-10574 [01:00:32] TPM-Fail [01:08:54] Mitigations for Jump Conditional Code Erratum [01:14:35] More MDS Attacks [01:22:55] Tianfu Cup [01:27:48] Protecting against code reuse in the Linux kernel with Shadow Call Stack [01:34:04] Security things in Linux v5.3 [01:50:36] A Security Perspective on Unikernels [01:54:26] Announcing GitHub Security Lab: securing the world's code, together [02:09:32] Huawei introduces new invite-only bug bounty program [02:12:37] Interpol plans to condemn encryption spread, citing predators, sources say https://www.youtube.com/watch?v=VPBH1eW28mo [02:17:33] How a turf war and a botched contract
02:32:43
November 19, 2019
Rogue Employees, Lasers, Fuzzing, and an iOS Exploit (checkra1n)
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0]) [00:01:56] Pwn2Own Tokyo 2019 https://www.zerodayinitiative.com/Pwn2OwnTokyo2019Rules.html [00:07:22] Pwn2Own Tokyo 2019 [00:08:46] Google Begins Testing Extension manifest v3 in Chrome Canary [00:12:03] Rogue Trend Micro Employee Sold Customer Data for 68K Accounts [00:14:54] The DoJ charges former Twitter employees for allegedly accessing thousands of accounts on behalf of Saudi Arabia. [00:23:02] OpenTitan – Open sourcing transparent, trustworthy, and secure silicon [00:26:34] OpenTitan – Open sourcing transparent, trustworthy, and secure silicon [00:29:33] Sandboxie transitioning to open source https://arstechnica.com/information-technology/2019/11/newly-discovered-titanium-backdoor-employs-clever-ways-to-go-undetected/ https://securelist.com/titanium-the-platinum-group-strikes-again/94961/ [00:44:06] Facebook Groups API flaw exposed data to 100 developers [00:47:47] Laser-Based Audio Injection on Voice-Controllable Systems [00:54:07] Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems [00:54:20] Laser-Based Audio Injection on Voice-Controllable Systems [00:57:11]
01:34:28
November 13, 2019
A Bit of everything: 0days, Breaches, Lawsuits, Attacking AI, and some insecure
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:05:23] Apple v. Corellium [00:12:04] Firefox to Discontinue Sideloaded Extensions [00:16:52] Delegated Credentials for TLS [00:23:02] North Korean Malware Found on Indian Nuclear Plant's Network [00:28:20] The Pirate Bay Downtime Caused by Malicious Search Queries [00:29:30] Web.com Breach (allegedly includes NetworkSolutions.com and Register.com) [00:32:28] BlueKeep attacks are happening, but it's not a worm https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/ [00:36:13] Untitled Goose Game - Insecure Deserialization [00:39:58] Two Chrome 0Days get Patched [00:42:45] NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] [00:45:43] Abusing HTTP Hop-by-hop Request Headers [00:50:54] Let's Make Windows Defender Angry: Antivirus Can be an Oracle! -icchy https://en.wikipedia.org/wiki/EICAR_test_file [00:56:54] rConfig v3.9.2 authenticated and unauthenticated RCE (CVE-2019-16663) and (CVE-2019-16662) [01:02:26] Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors [01:07:26] Silhouette: Efficient Intra-Address Space Isolation for Protected Shadow Stacks on Embedded Systems [01:19:46] unfork(2) [01:23:51] Destroying x86_64 instruction decoders with differential fuzzing https://github.com/zyantific/zydis
01:34:07
November 5, 2019
NordVPN Again, Snowden, CPDoS, a PHP-RCE, and some console hacking
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:00:49] NordVPN's Response to Private Certificate Breach Discussed Last Week https://nordvpn.com/blog/security-plan/ [00:12:31] AWS Hit By major DDOS Attack https://status.digitalocean.com/incidents/1z3kmlvz69v6 [00:14:43] Seven Million Adobe Creative Cloud Accounts Exposed to the Public [00:25:24] Travel Reservations Platform Leaks US Government Personnel Data [00:30:09] Joe Rogan Experience #1368 - Edward Snowden [00:48:38] Technical Analysis of Checkm8 https://googleprojectzero.blogspot.com/2019/10/ktrw-journey-to-build-debuggable-iphone.html [00:55:51] Cache Poisoned Denial of Service (CPDoS) [01:08:27] CVE-2019-11043 - PHP-FPM (potential) RCE https://github.com/neex/phuip-fpizdam/blob/master/attack.go [01:20:44] Light Ears: Information Leakage via Smart Lights [01:27:57] Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, … [01:33:28] Bringing ICS into the Pwn2Own World [01:37:39] Analysis of Qualcomm Secure Boot Chains [01:39:56] Microsoft Secured-Core PC [01:47:46] Guarding Against Physical Attacks: The Xbox One Story
01:59:18
October 28, 2019
Linux Exploits, Secure Credentials, Side-Channels and Election(SDK) hacking
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])   [00:01:29] Sudo: CVE-2019-14287 [00:08:40] Buffer overflow in Realtek Wi-Fi chips [00:17:13] US Law Enforcement Traces Bitcoin Transfers to Nab ‘Largest’ Child Porn Site [00:39:45] Equifax Using admin:admin as Credentials for Sensitive Information [00:48:40] CenturyLink Data Leak of 2.8 Million Records [00:56:37] NordVPN Reportedly Compromised https://crt.sh/?q=nordvpn.com [00:59:07] NordVPN Reportedly Compromised https://twitter.com/hexdefined/status/1185974575214940161 https://nordvpn.com/ https://thatoneprivacysite.net/ [01:07:45] Pop_OS 19.10 [01:13:26] JSFuzz [01:19:08] Site Isolation improvement (and now on Android) [01:22:54] A New Memory Type Against Speculative Side Channel Attacks [01:30:06] oo7: Low-overhead Defense against Spectre Attacks via Program Analysis [01:38:37] UK Government to fund development of attack resistant Arm chips [01:46:59] Germany's Cyber Security Agency Recommends Firefox as Most Secure Browser [02:01:36] Facebook Expanding Bug Bountry Program to Third-Party Apps https://www.facebook.com/whitehat/info/ [02:04:14] ElectionGuard SDK Bug Bounty https://www.youtube.com/watch?v=w3_0x6oaDmI https://www.youtube.com/watch?v=BYRTvoZ3Rho https://www.microsoft.com/en-us/msrc/bounty-electionguard
02:13:44
October 21, 2019
When your errors have errors...
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube   [00:03:00] Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit  iTerm2 Patch [00:11:24] Windows Error Reporting Manager arbitrary file move Elevation of Privilege (CVE-2019-1315)  James Forshaw  A Link To The Past.pdf [00:16:12] CVE-2019-8697: MacOS System Escalation via Disk Management  https://www.zerodayinitiative.com/blog/2019/10/3/cve-2019-8697-macos-system-escalation-via-disk-management [00:20:20] Apple Zero Day Exploited in Bitpaymer Campaign [00:25:50] BrokenStrokes: On the (in)Security of Wireless Keyboards [00:31:53] PS2 Yabasic Exploit  Exploit Writeup [00:40:12] Imperva Breach Report [00:49:23] EU-coordinated risk assessment of 5G network security  https://eeas.europa.eu/delegations/united-states-america/68637/eu-coordinated-risk-assessment-5g-network-security_me [00:55:11] Measuring Attack Surface Reduction in the Presence of Code (Re-)Randomization  https://arxiv.org/abs/1910.03034 [01:04:46] Finding Security Threats That Matter: An Industrial Case Study [01:16:47] An Extended Survey on Vehicle Security [01:21:56] Zydis 3.0 Released (x86-64 disassembler library)  https://github.com/zyantific/zydis [01:25:54] IDA 7.4 [01:28:38] Government interference in Australia's premier cybersecurity conference is a worry [01:33:16] uBlock dev build rejected [01:39:19] Ken Thompson's Unix Password [01:44:04] Humble Bundle
01:48:40
October 14, 2019
Exploits-galore iOS (checkm8), Android, Signal, Whatsapp, PHP and more
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube [00:00:40] What happened while we were gone. ft. Defcon and Blackhat discussion [00:20:10] Checkm8 - iPhone bootROM exploit [00:28:52] iPhone A11 debug registers allow full-featured kernel debugging [00:32:52] Android: Use-After-Free in Binder driver https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ [00:39:36] PHP 7.0-7.3 disable_functions bypass https://bugs.php.net/bug.php?id=72530 [00:51:49] An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples https://cwe.mitre.org/data/definitions/20.html [01:03:18] Signal RTP is processed before call is answered https://bugs.chromium.org/p/project-zero/issues/detail?id=1943 [01:08:47] Whatsapp RCE [01:14:58] Attacking CNN-based anti-spoofing face authentication in the physical domain [01:22:52] The Kernel Concurrency Sanitizer (KCSAN) [01:30:36] Eradicating Attacks on the Internal Network with Internal Network Policy [01:39:22] Analyzing Control Flow Integrity with LLVM-CFI
01:50:56
October 7, 2019
Offensive Security's OSWE/AWAE, Massive Security failures, and a handful of cool attacks
This will be our last episode until the fall, but once we are back you can catch the DAY[0] podcast on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:00:50] This will be our last episode until the fall. [00:02:50] Thoughts on the Advanced Web Attacks and Exploitation (AWAE) Course, and the Offensive Security Web Expert (OSWE) certification [00:32:05] r/AskNetsec - New windows LPE from non-admin :) - From SandboxEscaper [00:45:20] First American Financial Corp. compromise [00:53:48] Google admits storing G Suite user passwords in plain text for 14 years [01:02:27] Safety vs. Security: Attacking Avionic Systems with Humans in the Loop [01:17:30] Malware Guard Extension: Using SGX to Conceal Cache Attacks [01:25:04] Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updates [01:36:45] MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows [01:46:59] Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities [02:03:35] MAC OSX Gatekeeper Bypass [02:10:47] RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer
02:15:47
May 27, 2019
Intel has done it again, ft. Zombies, Cats, and Windows exploits
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:01:55] Frida 12.5 Released [00:08:17] Damn Vulnerable Crypto Wallet [00:16:40] Thangry Cat: https://😾😾😾.fm/ [00:23:11] Micro-Architectural Data Sampling Attacks ZombieLoad RIDL paper Fallout paper Red Hat Overview Video [00:56:24] Update to Security Incident [May 17, 2019] - Stack Overflow Blog [01:04:00] Global Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain [01:15:12] How Hackers Broke WhatsApp With Just a Phone Call CVE-2019-3568 [01:26:53] Over 25,000 Linksys Smart Wi-Fi Routers Vulnerable to Sensitive Information Disclosure [01:34:01] Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
01:44:51
May 20, 2019
The Unhackable Morpheus chip and other exploit mitigations
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:00:30] Unhackable: New chip stops attacks before they start [00:15:00] DeepCheck: A Non-intrusive Control-flow Integrity Checking based... [00:25:54] Queue the Hardening Enhancements [00:50:18] For Cybersecurity, Computer Science Must Rely on Strong Types [00:57:43] A Novel Side-Channel in Real-Time Schedulers [01:04:55] MAVSec: Securing the MAVLink Protocol [01:10:39] Domain Specific Code Smells in Smart Contracts [01:18:56] Over 275 Million Records Exposed by Unsecured MongoDB Database [01:38:02] Applied Risk :: Advisories [01:53:50] Alpine Linux Docker image contains a NULL root password [01:59:01] Linux Kernel Race Condition and UAF [02:05:44] Arbitrary file read vulnerability in HackerRank
02:18:23
May 13, 2019
Another CSG0-day, Ransomware? and a 36 year old vuln
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:00:30] r/GlobalOffensive: PSA: Security issue regarding lobbies and games [00:11:30] Vita Exploit [00:20:05] Indie Game Removed From Switch eShop [00:34:40] Eight Devices, One Exploit [00:47:30] Remote Code Execution on most Dell computers [00:56:35] All Firefox extensions disabled due to expiration of intermediate signing cert [01:15:10] A hacker is wiping Git repositories and asking for a ransom | ZDNet [01:38:25] Typer vs. CAPTCHA: Private information based CAPTCHA to defend against crowdsourcing human cheating [01:50:50] 36 Year old Kernel stack disclosure bug in UFS/FFS [02:00:52] You Only Propagate Once: Painless Adversarial Training [02:05:55] The Risks of WebGL: Analysis, Evaluation and Detection [02:18:55] InternalBlue: Bluetooth Binary Patching and Experimentation Framework [02:27:30] IRONHIDE: A Secure Multicore Architecture that Leverages Hardware Isolation Against Microarchitecture State Attacks Extra Links: - h-encore exploit (old Vita exploit) - InternalBlue CCC talk
02:37:21
May 6, 2019
Docker, Government Attacks, and Best Practices
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:00:30] - Physical Adversarial Textures that Fool Visual Object Tracking [00:04:30] - DPatch: An Adversarial Patch Attack on Object Detectors [00:11:45] - Side-Channel Attack to Extract ECDSA Private Keys from Qualcomm Hardware-Based Keystore [00:19:40] - For PayPal security team, "get user balances and transaction details" is not a vulnerability [00:26:05] - "CI Knew There Would Be Bugs Here" - Exploring Continuous Integration [00:40:10] - Hacker Finds They Can Kill Car Engines After Breaking Into GPS Tracking Device [00:50:25] - Security baseline (DRAFT) for Windows 10 v1903 [00:58:25] - Security Analysis of Near-Field Communication (NFC) Payments [01:12:10] - Docker Hub Hacked – 190k accounts, GitHub tokens revoked, Builds disabled [01:18:50] - eGobbler - malvertising campaign exploits zero-day Chrome bug [01:32:15] - New backdoor inspired by leaked NSA malware [01:39:60] - Mueller report: Russia hacked state databases and voting machines [01:54:10] - New Technique Uses Power Anomalies to ID Malware in Embedded Systems
02:02:55
April 29, 2019
Fun Malware, Fun AI Tricks, and General Fun
[00:00:31] - https://blogs.grammatech.com/open-source-tools-for-binary-analysis-and-rewriting [00:05:31] - https://arxiv.org/abs/1904.07280 [00:13:51] - https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/ [00:21:12] - https://www.zdnet.com/article/facebook-admits-to-storing-plaintext-passwords-for-millions-of-instagram-users/ [00:25:34] - https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html [00:31:36] - https://pdfpiw.uspto.gov/.piw?docid=10262138&SectionNum=1&IDKey=0229F1C38B5D [00:39:02] - https://arxiv.org/abs/1904.07370 [00:53:05] - https://github.com/vusec/kmvx [01:04:45] - Discussion on valuation of an exploit [01:08:05] - https://arxiv.org/abs/1904.07550 [01:16:02] - https://arxiv.org/abs/1904.08653 [01:24:36] - https://blog.underdogsecurity.com/rce_in_origin_client/ [01:35:14] - https://threatpost.com/windows-zero-day-active-exploits/143820/ [01:40:18] - https://www.ghacks.net/2019/04/16/adblock-plus-filter-exploit-to-run-arbitrary-code-discovered/ [01:47:26] - https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ [01:50:47] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
01:53:33
April 22, 2019
Compromises, Challenge Design, and 0days
Watch the DAY[0] podcast live on Twitch every Monday afternoon at 12:00pm PST (3:00pm EST) -- https://www.twitch.tv/dayzerosec [00:00:37] - Huawei Cyber Security Evaluation Report [00:14:22] - Assange Arrest [00:24:55] - Matrix Compromise [00:32:20] - Outlook Compromise [00:43:39] - Ghidra Source Release [00:49:18] - Relyze 3 Beta (Another Free Decompiler) [00:56:30] - Fracker (New PHP Tool) [01:01:11] - Discussion about EncryptCTF and challenge design [01:25:24] - Dragonblood/WPA3 Vulnerabilities [01:32:21] - CVE-2019-0211 Apache Root Privilege Escalation [01:41:27] - Detailing of CVE-2019-1636 and CVE-2019-6739 in QT [01:49:47] - Splitting Atoms in XNU [02:06:39] - PostgreSQL is it a CVE? [02:11:41] - RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks [02:26:45] - The ROP Needle: Hiding Trigger-based Injection Vectors via Code Reuse [02:29:30] - Assessing Unikernel Security
02:40:02
April 16, 2019
CTFs, Backdoors, and Control Flow Integrity
00:01:10 Sunshine CTF 00:10:27 Question Discussion: Opinions regarding CTFs vs. Real World Exploits 00:24:15 ENCRYPT CTF Discussion 00:31:25 Pwn2Own 2019 (P2O) and Tesla Hacking 00:41:25 Tricking Tesla Autopilot 00:56:45 Ghidra 9.0.1 Release 00:59:30 Commando VM 01:06:50 PoC||GTFO 0x19 01:13:20 ASUS Update Tool Backdoor 01:19:05 Windows Defender APC Code Injection Sensors 01:22:55 BSEA-1 - A Stream Cipher Backdooring Technique 01:32:40 LockerGoga Ransomware Vaccination 01:37:40 Hearing your touch: A new acoustic side channel on smartphones 01:43:05 Keybase is not softer than TOFU 01:48:30 Exploitation Techniques and Defenses for Data-Oriented Attacks 01:56:00 Restricting Control Flow During Speculative Execution with Venkman Additional Links: Sunshine CTF Writeups Attacking Javascript Engines Phrack Article
02:08:38
April 2, 2019
RE Tools, Ethereum, and Plaintext Passwords
00:00:50 Ghidra from XXE to RCE 00:08:50 Cutter (Radare2) Release 00:15:00 Daenerys IDA Pro and Ghidra Interoperability Framework 00:22:00 IDA Educational Release 00:39:35 Windows Defender on MacOS 00:59:20 A new Windows 10 KASLR Bypass 01:11:07 EVMFuzz Fuzzing Ethereum Virtual Machines 01:30:10 Researchers find 36 new security flaws in LTE Protocol 01:45:50 Facebook logging plaintext passwords Other Interesting Links: SecurityInnovation Blockchain CTF Analysis of a Chrome Zero-Day (CVE-2019-5786) Writeup
02:01:19
March 26, 2019
CSG0-Days, Exploit Mitigations, and Voting Systems
00:00:30 Steam Client (CSGO) RCE 00:04:44 CS 1.6 Trojan.Belonard Malware Campaign 00:11:55 WebKit Structure ID Randomness Mitigation 00:20:48 Reuse Gadget Counts Whitepaper (ROP) 00:31:50 DTrace on Windows 00:38:20 Backdoor Attack in CNNs 00:55:05 DARPA's $10m Open Source Voting System 01:13:30 Vulnerability in Swiss E-Voting System
01:39:15
March 18, 2019
Zero-Days, Ghidra, and Questionable CVEs
00:00:00 Intro / General Discussion 00:00:55 Ghidra Overview (Pros, Cons) 00:30:20 Ghidra JDWP Debug Port 'Backdoor' Discussion 00:38:05 Ghidra and National Security 00:52:15 "Finding Unicorns: When The C++ Compiler Writes the Vuln" Discussion 01:06:15 "Windows 7 may insecurely load Dynamic Link Libraries" Discussion 01:21:40 "Exploiting Car Alarms" Discussion 01:45:05 XNU (Mac OS) Copy-on-Write Behavior Bypass Zero-Day Discussion 02:03:15 Chrome Zero-Day Discussion
02:16:11
March 11, 2019