Day[0]

dayzerosec
Nov 30, 2021 • 27min

GitLab Prototype Pollution and Some Authentication Bypasses [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-prototype-pollution-and-some-authentication-bypasses.html

Short but sweet episode this week: prototype pollution, crypto issues, SSRF and some weird authentication.

[00:00:46] Arbitrary command execution in Gerapy [CVE-2021-32849]
[00:06:03] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:07:41] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:10:24] [shopify] A non-privileged user may create an admin account in Stocky
[00:13:21] [#0008] URL whitelist bypass in https://cxl-services.appspot.com
[00:19:20] [GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability

The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec
You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
Nov 25, 2021 • 45min

Hacking Neural Nets, a Chrome WebRTC UAF and Pwning Windows [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hacking-neural-nets-a-chrome-webrtc-uaf-and-pwning-windows.html

Some more kernel bugs this week as we look at bugs in Samsung's NPU driver (Android), Linux, and the Windows kernel.

[00:00:17] Spot the Vuln - Once Again - Solution
[00:03:12] Google Chrome WebRTC addIceCandidate use after free vulnerability
[00:08:53] Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())
[00:15:08] Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver
[00:31:13] POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Nov 23, 2021 • 38min

Big Bounties by Exploiting WebKit's CSP & Concrete CMS Bugs [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/big-bounties-by-exploiting-webkit-s-csp-concrete-cms-bugs.html

What happens when a vendor refuses to fix your bug? Well, you can go claim a bunch of bounties with it. We also talk about some novel request smuggling research on this episode.

[00:00:58] Multiple Concrete CMS vulnerabilities ( part1 - RCE )
[00:12:02] Exploiting CSP in Webkit to Break Authentication & Authorization
[00:24:57] T-Reqs: HTTP Request Smuggling with Differential Fuzzing
[00:35:30] An Illustrated Guide to Elliptic Curve Cryptography Validation
Nov 18, 2021 • 1h 9min

DDR4 Rowhammer, Azure Bugs, "Essential 0days", and Backdoored IDA [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ddr4-rowhammer-azure-bugs-essential-0days-and-backdoored-ida.html

North Korea is at it again targeting researchers; 0day hoarding, breaching secure hardware, and fuzzing on this week's episode.

[00:01:15] Spot the Vuln - Beyond the Grave
[00:03:50] ESET Research discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group
[00:12:39] Why Zero-Days Are Essential to Security - Randori
[00:29:32] Blacksmith - Rowhammer Returns
[00:43:04] Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology
[00:57:45] Microsoft Azure Sphere Security Monitor SMSyscallCommitImageStaging stage-without-manifest denial of service vulnerability
[01:04:53] Microsoft Azure Sphere Kernel GPIO_SET_PIN_CONFIG_IOCTL information disclosure vulnerability
Nov 16, 2021 • 1h 21min

Rust in the Web? A Special Guest and some Bad Crypto [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rust-in-the-web-a-special-guest-and-some-bad-crypto.html

We are joined by Bastian Gruber to start the episode with a discussion about Rust. Then we'll dive into a few interesting vulnerabilities this week, including yet another ECDSA implementation issue and some header smuggling research.

[00:00:40] Rust Discussion with Bastian Gruber (Use the code poddayzero21 for 35% off Manning books)
[00:46:29] Arbitrary Signature Forgery in Stark Bank ECDSA Libraries [CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571]
[01:02:37] Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over
[01:06:52] Private Blog Content Disclosed in Atom Feed
[01:08:29] Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
[01:17:01] IDOR through MongoDB Object IDs Prediction
[01:18:45] History of Cross-Site History Leaking
Nov 11, 2021 • 1h 1min

A too trusty TrustZone and a few Linux Kernel bugs [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-too-trusty-trustzone-and-a-few-linux-kernel-bugs.html

Some interesting vulnerability environments this week: some Trusted App issues, a couple of Linux kernel vulns, and a look at memory safety issues in unsafe Rust.

[00:00:19] Spot The Vuln - Extract All The Things - Solution
[00:03:43] Gerbv drill format T-code tool number out-of-bounds write vulnerability
[00:13:27] Vulnerable tzdemuxerservice TA on Samsung TVs (J-series)
[00:27:06] Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution [CVE-2021-43267]
[00:33:49] SLUB overflow [CVE-2021-42327]
[00:43:50] Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale
Nov 9, 2021 • 51min

A MacOS SIP Bypass & an XSS Fiesta [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-macos-sip-bypass-an-xss-fiesta.html

A discussion-heavy episode this week, starting off with the "new" Trojan Source attacks, and then talking about a handful of interesting vulnerabilities.

[00:00:18] Trojan Source Attacks
[00:24:07] [SmartStoreNET] Malicious Message leading to E-Commerce Takeover
[00:34:24] [Chrome] Cross-Site Scripting in New-Tab Page [CVE-2021-37999]
[00:39:48] [StreamLabs] Steal access_token via open redirect
[00:43:18] Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection
[00:50:04] Android security checklist: WebView
Nov 4, 2021 • 48min

Type Confusion in Android NFC, PHP-FPM Local Privilege Escalation, and CallbackHell [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/type-confusion-in-android-nfc-php-fpm-local-privilege-escalation-and-callbackhell.html

This week we dive into PHP-FPM internals to look at escalating from a worker process to the root process, another GDI bug, and a type confusion.

[00:00:18] Spot the Vuln - Over the Edge - Solution
[00:03:40] Trick & Treat! Paying Leets and Sweets for Linux Kernel privescs and k8s escapes
[00:10:33] Android NFC: Type confusion due to race condition during tag type change
[00:14:50] PHP-FPM local root vulnerability
[00:28:26] GitHub - ly4k/CallbackHell: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
[00:29:54] GitHub - ly4k/CallbackHell: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
[00:36:39] This bug doesn't exist on x86: Exploiting an ARM-only race condition
Nov 2, 2021 • 44min

Discourse SNS RCE, a Stored XSS in GitLab, and a Reddit Race Condition [Bug Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/discourse-sns-rce-a-stored-xss-in-gitlab-and-a-reddit-race-condition.html

A couple of unique vulns this week, involving getting extra coins on Reddit and bypassing certificate checking for a Discourse RCE.

[00:00:40] Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
[00:09:50] Race condition leads to Inflation of coins when bought via Google Play Store
[00:15:11] [GitLab] Stored XSS in Mermaid when viewing Markdown files
[00:33:28] Discourse SNS webhook RCE
[00:47:28] [GitLab] Stored XSS in Mermaid when viewing Markdown files
Oct 28, 2021 • 1h 16min

A Kernel Race, SuDump, and a Chrome Garbage Collector Bug [Exploit Dev/VR]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-kernel-race-sudump-and-a-chrome-garbage-collector-bug.html

We start off this week with a look at in-the-wild 0days from the past seven years, before diving into some pretty awesome bugs, including an OOB access in Squirrel (the programming language), a couple of Linux kernel issues and a Chrome garbage collector bug.

[00:00:22] Spot The Vuln - Just Be Positive - Solution
[00:06:42] Overview of 0days seen in the wild the last 7 years
[00:18:33] Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
[00:29:15] SuDump: Exploiting suid binaries through the kernel
[00:38:09] How a simple Linux kernel memory corruption bug can lead to complete system compromise
[00:55:46] Chrome in-the-wild bug analysis [CVE-2021-37975]
[01:12:40] FuzzCon Europe 2021