Day[0]

FortiJump Higher, Pishi, and Breaking Control Flow Flattening Nov 18, 2024

This week, we dive into some changes to V8CTF, the FortiJump Higher bug in Fortinet's FortiManager, as well as some coverage instrumentation on blackbox macOS binaries via Pishi.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/263.html

[00:00:00] Introduction

[00:00:25] V8 Sandbox Bypass Rewards

[00:25:39] Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager [CVE-2024-47575]

[00:38:07] Pishi: Coverage guided macOS KEXT fuzzing.

[00:44:20] Breaking Control Flow Flattening: A Deep Technical Analysis

[00:55:10] Firefox Animation CVE-2024-9680 - Dimitri Fourny

[00:57:13] Internship Offers for the 2024-2025 Season

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Static Analysis, LLMs, and In-The-Wild Exploit Chains Nov 11, 2024

Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1's In-The-Wild exploit chains insights via Google's Threat Analysis Group.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/262.html

[00:00:00] Introduction

[00:00:35] Discovering Hidden Vulnerabilities in Portainer with CodeQL

[00:18:12] Finding Vulnerabilities in Firmware with Static Analysis Platform QueryX

[00:28:25] From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

[00:50:00] Hexacon2024 - Caught in the Wild, Past, Present and Future by Clem1

[01:06:34] Hexacon 2024 Videos

[01:11:34] WOOT 2024 Videos

[01:18:38] Securing the open source supply chain: The essential role of CVEs

[01:20:19] A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Attacking Browser Extensions and CyberPanel Nov 04, 2024

In this week's episode, we talk a little bit about LLMs and how they can be used with static analysis. We also cover GitHub Security Blog's post on attacking browser extensions, as well as a somewhat controversial CyberPanel Pre-Auth RCE that was disclosed.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/261.html

[00:00:00] Introduction

[00:01:56] Autonomous Discovery of Critical Zero-Days

[00:14:43] Attacking browser extensions

[00:25:26] What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE

[00:52:15] Security research on Private Cloud Compute

[01:01:02] Bluetooth Low Energy GATT Fuzzing

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Hardwear.IO NL, DEF CON 32, and Filesystem Exploitation Oct 29, 2024

In this week's episode, Specter recaps his experiences at Hardwear.IO and a PS5 hypervisor exploit chain presented there. We also cover some of the recently released DEF CON 32 talks. After the conference talk, we get into some filesystem exploit tricks and how arbitrary file write can be taken to code execution in read-only environments.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/260.html

[00:00:00] Introduction

[00:00:27] Hardwear.io NL 2024

[00:14:27] Byepervisor - Breaking the PS5 Hypervisor Security

[00:26:38] DEF CON 32 Main Stage Talks

[00:51:16] The Missing Guide to Filesystem Security

[01:00:51] Why Code Security Matters - Even in Hardened Environments

[01:09:12] How I Defeated An MMO Game Hack Author

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Zendesk's Email Fiasco and Rooting Linux with a Lighter Oct 16, 2024

In this week's episode, we cover the fiasco of a vulnerability in Zendesk that could allow intrusion into multiple fortune 500 companies. We also discuss a project zero blogpost that talks about fuzzing Dav1d and the challenges of fuzzing, as well as rooting Linux via EMFI with a lighter.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/259.html

[00:00:00] Introduction

[00:00:57] 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

[00:27:10] Effective Fuzzing: A Dav1d Case Study

[00:40:15] Can You Get Root With Only a Cigarette Lighter?

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Summer Recap: Phrack, Off-by-One, and RCEs Oct 08, 2024

In our summer recap, we discuss Phrack's latest issue and talks from the new Off-by-One conference. We also cover some interesting bugs, such as a factorio lua RCE and another RCE via iconv.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/258.html

[00:00:00] Introduction

[00:01:06] Getting Started with Exploit Development

[00:14:07] Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws

[00:24:35] Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)

[00:43:29] Off-by-One Conference 2024

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Attack of the CUPS and Exploiting Web Views via HSTS Sep 30, 2024

In this week's episode, we cover an attack utilizing HSTS for exploiting Android WebViews and abusing YouTube embeds in Google Slides for clickjacking. We also talk about the infamous CUPS attack, and the nuances that seem to be left behind in much of the discussion around it.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/257.html

[00:00:00] Introduction

[00:01:30] Exploiting Android Client WebViews with Help from HSTS

[00:09:08] Using YouTube to steal your files

[00:18:43] Attacking UNIX Systems via CUPS, Part I

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Future of the Windows Kernel and Encryption Nonce Reuse Sep 23, 2024

In this week's episode, we discuss Microsoft's summit with vendors on their intention to lock down the Windows kernel from endpoint security drivers and possibly anti-cheats. We also talk cryptography and about the problems of nonce reuse.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/256.html

[00:00:00] Introduction

[00:01:12] Friends don’t let friends reuse nonces

[00:13:22] Serious Cryptography, 2nd Edition

[00:14:30] Taking steps that drive resiliency and security for Windows customers

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Iterating Exploits & Extracting SGX Keys Sep 16, 2024

We are back and testing out a new episode format focusing more on discussion than summaries. We start talking a bit about the value of learning hacking by iterating on the same exploit and challenging yourself as a means of practicing the creative parts of exploitation. Then we dive into the recent Intel SGX fuse key leak, talk a bit about what it means, how it happened.

We are seeking feedback on this format. Particularly interested in those of you with more of a bug bounty or higher-level focus if an episode like this would still be appealing? If you want to share any feedback feel free to DM us (@__zi or @specterdev) or email us at media [at] dayzerosec.com

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/255.html

[00:00:00] Introduction

[00:04:55] Exploiting CVE-2024-20017 4 different ways

[00:22:26] Intel SGX Fuse Keys Extracted

[00:51:01] Introducing the URL validation bypass cheat sheet

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Memory Corruption: Best Tackled with Mitigations or Safe-Languages May 17, 2024

Memory corruption is a difficult problem to solve, but many such as CISA are pushing for moves to memory safe languages. How viable is rewriting compared to mitigating?

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html

[00:00:00] Introduction

[00:01:12] Clarifying Scope & Short/Long Term

[00:04:28] Mitigations

[00:15:37] Safe Languages Are Falliable

[00:21:20] Weaknesses & Evolution of Mitigations

[00:29:19] Rewriting and the Iterative Process

[00:34:55] The Rewriting Scalability Argument

[00:41:43] System vs App Bugs

[00:48:46] Mitigations & Rewriting Are Not Mutually Exclusive

[00:50:25] Corporate vs Open Source

[00:54:12] Generational Change

[00:56:18] Conclusion

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[discussion] A Retrospective and Future Look Into DAY[0] Apr 19, 2024

Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html

[00:00:00] Introduction [00:01:30] Early days of the DAY[0] podcast [00:14:10] Split into bounty and binary episodes [00:21:50] Novelty focus on topic selection [00:30:47] Difficulties with the current format [00:40:18] Change [00:48:02] New direction for content [00:57:42] Conclusions & Feedback

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Bypassing KASLR and a FortiGate RCE Mar 20, 2024

Bit of a lighter episode this week with a Linux Kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html

[00:00:00] Introduction

[00:00:29] KASLR bypass in privilege-less containers

[00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762

[00:19:32] Making Mojo Exploits More Difficult

[00:22:57] Robots Dream of Root Shells

[00:27:02] Gaining kernel code execution on an MTE-enabled Pixel 8

[00:28:23] SMM isolation - Security policy reporting (ISSR)

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] RCE'ing Mailspring and a .NET CRLF Injection Mar 19, 2024

In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a .NET CRLF injection is detailed in its FTP functionality.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html

[00:00:00] Introduction

[00:00:20] Making Desync attacks easy with TRACE

[00:16:01] Reply to calc: The Attack Chain to Compromise Mailspring

[00:35:29] $600 Simple MFA Bypass with GraphQL

[00:38:38] Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability [CVE-2023-36049]

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Future of Exploit Development Followup Mar 13, 2024

In the 250th episode, we have a follow-up discussion to our "Future of Exploit Development" video from 2020. Memory safety and the impacts of modern mitigations on memory corruption are the main focus.

[bounty] libXPC to Root and Digital Lockpicking Mar 12, 2024

In this episode we have an libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html

[00:00:00] Introduction

[00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403]

[00:05:19] xpcroleaccountd Root Privilege Escalation [CVE-2023-42942]

[00:10:50] Bypassing the “run-as” debuggability check on Android via newline injection

[00:18:09] Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)

[00:43:06] Using form hijacking to bypass CSP

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Binary Ninja Free and K-LEAK Mar 06, 2024

In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html

[00:00:00] Introduction

[00:00:31] Binary Ninja Free

[00:10:25] K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

[00:19:53] Glitching in 3D: Low Cost EMFI Attacks

[00:22:08] Nintendo vs. Yuzu

[00:38:32] Finding Gadgets for CPU Side-Channels with Static Analysis Tools

[00:40:12] ThinkstScapes Research Roundup - Q4 - 2023

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Hacking Google AI and SAML Mar 05, 2024

A shorter episode this week, featuring some vulnerabilities impacting Google's AI and a SAML auth bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/247.html

[00:00:00] Introduction

[00:00:31] We Hacked Google A.I. for $50,000

[00:17:26] SAML authentication bypass vulnerability in RobotsAndPencils/go-saml [CVE-2023-48703]

[00:22:17] Exploiting CSP Wildcards for Google Domains

[00:26:11] ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Rust Memory Corruption??? Feb 28, 2024

VirtualBox has a very buggy driver, PostgreSQL has an Out of Bounds Access, and lifetime issues are demonstrated in Rust in "safe" code.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/246.html

[00:00:00] Introduction

[00:00:22] cve-rs

[00:18:28] Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan

[00:32:30] PostgreSQL: Array Set Element Memory Corruption

[00:35:06] Analyzing the Google Chrome V8 CVE-2024-0517 Out-of-Bounds Code Execution Vulnerability

[00:37:15] Continuously fuzzing Python C extensions

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] A PHP and Joomla Bug and some DOM Clobbering Feb 27, 2024

This week's episode features a cache deception issue, Joomla inherits a PHP bug, and a DOM clobbering exploit. Also covered is a race condition in Chrome's extension API published by project zero.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/245.html

[00:00:00] Introduction

[00:00:21] Cache Deception Without Path Confusion

[00:07:15] Hello Lucee! Let us hack Apple again?

[00:14:41] Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities

[00:26:37] Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild

[00:38:23] chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to racy access check

[00:42:28] 🎮 Diving Back into Games-related Bugs!

[00:44:43] Exploiting Empire C2 Framework

[00:46:19] iMessage with PQ3: The new state of the art in quantum-secure messaging at scale

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Linux Burns Down CVEs Feb 21, 2024

Linux becomes a CNA and takes a stance on managing CVEs for themselves, and underutilized fuzzing strategies are discussed.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/244.html

[00:00:00] Introduction

[00:00:14] What to do about CVE numbers

- The first article we bring up is the 2019 LWN article able Greg's talk back then. The topic itself is a more recent change actually moving forward.

[00:26:50] Bug - Double free on `dcm_dataset_insert` · Issue #82 · ImagingDataCommons/libdicom

[00:31:48] Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables

[00:38:35] Underutilized Fuzzing Strategies for Modern Software Testing

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] GhostCMS, ClamAV, and the Top Web Hacking Techniques of 2023 Feb 20, 2024

In this bounty episode, some straightforward bugs were disclosed in GhostCMS and ClamAV, and Portswigger publishes their top 10 list of web hacking techniques from 2023.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/243.html

[00:00:00] Introduction

[00:02:15] Ghost CMS Stored XSS Leading to Owner Takeover [CVE-2024-23724]

[00:16:07] ClamAV Not So Calm [CVE-2024-20328]

[00:21:00] Top 10 web hacking techniques of 2023

[00:44:46] Hacking a Smart Home Device

[00:48:15] Cloud cryptography demystified: Amazon Web Services

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] kCTF Changes, LogMeIn, and wlan VFS Bugs Feb 14, 2024

Google makes some changes to their kCTF competition, and a few kernel bugs shake out of the LogMeIn and wlan VFS drivers.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/242.html

[00:00:00] Introduction

[00:00:29] Netfilter Tables Removed from kCTF

[00:20:23] LogMeIn / GoTo LMIInfo.sys Handle Duplication

[00:27:20] Several wlan VFS read handlers don't check buffer size leading to userland memory corruption

[00:32:35] International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO) - 0x22

[00:34:15] Exploring AMD Platform Secure Boot

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] The End of a DEFCON Era and Flipper Zero Woes Feb 13, 2024

DEF CON moves venues, the Canadian government moves to ban Flipper Zero, and some XSS issues affect Microsoft Whiteboard and Meta's Excalidraw.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/241.html

[00:00:00] Introduction

[00:00:33] DEF CON was canceled.

[00:16:42] Federal action on combatting auto theft

[00:39:03] Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE

[00:43:27] Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)

[00:52:26] SSRF on a Headless Browser Becomes Critical!

[00:59:04] ChatGPT Account Takeover - Wildcard Web Cache Deception

[01:05:14] Differential testing and fuzzing of HTTP servers and proxies

[01:10:14] Hunting for Vulnerabilities that are ignored by most of the Bug Bounty Hunters

[01:19:38] Analyzing AI Application Threat Models

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] The Syslog Special Feb 07, 2024

Libfuzzer goes into maintenance-only mode and syslog vulnerabilities plague some vendors in this week's episode.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/240.html

[00:00:00] Introduction

[00:00:20] LibFuzzer in Maintainence-only Mode

[00:11:41] Heap-based buffer overflow in the glibc's syslog() [CVE-2023-6246]

[00:26:33] Hunting for ~~Un~~authenticated n-days in Asus Routers

[00:34:44] Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution

[00:35:51] Chaos Communication Congress (37C3) recap

[00:36:51] GitHub - google/oss-fuzz-gen: LLM powered fuzzing via OSS-Fuzz.

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Public Private Android Keys and Docker Escapes Feb 06, 2024

This week we have a crazy crypto fail where some Android devices had updates signed by publicly available private keys, as well as some Docker container escapes.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/239.html

[00:00:00] Introduction

[00:00:22] Missing signs: how several brands forgot to secure a key piece of Android

[00:13:37] ModSecurity: Path Confusion and really easy bypass on v2 and v3

[00:21:24] runc process.cwd & leaked fds container breakout [CVE-2024-21626]

[00:24:23] Buildkit GRPC SecurityMode Privilege Check [CVE-2024-23653]

[00:27:49] Jumpserver Preauth RCE Exploit Chain

[00:43:49] 500$: MFA bypass By Race Condition

[00:49:52] HTTP Downgrade attacks with SmuggleFuzz

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Busted ASLR, PixieFail, and Bypassing HVCI Jan 31, 2024

This week's binary episode features a range of topics from discussion on Pwn2Own's first automotive competition to an insane bug that broke ASLR on various Linux systems. At the lower level, we also have some bugs in UEFI, including one that can be used to bypass Windows Hypervisor Code Integrity mitigation.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/238.html

[00:00:00] Introduction

[00:02:40]

37C3: Unlocked

- media.ccc.de

[00:08:15] Zero Day Initiative — Pwn2Own Automotive 2024 - Day One Results

[00:16:35] ASLRn’t: How memory alignment broke library ASLR

[00:22:47] Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)

[00:26:33] PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.

[00:31:10] Hunting down the HVCI bug in UEFI

[00:35:51] A Deep Dive into V8 Sandbox Escape Technique Used in In-The-Wild Exploit

[00:37:32] Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution - Exodus Intelligence

[00:38:38] OffSec EXP-401 Advanced Windows Exploitation (AWE) - Course Review

[00:44:56] Dumping GBA ROMs from Sound

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Reborn Homograph Attacks and Ransacking Passwords Jan 30, 2024

A packed episode this week as we cover recent vulnerabilities from the last two weeks, including some IDORs, auth bypasses, and a HackerOne bug. Some fun attacks such as a resurface of IDN Homograph Attacks and timing attacks also appear.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/237.html

[00:00:00] Introduction

[00:02:59]

37C3: Unlocked

- media.ccc.de

[00:09:00] Ivanti's Pulse Connect Secure Auth Bypass and RCE

[00:19:47] [HackerOne] View Titles of Private Reports with pending email invitation

[00:23:58] 1 Program, 4 Business Logic Bugs and Cashing in 2300$.

[00:33:32] Global site selector authentication bypass

[00:42:55] IDN Homograph Attack - Reborn of the Rare Case

[00:50:53] PII Disclosure At `theperfumeshop.com/register/forOrder`

[00:54:40] [darkhttpd] timing attack and local leak of HTTP basic auth credentials

[01:02:42] Ransacking your password reset tokens

[01:08:11] Worse than SolarWinds: Three Steps to Hack Blockchains, GitHub, and ML through GitHub Actions

[01:10:41] Crypto Gotchas!

[01:13:37] Web LLM attacks

[01:15:13] Improving LLM Security Against Prompt Injection

[01:16:17] Sys:All: How A Simple Loophole in Google Kubernetes Engine Puts Clusters at Risk of Compromise

[01:17:37] Kubernetes Scheduling And Secure Design

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Bypassing Chromecast Secure-Boot and Exploiting Factorio Jan 17, 2024

A bit of a game special this week, with a Counter-Strike: Global Offensive vulnerability and an exploit for Factorio. We also have a Linux kernel bug and a Chromecast secure-boot bypass with some hardware hacking mixed in.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/236.html

[00:00:00] Introduction

[00:00:25] Exploring Counter-Strike: Global Offensive Attack Surface

[00:26:22] Exploiting a Factorio Buffer Overflow

[00:31:46] io_uring: __io_uaddr_map() handles multi-page region dangerously

[00:39:25] Chromecast with Google TV (1080P) Secure-Boot Bypass

[00:51:58] exploits.club

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] A GitLab Account Takeover and a Coldfusion RCE Jan 16, 2024

A short bounty episode featuring some logical bugs in Apache OFBiz, a GitLab Account Takeover, and an unauthenticated RCE in Adobe Coldfusion.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html

[00:00:00] Introduction

[00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day

[00:11:40] [GitLab] Account Takeover via password reset without user interactions

[00:24:05] Unauthenticated RCE in Adobe Coldfusion [CVE-2023-26360]

[00:35:08] No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability

[00:36:45] How we made $120k bug bounty in a year with good automation

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Allocator MTE, libwebp, and Operation Triangulation Jan 10, 2024

This week's highly technical episode has discussion around the exploitation of a libwebp vulnerability we covered previously, memory tagging (MTE) implementation with common allocators, and an insane iPhone exploit chain that targeted researchers.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/234.html

[00:00:00] Introduction

[00:02:35] PagedOut Issue 3

[00:05:14] GPSd NTRIP Stream Parsing access violation vulnerability

[00:08:25] Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code

[00:30:01] Strengthening the Shield: MTE in Heap Allocators

[00:37:40] Operation Triangulation - What you get when you attack iPhones of Researchers

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Spoofing Emails, PandoraFMS, and Keycloak Jan 09, 2024

Kicking off 2024 with a longer episode as we talk about some auditing desktop applications (in the context of some bad reports to Edge). Then we've got a couple fun issues with a client-side path traversal, and a information disclosure due to a HTTP 307 redirect. A bunch of issues in PandoraFSM, and finally some research about parser differentials in SMTP leading to SMTP smuggling (for effective email spoofing).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/233.html

[00:00:00] Introduction

[00:10:25] Browser Security Bugs that Aren’t - #1: Local Attacks

[00:22:10] The power of Client-Side Path Traversal: How I found and escalated 2 bugs through “../”

[00:32:30] instipod DuoUniversalKeycloakAuthenticator challenge information disclosure vulnerability

[00:38:25] Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise

[00:45:07] SMTP Smuggling - Spoofing E-Mails Worldwide

[01:16:20] Catching OpenSSL misuse using CodeQL

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] RetSpill, A Safari Vuln, and Steam RCE Dec 22, 2023

A bit of a rambling episode to finish off 2023, we talk about some Linux kernel exploitation research (RetSpill) then get into several vulnerabilities. A type confusion in QNAP QTS5, a JavaScriptCore bug in Safari, and several issues in Steam's Remote Play protocol.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/232.html

[00:00:00] Introduction

[00:02:00] RetSpill - Igniting User-Controlled Data to Burn Away Linux Kernel Protections

[00:12:23] QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE

[00:19:53] Safari, Hold Still for NaN Minutes!

[00:31:00] Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] IOT Issues and DNS Rebinding Dec 19, 2023

A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature, turned vulnerability in VS Code which takes a look at just abusing intentional functionality. Several XOS bugs with a web-console. A Sonos Era 100 jailbreak which involves causing a particular call to fail, a common bug path we've seen before, and some discussion about doing fast DNS rebinding attacks against Chrome and Safari.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/231.html

[00:00:00] Introduction

[00:01:00] It’s not a Feature, It’s a Vulnerability

[00:13:40] Multiple Vulnerabilities In Extreme Networks ExtremeXOS

[00:24:06] Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

[00:30:08] Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari

[00:46:02] Apache Struts2 文件上传漏洞分析（CVE-2023-50164） - 先知社区

[00:48:49] Blind CSS Exfiltration: exfiltrate unknown web pages

[00:51:11] Finding that one weird endpoint, with Bambdas

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Samsung Baseband and GPU Vulns Dec 06, 2023

A Samsung special this week, starting off with two Samsung specific vulnerabilities, one in the baseband chip for code execution. And a stack based overflow in the RILD service handler parsing IPC calls from the baseband chip for a denial of service. Lastly a Mali GPU driver use-after-free. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/230.html [00:00:00] Introduction [00:00:27] Humble Tech Book Bundle: Hacking 2023 by No Starch [00:08:15] CVE-2023-21517: Samsung Baseband LTE ESM TFT Heap Buffer Overflow [00:18:10] CVE-2023-30644: Samsung RIL Stack Buffer Overflow [00:24:58] Arm Mali r44p0: UAF by freeing waitqueue with elements on it [00:31:55] A Detailed Look at Pwn2Own Automotive EV Charger Hardware The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

[bounty] Buggy Cookies and a macOS TCC Bypass Dec 05, 2023

This week brings up a pretty solid variety of issues. Starting off with some cookie smuggling (and other cookie attacks) which presents some interesting research I hadn't really looked for before that has some potential. Then an AI alignment evasion to leak training data. Not the most interesting attack but it appears to open up some other ideas for further research. A MacOS desktop issue (for a $30k bounty), and some home assistant issues.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/229.html

[00:00:00] Introduction

[00:00:25] Humble Tech Book Bundle: Hacking 2023 by No Starch

[00:06:58] Cookie Bugs - Smuggling & Injection

[00:17:21] Extracting Training Data from ChatGPT

[00:32:22] lateralus (CVE-2023-32407) - a macOS TCC bypass

[00:37:35] Securing our home labs: Home Assistant code review

[00:45:16] TRAP; RESET; POISON; - Taking over a country Kaminsky style

[00:47:04] Exploiting XPath Injection Weaknesses

[00:47:42] Deep dive into the new Amazon EKS Pod Identity feature

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Hypervisor Bugs and a FAR-out iOS bug Nov 29, 2023

This week kicks off with a a V8 misoptimization leading to out-of-bounds access, an unprotected MSR in Microsoft's Hypervisor allowing corruption of Hypervisor code. We also take a quick look at a 2021 CVE with an integer underflow leading to an overflow in the Windows Kernel low-fragmentation heap, and finally an interesting information leak due to the kernel not clearing a sensitive register.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/228.html

[00:00:00] Introduction

[00:00:56] Spot the Vuln - Beyond the Grave

[00:04:00] Chrome V8 Hole Exploit

[00:15:57] How I found Microsoft Hypervisor bugs as a by-product of learning

[00:33:13] Exploitation of a kernel pool overflow from a restrictive chunk size [CVE-2021-31969]

[00:44:13] That's FAR-out, Man

[00:47:38] Money Tree

[00:50:21] How to voltage fault injection

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Kubernetes Code Exec and There Is No Spoon Nov 28, 2023

This week we've got a few relatively simple bugs to talk about along with a discussion about auditing and manually analysis for vulnerabilities.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/227.html

[00:00:00] Introduction

[00:00:23] Introducing the Microsoft Defender Bounty Program

[00:04:26] Tapping into a telecommunications company’s office cameras

[00:07:47] CrushFTP Critical Vulnerability CVE-2023-43177 Unauthenticated Remote Code Execution

[00:17:22] [Kubernetes] Ingress nginx annotation injection causes arbitrary command execution

[00:24:38] Testing for audits: there is no spoon

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] A Heap of Linux Bugs Nov 22, 2023

Last week we brought you several Windows bugs, this week we are talking Linux kernel vulnerabilities and exploitation. We start off looking at a weird but cool CPU bug, Reptar, then we get into nftables, io_uring, and talk about a newer mitigations hitting Linux 6.6 that randomizes the caches allocations end up in.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/226.html

[00:00:00] Introduction

[00:00:21] Reptar

[00:11:56] One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability

[00:31:09] Conquering the memory through io_uring - Analysis of CVE-2023-2598

[00:38:00] Exploring Linux's New Random Kmalloc Caches

[00:48:09] ThinkstScapes Quarterly - 2023.Q3

[00:49:34] CacheWarp

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Prompting for Secrets and Malicious Extensions Nov 21, 2023

This week has an interesting mix of issues, starting with a pretty standard template inject. Then we get into a Windows desktop issue, a TOCTOU in how the Mark-of-the-Web would be applied to file extracted from an archive, a privilege escalation from a Chrome extension, and a bit of a different spin on what you could do with a prompt injection.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/225.html

[00:00:00] Introduction

[00:00:26] Magento Template Engine, a story of CVE-2022-24086

[00:06:57] In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584

[00:24:50] Google Cloud Vertex AI - Data Exfiltration Vulnerability Fixed in Generative AI Studio

[00:30:40] Uncovering a crazy privilege escalation from Chrome extensions

[00:47:49] Content Providers and the potential weak spots they can have

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] A Bundle of Windows Bugs Nov 15, 2023

We've got a few Windows bugs this week, but first a fun off-by-one null-byte write. Then we jump into a containerized registry escape, a browser escape with a very simple bug buried deep in the browser, and a kernel bug.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/224.html

[00:00:00] Introduction

[00:00:20] Spot the Vuln - Minimax

[00:05:00] Weston Embedded uC-HTTP HTTP Server Host header parsing memory corruption vulnerability

[00:14:49] Windows Kernel containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses

[00:20:04] Escaping the sandbox: A bug that speaks for itself

[00:37:07] Exploiting Windows Kernel Wild Copy With User Fault Handling [CVE-2023–28218]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Usurping Mastodon and Broken Signature Schemes Nov 13, 2023

Just a few issues this week, a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain starting again with a normalization leading to a fairly interesting request smuggling (CL.0 via malformed content-type header) and cache poisoning to leak credentials. Finally a crypto issue with a signature not actually being a signature.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/223.html

[00:00:00] Introduction

[00:00:23] Usurping Mastodon instances - mastodon.so/cial [CVE-2023-42451]

[00:09:59] From Akamai to F5 to NTLM... with love.

[00:33:36] Our Pwn2Own journey against time and randomness (part 2)

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] MTE Debuts, DNS Client Exploits, and iTLB Multihit Nov 08, 2023

As memory tagging (MTE) finally comes to a consumer device, we talk about how it may impact vulnerability research and exploit development going forward. Then we get into a few vulnerabilities including a DNS response parsing bug on the Wii U, an Adobe Acrobat bug that was exploited by a North Korean APT, and a CPU bug (iTLB Multihit).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/222.html

[00:00:00] Introduction

[00:00:23] Hexacon 2023 Talks

[00:02:48] First handset with MTE on the market

[00:24:15] Exploiting DNS response parsing on the Wii U

[00:33:11] Adobe Acrobat PDF Reader RCE when processing TTF fonts [CVE-2023-26369

[00:46:18] iTLB multihit

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Attacking OAuth, Citrix, and some P2O Drama Nov 07, 2023

Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/221.html

[00:00:00] Introduction

[00:01:24] Wyze Cam v3 - Pwn2Own Drama

[00:17:57] Oh-Auth - Abusing OAuth to take over millions of accounts

[00:30:55] Exploiting Healthcare Servers with Polyglot Files [CVE-2023-33466]

[00:41:06] Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

[00:49:25] Hacking a Silent Disco

[00:50:43] DOM-based race condition: racing in the browser for fun

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Windows Kernel Bugs, Safari Integer Underflow, and CONSTIFY Oct 24, 2023

Diving right into some binary exploitation issues this week. Starting wtih a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straight-forward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity's "constify" mitigation could be.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/220.html

[00:00:00] Introduction

[00:00:14] How I made a heap overflow in curl

[00:17:32] Critically close to zero (day): Exploiting Microsoft Kernel streaming service

[00:30:34] Story of an innocent Apple Safari copyWithin gone (way) outside [CVE-2023-38600]

[00:38:10] CONSTIFY: Fast Defenses for New Exploits

[00:46:53] An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

[00:47:40] Getting RCE in Chrome with incomplete object initialization in the Maglev compiler

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Rapid Reset, Attacking AWS Cognito, and Confluence Bugs Oct 22, 2023

We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/219.html

[00:00:00] Introduction

[00:00:15] HTTP/2 Rapid Reset Attack [CVE-2023-44487]

[00:04:35] [Node] Path traversal through path stored in Uint8Array

[00:09:44] Attacking AWS Cognito with Pacu

[00:14:33] Privilege Escalation Vulnerability in Confluence Data Center and Server [CVE-2023-22515]

[00:21:15] Not Your Stdout Bug - RCE in Cosmos SDK

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

[binary] A Chrome RCE, WebP 0day, and glibc LPE Oct 11, 2023

Some complex and confusing vulnerabilities as we talk about the recent WebP 0day and the complexities of huffman coding. A data-only exploit to escape a kCTF container, the glibc LPE LOONY_TUNABLES, and a Chrome TurboFan RCE.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/218.html

[00:00:00] Introduction

[00:00:40] Expanding our exploit reward program to Chrome and Cloud

[00:06:10] The WebP 0day

- We do somewhat downplay this issue due to the difficulty of exploiting it. But to be clear, it was exploited in the wild on Apple devices, so it exploitable. We're more downplaying the panic that came up around it. It is still a serious issue that should be patched.

[00:34:00] Escaping the Google kCTF Container with a Data-Only Exploit

[00:44:49] Local Privilege Escalation in the glibc's ld.so [CVE-2023-4911]

[01:01:27] Getting RCE in Chrome with incorrect side effect in the JIT compiler

[01:08:03] Behind the Shield: Unmasking Scudo's Defenses

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] Insecure Firewalls, MyBB, and Winning with WinRAR Oct 10, 2023

This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/217.html

[00:00:00] Introduction

[00:01:17] Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR

[00:13:32] Yet More Unauth Remote Command Execution Vulns in Firewalls

[00:29:02] MyBB Admin Panel RCE [CVE-2023-41362]

[00:44:55] How to build custom scanners for web security research automation

[00:46:33] Exploiting HTTP Parsers Inconsistencies

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[binary] Busted Stack Protectors, MTE, and AI Powered Fuzzing Sep 27, 2023

A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at a Android exploit that was found in-the-wild.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/216.html

[00:00:00] Introduction

[00:01:50] Spot the Vuln - Only One Domain

[00:04:46] AI-Powered Fuzzing: Breaking the Bug Hunting Barrier

[00:15:00] Summary: MTE As Implemented

[00:38:21] TPM provides zero practical security

[00:47:30] CVE-2023-4039: GCC’s -fstack-protector fails to guard dynamic stack allocations on ARM64

[00:55:30] Analyzing a Modern In-the-wild Android Exploit

[01:07:31] Various Vulnerabilities in Huawei Trustlets

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers Sep 26, 2023

We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/215.html

[00:00:00] Introduction

[00:02:15] Summer Recap - HardwearIO

[00:11:51] Summer Recap - DEF CON

[00:49:20] CVE-2020-19909 is everything that is wrong with CVEs

[00:58:40] PHP servers drop any header if the header has "\r" [@OctagonNetworks]

[01:03:10] Encrypted Doesn't Mean Authenticated: ShareFile RCE [CVE-2023-24489]

[01:11:40] How Private Cache Can Lead to Mass Account Takeover

[01:15:20] From Terminal Output to Arbitrary Remote Code Execution

[01:16:37] Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

#BugBounty #BugHunting #InfoSec #CyberSec #Podcast

Continue? (y/N) n

2023/09/26 00:57:09 [1] Set Start Time and Offset

2023/09/26 00:57:09 [2] Download and Convert Episode

2023/09/26 00:57:09 [3] Youtube Stuff

2023/09/26 00:57:09 [4] Print Episode

2023/09/26 00:57:09 [5] Create Blog Post

Selection: 4

2023/09/26 00:57:11 215 - DEF CON, HardwearIO, Broken Caching, and Dropping Headers [Bug Bounty Podcast]

[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers

============================================