Summer Recap: Phrack, Off-by-One, and RCEs

This week's episode contains some LLM hacking and attacks on classifiers, as well as the renewal of DMA attacks with SD Express and the everlasting problems of null bytes. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/266.html [00:00:00] Introduction [00:00:31] Hacking 2024 by No Starch [00:09:18] Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject) [00:14:37] Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges [00:25:49] Null problem! Or: the dangers of an invisible byte [00:36:32] New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

A short episode this week, featuring Keyhole which abuses a logic bug in Windows Store DRM, an OAuth flow issue, and a CSRF protection bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/265.html [00:00:00] Introduction [00:00:16] Attacking Hypervisors From KVM to Mobile Security Platforms [00:02:30] Keyhole [00:10:12] Drilling the redirect_uri in OAuth [00:18:00] Cross-Site POST Requests Without a Content-Type Header [00:24:03] New AMSI Bypss Technique Modifying CLR.DLL in Memory Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

Linux userspace is still a mess and has some bad bugs in root utilities, and Vaultwarden has an interesting auth bypass attack. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/264.html [00:00:00] Introduction [00:00:29] LPEs in needrestart [Ubuntu] [00:18:41] Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5 [00:31:50] From an Android Hook to RCE [00:43:34] Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

This week, we dive into some changes to V8CTF, the FortiJump Higher bug in Fortinet's FortiManager, as well as some coverage instrumentation on blackbox macOS binaries via Pishi. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/263.html [00:00:00] Introduction [00:00:25] V8 Sandbox Bypass Rewards [00:25:39] Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager [CVE-2024-47575] [00:38:07] Pishi: Coverage guided macOS KEXT fuzzing. [00:44:20] Breaking Control Flow Flattening: A Deep Technical Analysis [00:55:10] Firefox Animation CVE-2024-9680 - Dimitri Fourny [00:57:13] Internship Offers for the 2024-2025 Season Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1's In-The-Wild exploit chains insights via Google's Threat Analysis Group. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/262.html [00:00:00] Introduction [00:00:35] Discovering Hidden Vulnerabilities in Portainer with CodeQL [00:18:12] Finding Vulnerabilities in Firmware with Static Analysis Platform QueryX [00:28:25] From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code [00:50:00] Hexacon2024 - Caught in the Wild, Past, Present and Future by Clem1 [01:06:34] Hexacon 2024 Videos [01:11:34] WOOT 2024 Videos [01:18:38] Securing the open source supply chain: The essential role of CVEs [01:20:19] A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we talk a little bit about LLMs and how they can be used with static analysis. We also cover GitHub Security Blog's post on attacking browser extensions, as well as a somewhat controversial CyberPanel Pre-Auth RCE that was disclosed. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/261.html [00:00:00] Introduction [00:01:56] Autonomous Discovery of Critical Zero-Days [00:14:43] Attacking browser extensions [00:25:26] What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE [00:52:15] Security research on Private Cloud Compute [01:01:02] Bluetooth Low Energy GATT Fuzzing Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, Specter recaps his experiences at Hardwear.IO and a PS5 hypervisor exploit chain presented there. We also cover some of the recently released DEF CON 32 talks. After the conference talk, we get into some filesystem exploit tricks and how arbitrary file write can be taken to code execution in read-only environments. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/260.html [00:00:00] Introduction [00:00:27] Hardwear.io NL 2024 [00:14:27] Byepervisor - Breaking the PS5 Hypervisor Security [00:26:38] DEF CON 32 Main Stage Talks [00:51:16] The Missing Guide to Filesystem Security [01:00:51] Why Code Security Matters - Even in Hardened Environments [01:09:12] How I Defeated An MMO Game Hack Author Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we cover the fiasco of a vulnerability in Zendesk that could allow intrusion into multiple fortune 500 companies. We also discuss a project zero blogpost that talks about fuzzing Dav1d and the challenges of fuzzing, as well as rooting Linux via EMFI with a lighter. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/259.html [00:00:00] Introduction [00:00:57] 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies [00:27:10] Effective Fuzzing: A Dav1d Case Study [00:40:15] Can You Get Root With Only a Cigarette Lighter? Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In our summer recap, we discuss Phrack's latest issue and talks from the new Off-by-One conference. We also cover some interesting bugs, such as a factorio lua RCE and another RCE via iconv. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/258.html [00:00:00] Introduction [00:01:06] Getting Started with Exploit Development [00:14:07] Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws [00:24:35] Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1) [00:43:29] Off-by-One Conference 2024 Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we cover an attack utilizing HSTS for exploiting Android WebViews and abusing YouTube embeds in Google Slides for clickjacking. We also talk about the infamous CUPS attack, and the nuances that seem to be left behind in much of the discussion around it. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/257.html [00:00:00] Introduction [00:01:30] Exploiting Android Client WebViews with Help from HSTS [00:09:08] Using YouTube to steal your files [00:18:43] Attacking UNIX Systems via CUPS, Part I Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9