[binary] Bypassing KASLR and a FortiGate RCE

Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html [00:00:00] Introduction [00:01:30] Early days of the DAY[0] podcast [00:14:10] Split into bounty and binary episodes [00:21:50] Novelty focus on topic selection [00:30:47] Difficulties with the current format [00:40:18] Change [00:48:02] New direction for content [00:57:42] Conclusions & Feedback Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

Bit of a lighter episode this week with a Linux Kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html [00:00:00] Introduction [00:00:29] KASLR bypass in privilege-less containers [00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 [00:19:32] Making Mojo Exploits More Difficult [00:22:57] Robots Dream of Root Shells [00:27:02] Gaining kernel code execution on an MTE-enabled Pixel 8 [00:28:23] SMM isolation - Security policy reporting (ISSR) Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a .NET CRLF injection is detailed in its FTP functionality. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html [00:00:00] Introduction [00:00:20] Making Desync attacks easy with TRACE [00:16:01] Reply to calc: The Attack Chain to Compromise Mailspring [00:35:29] $600 Simple MFA Bypass with GraphQL [00:38:38] Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability [CVE-2023-36049] Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In the 250th episode, we have a follow-up discussion to our "Future of Exploit Development" video from 2020. Memory safety and the impacts of modern mitigations on memory corruption are the main focus.

In this episode we have an libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html [00:00:00] Introduction [00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403] [00:05:19] xpcroleaccountd Root Privilege Escalation [CVE-2023-42942] [00:10:50] Bypassing the “run-as” debuggability check on Android via newline injection [00:18:09] Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities) [00:43:06] Using form hijacking to bypass CSP The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html [00:00:00] Introduction [00:00:31] Binary Ninja Free [00:10:25] K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel [00:19:53] Glitching in 3D: Low Cost EMFI Attacks [00:22:08] Nintendo vs. Yuzu [00:38:32] Finding Gadgets for CPU Side-Channels with Static Analysis Tools [00:40:12] ThinkstScapes Research Roundup - Q4 - 2023 The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

A shorter episode this week, featuring some vulnerabilities impacting Google's AI and a SAML auth bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/247.html [00:00:00] Introduction [00:00:31] We Hacked Google A.I. for $50,000 [00:17:26] SAML authentication bypass vulnerability in RobotsAndPencils/go-saml [CVE-2023-48703] [00:22:17] Exploiting CSP Wildcards for Google Domains [00:26:11] ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

VirtualBox has a very buggy driver, PostgreSQL has an Out of Bounds Access, and lifetime issues are demonstrated in Rust in "safe" code. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/246.html [00:00:00] Introduction [00:00:22] cve-rs [00:18:28] Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan [00:32:30] PostgreSQL: Array Set Element Memory Corruption [00:35:06] Analyzing the Google Chrome V8 CVE-2024-0517 Out-of-Bounds Code Execution Vulnerability [00:37:15] Continuously fuzzing Python C extensions The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

This week's episode features a cache deception issue, Joomla inherits a PHP bug, and a DOM clobbering exploit. Also covered is a race condition in Chrome's extension API published by project zero. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/245.html [00:00:00] Introduction [00:00:21] Cache Deception Without Path Confusion [00:07:15] Hello Lucee! Let us hack Apple again? [00:14:41] Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities [00:26:37] Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild [00:38:23] chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to racy access check [00:42:28] 🎮 Diving Back into Games-related Bugs! [00:44:43] Exploiting Empire C2 Framework [00:46:19] iMessage with PQ3: The new state of the art in quantum-secure messaging at scale The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

Linux becomes a CNA and takes a stance on managing CVEs for themselves, and underutilized fuzzing strategies are discussed. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/244.html [00:00:00] Introduction [00:00:14] What to do about CVE numbers - The first article we bring up is the 2019 LWN article able Greg's talk back then. The topic itself is a more recent change actually moving forward. [00:26:50] Bug - Double free on `dcm_dataset_insert` · Issue #82 · ImagingDataCommons/libdicom [00:31:48] Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables [00:38:35] Underutilized Fuzzing Strategies for Modern Software Testing The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9