IronMonkey Threat Research
maxwelldulin ·

The PS5 has a vulnerable version of WebKit to a use after free (UAF) bug in the IPv6 stack. The GitHub repo is an implementation of the exploit to gain a read/write primitive. The PS5 has an...

maxwelldulin ·

uClibc and uClibc-ng are both standalone replacements for glibc that are extremely lightweight. These are commonly used on embedded platforms. When creating threads on the platform, the thread...

maxwelldulin ·

In the previous two posts, they got root access to the system by breaking the update functionality. So, now what? Let's build some software! ccOS (Connected Car Operating System) is an OS developed...

Commercial Facilities
maxwelldulin ·

Each file is encrypted individually, with the name being enc_{OriginalName}. There is a configuration file with the file name and the SHA224 hash. The hash of the configuration file is signed....

Communications
maxwelldulin ·

The author simply wants to pwn his car! They bought a 2021 Hyundai Ioniq SEL to drive and play with. The author wanted to target the In-Vehicle Infotainment (IVI) system. Additionally, there is a mode...

Communications Critical Manufacturing
maxwelldulin ·

DomPDF is an HTML to PDF converter for PHP. In the past, a vulnerability was found that allowed for code execution in PHP. CSS font can be remotely loaded with any extension, leading to code...

Maxwell Dulin's Resources ·

While fuzzing a web application, the authors of the post noticed something weird. When putting one single quote (') in a field for time, a 400 error occurred. However, when putting two single...

Information Technology
Cloud Threat Landscape ·

Impacted organization discovered that long-lived AWS creds had leaked. Initially alerted to the following suspicious activity: Follow-up investigation into CloudTrail logs showed compromise of...

maxwelldulin ·

Unisoc is a semiconductor company that is commonly put on Android smart phones. The authors decided to review the Boot process of these chips. The first step is extracting the BootROM in order to...

Silver Fox Transportation Systems Government Facilities
maxwelldulin ·

Crow is an HTTP server written in C++. While triaging a different vulnerability, they stumbled across an issue that required nothing special! If a file was smaller than 16KB, then the request...

maxwelldulin ·

Crow is an async C++ HTTP/WebSocket library for creating flash web services. The framework implemented pipelining, which is async HTTP. This allows for different workers to get multiple HTTP...

maxwelldulin ·

Timestamps (block.timestamp) are used for logic. Actions such as sending ETH and entropy are common uses for timestamps because they create some randomness. Block timestamps are quite flexible,...

maxwelldulin ·

New Free DAO is a DeFi project hosted by the Binance Smart Chain (BSC). The New Free DAO contracts are not open source, making them hard to audit but a determined attacker could hit it still. The...

maxwelldulin ·

Wintermute is an Automated Market Maker (AMM). The hack wasn't anything that Wintermute actually did wrong. This time, it was a Vanity wallet generator called Profanity. Using this, it can...

Maxwell Dulin's Resources ·

The solution Aurora has built as an EVM implementation on NEAR is called the Aurora Engine, and it is implemented as a smart contract on the NEAR blockchain. This allows for EVM compatible...

Energy Healthcare and Public Health
Orange Cyberdefense ·

I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. This is convenient in cases...

Information Technology
Kaspersky ICS CERT (English) ·

The UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of...

Publications
Maxwell Dulin's Resources ·

Firecracker is an open source Virtual Machine Monitor (VMM) by AWS written in Rust. The purpose of this project is to allow for multi-tenant services to run on one machine. Firecracker is built on...

Information Technology
maxwelldulin ·

The Tesla charge port is vulnerable to a simple replay attack. The author of this post analyzed the signal deeper. Using GQRX, they captured the signal. From reading the FCC ID, this runs at...

Communications
maxwelldulin ·

The Titan M chip was put onto Pixels in 2018. This chip's main purpose is to reduce the attack surface for attackers. This chip is on a separate SoC that runs its own special firmware and...

maxwelldulin ·

The package shell-quote's whole existence is around handling commands securely on the server-side. The main way the escaping was done was via regex. The regex had a hilarious bug in it. It was...

Blue Team Archives - Black Hills Information Security, Inc. ·

Noah Heckman // Windows Vista didn’t have many fans in the Windows community (to put it lightly). It beaconed in a new user interface, file structure, and a bunch of […] The post Why You Really...

Author Blue Team
Blue Team Archives - Black Hills Information Security, Inc. ·

Carrie Roberts // PowerShell’s Constrained Language (CLM) mode limits the functionality available to users to reduce the attack surface. It is meant to be used in conjunction with application...

Commercial Facilities Blue Team General InfoSec Tips & Tricks
Cloud Threat Landscape ·

On 2022-09-26, an incident was reported, involving an unknown actor, gaining initial access via Unknown, to achieve Data exfiltration.

Cloud Threat Landscape ·

Fast Company took its website offline after its content management system (CMS) was hacked to display stories and push out Apple News notifications containing obscene and racist comments. A...

maxwelldulin ·

The PS5 has a major bug bounty program. The author decided to look into this device, being a legend in the PlayStation hacking scene. After looking at the attack surface, they decided to look at...

maxwelldulin ·

Bitbucket is a service similar to GitHub. The authors of this post were after an RCE bug. Since they know that many platforms will end up with calls to git, they wanted a way to trace this. To...

Information Technology Nuclear
maxwelldulin ·

OneDev is a self-hosted Git server with many other features like CI/CD, code search and many other things. Since it is open source, this was a good target for an audit. A user is allowed to set...

Critical Manufacturing Energy
maxwelldulin ·

Roulette is an over the board game that is similar to Wheel of Fortune. Since these are spun by hand of the person running the board, the author asked "is this good randomness?" In the game, there...

Silver Fox Transportation Systems Government Facilities
maxwelldulin ·

FreeBSD supports asynchronous I/O (AIO) with POSIX syscalls. Naturally, with asynchronous actions, reference counts are important to make sure objects aren't deleted too early. The code path used...