![Day[0]](https://cdn.radoxo.com/images/podcasts/12515-day0.webp?v=1780429247)
Day[0]
A weekly podcast for bounty hunters, exploit developers or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes
The Future
After 283 episodes, this will be the final episode of the DAY[0] podcast.We started the podcast on a hopeful note in the days following Ghidra's release. Now, to end it off we've got another discussion about how we see the future of vulnerability research and exploit development going. We recorded this episode before all the hype around "Mythos" and Project Glasswing so it doesn&
Exploiting VS Code with Control Characters
A quick episode this week, which includes attacking VS Code with ASCII control characters, as well as a referrer leak and SCIM hunting.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/282.html[00:00:00] Introduction[00:00:57] Attacking Hypervisors - Training Update[00:06:20] Drag and Pwnd: Leverage ASCII characters to exploit VS Code[00:12:12] Ful
Mitigating Browser Hacking - Interview with John Carse (SquareX Field CISO)
A special episode this week, featuring an interview with John Carse, Chief Information Security Officer (CISO) of SquareX. John speaks about his background in the security industry, grants insight into attacks on browsers, and talks about the work his team at SquareX is doing to detect and mitigate browser-based attacks.
Pulling Gemini Secrets and Windows HVPT
A long episode this week, featuring an attack that can leak secrets from Gemini's Python sandbox, banks abusing private iOS APIs, and Windows new Hypervisor-enforced Paging Translation (HVPT).Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/280.html[00:00:00] Introduction[00:00:18] Doing the Due Diligence - Analyzing the Next.js Middleware Byp
Session-ception and User Namespaces Strike Again
API hacking and bypassing Ubuntu's user namespace restrictions feature in this week's episode, as well as a bug in CimFS for Windows and revisiting the infamous NSO group WebP bug.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/279.html[00:00:00] Introduction[00:00:28] Next.js and the corrupt middleware: the authorizing artifact[00:06:15]
Extracting YouTube Creator Emails and Spilling Azure Secrets
This episode features some game exploitation in Neverwinter Nights, weaknesses in mobile implementation for PassKeys, and a bug that allows disclosure of the email addresses of YouTube creators. We also cover some research on weaknesses in Azure.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/278.html[00:00:00] Introduction[00:00:35] Exploiting N
ESP32 Backdoor Drama and SAML Auth Bypasses
Discussion this week starts with the ESP32 "backdoor" drama that circled the media, with some XML-based vulnerabilities in the mix. Finally, we cap off with a post on reviving modprobe_path for Linux exploitation, and some discussion around an attack chain against China that was attributed to the NSA.Links and vulnerability summaries for this episode are available at: https://dayzerosec.
Exploiting Xbox 360 Hypervisor and Microcode Hacking
A very technical episode this week, featuring some posts on hacking the xbox 360 hypervisor as well as AMD microcode hacking.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/276.html[00:00:00] Introduction[00:00:15] Reversing Samsung's H-Arx Hypervisor Framework - Part 1[00:10:34] Hacking the Xbox 360 Hypervisor Part 1: System Overview[00:21:18] H
Path Confusion and Mixing Public/Private Keys
This week's episode features a variety of vulnerabilities, including a warning on mixing up public and private keys in OpenID Connect deployments, as well as path confusion with an nginx+apache setup.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/275.html[00:00:00] Introduction[00:19:00] The OOB Read zi Introduced[00:16:55] Mixing up Public
ZDI's Triaging Troubles and LibreOffice Exploits
We discuss an 0day that was dropped on Parallels after 7 months of no fix from the vendor, as well as ZDI's troubles with responses to researchers and reproducing bugs. Also included are a bunch of filesystem issues, and an insanely technical linux kernel exploit chain.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/274.html[00:00:00] Introdu
Recycling Exploits in MacOS and Pirating Audiobooks
We cover a comical saga of vulnerabilities and variants from incomplete fixes in macOS, as well as a bypass of Chrome's miraclePtr mitigation against Use-After-Frees (UAFs). We also discuss an attack that abuses COM hijacking to elevate to SYSTEM through AVG Antivirus, and a permissions issue that allows unauthorized access to DRM'd audiobooks.Links and vulnerability summaries for this episode are
Top 10 Web Hacking Techniques and Windows Shadow Stacks
In this episode, we discuss the US government discloses how many 0ds were reported to vendors in a first-ever report. We also cover PortSwigger's top 10 web hacking techniques of 2024, as well as a deep dive on how kernel mode shadow stacks are implemented on Windows by Connor McGarr.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/272.html[00
Unicode Troubles, Bypassing CFG, and Racey Pointer Updates
On the web side, we cover a portswigger post on ways of abusing unicode mishandling to bypass firewalls and a doyensec guide to OAuth vulnerabilities. We also get into a Windows exploit for a use-after-free in the telephony service that bypasses Control Flow Guard, and a data race due to non-atomic writes in the macOS kernel.
Links and vulnerability summaries for this episode are available at: ht
Deanonymization with CloudFlare and Subaru's Security Woes
Zero Day Initiative posts their trends and observations from their threat hunting highlights of 2024, macOS has a sysctl bug, and a technique leverages CloudFlare to deanonymize users on messaging apps. PortSwigger also publishes a post on the Cookie Sandwich technique, and Subaru's weak admin panel security allows tracking and controlling other people's vehicles.
Links and vulnerability
Excavating Exploits and PHP Footguns
This week features a mix of topics, from polyglot PDF/JSON to android kernel vulnerabilities. Project Zero also publishes a post about excavating an exploit strategy from crash logs of an In-The-Wild campaign.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/269.html
[00:00:00] Introduction
[00:07:48] Attacking Hypervisors - From KVM to Mobile S
WhatsApp vs. NSO and CCC Talks
Specter and zi discuss their winter break, cover some interesting CCC talks, and discuss the summary judgement in the WhatsApp vs. NSO Group case.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/268.html
[00:00:00] Introduction
[00:09:53] 38C3: Illegal Instructions
[00:35:38] WhatsApp v. NSO Group
[01:04:06] Vulnerability Research Highlights 20
Buggy Operating Systems Are Coming to Town
In our last episode of 2024, we delve into some operating system bugs in both Windows and Linux, as well as some bugs that are not bugs but rather AI slop.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/267.html
[00:00:00] Introduction
[00:06:48] Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4
[00:19:20] Bypassing WAFs with the phantom $
Machine Learning Attacks and Tricky Null Bytes
This week's episode contains some LLM hacking and attacks on classifiers, as well as the renewal of DMA attacks with SD Express and the everlasting problems of null bytes.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/266.html
[00:00:00] Introduction
[00:00:31] Hacking 2024 by No Starch
[00:09:18] Announcing the Adaptive Prompt Injection Chal
A Windows Keyhole and Buggy OAuth
A short episode this week, featuring Keyhole which abuses a logic bug in Windows Store DRM, an OAuth flow issue, and a CSRF protection bypass.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/265.html
[00:00:00] Introduction
[00:00:16] Attacking Hypervisors From KVM to Mobile Security Platforms
[00:02:30] Keyhole
[00:10:12] Drilling the redirect
Linux Is Still a Mess and Vaultwarden Auth Issues
Linux userspace is still a mess and has some bad bugs in root utilities, and Vaultwarden has an interesting auth bypass attack.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/264.html
[00:00:00] Introduction
[00:00:29] LPEs in needrestart [Ubuntu]
[00:18:41] Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5
[0
FortiJump Higher, Pishi, and Breaking Control Flow Flattening
This week, we dive into some changes to V8CTF, the FortiJump Higher bug in Fortinet's FortiManager, as well as some coverage instrumentation on blackbox macOS binaries via Pishi.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/263.html
[00:00:00] Introduction
[00:00:25] V8 Sandbox Bypass Rewards
[00:25:39] Hop-Skip-FortiJump-FortiJump-Higher -
Static Analysis, LLMs, and In-The-Wild Exploit Chains
Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1's In-The-Wild exploit chains insights via Google'
Attacking Browser Extensions and CyberPanel
In this week's episode, we talk a little bit about LLMs and how they can be used with static analysis. We also cover GitHub Security Blog's post on attacking browser extensions, as well as a somewhat controversial CyberPanel Pre-Auth RCE that was disclosed.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/261.html
[00:00:00] Introduction
[00:01:
Hardwear.IO NL, DEF CON 32, and Filesystem Exploitation
In this week's episode, Specter recaps his experiences at Hardwear.IO and a PS5 hypervisor exploit chain presented there. We also cover some of the recently released DEF CON 32 talks. After the conference talk, we get into some filesystem exploit tricks and how arbitrary file write can be taken to code execution in read-only environments.
Links and vulnerability summaries for this episode are ava
Zendesk's Email Fiasco and Rooting Linux with a Lighter
In this week's episode, we cover the fiasco of a vulnerability in Zendesk that could allow intrusion into multiple fortune 500 companies. We also discuss a project zero blogpost that talks about fuzzing Dav1d and the challenges of fuzzing, as well as rooting Linux via EMFI with a lighter.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/259.html
Summer Recap: Phrack, Off-by-One, and RCEs
In our summer recap, we discuss Phrack's latest issue and talks from the new Off-by-One conference. We also cover some interesting bugs, such as a factorio lua RCE and another RCE via iconv.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/258.html
[00:00:00] Introduction
[00:01:06] Getting Started with Exploit Development
[00:14:07] Bytecode Br
Attack of the CUPS and Exploiting Web Views via HSTS
In this week's episode, we cover an attack utilizing HSTS for exploiting Android WebViews and abusing YouTube embeds in Google Slides for clickjacking. We also talk about the infamous CUPS attack, and the nuances that seem to be left behind in much of the discussion around it.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/257.html
[00:00:00]
Future of the Windows Kernel and Encryption Nonce Reuse
In this week's episode, we discuss Microsoft's summit with vendors on their intention to lock down the Windows kernel from endpoint security drivers and possibly anti-cheats. We also talk cryptography and about the problems of nonce reuse.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/256.html
[00:00:00] Introduction
[00:01:12] Friend
Iterating Exploits & Extracting SGX Keys
We are back and testing out a new episode format focusing more on discussion than summaries. We start talking a bit about the value of learning hacking by iterating on the same exploit and challenging yourself as a means of practicing the creative parts of exploitation. Then we dive into the recent Intel SGX fuse key leak, talk a bit about what it means, how it happened.
We are seeking feedback o
Memory Corruption: Best Tackled with Mitigations or Safe-Languages
Memory corruption is a difficult problem to solve, but many such as CISA are pushing for moves to memory safe languages. How viable is rewriting compared to mitigating?
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html
[00:00:00] Introduction
[00:01:12] Clarifying Scope & Short/Long Term
[00:04:28] Mitigations
[00:15:37] Safe Languag
[discussion] A Retrospective and Future Look Into DAY[0]
Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html
[00:00:00] Introduction
[00:01:30] Early days of the DAY[0] podcast
[00:14:10] Split into bounty
[binary] Bypassing KASLR and a FortiGate RCE
Bit of a lighter episode this week with a Linux Kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html
[00:00:00] Introduction
[00:00:29] KASLR bypass in privilege-less containers
[00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762
[00:19:32] Making Mojo Exploits
[bounty] RCE'ing Mailspring and a .NET CRLF Injection
In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a .NET CRLF injection is detailed in its FTP functionality.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html
[00:00:00] Introduction
[00:00:20] Making Desync attacks easy with TRACE
[00:16:01] Reply to calc: The Attack Cha
[binary] Future of Exploit Development Followup
In the 250th episode, we have a follow-up discussion to our "Future of
Exploit Development" video from 2020. Memory safety and the impacts of
modern mitigations on memory corruption are the main focus.
[bounty] libXPC to Root and Digital Lockpicking
In this episode we have an libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html
[00:00:00] Introduction
[00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403]
[00:05:19] xpcroleaccountd Root Privile
[binary] Binary Ninja Free and K-LEAK
In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html
[00:00:00] Introduction
[00:00:31] Binary Ninja Free
[00:10:25] K-LEAK: Towards Automating the Generation of
[bounty] Hacking Google AI and SAML
A shorter episode this week, featuring some vulnerabilities impacting Google's AI and a SAML auth bypass.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/247.html
[00:00:00] Introduction
[00:00:31] We Hacked Google A.I. for $50,000
[00:17:26] SAML authentication bypass vulnerability in RobotsAndPencils/go-saml [CVE-2023-48703]
[00:22:17] Ex
[binary] Rust Memory Corruption???
VirtualBox has a very buggy driver, PostgreSQL has an Out of Bounds Access, and lifetime issues are demonstrated in Rust in "safe" code.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/246.html
[00:00:00] Introduction
[00:00:22] cve-rs
[00:18:28] Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan
[00:32:30]
[bounty] A PHP and Joomla Bug and some DOM Clobbering
This week's episode features a cache deception issue, Joomla inherits a PHP bug, and a DOM clobbering exploit. Also covered is a race condition in Chrome's extension API published by project zero.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/245.html
[00:00:00] Introduction
[00:00:21] Cache Deception Without Path Confusion
[00:07:15]
[binary] Linux Burns Down CVEs
Linux becomes a CNA and takes a stance on managing CVEs for themselves, and underutilized fuzzing strategies are discussed.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/244.html
[00:00:00] Introduction
[00:00:14] What to do about CVE numbers
- The first article we bring up is the 2019 LWN article able Greg's talk back then. The topic it
[bounty] GhostCMS, ClamAV, and the Top Web Hacking Techniques of 2023
In this bounty episode, some straightforward bugs were disclosed in GhostCMS and ClamAV, and Portswigger publishes their top 10 list of web hacking techniques from 2023.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/243.html
[00:00:00] Introduction
[00:02:15] Ghost CMS Stored XSS Leading to Owner Takeover [CVE-2024-23724]
[00:16:07] ClamAV No
[binary] kCTF Changes, LogMeIn, and wlan VFS Bugs
Google makes some changes to their kCTF competition, and a few kernel bugs shake out of the LogMeIn and wlan VFS drivers.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/242.html
[00:00:00] Introduction
[00:00:29] Netfilter Tables Removed from kCTF
[00:20:23] LogMeIn / GoTo LMIInfo.sys Handle Duplication
[00:27:20] Several wlan VFS read handler
[bounty] The End of a DEFCON Era and Flipper Zero Woes
DEF CON moves venues, the Canadian government moves to ban Flipper Zero, and some XSS issues affect Microsoft Whiteboard and Meta's Excalidraw.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/241.html
[00:00:00] Introduction
[00:00:33] DEF CON was canceled.
[00:16:42] Federal action on combatting auto theft
[00:39:03] Jenkins Arbitrary File
[binary] The Syslog Special
Libfuzzer goes into maintenance-only mode and syslog vulnerabilities plague some vendors in this week's episode.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/240.html
[00:00:00] Introduction
[00:00:20] LibFuzzer in Maintainence-only Mode
[00:11:41] Heap-based buffer overflow in the glibc's syslog() [CVE-2023-6246]
[00:26:33] Hunting
[bounty] Public Private Android Keys and Docker Escapes
This week we have a crazy crypto fail where some Android devices had updates signed by publicly available private keys, as well as some Docker container escapes.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/239.html
[00:00:00] Introduction
[00:00:22] Missing signs: how several brands forgot to secure a key piece of Android
[00:13:37] ModSecu
[binary] Busted ASLR, PixieFail, and Bypassing HVCI
This week's binary episode features a range of topics from discussion on Pwn2Own's first automotive competition to an insane bug that broke ASLR on various Linux systems. At the lower level, we also have some bugs in UEFI, including one that can be used to bypass Windows Hypervisor Code Integrity mitigation.
Links and vulnerability summaries for this episode are available at: https://dayz
[bounty] Reborn Homograph Attacks and Ransacking Passwords
A packed episode this week as we cover recent vulnerabilities from the last two weeks, including some IDORs, auth bypasses, and a HackerOne bug. Some fun attacks such as a resurface of IDN Homograph Attacks and timing attacks also appear.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/237.html
[00:00:00] Introduction
[00:02:59]
37C3: Unlocked
[binary] Bypassing Chromecast Secure-Boot and Exploiting Factorio
A bit of a game special this week, with a Counter-Strike: Global Offensive vulnerability and an exploit for Factorio. We also have a Linux kernel bug and a Chromecast secure-boot bypass with some hardware hacking mixed in.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/236.html
[00:00:00] Introduction
[00:00:25] Exploring Counter-Strike: Globa
[bounty] A GitLab Account Takeover and a Coldfusion RCE
A short bounty episode featuring some logical bugs in Apache OFBiz, a GitLab Account Takeover, and an unauthenticated RCE in Adobe Coldfusion.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html
[00:00:00] Introduction
[00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day
[00:11:40] [GitLab] Account Takeover via password reset with
[binary] Allocator MTE, libwebp, and Operation Triangulation
This week's highly technical episode has discussion around the exploitation of a libwebp vulnerability we covered previously, memory tagging (MTE) implementation with common allocators, and an insane iPhone exploit chain that targeted researchers.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/234.html
[00:00:00] Introduction
[00:02:35] Pa
[bounty] Spoofing Emails, PandoraFMS, and Keycloak
Kicking off 2024 with a longer episode as we talk about some auditing desktop applications (in the context of some bad reports to Edge). Then we've got a couple fun issues with a client-side path traversal, and a information disclosure due to a HTTP 307 redirect. A bunch of issues in PandoraFSM, and finally some research about parser differentials in SMTP leading to SMTP smuggling (for effecti
[binary] RetSpill, A Safari Vuln, and Steam RCE
A bit of a rambling episode to finish off 2023, we talk about some Linux kernel exploitation research (RetSpill) then get into several vulnerabilities. A type confusion in QNAP QTS5, a JavaScriptCore bug in Safari, and several issues in Steam's Remote Play protocol.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/232.html
[00:00:00] Introdu
[bounty] IOT Issues and DNS Rebinding
A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature, turned vulnerability in VS Code which takes a look at just abusing intentional functionality. Several XOS bugs with a web-console. A Sonos Era 100 jailbreak which involves causing a particular call to fail, a common bug path we've seen before, and some discussion abou
[binary] Samsung Baseband and GPU Vulns
A Samsung special this week, starting off with two Samsung specific
vulnerabilities, one in the baseband chip for code execution. And a
stack based overflow in the RILD service handler parsing IPC calls from
the baseband chip for a denial of service. Lastly a Mali GPU driver
use-after-free.
Links and vulnerability summaries for this episode are available at:
https://dayzerosec.com/podcast/23
[bounty] Buggy Cookies and a macOS TCC Bypass
This week brings up a pretty solid variety of issues. Starting off with some cookie smuggling (and other cookie attacks) which presents some interesting research I hadn't really looked for before that has some potential. Then an AI alignment evasion to leak training data. Not the most interesting attack but it appears to open up some other ideas for further research. A MacOS desktop issue (for
[binary] Hypervisor Bugs and a FAR-out iOS bug
This week kicks off with a a V8 misoptimization leading to out-of-bounds access, an unprotected MSR in Microsoft's Hypervisor allowing corruption of Hypervisor code. We also take a quick look at a 2021 CVE with an integer underflow leading to an overflow in the Windows Kernel low-fragmentation heap, and finally an interesting information leak due to the kernel not clearing a sensitive register
[bounty] Kubernetes Code Exec and There Is No Spoon
This week we've got a few relatively simple bugs to talk about along with a discussion about auditing and manually analysis for vulnerabilities.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/227.html
[00:00:00] Introduction
[00:00:23] Introducing the Microsoft Defender Bounty Program
[00:04:26] Tapping into a telecommunications company’s
[binary] A Heap of Linux Bugs
Last week we brought you several Windows bugs, this week we are talking Linux kernel vulnerabilities and exploitation. We start off looking at a weird but cool CPU bug, Reptar, then we get into nftables, io_uring, and talk about a newer mitigations hitting Linux 6.6 that randomizes the caches allocations end up in.
Links and vulnerability summaries for this episode are available at: https://dayze
[bounty] Prompting for Secrets and Malicious Extensions
This week has an interesting mix of issues, starting with a pretty standard template inject. Then we get into a Windows desktop issue, a TOCTOU in how the Mark-of-the-Web would be applied to file extracted from an archive, a privilege escalation from a Chrome extension, and a bit of a different spin on what you could do with a prompt injection.
Links and vulnerability summaries for this episode a
[binary] A Bundle of Windows Bugs
We've got a few Windows bugs this week, but first a fun off-by-one null-byte write. Then we jump into a containerized registry escape, a browser escape with a very simple bug buried deep in the browser, and a kernel bug.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/224.html
[00:00:00] Introduction
[00:00:20] Spot the Vuln - Minimax
[00:0
[bounty] Usurping Mastodon and Broken Signature Schemes
Just a few issues this week, a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain starting again with a normalization leading to a fairly interesting request smuggling (CL.0 via malformed content-type header) and cache poisoning to leak credentials. Finally a crypto issue with a signature not actually being a signature.
Links an
[binary] MTE Debuts, DNS Client Exploits, and iTLB Multihit
As memory tagging (MTE) finally comes to a consumer device, we talk about how it may impact vulnerability research and exploit development going forward. Then we get into a few vulnerabilities including a DNS response parsing bug on the Wii U, an Adobe Acrobat bug that was exploited by a North Korean APT, and a CPU bug (iTLB Multihit).
Links and vulnerability summaries for this episode are availa
[bounty] Attacking OAuth, Citrix, and some P2O Drama
Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/221.html
[00:00:00] Introduction
[00:01:24] Wyz
[binary] Windows Kernel Bugs, Safari Integer Underflow, and CONSTIFY
Diving right into some binary exploitation issues this week. Starting wtih a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straight-forward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity&
[bounty] Rapid Reset, Attacking AWS Cognito, and Confluence Bugs
We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluen
[binary] A Chrome RCE, WebP 0day, and glibc LPE
Some complex and confusing vulnerabilities as we talk about the recent WebP 0day and the complexities of huffman coding. A data-only exploit to escape a kCTF container, the glibc LPE LOONY_TUNABLES, and a Chrome TurboFan RCE.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/218.html
[00:00:00] Introduction
[00:00:40] Expanding our exploit reward
[bounty] Insecure Firewalls, MyBB, and Winning with WinRAR
This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including s
[binary] Busted Stack Protectors, MTE, and AI Powered Fuzzing
A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at a Android ex
[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.
Links and vulnerability summaries for this ep
[binary] Exploiting VMware Workstation and the Return of CSG0-Days
This week we've got a handful of low-level vulns, VM-escape, Windows EoP, and a single IPv6 packet leading to a kernel panic/denial of service, and one higher-level issue with a bug chain in CS:GO.
This is our final episode until September 25th as we will be heading off on our regular summer break.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/po
[bounty] Jellyfin Exploits and TOCTOU Spellcasting
Another bug bounty podcast, another set of vulnerabilities. Starting off with a desktop info-disclosure in KeePass2 that discloses master passwords to attackers (with a high-level of access). A couple Jellyfin bugs resulting in an RCE chain, and a pretty classic crypto issue that allowed for renting luxury cars for extremely cheap.
Links and vulnerability summaries for this episode are available
[binary] Attacking VirtualBox and Malicious Chess
This week we we've got a neat little printer corruption, a probably unexploitable stockfish bug, though we speculate about exploitation a bit. Then into a VirtualBox escape bug, and an Andreno "vulnerability".
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/212.html
[00:00:00] Introduction
[00:01:31] Spot the Vuln - To Upload or N
[bounty] OverlayFS to Root and Parallels Desktop Escapes
More bug bounty style bugs, but you'd be forgiven reading that title thinking we had a low-level focus this episode. We got some awesome bugs this week though from tricking Dependabot and abusing placeholder values, an IIS auth bypass. Ending off with a kernel bug (OverlayFS) and a VM escape (Parallels Desktop)
Links and vulnerability summaries for this episode are available at: https://dayze
[binary] TPMs and Baseband Bugs
This week we go a bit deeper than normal and look at some low level TPM attacks to steal keys. We've got a cool attack that lets us leak a per-chip secret out of the TPM one byte at a time, and a post about reading Bitlocker's secret off the SPI bus. Then we talk about several Shannon baseband bugs disclosed by Google's Project Zero.
Links and vulnerability summaries for this episode
[bounty] Bad Ordering, Free OpenAI Credits, and Goodbye Passwords?
We open up this weeks bug bounty podcast with a discussion about Google's recent support for passkeys, tackling some misunderstanding about what they are and how open the platform is. Also some talk towards the end about potential vulnerabilities to look out for. Then we dive into the vulnerabilities for the week, involving bypassing phone validation in OpenAI, a bad origin check enabling abus
[binary] A Timing Side-Channel for Kernel Exploitation and VR in the wake of Rust
Not a lot of interesting binary exploitation topics for this week, we've got a DHCPv6 service vuln, and a fun idea to use a timing side-channel to improve exploit stability. Then we end with a discussion about Rust coming the Windows operating system, what Rust means for the future of exploit development and vulnerability research and the value of memory corruption in Windows.
Links and vulne
[bounty] Git Config Injection and a Sophos Pre-Auth RCE
On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's p
[binary] A Ghostscript RCE and a Windows Registry Bug
This week's binary exploitation episode has some pretty solid bugs.A string escaping routine that goes out of bounds, a web-based information disclosure. And a couple kernel issues, one in the Windows registry, a logical bug leading to memory corruption, and an AppleSPU out of bounds access.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/20
[bounty] SecurePoint UTM, Chfn, and Docker Named Pipe Vulns
For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.
Links and vulner
[binary] Glitching the Wii-U and Integer Overflows
We start with a hardware/glitching attack against the Wii U, then lets talk about integer overflows. We've got three integer overflows this week that lead to buffer overflows in different ways.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/204.html
[00:00:00] Introduction
[00:00:19] Spot the Vuln - Easy as ABC
[00:06:18] de_Fuse, the One
