Specter and zi discuss their winter break, cover some interesting CCC talks, and discuss the summary judgement in the WhatsApp vs. NSO Group case.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/268.html

[00:00:00] Introduction

[00:09:53] 38C3: Illegal Instructions

[00:35:38] WhatsApp v. NSO Group

[01:04:06] Vulnerability Research Highlights 2024

[01:08:45] Debugging memory corruption: Who wrote ‘2’ into my stack?!

[01:16:46] HardBreak

[01:20:14] Announcing CodeQL Community Packs

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In our last episode of 2024, we delve into some operating system bugs in both Windows and Linux, as well as some bugs that are not bugs but rather AI slop.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/267.html

[00:00:00] Introduction

[00:06:48] Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4

[00:19:20] Bypassing WAFs with the phantom $Version cookie

[00:27:51] Windows Sockets: From Registered I/O to SYSTEM Privileges

[00:34:02] ksthunk.sys Integer Overflow (PE)

[00:38:20] Linux Kernel: TOCTOU in Exec System

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week's episode contains some LLM hacking and attacks on classifiers, as well as the renewal of DMA attacks with SD Express and the everlasting problems of null bytes.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/266.html

[00:00:00] Introduction

[00:00:31] Hacking 2024 by No Starch

[00:09:18] Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject)

[00:14:37] Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges

[00:25:49] Null problem! Or: the dangers of an invisible byte

[00:36:32] New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A short episode this week, featuring Keyhole which abuses a logic bug in Windows Store DRM, an OAuth flow issue, and a CSRF protection bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/265.html

[00:00:00] Introduction

[00:00:16] Attacking Hypervisors From KVM to Mobile Security Platforms

[00:02:30] Keyhole

[00:10:12] Drilling the redirect_uri in OAuth

[00:18:00] Cross-Site POST Requests Without a Content-Type Header

[00:24:03] New AMSI Bypss Technique Modifying CLR.DLL in Memory

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Linux userspace is still a mess and has some bad bugs in root utilities, and Vaultwarden has an interesting auth bypass attack.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/264.html

[00:00:00] Introduction

[00:00:29] LPEs in needrestart [Ubuntu]

[00:18:41] Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5

[00:31:50] From an Android Hook to RCE

[00:43:34] Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week, we dive into some changes to V8CTF, the FortiJump Higher bug in Fortinet's FortiManager, as well as some coverage instrumentation on blackbox macOS binaries via Pishi.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/263.html

[00:00:00] Introduction

[00:00:25] V8 Sandbox Bypass Rewards

[00:25:39] Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager [CVE-2024-47575]

[00:38:07] Pishi: Coverage guided macOS KEXT fuzzing.

[00:44:20] Breaking Control Flow Flattening: A Deep Technical Analysis

[00:55:10] Firefox Animation CVE-2024-9680 - Dimitri Fourny

[00:57:13] Internship Offers for the 2024-2025 Season

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1's In-The-Wild exploit chains insights via Google's Threat Analysis Group.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/262.html

[00:00:00] Introduction

[00:00:35] Discovering Hidden Vulnerabilities in Portainer with CodeQL

[00:18:12] Finding Vulnerabilities in Firmware with Static Analysis Platform QueryX

[00:28:25] From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

[00:50:00] Hexacon2024 - Caught in the Wild, Past, Present and Future by Clem1

[01:06:34] Hexacon 2024 Videos

[01:11:34] WOOT 2024 Videos

[01:18:38] Securing the open source supply chain: The essential role of CVEs

[01:20:19] A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we talk a little bit about LLMs and how they can be used with static analysis. We also cover GitHub Security Blog's post on attacking browser extensions, as well as a somewhat controversial CyberPanel Pre-Auth RCE that was disclosed.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/261.html

[00:00:00] Introduction

[00:01:56] Autonomous Discovery of Critical Zero-Days

[00:14:43] Attacking browser extensions

[00:25:26] What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE

[00:52:15] Security research on Private Cloud Compute

[01:01:02] Bluetooth Low Energy GATT Fuzzing

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, Specter recaps his experiences at Hardwear.IO and a PS5 hypervisor exploit chain presented there. We also cover some of the recently released DEF CON 32 talks. After the conference talk, we get into some filesystem exploit tricks and how arbitrary file write can be taken to code execution in read-only environments.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/260.html

[00:00:00] Introduction

[00:00:27] Hardwear.io NL 2024

[00:14:27] Byepervisor - Breaking the PS5 Hypervisor Security

[00:26:38] DEF CON 32 Main Stage Talks

[00:51:16] The Missing Guide to Filesystem Security

[01:00:51] Why Code Security Matters - Even in Hardened Environments

[01:09:12] How I Defeated An MMO Game Hack Author

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we cover the fiasco of a vulnerability in Zendesk that could allow intrusion into multiple fortune 500 companies. We also discuss a project zero blogpost that talks about fuzzing Dav1d and the challenges of fuzzing, as well as rooting Linux via EMFI with a lighter.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/259.html

[00:00:00] Introduction

[00:00:57] 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

[00:27:10] Effective Fuzzing: A Dav1d Case Study

[00:40:15] Can You Get Root With Only a Cigarette Lighter?

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9