Day[0]

In this week's episode, we cover an attack utilizing HSTS for exploiting Android WebViews and abusing YouTube embeds in Google Slides for clickjacking. We also talk about the infamous CUPS attack, and the nuances that seem to be left behind in much of the discussion around it.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/257.html

[00:00:00] Introduction

[00:01:30] Exploiting Android Client WebViews with Help from HSTS

[00:09:08] Using YouTube to steal your files

[00:18:43] Attacking UNIX Systems via CUPS, Part I

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's episode, we discuss Microsoft's summit with vendors on their intention to lock down the Windows kernel from endpoint security drivers and possibly anti-cheats. We also talk cryptography and about the problems of nonce reuse.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/256.html

[00:00:00] Introduction

[00:01:12] Friends don’t let friends reuse nonces

[00:13:22] Serious Cryptography, 2nd Edition

[00:14:30] Taking steps that drive resiliency and security for Windows customers

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We are back and testing out a new episode format focusing more on discussion than summaries. We start talking a bit about the value of learning hacking by iterating on the same exploit and challenging yourself as a means of practicing the creative parts of exploitation. Then we dive into the recent Intel SGX fuse key leak, talk a bit about what it means, how it happened.

We are seeking feedback on this format. Particularly interested in those of you with more of a bug bounty or higher-level focus if an episode like this would still be appealing? If you want to share any feedback feel free to DM us (@__zi or @specterdev) or email us at media [at] dayzerosec.com

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/255.html

[00:00:00] Introduction

[00:04:55] Exploiting CVE-2024-20017 4 different ways

[00:22:26] Intel SGX Fuse Keys Extracted

[00:51:01] Introducing the URL validation bypass cheat sheet

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Memory corruption is a difficult problem to solve, but many such as CISA are pushing for moves to memory safe languages. How viable is rewriting compared to mitigating?

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html

[00:00:00] Introduction

[00:01:12] Clarifying Scope & Short/Long Term

[00:04:28] Mitigations

[00:15:37] Safe Languages Are Falliable

[00:21:20] Weaknesses & Evolution of Mitigations

[00:29:19] Rewriting and the Iterative Process

[00:34:55] The Rewriting Scalability Argument

[00:41:43] System vs App Bugs

[00:48:46] Mitigations & Rewriting Are Not Mutually Exclusive

[00:50:25] Corporate vs Open Source

[00:54:12] Generational Change

[00:56:18] Conclusion

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html

[00:00:00] Introduction

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Bit of a lighter episode this week with a Linux Kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html

[00:00:00] Introduction

[00:00:29] KASLR bypass in privilege-less containers

[00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762

[00:19:32] Making Mojo Exploits More Difficult

[00:22:57] Robots Dream of Root Shells

[00:27:02] Gaining kernel code execution on an MTE-enabled Pixel 8

[00:28:23] SMM isolation - Security policy reporting (ISSR)

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a .NET CRLF injection is detailed in its FTP functionality.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html

[00:00:00] Introduction

[00:00:20] Making Desync attacks easy with TRACE

[00:16:01] Reply to calc: The Attack Chain to Compromise Mailspring

[00:35:29] $600 Simple MFA Bypass with GraphQL

[00:38:38] Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability [CVE-2023-36049]

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In the 250th episode, we have a follow-up discussion to our "Future of

In this episode we have an libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html

[00:00:00] Introduction

[00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403]

[00:05:19] xpcroleaccountd Root Privilege Escalation [CVE-2023-42942]

[00:10:50] Bypassing the “run-as” debuggability check on Android via newline injection

[00:18:09] Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)

[00:43:06] Using form hijacking to bypass CSP

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html

[00:00:00] Introduction

[00:00:31] Binary Ninja Free

[00:10:25] K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

[00:19:53] Glitching in 3D: Low Cost EMFI Attacks

[00:22:08] Nintendo vs. Yuzu

[00:38:32] Finding Gadgets for CPU Side-Channels with Static Analysis Tools

[00:40:12] ThinkstScapes Research Roundup - Q4 - 2023

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9