Day[0]

By dayzerosec

A weekly podcast for bounty hunters, exploit developers or anyone interesting in the details of the latest disclosed vulnerabilities and exploits.... more

· Technology

4

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Day[0]:

How many episodes does Day[0] have?

The podcast currently has 282 episodes available.

Day[0] episodes:

November 10, 2020Pwn2Own, Tianfu Cup, and Other Hacks
A Facebook DOM-based XSS, Rocket.chat and Github Actions RCEs, and a Brave Browser information disclosure in this week's episode.
[00:00:50] Pwn2Own Tokyo (Live from Toronto) - Schedule and Results
https://www.zerodayinitiative.com/blog/2020/7/28/announcing-pwn2own-tokyo-2020-live-from-toronto
[00:12:00] Tianfu Cup - Results

[00:16:28] Unlimited Chase Ultimate Rewards Points

[00:26:09] Github: Widespread injection vulnerabilities in Actions

[00:36:37] About the security content of iOS 14.2 and iPadOS 14.2
https://twitter.com/ShaneHuntley/status/1324431104187670529
[00:42:04] Rocket.Chat Desktop RCE

[00:44:44] git-lfs RCE

[00:46:46] Attack of the clones: Git clients remote code execution

[00:48:17] YOURLS 1.5 - 1.7.10, Multiple Stored XSS Vulnerabilities in Admin Panel

[00:53:23] Company forced to change name that could be used to hack websites

[00:57:12] Facebook DOM Based XSS using postMessage

[01:03:00] SQL Injection and Reflected XSS in Oracle Communications Diameter Signaling Router

[01:06:00] Re-discovering a JWT Authentication Bypass in ServiceStack
https://docs.servicestack.net/releases/v5.9#v592-patch-release-notes
[01:10:45] How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day

[01:18:12] Exploiting Microsoft Store Games [CVE-2020-16877]

[01:26:21] Fuzzing for eBPF JIT bugs in the Linux kernel

[01:41:18] Capture the Bot: Using Adversarial Examples to Improve CAPTCHA Robustness to Bot Attacks

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 52min
November 03, 2020A Look At OSEP, Hacking Metasploit and the Legal Risks of Research
This week we are joined by CTS to discuss fuzzing. We also take at PEN-300/OSEP. Before jumping into this weeks exploits, from NAT Slipstreaming to a Metasploit command injection and plenty in between.
[00:01:06] Cybersecurity as we know it will be 'a thing of the past in the next decade,' says Cloudflare's COO

[00:05:51] A Researcher’s Guide to Some Legal Risks of Security Research

[00:10:57] Exploit Developer Spotlight: The Story of PlayBit

[00:17:25] New Pentesting Course: PEN-300 (OSEP)
https://www.offensive-security.com/awe-osee/
[00:28:20] Vulnonym: Stop the Naming Madness!
https://twitter.com/vulnonym
[00:30:55] DeFuzz: Deep Learning Guided Directed Fuzzing

[00:59:32] NAT Slipstreaming

[01:08:10] GitLab CVE-2020-13294

[01:13:17] Attacking Roku sticks for fun and profit

[01:16:48] Tiki Wiki - Authentication Bypass [CVE-2020-15906]

[01:20:12] Metasploit framework template command injection - CVE-2020-7384

[01:23:43] Wormable remote code execution in Alien Swarm

[01:29:50] Pulse Connect Secure - RCE via Uncontrolled Gzip Extraction [CVE-2020-8260]

[01:32:55] The story of three CVE's in Ubuntu Desktop

[01:41:31] CVE-2020-16939: Windows Group Policy DACL Overwrite Privilege Escalation

[01:46:36] Windows Kernel cng.sys pool-based buffer overflow

[01:54:21] Vector35 releases all Binary Ninja core architecture plugins

[01:55:33] How Debuggers Work: Getting and Setting x86 Registers, Part 1

[01:56:12] CodeQL U-Boot Challenge (C/C++)

[01:59:14] Fundamentals of Software Exploitation

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 8min
October 27, 2020Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
A lot to cover in this episode, from high performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course many vulns from GitHub RCEs to VMWare Workstation race conditions.
[00:01:21] Youtube-dl Cease and Desist

[00:14:33] Let’s build a high-performance fuzzer with GPUs!
https://gamozolabs.github.io/2020/10/23/some_thoughts_on_gpu_fuzzing.html
[00:29:07] Samsung S20 - RCE via Samsung Galaxy Store App

[00:33:24] Jitsi Meet Electron - Arbitrary Client Remote Code Execution [CVE-2020-27162]
https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126
[00:39:14] 2FA Disable With Wrong Password - Response Tampering.

[00:41:22] HTTP Request Smuggling due to CR-to-Hyphen conversion
https://hackerone.com/nodejs?type=team
[00:46:56] GitHub Gist - Account takeover via open redirect

[00:53:19] GitHub - RCE via git option injection (almost)

[00:56:36] GitHub Pages - Multiple RCEs via insecure Kramdown configuration

[01:01:38] Gateway2Hell - Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In

[01:09:02] Remote code execution on Symfony based websites

[01:18:40] Detailing Two VMware Workstation TOCTOU Vulnerabilities

[01:25:15] Linksys WRT160NL – Authenticated Remote Buffer Overflow [CVE-2020-26561]

[01:32:03] The FreeType Project - Heap buffer overflow due to integer truncation

[01:38:54] Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild

[01:45:15] NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs

[01:57:15] Penetration Testing and Low-Cost Freelancing

[02:23:24] WPScan.io "XSS"

[02:28:24] MITRE - Adversarial Threat Matrix

[02:29:16] Shoutout to Alh4zr3d

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 32min
October 20, 2020Some Discord, a Bad Neighbor and a BleedingTooth
It has been a while since we had an exploit extravaganza but here we are. Several binary-level issues from Bad Neighbor on Windows to BleedingTooth on Linux, and several vulns in Qualcomm SoCs, even a Discord RCE.
[00:00:57] Introducing Edge Vulnerability Research

[00:06:57] Cache Partitioning in Chrome

[00:10:29] Magma: A Ground-Truth Fuzzing Benchmark

[00:25:27] "Bits Please!" - CVE-2020-16938

[00:29:50] ContainerDrip [CVE-2020-15157]

[00:40:01] Discord Desktop app RCE

[00:52:34] Time Based SQLi via referrer header
https://www.fedscoop.com/hack-the-army-2-results/
[00:57:35] PyYAML 0day

[01:09:24] Phantom of the ADAS

[01:15:03] Rollback Attack in Mozilla Maintenance Service

[01:19:33] Glitching The MediaTek BootROM

[01:25:05] AssaultCube RCE: Technical Analysis

[01:32:27] CVE-2020-12928 - Privilege Escalation in AMD Ryzen Master

[01:35:38] Major Vulnerabilities in Qualcomm QCMAP

[01:42:58] Bad Neighbor - RCE in Windows ICMPv6 Router Advertisement

[01:51:16] DOS2RCE: A New Technique to Exploit V8 NULL Pointer Dereference Bug (see: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers)

[01:56:34] BleedingTooth - Linux Bluetooth Zero-Click RCE
https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649

[02:07:25] shmdt doesn't check the tag of pointers

[02:12:29] Security Analysis of the CHERI ISA

[02:13:18] Evading defences using VueJS script gadgets

[02:14:32] Sega Master System Architecture - A Practical Analysis

[02:14:52] IPC scripts for access to Intel CRBUS

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on
...more
2h 17min
October 13, 2020Breaking into HashiCorp Vault, Apple and Google
Its a web-exploit heavy episode impacing Apple, Hasicorp, Azure, Google, and even a DOMPurify Bypass. Then we end-off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique.
[00:00:49] Fuzzing internships for Open Source Software

[00:03:15] CET Updates – CET on Xanax

[00:09:07] Binary Ninja - Open Source Architectures

[00:14:03] Memory Safe 'curl' for a More Secure Internet
https://daniel.haxx.se/blog/2020/10/09/rust-in-curl-with-hyper/
[00:17:25] We Hacked Apple for 3 Months: Here’s What We Found

[00:25:46] Race condition while removing the love react in community files

[00:30:11] Enter the Vault: Authentication Issues in HashiCorp Vault

[00:46:39] Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure

[00:51:11] Password Reset Link Leaked In Refer Header

[00:57:37] The mass CSRFing of *.google.com/* products.

[01:06:02] A brief encounter with Leostream Connect Broker

[01:15:47] Bypassing DOMPurify again with mutation XSS
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/

https://github.com/marcinguy/jquery-xss-in-html
[01:22:10] Apache Struts OGNL Remote Code Execution [CVE-2019-0230]

[01:28:11] UNIFUZZ: A Holistic, Pragmatic Metrics-Driven Platform for Evaluating Fuzzers
https://github.com/unifuzz/unibench

https://github.com/unifuzz
[01:47:15] House of Muney - Leakless Heap Exploitation Technique
https://github.com/mdulin2/house-of-muney
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 55min
October 06, 2020Fingerprinting Exploit Devs, BLURtooth and Punking Punkbuster
Every wondering how you might fingerprint and trace exploit devs in the wild? Wondered what a backdoor in a D-Link router looks like? Want to hack Facebook (for Android)? We have all of that and more!
[00:00:43] Google: Android Partner Vulnerability Initiative
https://bugs.chromium.org/p/apvi/issues/list?q=&can=1
[00:02:55] Project Zero: Announcing the Fuzzilli Research Grant Program

[00:08:40] GitHub: Code scanning is now available

[00:16:39] Hunting for exploits by looking for the author's fingerprints

[00:22:26] Forcing Firefox to Execute XSS Payloads during 302 Redirects

[00:27:10] Exploiting fine-grained AWS IAM permissions for total cloud compromise
https://medium.com/bugbountywriteup/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
[00:38:04] BLURtooth (the BLUR attacks)

[00:44:25] Arbitrary code execution on Facebook for Android

[00:51:44] [stripo] Public and secret api key leaked in JavaScript source

[01:00:14] [GitLab] Unvalidated Oauth email results in accounts takeovers on 3rd parties

[01:06:03] Hacking Grindr Accounts with Copy and Paste

[01:16:37] Exploiting Other Remote Protocols in IBM WebSphere
https://portswigger.net/web-security/deserialization/exploiting
[01:25:57] The Anatomy of a Bug Door: Dissecting Two D-Link Router Authentication Bypasses

[01:38:36] Hacking Punkbuster.

[01:43:26] Race Condition in handling of PID by apport [CVE-2020-15702]

[01:57:24] Hardware Hacking Experiments

[01:59:11] How I automated McDonalds mobile game to win free iPhones

[01:59:42] Voyager - A Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel)

[02:00:28] zznop/sploit: Go package that aids in binary analysis and exploitation

Watch
...more
2h 5min
September 29, 2020Instagram Hacks, Half-life 1 Exploits, and Gaslighting Android
Lets go back in time to look at the leaked WinXP source, and a Half-Life 1 exploit. And, while we are at it a couple Instagram vulns and a cheap hardware attack against Android.
[00:00:50] Windows XP Source Leak
https://twitter.com/vxunderground/status/1309231131313737735

https://twitter.com/dangeredwolf/status/1310067935902343170
[00:12:49] "I'm not a fan of critical bugs"

[00:28:01] API Keys leaked via Solana BBP github repo

[00:36:34] Exploiting Tiny Tiny RSS

[00:45:28] HackerOne Reflected XSS

[00:50:37] Steam Arbitrary File Overwrite

[00:55:23] Half-Life 1 Code Execution with malformed map name

[00:59:09] uTorrent Vulnerability [CVE-2020-8437]
https://raw.githubusercontent.com/guywhataguy/uTorrent-CVE-2020-8437/master/malicious.torrent
[01:09:26] $25K Instagram Almost XSS Filter Link

[01:14:57] #Instagram_RCE

[01:26:44] Kernel exploitation: weaponizing [CVE-2020-17382]

[01:34:07] Bypass Android MDM

[01:41:17] XSS without arbitrary JavaScript

[01:48:40] security things in Linux v5.7

[01:56:48] Code Review 101

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 5min
September 22, 2020Bhyves and Evil LEDs (+Roulette)
A "trivial" Bhyve VM escape, a BitWarden "RCE", a ModSecurity "Denial of Service" and more scare quotes for your enjoyment in this week's episode.
[00:00:33] Patient Dies After Ransomware Attack

[00:08:05] Zerologon [CVE-2020-1472]

[00:14:29] BitWarden Blind HTTP GET SSRF
https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332

https://github.com/bitwarden/desktop/issues/552
[00:23:40] Apache + PHP under v7.4.10 open_basedir bypass

[00:29:59] ModSecurity v3 Affected By DoS (Severity HIGH) [CVE-2020-15598]

[00:38:09] Bhyve VM Escape
https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-29-bhyve_svm
[00:42:59] Webkit aboutBlankURL() code execution vulnerability

[00:48:28] CVE-2020-9964 - An iOS infoleak

[00:51:44] Online Casino Roulette - A guideline for pen testers

[00:56:40] Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition

[01:03:06] UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling

[01:12:07] FANS: Fuzzing Android Native System Services via Automated Interface Analysis
https://github.com/iromise/fans
[01:19:52] OneFuzz framework, an open source developer tool to find and fix bugs at scale
https://github.com/microsoft/onefuzz
[01:28:35] Finding Australian Prime Minister Tony Abbott's passport number

[01:34:08] ARM64 Reversing and Exploitation

[01:37:25] Hypervisor Exploitation Compiled Research List
https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 40min
September 15, 2020Raccoons, Incomplete fixes and Kernel Exploits
Leading off this week's discussion is the news about the now remote CCC and Offensive Security's plans to retire OSCE. On the exploit side of things, this week we have a few recent bug bounties including a Google Maps XSS, a FreeBSD TOCTOU, and a couple of Linux kernel vulnerabilities.
[00:02:30] CCC going remote this year due to pandemic

[00:09:44] NVIDIA to Acquire Arm for $40 Billion

[00:20:36] OSCE being retired
https://ringzer0.training/
[00:34:21] Giggle; laughable security

[00:44:51] Raccoon Attack
https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocols-to-stage-highly-efficient-timeless-timing-attacks
[00:53:34] Executing arbitrary code on NVIDIA GeForce NOW VMs

[01:02:07] Cache poisoning via X-Forwarded-Host

[01:08:56] Team object in GraphQL disclosed private_comment

[01:14:08] XSS->Fix->Bypass: 10000$ bounty in Google Maps

[01:28:33] Microsoft Sharepoint and Exchange Server Vulnerabilities
[01:45:35] Short story of 1 Linux Kernel Use-After-Free and 2 CVEs

[01:53:25] FreeBSD Kernel Privilege Escalation [CVE-2020-7460]

[02:02:47] WSL 2.0 dxgkrnl Driver Memory Corruption

[02:10:46] Project Zero: Attacking the Qualcomm Adreno GPU

[02:16:03] GoogleCTF 2020 Challenge Source + Exploits Release

[02:20:08] IDA Pro Tips to Add to Your Bag of Tricks

[02:20:48] Reverse Engineering: Marvel's Avengers - Developing a Server Emulator

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 23min
May 26, 2020Zoom E2E, 15 year old bugs, and killing 20 year old attacks
The DAY[0] podcast will be on break until September 14, 2020
A quick chat about E2E Crypto and Zoom, followed by a few noteworth exploits including Bluetooth impersonation, a 15-year old qmail CVE, NordVPN, and an RCE in Google
[00:00:50] Adventures of porting MUSL to PS4

[00:01:55] End-to-End Encryption for Zoom Meetings

[00:13:16] Memory safety - The Chromium Projects

[00:21:17] First 0d iOS jailbreak in 6 years

[00:24:11] BIAS: Bluetooth Impersonation AttackS
https://little-canada.org/pdf/web/viewer.html?file=antonioli-20-bias.pdf

https://francozappa.github.io/about-bias/talk/bias-snp/
[00:33:13] 15 years later: Remote Code Execution in qmail (CVE-2005-1513)
http://tukan.farm/2016/07/27/munmap-madness/

https://cr.yp.to/qmail/guarantee.html

http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[00:48:01] Privilege Escalation in Parallels Desktop via VGA Device [CVE-2020-8871]
https://twitter.com/matalaz/status/580600098092105728
[00:55:50] Multiple vulnerabilities in Dovecot IMAP server

[00:59:05] Yet another arbitrary delete EoP [CVE-2020–1088]

[01:06:29] Vulnerabilities chain leading to privilege escalation [NordVPN]

[01:09:27] Race condition in activating email resulting in infinite amount of diamonds received

[01:12:23] RCE in Google Cloud Deployment Manager

[01:28:17] QNAP Pre-Auth Root RCE

[01:37:07] Safe-Linking - Eliminating a 20 year-old malloc() exploit primitive

[01:47:37] Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets

[02:05:43] Precise XSS detection and mitigation with Client-side Templates

[02:17:53] Documenting the impossible: Unexploitable XSS labs

DAY[0] will be on break until September but you can find the video archive on on Youtube (@DAY[0])
...more
2h 22min

FAQs about Day[0]:

How many episodes does Day[0] have?

The podcast currently has 282 episodes available.

More shows like Day[0]

Critical Thinking - Bug Bounty Podcast by Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

Critical Thinking - Bug Bounty Podcast

56 Listeners