Day[0]

By dayzerosec

A weekly podcast for bounty hunters, exploit developers or anyone interesting in the details of the latest disclosed vulnerabilities and exploits.... more

· Technology

4

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Day[0]:

How many episodes does Day[0] have?

The podcast currently has 282 episodes available.

Day[0] episodes:

May 19, 2020iOS 0days are worthless, PrintDemon, and a takeover of hackerone
Are iOS 0days now worthless? Can you hack a satellite...or hackerone? Are WAFs worthwhile? And more on a fairly discussion heavy episode of DAY[0].
[00:00:52] [UPDATE] Huawei HKSP Introduces Trivially Exploitable Vulnerability
https://github.com/cloudsec/aksp/blob/master/hksp.patch
[00:11:59] iOS one-click chains prices likely to drop
https://www.hackasat.com/
[00:33:30] Defcon Quals 2020
https://hxp.io/blog/72/DEFCON-CTF-Quals-2020-notbefoooled/
[00:46:33] vBulletin 5.6.1 SQL Injection

[00:52:52] Subdomain takeover of resources.hackerone.com

[01:01:11] MyLittleAdmin PreAuth RCE

[01:06:13] DOM-Based XSS at accounts.google.com by Google Voice Extension.

[01:16:47] Playing with GZIP: RCE in GLPI [CVE-2020-11060]

[01:36:24] Reverse RDP - The Path Not Taken

[01:44:19] PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth [CVE-2020-1048]
https://twitter.com/VbScrub/status/1260598344650539009
[01:53:34] Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently

[02:00:29] Cloud WAF Comparison Using Real-World Attacks
https://medium.com/fraktal/cloud-waf-comparison-part-2-e6e2d25f558c

https://en.wikipedia.org/wiki/Server_Side_Includes
[02:18:20] Fuzzing TLS certificates from their ASN.1 grammar

[02:22:25] DHS CISA and FBI share list of top 10 most exploited vulnerabilities

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 33min
May 12, 2020Defcon is canceled, Microsoft was hacked, Rust has vulns
Update: While we talk about Huawei Kernel Self Protection (HKSP) I make mention of the authors statement that he is unrelated to Huawei. Turns out this statement, despite a commit date of Friday wasn't pushed until Monday morning so it was not original. Further information has also come out showing that the author is a Huawei employee, so the relationship is much closer than I believe it to be. ~zi
It was a busy week, Microsofts Github account was hacked, Centurylink Routers have no security, and multiple interactionless RCEs in Samsung phones.
[00:01:45] OpenOrbis PS4 Toolchain

[00:05:06] DEF CON 28 in-person conference is CANCELLED

[00:13:23] The Nintendo leak saga continues...

[00:18:40] Keybase joins Zoom
https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/

[00:33:41] Azure Security Lab - Research Challenge

[00:42:38] Hijacking Centurylink Routers [CVE 2019-19639]

[00:46:24] DoS on Twitter App

[00:51:39] A tale of verbose error message and a JWT token

[01:00:29] Pentesting Cisco SD-WAN Part 2: Breaking routers

[01:04:21] Memory leak and Use After Free in Squid

[01:17:48] How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability

[01:28:30] Samsung Android multiple interactionless RCE
https://github.com/googleprojectzero/SkCodecFuzzer

[01:38:25] Linux futex+VFS Use-After-Free

[01:45:03] Huawei HKSP Introduces Trivially Exploitable Vulnerability

[01:50:32] Ragnarok Stopper: development of a vaccine

[01:55:51] Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs

[02:09:34] Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters

[02:10:19] GitHub - JHUAPL/Beat-the-Machine: Reverse engineering basics in puzzle form
...more
2h 18min
May 05, 2020Auth Bypass, XSS, RCE and more
Authentication bypasses, SQL injection, command injection, and more in this web-exploit heavy episode.
[00:09:11] Facebook v. NSO Group

[00:18:14] Netsweeper PreAuth RCE

[00:25:49] SaltStack authorization bypass
https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139
[00:42:02] E-Learning Platforms Getting Schooled
https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split
[01:03:54] Roblox - Subdomain Takeover

[01:08:09] Fix XSS issue in handling of CDATA in HTML messages · roundcube/roundcubemail@87e4cd0 · GitHub

[01:10:13] Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin

[01:17:11] Gitlab - Arbitrary file read via the UploadsRewriter when moving and issue

[01:20:15] Researching Polymorphic Images for XSS on Google Scholar

[01:27:41] TP-LINK Cloud Cameras Multiple Vulnerabilities
https://seclists.org/fulldisclosure/2020/May/3

https://seclists.org/fulldisclosure/2020/May/4
[01:34:46] Remote Code Execution on Microsoft SharePoint Using TypeConverters [CVE-2020-0932]

[01:43:03] Firefox js::ReadableStreamCloseInternal Out-Of-Bounds Access

[01:51:56] Siguza - iOS <13.5 sandbox escape/entitlement 0day

[02:03:16] Honeysploit: Exploiting the Exploiters

[02:15:13] Guy's 30 Reverse Engineering Tips & Tricks

[02:16:45] Remote Code Execution on Nintendo 64 through Morita Shogi 64

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 21min
April 28, 2020Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE
Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.
[00:00:33] Relyze Decompiler

[00:22:06] Firefox's Bug Bounty in 2019 and into the Future

[00:30:29] Source code for both CS:GO and TF2 Leaked

[00:38:58] Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS

[00:44:34] MSI TrueColor Unquoted Service Path Vulnerability

[00:48:43] 1-click RCE on Keybase

[00:55:56] jQuery < 3.5 Cross-Site Scripting (XSS) in html()
https://xss.pwnfunction.com/challenges/ww3/
[01:01:37] Multiple 0 day vulnerabilities in IBM Data Risk Manager

[01:17:24] You Won't Believe what this One Line Change Did to the Chrome Sandbox
https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1
[01:23:58] You’ve Got (0-click) Mail!

[01:31:29] Sharing a Logon Session a Little Too Much

[01:37:00] SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions
https://0x0539.net/play/fangorn/crypto_cookie
[01:47:10] MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages

[01:54:37] Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022]

[01:57:26] Patchguard: Detection of Hypervisor Based Introspection
https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/
[01:59:37] HITB Lockdown Livestream Day 1

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 5min
April 21, 2020Binary Ninja's Decompiler, git credential leak, cross-platform LPEs
Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler...okay probably not but it is exciting.We've also got some stupid issues and some interesting LPEs this episode.
[00:00:29] Cognizant suffers Maze Ransomware cyber attack
[00:14:08] Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000
[00:27:46] How I Reverse Engineered the LastPass CLI Tool
[00:35:59] State of the Ninja: Episode 13
[01:02:18] Riot offering up to $100k n Bug Bounty
[01:05:31] Research Grants to support Google VRP Bug Hunters during COVID-19
[01:09:08] Denial of service to WP-JSON API by cache poisoning
[01:11:43] CSRF to RCE bug chain in Prestashop
[01:21:16] Unintended disclosure of OTP
[01:24:20] JSON Web Token Validation Bypass in Auth0 Authentication API
[01:27:06] git: Newline injection in credential helper
[01:31:20] How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability
[01:36:34] Pwning vCenter with CVE-2020-3952
[01:45:19] Oracle Solaris 11.x/10 whodo/w Buffer Overflow
[01:51:22] Linux Kernel EoP via Improper eBPF Program Verification [CVE-2020-8835]
[01:57:39] Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab
[02:07:20] Ricerca Security: "SMBGhost pre-auth RCE
https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
[02:14:01] IJON: Exploring Deep State Spaces via Fuzzing
[02:23:26] Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
[02:27:45] GitHub - wcventure/FuzzingPaper
...more
2h 31min
April 14, 2020IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)
Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug.
[00:00:45] DAY[0] Episode Transcripts now Available

[00:02:53] Microsoft Buys Corp.com to Keep It Safe from Hackers (Over $1.7 Million Deal)

[00:05:42] Hack for Good: Easily Donate Bounties to WHO’s COVID-19 Response Fund

[00:10:55] RetDec v4.0 is out

[00:17:33] IDA Home is coming
https://www.sophia.re/Binary-Rockstar/index.html

https://nostarch.com/GhidraBook
[00:33:44] Sandboxie Open Source Code is available
https://github.com/xanasoft/Sandboxie
[00:38:01] Exploiting the TP-Link Archer A7

[00:46:50] Exploiting the Starcraft 1 EUD Bug

[00:51:23] OhMyZsh dotenv Remote Code Execution

[00:56:19] Symantec Web Gateway 5.0.2.8 Remote Code Execution

[00:59:15] VMware vCenter Server Sensitive Information Disclosure [CVE-2020-3952]

[01:01:39] Bypassing modern XSS mitigations with code-reuse attacks

[01:07:49] Practical Data Poisoning Attack against Next-Item Recommendation

[01:11:40] Hardware Trojan Detection Using Controlled Circuit Aging

[01:16:18] A "Final" Security Bug

[01:27:05] RCEed version of computer malware / rootkit MyRTUs / Stuxnet.
https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.c

https://xkcd.com/350/
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 30min
April 07, 2020Zoom-ers, VM Escapes, and Pegasus Resurfaces
First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hyper-visor Guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab Parser Differential.
[00:09:31] Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users

[00:14:49] Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings

[00:28:28] Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1

[00:33:20] Bug bounty platforms buy researcher silence, violate labor laws, critics say

[00:53:56] Zoom NTLM Hash Leak

[00:59:44] The 'S' in Zoom, Stands for Security

[01:05:52] Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947]
https://www.vmware.com/security/advisories/VMSA-2020-0004.html

https://www.zerodayinitiative.com/advisories/ZDI-20-298/
[01:15:38] Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796]

[01:26:31] How to exploit parser differentials

[01:37:07] Unauthorized Camera access on iOS and macOS

[01:49:07] [Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation

[01:54:21] Physically Realizable Adversarial Examples for LiDAR Object Detection

[02:01:39] Attack matrix for Kubernetes

[02:03:34] Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln

[02:04:13] Tale of two hypervisor bugs - Escaping from FreeBSD bhyve

[02:08:21] So you want to be a web security researcher?

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
2h 11min
March 31, 2020A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR
Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few others vulnerabilities impacting Windows, Pi-Hole and Netflix. And end by looking at Window's new hardware enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux.
[00:01:18] The Netflix account compromise Bugcrowd doesn't want you to know about
https://bugcrowd.com/netflix
[00:16:21] Where is my Train : Tracking to Hacking

[00:22:59] Intel SGX removed from Rocket Skylake-S CPUs

[00:28:17] Type 1 Font Parsing Remote Code Execution Vulnerability

[00:33:41] Configuration Overwrite in IBM Cognos TM1 [CVE-2019-4716]

[00:42:19] Remote Code Execution Through .LNK Files [CVE-2020-0729]

[00:53:15] Pi-hole Remote Code Execution [CVE-2020-8816]

[01:03:14] NordVPN - Unauthorized User Can Delete Any User Account

[01:09:33] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
https://blockchain-ctf.securityinnovation.com/#/
[01:20:01] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns

[01:20:28] Understanding Hardware-enforced Stack Protection
https://windows-internals.com/cet-on-windows/
[01:32:21] [RFC PATCH 00/11] Finer grained kernel address space randomization - Kristen Carlson Accardi
https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/
[01:42:14] Slayer Labs
https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 49min
March 24, 2020Pwn2Own Results, Voatz (again), some web-exploits and a code-reuse mitigation
More discussion about election hacking with Voatz undergoing a more complete security assessment, we also discuss a few interesting web attacks and end with a good discussion about a new code-reuse mitigation: Hurdle.
[00:00:20] Learn Exploit Development While Not Dying

[00:02:10] Exploit Education

[00:07:32] Pwn2Own Results
https://www.zerodayinitiative.com/blog/2020/3/19/pwn2own-2020-day-one-results
[00:16:19] DEF CON CTF 2020 QUALS COVID-19 DELAY

[00:22:30] Software Engineer - Jobs at Apple

[00:30:56] Tesla Model 3 Denial of Service Vulnerability [CVE-2020-10558]

[00:36:26] Trail of Bits - Voatz Security Review

[01:01:49] XXE-scape through the front door: circumventing the firewall with HTTP request smuggling

[01:08:12] Don't Clone That Repo: Visual Studio Code^2 Execution
https://github.com/doyensec/VSCode_PoC_Oct2019/

https://github.com/doyensec/VSCode_PoC_Oct2019/blob/master/.vscode/settings.json

https://github.com/doyensec/VSCode_PoC_Oct2019/commit/19b4687259bd5d1821525a3ebbe6aa76618359c3#diff-62b00de1d62bb867ef03dec7057712f1R50
[01:14:22] [Hacker101] Race Condition leads to undeletable group member

[01:19:58] JavaScript without parentheses using DOMMatrix
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked
[01:24:21] Hurdle: Securing Jump Instructions Against Code Reuse Attacks
https://www.youtube.com/watch?v=qFWTZ2zZ1XQ

http://se.ri0.us/2020-03-23-110829182-9e1b1.png
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 41min
March 17, 2020How to Hack a CTF and more (LVI, TRRespass and some web-exploits)
Start off by looking at a few Google Cloud attacks, a couple named vulns (LVI: Load Value Injection, and TRRespass) and then into some web-focused exploits including how to hack a CTF.
[00:00:15] P2O Vancouver now remote-only

[00:04:10] Announcing our first GCP VRP Prize winner and updates to 2020 program
https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/
[00:18:36] Whisper has exposed all user information

[00:28:10] LVI: Hijacking Transient Execution with Load Value Injection

[00:39:13] TRRespass: Exploiting the Many Sides ofTarget Row Refresh

[00:47:17] The unexpected Google wide domain check bypass

[00:56:34] Facebook OAuth Framework Vulnerability

[01:06:36] JSON CSRF with method override technique

[01:13:20] Breaking the Competition

[01:23:26] [Slack] TURN server allows TCP and UDP proxying to internal network

[01:26:08] [Slack] HTTP Request Smuggling to steal session cookies

[01:30:46] [Slack] DTLS uses a private key that is in the public domain

[01:32:55] [htmr] DOM-based XSS

[01:42:08] A Compiler Assisted Scheduler for Detecting and Mitigating Cache-Based Side Channel Attacks

[01:50:00] Bypassing memory safety mechanisms through speculative control flow hijacks

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])
...more
1h 58min

FAQs about Day[0]:

How many episodes does Day[0] have?

The podcast currently has 282 episodes available.

More shows like Day[0]

Critical Thinking - Bug Bounty Podcast by Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

Critical Thinking - Bug Bounty Podcast

56 Listeners