Day[0] dayzerosec
Technology
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Memory Corruption: Best Tackled with Mitigations or Safe-Languages
Memory corruption is a difficult problem to solve, and many, including CISA, are pushing for a move to memory-safe languages. How viable is rewriting compared to mitigating?
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html
[00:00:00] Introduction
[00:01:12] Clarifying Scope & Short/Long Term
[00:04:28] Mitigations
[00:15:37] Safe Languages Are Fallible
[00:21:20] Weaknesses & Evolution of Mitigations
[00:29:19] Rewriting and the Iterative Process
[00:34:55] The Rewriting Scalability Argument
[00:41:43] System vs App Bugs
[00:48:46] Mitigations & Rewriting Are Not Mutually Exclusive
[00:50:25] Corporate vs Open Source
[00:54:12] Generational Change
[00:56:18] Conclusion
Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
[discussion] A Retrospective and Future Look Into DAY[0]
Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html
[00:00:00] Introduction
[00:01:30] Early days of the DAY[0] podcast
[00:14:10] Split into bounty and binary episodes
[00:21:50] Novelty focus on topic selection
[00:30:47] Difficulties with the current format
[00:40:18] Change
[00:48:02] New direction for content
[00:57:42] Conclusions & Feedback
[binary] Bypassing KASLR and a FortiGate RCE
A bit of a lighter episode this week, with a Linux kernel ASLR bypass and a clever exploit to get RCE on FortiGate SSL VPN.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html
[00:00:00] Introduction
[00:00:29] KASLR bypass in privilege-less containers
[00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762
[00:19:32] Making Mojo Exploits More Difficult
[00:22:57] Robots Dream of Root Shells
[00:27:02] Gaining kernel code execution on an MTE-enabled Pixel 8
[00:28:23] SMM isolation - Security policy reporting (ISSR)
[bounty] RCE'ing Mailspring and a .NET CRLF Injection
In this week's bounty episode, an attack chain takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a CRLF injection in .NET's FTP functionality is detailed.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html
[00:00:00] Introduction
[00:00:20] Making Desync attacks easy with TRACE
[00:16:01] Reply to calc: The Attack Chain to Compromise Mailspring
[00:35:29] $600 Simple MFA Bypass with GraphQL
[00:38:38] Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability [CVE-2023-36049]
[binary] Future of Exploit Development Followup
In the 250th episode, we have a follow-up discussion to our "Future of Exploit Development" video from 2020. Memory safety and the impact of modern mitigations on memory corruption are the main focus.
[bounty] libXPC to Root and Digital Lockpicking
In this episode we have a libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html
[00:00:00] Introduction
[00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403]
[00:05:19] xpcroleaccountd Root Privilege Escalation [CVE-2023-42942]
[00:10:50] Bypassing the “run-as” debuggability check on Android via newline injection
[00:18:09] Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)
[00:43:06] Using form hijacking to bypass CSP
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9