A weekly podcast for bounty hunters, exploit developers or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Available episodes
5 of 214
[binary] Exploiting VMware Workstation and the Return of CSG0-Days
This week we've got a handful of low-level vulns: a VM escape, a Windows EoP, and a single IPv6 packet leading to a kernel panic/denial of service, plus one higher-level issue, a bug chain in CS:GO.
This is our final episode until September 25th as we will be heading off on our regular summer break.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/214.html
[00:00:00] Introduction
[00:01:12] Spot the Vuln - Reference Check
[00:06:56] Exploiting VMware Workstation at Pwn2Own Vancouver [CVE-2023-20869/20870]
[00:17:44] CS:GO: From Zero to 0-day
[00:30:27] CVE-2022-41073: Windows Activation Contexts EoP
[00:38:37] Linux IPv6 Route of Death 0day
[00:46:36] Google Chrome V8 ArrayShift Race Condition Remote Code Execution
[00:47:46] Specter Will Give Hardwear.IO PS5 Talk
[00:49:11] Resources while we are on break
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
25/05/2023
56:18
[bounty] Jellyfin Exploits and TOCTOU Spellcasting
Another bug bounty podcast, another set of vulnerabilities. Starting off with a desktop info-disclosure in KeePass2 that discloses master passwords to attackers (with a high level of access). A couple of Jellyfin bugs resulting in an RCE chain, and a pretty classic crypto issue that allowed for renting luxury cars for extremely cheap.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/213.html
[00:00:00] Introduction
[00:02:48] KeePass2 Password Disclosure
[00:10:10] Peanut Butter Jellyfin Time
[00:19:14] Abusing Time-Of-Check Time-Of-Use (TOCTOU) Race Condition Vulnerabilities in Games, Harry Potter Style
[00:22:19] Discovering a Hidden Security Loophole: Rent luxury Cars for a Single Dollar
[00:27:00] Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond
[00:35:28] Resources while we are on break
23/05/2023
47:10
[binary] Attacking VirtualBox and Malicious Chess
This week we've got a neat little printer corruption and a probably unexploitable Stockfish bug, though we speculate about exploitation a bit. Then into a VirtualBox escape bug, and an Adreno "vulnerability".
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/212.html
[00:00:00] Introduction
[00:01:31] Spot the Vuln - To Upload or Not To Upload
[00:05:25] The printer goes brrrrr, again!
[00:09:34] [Stockfish] Increase MAX_MOVES to prevent buffer overflow and stack corruption
[00:27:53] Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991
[00:37:09] Qualcomm Adreno/KGSL: secure buffers are addressable by all GPU users
[00:43:37] RET2ASLR - Leaking ASLR from return instructions
[00:46:13] Apple Fails to Fully Reboot iOS Simulator Copyright Case
18/05/2023
50:40
[bounty] OverlayFS to Root and Parallels Desktop Escapes
More bug bounty style bugs, but you'd be forgiven for reading that title and thinking we had a low-level focus this episode. We've got some awesome bugs this week though: tricking Dependabot, abusing placeholder values, and an IIS auth bypass. Ending off with a kernel bug (OverlayFS) and a VM escape (Parallels Desktop).
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/211.html
[00:00:00] Introduction
[00:00:28] Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot
[00:12:39] Placeholder for Dayzzz: Abusing placeholders to extract customer informations
[00:19:40] Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3
[00:33:44] PwnAssistant - Controlling /home's via a Home Assistant RCE
[00:39:26] The OverlayFS vulnerability [CVE-2023-0386]
[00:44:01] Escaping Parallels Desktop with Plist Injection
#BugBounty #BugHunting #InfoSec #CyberSec #Podcast
16/05/2023
49:17
[binary] TPMs and Baseband Bugs
This week we go a bit deeper than normal and look at some low-level TPM attacks to steal keys. We've got a cool attack that lets us leak a per-chip secret out of the TPM one byte at a time, and a post about reading BitLocker's secret off the SPI bus. Then we talk about several Shannon baseband bugs disclosed by Google's Project Zero.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/210.html
[00:00:00] Introduction
[00:01:14] Spot the Vuln - Sanitize Now or Later
[00:03:50] faulTPM: Exposing AMD fTPMs’ Deepest Secret
[00:18:33] Stealing the Bitlocker key from a TPM
[00:24:01] Shannon Baseband: Integer overflow when reassembling IPv4 fragments