Fake Vulns, More Valve, and an AWS Cognito issue

Kicking off the week with some awesome vulns, an "almost" padding oracle in Azure Functions, a race-condition in AWS Cognito, some sound engine bugs, and a Foxit Reader Use-after-free.

[00:00:52] Arbitrary Code Execution in the Universal Turing Machine [CVE-2021-32471]

• Our discussion of this topic was probably a bit premature and there does seem to be a bit more to it than the title implied. Still no real-world impact, but a bit more interesting of situation none-the-less.
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32471
• https://arxiv.org/abs/2105.02124

[00:03:18] Detecting and annoying Burp users

• https://dustri.org/b/detecting-and-annoying-burp-users.html
• https://www.youtube.com/watch?v=I3pNLB3Cq24

[00:08:08] Enabling Hardware-enforced Stack Protection (cetcompat) in Chrome

• https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html

[00:13:00] Password reset code brute-force vulnerability in AWS Cognito

• https://www.pentagrid.ch/en/blog/password-reset-code-brute-force-vulnerability-in-AWS-Cognito/

[00:16:52] ASUS GT-AC2900 Authentication Bypass [CVE-2021-32030]

• https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass

[00:20:10] The False Oracle - Azure Functions Padding Oracle Issue

• https://polarply.medium.com/the-false-oracle-azure-functions-padding-oracle-issue-2025e0e6b8a

[00:25:30] How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit

• https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html

[00:38:01] Workplace by Facebook | Unauthorized access to companies environment

• https://mvinni.medium.com/workplace-by-facebook-unauthorized-access-to-companies-environment-27-5k-a593a57092f1

[00:42:39] Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida

• https://ctf.re//source-engine/exploitation/2021/05/01/source-engine-2/
• https://phoenhex.re/2018-08-26/csgo-fuzzing-bsp

[00:53:11] [Valve] OOB reads in network message handlers leads to RCE

• https://hackerone.com/reports/807772

[01:01:07] Security probe of Qualcomm MSM data services

• https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/

[01:05:17] Foxit Reader FileAttachment annotation use-after-free vulnerability

• https://talosintelligence.com/vulnerability_reports/TALOS-2021-1287

[01:09:45] Attack llvmpipe Graphics Driver from Chromium

• https://insinuator.net/2021/05/attack-llvmpipe-graphics-driver-from-chromium/

[01:16:00] Privilege Escalation Via a Use After Free Vulnerability In win32k [CVE-2021-26900]

• https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k

[01:26:25] 21Nails: Multiple vulnerabilities in Exim

• https://www.qualys.com/2021/05/04/21nails/21nails.txt

[01:27:22] nRF52 Debug Resurrection (APPROTECT Bypass)

• https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/

[01:28:56] Capture The Flag - Discussion Video

• https://www.youtube.com/watch?v=4u5MDsIfQM8

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)

Or the video archive on Youtube (@dayzerosec)