Day[0]

dayzerosec

icon
Unsubscribe
icon
Unsubscribe
Monthly+
 
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
 
A special episode this week, featuring an interview with John Carse, Chief Information Security Officer (CISO) of SquareX. John speaks about his background in the security industry, grants insight into attacks on browsers, and talks about the work his team at SquareX is doing to detect and mitigate browser-based attacks.…
 
A long episode this week, featuring an attack that can leak secrets from Gemini's Python sandbox, banks abusing private iOS APIs, and Windows' new Hypervisor-enforced Paging Translation (HVPT). Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/280.html [00:00:00] Introduction [00:00:18] Doing the Due…
 
API hacking and bypassing Ubuntu's user namespace restrictions feature in this week's episode, as well as a bug in CimFS for Windows and revisiting the infamous NSO group WebP bug. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/279.html [00:00:00] Introduction [00:00:28] Next.js and the corrupt m…
 
This episode features some game exploitation in Neverwinter Nights, weaknesses in mobile implementations of passkeys, and a bug that allows disclosure of the email addresses of YouTube creators. We also cover some research on weaknesses in Azure. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/278…
 
Discussion this week starts with the ESP32 "backdoor" drama that circled the media, with some XML-based vulnerabilities in the mix. Finally, we cap off with a post on reviving modprobe_path for Linux exploitation, and some discussion around an attack chain against China that was attributed to the NSA. Links and vulnerability summaries for this epis…
 
A very technical episode this week, featuring some posts on hacking the Xbox 360 hypervisor as well as AMD microcode hacking. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/276.html [00:00:00] Introduction [00:00:15] Reversing Samsung's H-Arx Hypervisor Framework - Part 1 [00:10:34] Hacking the X…
 
This week's episode features a variety of vulnerabilities, including a warning on mixing up public and private keys in OpenID Connect deployments, as well as path confusion with an nginx+apache setup. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/275.html [00:00:00] Introduction [00:19:00] The O…
 
We discuss an 0day that was dropped on Parallels after 7 months of no fix from the vendor, as well as ZDI's troubles with responses to researchers and reproducing bugs. Also included are a bunch of filesystem issues, and an insanely technical linux kernel exploit chain. Links and vulnerability summaries for this episode are available at: https://da…
 
We cover a comical saga of vulnerabilities and variants from incomplete fixes in macOS, as well as a bypass of Chrome's MiraclePtr mitigation against Use-After-Frees (UAFs). We also discuss an attack that abuses COM hijacking to elevate to SYSTEM through AVG Antivirus, and a permissions issue that allows unauthorized access to DRM'd audiobooks. Lin…
 
In this episode, we discuss the US government disclosing how many 0-days were reported to vendors in a first-ever report. We also cover PortSwigger's top 10 web hacking techniques of 2024, as well as a deep dive on how kernel mode shadow stacks are implemented on Windows by Connor McGarr. Links and vulnerability summaries for this episode are available…
 
On the web side, we cover a PortSwigger post on ways of abusing Unicode mishandling to bypass firewalls and a Doyensec guide to OAuth vulnerabilities. We also get into a Windows exploit for a use-after-free in the telephony service that bypasses Control Flow Guard, and a data race due to non-atomic writes in the macOS kernel. Links and vulnerabilit…
 
Zero Day Initiative posts their trends and observations from their threat hunting highlights of 2024, macOS has a sysctl bug, and a technique leverages Cloudflare to deanonymize users on messaging apps. PortSwigger also publishes a post on the Cookie Sandwich technique, and Subaru's weak admin panel security allows tracking and controlling other pe…
 
This week features a mix of topics, from polyglot PDF/JSON to Android kernel vulnerabilities. Project Zero also publishes a post about excavating an exploit strategy from crash logs of an In-The-Wild campaign. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/269.html [00:00:00] Introduction [00:07:…
 
Specter and zi discuss their winter break, cover some interesting CCC talks, and discuss the summary judgement in the WhatsApp vs. NSO Group case. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/268.html [00:00:00] Introduction [00:09:53] 38C3: Illegal Instructions [00:35:38] WhatsApp v. NSO Group…
 
In our last episode of 2024, we delve into some operating system bugs in both Windows and Linux, as well as some bugs that are not bugs but rather AI slop. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/267.html [00:00:00] Introduction [00:06:48] Buffer Overflow Risk in Curl_inet_ntop and inet_nt…
 
This week's episode contains some LLM hacking and attacks on classifiers, as well as the renewal of DMA attacks with SD Express and the everlasting problems of null bytes. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/266.html [00:00:00] Introduction [00:00:31] Hacking 2024 by No Starch [00:09:1…
 
A short episode this week, featuring Keyhole, which abuses a logic bug in Windows Store DRM, an OAuth flow issue, and a CSRF protection bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/265.html [00:00:00] Introduction [00:00:16] Attacking Hypervisors From KVM to Mobile Security Platforms [00…
 
Linux userspace is still a mess and has some bad bugs in root utilities, and Vaultwarden has an interesting auth bypass attack. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/264.html [00:00:00] Introduction [00:00:29] LPEs in needrestart [Ubuntu] [00:18:41] Vulnerability Disclosure: Authenticati…
 
This week, we dive into some changes to V8CTF, the FortiJump Higher bug in Fortinet's FortiManager, as well as some coverage instrumentation on blackbox macOS binaries via Pishi. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/263.html [00:00:00] Introduction [00:00:25] V8 Sandbox Bypass Rewards […
 
Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1…
 
In this week's episode, we talk a little bit about LLMs and how they can be used with static analysis. We also cover GitHub Security Blog's post on attacking browser extensions, as well as a somewhat controversial CyberPanel Pre-Auth RCE that was disclosed. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/…
 
In this week's episode, Specter recaps his experiences at Hardwear.IO and a PS5 hypervisor exploit chain presented there. We also cover some of the recently released DEF CON 32 talks. After the conference talk, we get into some filesystem exploit tricks and how arbitrary file write can be taken to code execution in read-only environments. Links and…
 
In this week's episode, we cover the fiasco of a vulnerability in Zendesk that could allow intrusion into multiple Fortune 500 companies. We also discuss a Project Zero blog post that talks about fuzzing dav1d and the challenges of fuzzing, as well as rooting Linux via EMFI with a lighter. Links and vulnerability summaries for this episode are avail…
 
In our summer recap, we discuss Phrack's latest issue and talks from the new Off-by-One conference. We also cover some interesting bugs, such as a Factorio Lua RCE and another RCE via iconv. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/258.html [00:00:00] Introduction [00:01:06] Getting Started…
 
In this week's episode, we cover an attack utilizing HSTS for exploiting Android WebViews and abusing YouTube embeds in Google Slides for clickjacking. We also talk about the infamous CUPS attack, and the nuances that seem to be left behind in much of the discussion around it. Links and vulnerability summaries for this episode are available at: htt…
 
In this week's episode, we discuss Microsoft's summit with vendors on their intention to lock down the Windows kernel from endpoint security drivers and possibly anti-cheats. We also talk cryptography and about the problems of nonce reuse. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/256.html […
 
We are back and testing out a new episode format focusing more on discussion than summaries. We start by talking a bit about the value of learning hacking by iterating on the same exploit and challenging yourself as a means of practicing the creative parts of exploitation. Then we dive into the recent Intel SGX fuse key leak, talk a bit about what it …
 
Memory corruption is a difficult problem to solve, but many, such as CISA, are pushing for moves to memory-safe languages. How viable is rewriting compared to mitigating? Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html [00:00:00] Introduction [00:01:12] Clarifying Scope & Short/Long Term [0…
 
Change is in the air for the DAY[0] podcast! In this episode, we go into some behind the scenes info on the history of the podcast, how it's evolved, and what our plans are for the future. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/253.html [00:00:00] Introduction [00:01:30] Early days of the …
 
A bit of a lighter episode this week, with a Linux kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html [00:00:00] Introduction [00:00:29] KASLR bypass in privilege-less containers [00:13:13] Two Bytes is Plenty: FortiGate RCE with…
 
In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a CRLF injection in .NET's FTP functionality is detailed. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html [00:00:00] Introduction [00:00:20] Making Desync attacks easy with TR…
 
In this episode we have a libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html [00:00:00] Introduction [00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-20…
 
In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html [00:00:00] Introduction [00:00:31] Binary Ninja Free [00:10:25] K…
 
A shorter episode this week, featuring some vulnerabilities impacting Google's AI and a SAML auth bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/247.html [00:00:00] Introduction [00:00:31] We Hacked Google A.I. for $50,000 [00:17:26] SAML authentication bypass vulnerability in RobotsAndPe…
 
VirtualBox has a very buggy driver, PostgreSQL has an Out of Bounds Access, and lifetime issues are demonstrated in Rust in "safe" code. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/246.html [00:00:00] Introduction [00:00:22] cve-rs [00:18:28] Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Wr…
 
This week's episode features a cache deception issue, Joomla inheriting a PHP bug, and a DOM clobbering exploit. Also covered is a race condition in Chrome's extension API published by Project Zero. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/245.html [00:00:00] Introduction [00:00:21] Cache Dec…
 
Linux becomes a CNA and takes a stance on managing CVEs for themselves, and underutilized fuzzing strategies are discussed. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/244.html [00:00:00] Introduction [00:00:14] What to do about CVE numbers - The first article we bring up is the 2019 LWN artic…
 
In this bounty episode, some straightforward bugs were disclosed in Ghost CMS and ClamAV, and PortSwigger publishes their top 10 list of web hacking techniques from 2023. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/243.html [00:00:00] Introduction [00:02:15] Ghost CMS Stored XSS Leading to Owne…
 
Google makes some changes to their kCTF competition, and a few kernel bugs shake out of the LogMeIn and wlan VFS drivers. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/242.html [00:00:00] Introduction [00:00:29] Netfilter Tables Removed from kCTF [00:20:23] LogMeIn / GoTo LMIInfo.sys Handle Dupl…
 
DEF CON moves venues, the Canadian government moves to ban Flipper Zero, and some XSS issues affect Microsoft Whiteboard and Meta's Excalidraw. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/241.html [00:00:00] Introduction [00:00:33] DEF CON was canceled. [00:16:42] Federal action on combatting …
 
LibFuzzer goes into maintenance-only mode and syslog vulnerabilities plague some vendors in this week's episode. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/240.html [00:00:00] Introduction [00:00:20] LibFuzzer in Maintenance-only Mode [00:11:41] Heap-based buffer overflow in the glibc's sysl…
 
This week we have a crazy crypto fail where some Android devices had updates signed by publicly available private keys, as well as some Docker container escapes. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/239.html [00:00:00] Introduction [00:00:22] Missing signs: how several brands forgot to …
 
This week's binary episode features a range of topics from discussion on Pwn2Own's first automotive competition to an insane bug that broke ASLR on various Linux systems. At the lower level, we also have some bugs in UEFI, including one that can be used to bypass Windows Hypervisor Code Integrity mitigation. Links and vulnerability summaries for th…
 
A packed episode this week as we cover recent vulnerabilities from the last two weeks, including some IDORs, auth bypasses, and a HackerOne bug. Some fun attacks, such as a resurfacing of IDN homograph attacks and timing attacks, also appear. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/237.html [0…
 
A bit of a game special this week, with a Counter-Strike: Global Offensive vulnerability and an exploit for Factorio. We also have a Linux kernel bug and a Chromecast secure-boot bypass with some hardware hacking mixed in. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/236.html [00:00:00] Introdu…
 
A short bounty episode featuring some logic bugs in Apache OFBiz, a GitLab account takeover, and an unauthenticated RCE in Adobe ColdFusion. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html [00:00:00] Introduction [00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day [00:11:40] […
 
This week's highly technical episode has discussion around the exploitation of a libwebp vulnerability we covered previously, memory tagging (MTE) implementation with common allocators, and an insane iPhone exploit chain that targeted researchers. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/23…
 
Kicking off 2024 with a longer episode as we talk about auditing desktop applications (in the context of some bad reports to Edge). Then we've got a couple of fun issues with a client-side path traversal, and an information disclosure due to an HTTP 307 redirect. A bunch of issues in PandoraFMS, and finally some research about parser differentials …
 
In a bit of a rambling episode to finish off 2023, we talk about some Linux kernel exploitation research (RetSpill) and then get into several vulnerabilities: a type confusion in QNAP QTS5, a JavaScriptCore bug in Safari, and several issues in Steam's Remote Play protocol. Links and vulnerability summaries for this episode are available at: https://dayzer…