PT SWARM
Positive Technologies Offensive Team: twitter.com/ptswarm

This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting
1-Click RCE in TikTok for Android by @dPhoeniixx

Bugs:
1. Universal XSS on TikTok WebView
2. Another XSS on AddWikiActivity
3. Start Arbitrary Components
4. Zip Slip in TmaTestActivity
5. RCE!

https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105
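Added example (ours, not code from the write-up or from TikTok): the Zip Slip check an unpacker needs before writing any entry, in Python rather than the app's Java. An archive entry named with `../` segments or an absolute path is resolved against the extraction directory and rejected if it lands outside it; the archive is refused as a whole before anything touches the disk. The archives and entry names are constructed for the demo.

```python
import io
import os
import zipfile


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Resolve one archive entry name under dest_dir, or raise ValueError if it
    would land outside it (the Zip Slip pattern: '../' segments or absolute names)."""
    dest_dir = os.path.realpath(dest_dir)
    # Entry names use '/', but archives built on Windows can carry '\'; fold
    # both so "..\\x" is not mistaken for a plain file name.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute path in archive entry: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_dir, name))
    if os.path.commonpath([dest_dir, target]) != dest_dir:
        raise ValueError(f"path traversal in archive entry: {member_name!r}")
    return target


def check_archive(zip_bytes: bytes, dest_dir: str) -> bool:
    """Dry run over every entry; True only if all of them resolve inside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_member_path(dest_dir, info.filename)
            except ValueError:
                return False
    return True


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an archive, rejecting it as a whole (before writing anything)
    if any entry escapes dest_dir. Returns the absolute paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = [(info, safe_member_path(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed test archive from {entry name: content}; zipfile does not
    sanitise names on write, so traversal entries survive as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


BENIGN = build_zip({"assets/app.js": b"console.log(1)"})
# The second entry would be written two directories above the extraction dir.
MALICIOUS = build_zip({"assets/app.js": b"x", "../../evil.so": b"\x7fELF"})

if __name__ == "__main__":
    print("benign archive accepted:", check_archive(BENIGN, "/tmp/unpack"))
    print("malicious archive accepted:", check_archive(MALICIOUS, "/tmp/unpack"))
```

The check is done on the resolved path, not on the entry string, so `a/../../b` and `..\..\b` are caught the same way as a plain `../b`. Symlink entries are a separate concern: `zipfile` writes them as regular files, but an unpacker that recreates links needs the same containment check on the link target.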
"H2C Smuggling in the Wild" by @seanyeoh takes a look at real-world WAF, routing, and access-control bypasses in different cloud environments.

Contents:
• HTTP2 Over Cleartext (H2C)
• Exploitation
• Cloudflare
• Azure
• Google Cloud Platform
• Other Cloud Providers
• Takeaways on Security Research
• Assetnote

https://blog.assetnote.io/2021/03/18/h2c-smuggling/
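Added example (ours, not from the Assetnote post): the H2C trick depends on a front end forwarding the client's hop-by-hop `Upgrade: h2c` and `HTTP2-Settings` headers to a backend that honours them; once the backend answers 101, the front end tunnels the connection and the HTTP/2 requests inside it never pass its routing or access-control rules. The snippet builds the upgrade request a client sends, recognises it, and shows the header stripping a proxy should apply before forwarding. The host name is made up.

```python
import base64
import struct

# Hop-by-hop headers a proxy must not forward (RFC 7230 §6.1), plus the h2c
# upgrade carrier defined in RFC 7540 §3.2.1.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding",
              "te", "trailer", "upgrade", "http2-settings"}


def parse_headers(raw: bytes) -> list:
    """Parse a raw HTTP/1.1 request head into [(name, value)] pairs, order kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def h2c_upgrade_request(host: str, path: str = "/") -> bytes:
    """The cleartext upgrade request a smuggling client sends. HTTP2-Settings
    carries a base64url-encoded SETTINGS frame payload; one parameter
    (SETTINGS_ENABLE_PUSH = 0) is enough for the demo."""
    settings_payload = struct.pack("!HI", 0x2, 0)
    settings_b64 = base64.urlsafe_b64encode(settings_payload).rstrip(b"=").decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade, HTTP2-Settings\r\n"
        "Upgrade: h2c\r\n"
        f"HTTP2-Settings: {settings_b64}\r\n"
        "\r\n"
    ).encode()


def is_h2c_upgrade(headers: list) -> bool:
    """True if the request asks the receiver to switch to HTTP/2 cleartext."""
    tokens = {
        tok.strip().lower()
        for name, value in headers if name.lower() == "upgrade"
        for tok in value.split(",")
    }
    return "h2c" in tokens


def sanitize_for_forwarding(headers: list) -> list:
    """What a safe reverse proxy forwards: drop hop-by-hop headers and every
    header named in Connection, so the backend never sees the h2c upgrade.
    (Allowing Upgrade for WebSocket would be a separate, explicit rule.)"""
    named_in_connection = {
        tok.strip().lower()
        for name, value in headers if name.lower() == "connection"
        for tok in value.split(",")
    }
    drop = HOP_BY_HOP | named_in_connection
    return [(n, v) for n, v in headers if n.lower() not in drop]


if __name__ == "__main__":
    req = h2c_upgrade_request("victim.example", "/admin")
    hdrs = parse_headers(req)
    print("upgrade request:", is_h2c_upgrade(hdrs))
    print("forwarded headers:", sanitize_for_forwarding(hdrs))
```

Checking a front end is the same exercise from the other side: send `h2c_upgrade_request` through it and see whether the backend's `101 Switching Protocols` comes back. If it does, the front end forwarded the upgrade and will tunnel whatever follows.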
Three brand-new OAuth2 and OpenID Connect vulnerabilities discovered by @artsploit, with demos on the MITREid Connect and ForgeRock OpenAM implementations.

Contents:
• Dynamic Client Registration - SSRF by design (CVE-2021-26715)
• "redirect_uri" Session Poisoning (CVE-2021-27582)
• "/.well-known/webfinger" makes all user names well-known

https://portswigger.net/research/hidden-oauth-attack-vectors
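Added example (ours, not from the PortSwigger research): the two server-side checks the first two items call for. Dynamic client registration lets an unauthenticated caller hand the server URIs that it later fetches, so each such URI is validated against internal targets before registration is accepted; and the `redirect_uri` from an authorization request is matched exactly against the client's registered list before anything is stored in the session. Which fields a given server fetches, and the blocked-host list, are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Registration fields this (hypothetical) server fetches server-side, hence
# SSRF targets. Adjust to what the implementation actually dereferences.
FETCHED_URI_FIELDS = ("logo_uri", "jwks_uri", "sector_identifier_uri")
FETCHED_URI_LIST_FIELDS = ("request_uris",)
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}   # illustrative


def host_is_internal(host: str) -> bool:
    """Reject loopback/private/link-local literals and well-known internal names.
    This is a literal-IP check only: a hostname that resolves to an internal
    address must also be checked at connect time (DNS rebinding), which an
    offline validator cannot do."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False                      # a name, not a literal address
    return not ip.is_global


def uri_is_fetchable_safely(uri: str) -> bool:
    """https only, with a host, no userinfo (https://user@internal tricks),
    and not pointing at something internal."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    return not host_is_internal(parts.hostname)


def validate_registration(payload: dict) -> list:
    """Names of the fields rejected from a dynamic client registration request."""
    bad = []
    for field in FETCHED_URI_FIELDS:
        if field in payload and not uri_is_fetchable_safely(payload[field]):
            bad.append(field)
    for field in FETCHED_URI_LIST_FIELDS:
        if any(not uri_is_fetchable_safely(u) for u in payload.get(field, [])):
            bad.append(field)
    return bad


def resolve_redirect_uri(registered: list, requested: str):
    """Exact string match against the client's registered list, evaluated
    before anything is written to the session, so a rejected request cannot
    leave a poisoned redirect_uri behind for a later, valid flow."""
    return requested if requested in registered else None


if __name__ == "__main__":
    print(validate_registration({"logo_uri": "https://169.254.169.254/latest/meta-data",
                                 "jwks_uri": "https://client.example/jwks.json"}))
    print(resolve_redirect_uri(["https://client.example/cb"], "https://client.example/cb/../x"))
```

Exact matching is what keeps the second check simple: prefix or pattern matching of `redirect_uri` is its own well-known source of open redirects, and it is also what makes a poisoned session value exploitable.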
Rocket.Chat fixed a persistent XSS found by our researcher Igor Sak-Sakovskiy.

The vulnerability was triggered by sending a text message, resulting in an arbitrary file read or RCE on the recipient's desktop system.

https://hackerone.com/reports/1014459
This blog post will describe a class of vulnerability detected in several SSO services assessed by NCC Group, specifically affecting Security Assertion Markup Language (SAML) implementations. The flaw could allow an attacker to modify SAML responses generated by an Identity Provider, and thereby gain unauthorized access to arbitrary user accounts, or to escalate privileges within an application.

Exploit techniques:
• Attribute injections – where the injection occurs in a SAML attribute associated with the account in the Identity Provider.
• InResponseTo injections – where the injection affects the “InResponseTo” attribute of the SAML response.

https://research.nccgroup.com/2021/03/29/saml-xml-injection/
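Added example (ours, not from the NCC Group post): a string-templated assertion builder next to the same assertion built with ElementTree, both fed an attribute value and an `InResponseTo` value that carry markup. In the templated version the markup becomes real elements (a second attribute, a second `SubjectConfirmationData`); in the escaped version it stays character data. Since the injection happens while the IdP is generating the assertion, i.e. before it signs it, the signature alone does not catch this. Names and payloads are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def q(tag: str) -> str:
    """Clark-notation name for ElementTree lookups."""
    return f"{{{SAML_NS}}}{tag}"


def build_assertion_vulnerable(subject, attributes, in_response_to) -> str:
    """String-templated assertion: values copied from the user store and from
    the AuthnRequest ID are concatenated into the XML without escaping."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f'</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
        f'<saml:NameID>{subject}</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>'
    )


def build_assertion_safe(subject, attributes, in_response_to) -> str:
    """Same document built as a tree: ElementTree escapes <, >, & in text and
    additionally " in attribute values, so injected markup stays literal."""
    assertion = ET.Element(q("Assertion"))
    subj = ET.SubElement(assertion, q("Subject"))
    ET.SubElement(subj, q("NameID")).text = subject
    conf = ET.SubElement(subj, q("SubjectConfirmation"))
    ET.SubElement(conf, q("SubjectConfirmationData")).set("InResponseTo", in_response_to)
    stmt = ET.SubElement(assertion, q("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, q("Attribute"))
        attr.set("Name", name)
        ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(xml_text: str):
    """What a service provider would read back: {attribute name: [values]}
    and the list of InResponseTo values present."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.findall(q("AttributeValue"))]
             for a in root.iter(q("Attribute"))}
    in_response_to = [d.get("InResponseTo") for d in root.iter(q("SubjectConfirmationData"))]
    return attrs, in_response_to


# Constructed payloads: the first sits in a profile field the user can edit at
# the IdP, the second is the ID of an AuthnRequest the attacker crafted.
ATTRIBUTE_PAYLOAD = (
    'alice</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="role"><saml:AttributeValue>admin'
)
IN_RESPONSE_TO_PAYLOAD = '_req1"/><saml:SubjectConfirmationData InResponseTo="_req2'

if __name__ == "__main__":
    for builder in (build_assertion_vulnerable, build_assertion_safe):
        doc = builder("alice@example.com", {"displayName": ATTRIBUTE_PAYLOAD}, IN_RESPONSE_TO_PAYLOAD)
        print(builder.__name__, parse_assertion(doc))
```

The quickest audit on an IdP is therefore to put `"` and `</saml:AttributeValue>` into every profile field that ends up in an assertion and into the AuthnRequest ID, then look at the generated response: escaped entities mean the serializer is doing its job; extra elements mean string concatenation.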
VMware fixed CVE-2021-21975 and CVE-2021-21983, which, when chained together, lead to unauthenticated RCE in vRealize Operations.

The vulnerabilities were found by our researcher Egor Dimitrenko.

Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0004.html
VMware fixed an authentication bypass (CVE-2021-21982) in the Carbon Black Cloud Workload appliance found by our researcher Egor Dimitrenko.

CVSS: 9.1

Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0005.html
Wormable 0-click macOS Mail arbitrary file write by @Turmio_. It allowed modification of the victim's Mail configuration, e.g. setting up mail redirects to capture password-recovery messages, disclosure of sensitive information, and self-propagation via the mail signature.

https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c
"Who Contains the Containers" - @tiraniddo discovered 4 Windows Server Container jailbreaks; Microsoft does NOT support them as a security boundary.

Contents:
• Windows Containers Background
• Origins of the Research
• Research Process
• A Little Bit of Reverse Engineering
• Chaining the Exploits
• Getting the Issues Fixed
• Conclusions

https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
YouTube private & unlisted video leak found by @xdavidhu (bug bounty write-up). All of the juicy technical details, bound together with the thought process behind finding the bug:

https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/
Contextual Content Discovery, presented at BSides Canberra, 2021.

The Assetnote team revealed their research into a novel approach to content discovery, complete with a new wordlist and a new tool.

Contents:
• Overview
• What’s wrong with content discovery?
• Content discovery tools over the years
• The lightbulb moment
• Data collection
• Finding APIs worth bruteforcing
• Preliminary results
• How do I use the tool?
• Conclusion
• Credits

https://blog.assetnote.io/2021/04/05/contextual-content-discovery/
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3

@HawaiiFive0day got RCE on his brand-new Tesla thanks to Chrome's patch gap, by porting an @Exodusintel Google Chrome exploit. A sandbox escape is in the works!

Contents:
• Identifying and building the vulnerable V8
• Sidebar: Changing commits
• Running the exploit
• Why doesn’t it work?
• Troubleshooting with git bisect
• Pointer Compression
• Starting from scratch
• Building fakeobj
• Expanding to arbitrary read/write
• Disassembling a JIT-compiled function, with a surprise
• Running shellcode via WebAssembly
• Further Improvements
• Conclusion

https://leethax0.rs/2021/04/ElectricChrome/
New article "From 0 to RCE: Cockpit CMS" by our researcher Nikita Petrov.

The story of discovering an unauth NoSQL injection and abusing it to retrieve admin hashes, change passwords, and execute commands!

https://swarm.ptsecurity.com/rce-cockpit-cms/
Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.

Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074

https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/
1-Click RCE on Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble via user-supplied URLs by @positive_sec.

Contents:
• Introduction
• Root cause: user-supplied URLs opened by the OS
• Finding vulnerable features is straightforward
• Operating systems and desktop environments have different URL opening behaviors
• Windows 10 19042
• Xubuntu 20.04
• Other Linux Operating Systems + Snap
• Mac (Catalina 10.15.6)
• Vulnerabilities
• Nextcloud
• Telegram
• VLC
• Open-/LibreOffice
• Mumble
• Bitcoin/Dogecoin Wallets
• Wireshark
• Bonus-Vulnerability: WinSCP
• Systematic mitigation requires contributions from OS, Framework, and Application maintainers
• Conclusion

https://positive.security/blog/url-open-rce
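Added example (ours, not from the positive.security post): the application-side mitigation the post's root cause points at, a scheme allow-list applied before a desktop app hands a user-supplied URL to the platform opener (ShellExecute, xdg-open, NSWorkspace). `ALLOWED_SCHEMES` and the rejection rules below are assumptions for a hypothetical app; which further schemes and path forms are dangerous differs per OS and desktop environment, as the post walks through.

```python
import re
from urllib.parse import urlsplit

# Schemes this (hypothetical) desktop app is willing to hand to the OS opener.
# Everything else (file:, smb:, UNC paths, custom handlers) is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def classify_url(url: str):
    """Return (allowed, reason) for a URL about to be passed to the platform
    opener. Checks are done on the raw string first, then on the parsed form."""
    if _CONTROL.search(url):
        # Leading/embedded whitespace and control characters change how some
        # openers recognise the scheme, so they are refused outright.
        return False, "control or whitespace character in URL"
    if url.startswith("\\\\") or url.startswith("//"):
        return False, "UNC or scheme-relative path"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    if scheme in ("http", "https") and not parts.hostname:
        return False, "no host"
    return True, "ok"


def open_url_safely(url: str, opener) -> bool:
    """Hand the URL to opener(url) only if it passes; returns whether it did.
    opener stands in for QDesktopServices::openUrl / ShellExecute / xdg-open."""
    allowed, _ = classify_url(url)
    if allowed:
        opener(url)
    return allowed


if __name__ == "__main__":
    for candidate in ("https://example.com/docs", "mailto:alice@example.com",
                      "file:///etc/passwd", "smb://attacker.example/share/evil.desktop",
                      "\\\\attacker.example\\share\\evil.exe", "C:\\Windows\\System32\\calc.exe",
                      " http://example.com"):
        print(f"{candidate!r:50} -> {classify_url(candidate)}")
```

The allow-list is deliberately the whole decision: trying to enumerate the dangerous schemes instead is what fails across OSes, since each platform registers different handlers and parses the string differently before the app ever sees the result.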
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027).

TL;DR: leak external storage (/sdcard), remotely collect TLS cryptographic material, MitM WhatsApp communications, get RCE on the victim's device, and extract the keys used for end-to-end encrypted user communications.

Contents:
• Intro
• The Android Media Store Content Provider
• The Chrome CVE-2020-6516 Same-Origin-Policy bypass
• Session Resumption and Pre-Shared Keys in TLS 1.3
• Session Resumption and the Master Secret in TLS 1.2
• The WhatsApp TLS Man-in-the-Disk Vulnerabilities
• From TLS secrets collection to Remote Code Execution
• Stealing the victim's Noise protocol key pair
• Conclusion and future work
• References

https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" by @moxie.

What happens when a data extraction application falls under security scrutiny? Multiple exploits challenging the product's business model, possible copyright infringement, and a sassy tongue-in-cheek narration of events.

Contents:
• The background
• The rite place at the Celleb…rite time
• The software
• The exploits
• The copyright
• The completely unrelated

https://signal.org/blog/cellebrite-vulnerabilities/
"All Your Macs are belong to us" by @objective_see - how and why an unsigned, unnotarized, script-based proof-of-concept application could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system, reverting protection against running malicious code to a pre-2007 state.

Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions

https://objective-see.com/blog/blog_0x64.html
Cisco fixed an unauthenticated DoS in Adaptive Security Appliance and Firepower Threat Defense found by our researcher Nikita Abramov.

Assigned CVEs: CVE-2021-1445, CVE-2021-1504

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
"Detecting and annoying Burp users" by @dustriorg

Some fun and innovative ways to keep pesky Burp users at bay.

Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder

https://www.dustri.org/b/detecting-and-annoying-burp-users.html
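Added example (ours, not from the dustri.org post): the JA3 fingerprint that one of the listed detections relies on, computed from a TLS ClientHello: the MD5 of `version,ciphers,extensions,groups,point-formats`, with GREASE values dropped. Both ClientHellos are constructed for the demo. The point is that an intercepting proxy terminates TLS and opens its own upstream connection, so the hello the server sees comes from the proxy's TLS stack rather than the browser's, and the two fingerprint differently.

```python
import hashlib
import struct


def _is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def ja3_from_client_hello(record: bytes):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    extensions, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        extensions.append(etype)
        if etype == 0x000a:                     # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000b:                   # ec_point_formats
            formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(str(x) for x in xs if not _is_grease(x))
    ja3 = ",".join([str(version), dash(ciphers), dash(extensions), dash(groups),
                    "-".join(str(x) for x in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(ciphers, extensions) -> bytes:
    """Assemble a minimal ClientHello record (TLS 1.2 version field, zero random,
    empty session id) around the given ciphers and [(type, body)] extensions."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    ex = b"".join(_ext(t, d) for t, d in extensions)
    body += struct.pack("!H", len(ex)) + ex
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed: a browser-style hello with GREASE, TLS 1.3 suites, SNI and ALPN...
BROWSER_LIKE = build_client_hello(
    [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    [
        (0x1a1a, b""),                                                  # GREASE
        (0x0000, struct.pack("!HBH", 14, 0, 11) + b"example.com"),     # server_name
        (0x000a, struct.pack("!HHHHH", 8, 0x0a0a, 0x001d, 0x0017, 0x0018)),  # groups
        (0x000b, b"\x01\x00"),                                          # point formats
        (0x000d, struct.pack("!HHH", 4, 0x0403, 0x0804)),               # sig algs
        (0x0010, struct.pack("!HB", 3, 2) + b"h2"),                     # ALPN h2
    ],
)
# ...and a plainer hello of the kind a proxy's upstream TLS stack might send.
PROXY_LIKE = build_client_hello(
    [0xc02f, 0x009c, 0x002f],
    [(0x000a, struct.pack("!HH", 2, 0x0017)), (0x000b, b"\x01\x00")],
)

if __name__ == "__main__":
    for name, hello in (("browser-like", BROWSER_LIKE), ("proxy-like", PROXY_LIKE)):
        print(name, *ja3_from_client_hello(hello))
```

JA3 is a heuristic: it keys on the hello's shape, so a proxy that mimics a browser's cipher and extension ordering evades it, and legitimate clients behind corporate TLS inspection collide with it. It is a useful signal for spotting an interception layer, not proof of one.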