VMware fixed CVE-2021-21975 and CVE-2021-21983, which when chained together lead to an unauth RCE in vRealize Operations.
The vulnerabilities were found by our researcher Egor Dimitrenko.
Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0004.html
VMware fixed an authentication bypass (CVE-2021-21982) in the Carbon Black Cloud Workload appliance, found by our researcher Egor Dimitrenko.
CVSS: 9.1
Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0005.html
Wormable 0-click macOS Mail arbitrary file write by @Turmio_. It allowed modification of the victim's Mail configuration, e.g. setting mail redirects for password recovery, sensitive information disclosure, and self-propagation via the signature.
https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c
"Who Contains the Containers" - @tiraniddo discovered 4 Windows Server Container jailbreaks; Microsoft does NOT support them as a security boundary.
Contents:
• Windows Containers Background
• Origins of the Research
• Research Process
• A Little Bit of Reverse Engineering
• Chaining the Exploits
• Getting the Issues Fixed
• Conclusions
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
YouTube private & unlisted video leak bug bounty claimed by @xdavidhu. All of the juicy technical details, together with the thought process behind finding this bug:
https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/
Contextual Content Discovery, presented at BSides Canberra, 2021.
The Assetnote team revealed their research into a novel approach to content discovery, complete with a new wordlist and a new tool.
Contents:
• Overview
• What’s wrong with content discovery?
• Content discovery tools over the years
• The lightbulb moment
• Data collection
• Finding APIs worth bruteforcing
• Preliminary results
• How do I use the tool?
• Conclusion
• Credits
https://blog.assetnote.io/2021/04/05/contextual-content-discovery/
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3
@HawaiiFive0day got RCE on his brand new Tesla due to Chrome's patch gap by porting an @Exodusintel Google Chrome exploit. A sandbox escape is in the works!
Contents:
• Identifying and building the vulnerable V8
• Sidebar: Changing commits
• Running the exploit
• Why doesn’t it work?
• Troubleshooting with git bisect
• Pointer Compression
• Starting from scratch
• Building fakeobj
• Expanding to arbitrary read/write
• Disassembling a JIT-compiled function, with a surprise
• Running shellcode via WebAssembly
• Further Improvements
• Conclusion
https://leethax0.rs/2021/04/ElectricChrome/
New article "From 0 to RCE: Cockpit CMS" by our researcher Nikita Petrov.
The story of discovering an unauth NoSQL injection and abusing it to retrieve admin hashes, change passwords, and execute commands!
https://swarm.ptsecurity.com/rce-cockpit-cms/
Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.
Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074
https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/
1-Click RCE on Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble via user supplied URLs by @positive_sec.
Contents:
• Introduction
• Root cause: user-supplied URLs opened by the OS
• Finding vulnerable features is straightforward
• Operating systems and desktop environments have different URL opening behaviors
• Windows 10 19042
• Xubuntu 20.04
• Other Linux Operating Systems + Snap
• Mac (Catalina 10.15.6)
• Vulnerabilities
• Nextcloud
• Telegram
• VLC
• Open-/LibreOffice
• Mumble
• Bitcoin/Dogecoin Wallets
• Wireshark
• Bonus-Vulnerability: WinSCP
• Systematic mitigation requires contributions from OS, Framework, and Application maintainers
• Conclusion
https://positive.security/blog/url-open-rce
Insecure URL handling leading to 1-click code execution vulnerabilities in Telegram, Nextcloud (CVE-2021-22879), VLC, LibreOffice (CVE-2021-25631), OpenOffice (CVE-2021-30245), Bitcoin/Dogecoin Wallets, Wireshark (CVE-2021-22191) and Mumble (CVE-2021-27229).
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027).
TL;DR: Leak External Storage (/sdcard), remotely collect TLS cryptographic material, MitM WhatsApp communications, RCE on victim device, extract keys used for end-to-end encrypted user communications.
Contents:
• Intro
• The Android Media Store Content Provider
• The Chrome CVE-2020-6516 Same-Origin-Policy bypass
• Session Resumption and Pre-Shared Keys in TLS 1.3
• Session Resumption and the Master Secret in TLS 1.2
• The WhatsApp TLS Man-in-the-Disk Vulnerabilities
• From TLS secrets collection to Remote Code Execution
• Stealing the victim's Noise protocol key pair
• Conclusion and future work
• References
https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" by @moxie.
What happens when a data extraction application falls under security scrutiny? Multiple exploits challenging the product's business model, possible copyright infringement, and a sassy tongue-in-cheek narration of events.
Contents:
• The background
• The rite place at the Celleb…rite time
• The software
• The exploits
• The copyright
• The completely unrelated
https://signal.org/blog/cellebrite-vulnerabilities/
"All Your Macs are belong to us" by @objective_see - how and why an unsigned, unnotarized, script-based proof of concept application could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements) … even on a fully patched M1 macOS system, reverting protection from running malicious code to a pre-2007 era.
Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions
https://objective-see.com/blog/blog_0x64.html
Cisco fixed an Unauth DoS in Adaptive Security Appliance and Firepower Threat Defense found by our researcher Nikita Abramov.
Assigned CVEs: CVE-2021-1445, CVE-2021-1504
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
"Detecting and annoying Burp users" by @dustriorg
Some fun and innovative ways to keep pesky Burp users at bay.
Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder
https://www.dustri.org/b/detecting-and-annoying-burp-users.html
Cisco fixed two Unauth RCEs and an Arbitrary File Upload in HyperFlex HX Data Platform, found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
CVE-2021-1497
CVE-2021-1498
CVE-2021-1499
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
VMware fixed an Unauth RCE in vRealize Business for Cloud (CVE-2021-21984) found by our researcher Egor Dimitrenko.
Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0007.html
New article "How we bypassed bytenode and decompiled Node.js (V8) bytecode in Ghidra" by our researcher Sergey Fedonin.
https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
ExifTool CVE-2021-22204 - Arbitrary Code Execution discovered by @vakzz.
The story of finding an ImageTragick-esque vulnerability, originally in GitLab. Go down the rabbit hole of image parsing with Perl!
Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket by Paul Gerste
RCE on Rocket.Chat servers via MongoDB NoSQL injection. A valid account is required.
Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
New article: Decompiling Node.js in Ghidra by our researcher Vladimir Kononovich.
This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).
https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/