PT SWARM
Positive Technologies Offensive Team: twitter.com/ptswarm

This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting
YouTube private & unlisted video leak bug bounty claimed by @xdavidhu. All of the juicy technical details bound together with the thought process behind finding this bug:

https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/
Contextual Content Discovery, presented at BSides Canberra, 2021.

The Assetnote team revealed their research into a novel approach to content discovery, complete with a new wordlist and a new tool.

Contents:
• Overview
• What’s wrong with content discovery?
• Content discovery tools over the years
• The lightbulb moment
• Data collection
• Finding APIs worth bruteforcing
• Preliminary results
• How do I use the tool?
• Conclusion
• Credits

https://blog.assetnote.io/2021/04/05/contextual-content-discovery/
ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3

@HawaiiFive0day got RCE on his brand new Tesla due to Chrome's patch gap by porting an @Exodusintel Google Chrome exploit. A sandbox escape is in the works!

Contents:
• Identifying and building the vulnerable V8
• Sidebar: Changing commits
• Running the exploit
• Why doesn’t it work?
• Troubleshooting with git bisect
• Pointer Compression
• Starting from scratch
• Building fakeobj
• Expanding to arbitrary read/write
• Disassembling a JIT-compiled function, with a surprise
• Running shellcode via WebAssembly
• Further Improvements
• Conclusion

https://leethax0.rs/2021/04/ElectricChrome/
New article "From 0 to RCE: Cockpit CMS" by our researcher Nikita Petrov.

The story of discovering an unauth NoSQL injection and abusing it to retrieve admin hashes, change passwords, and execute commands!

https://swarm.ptsecurity.com/rce-cockpit-cms/
Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.

Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074

https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/
1-Click RCE on Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble via user supplied URLs by @positive_sec.

Contents:
• Introduction
• Root cause: user-supplied URLs opened by the OS
• Finding vulnerable features is straightforward
• Operating systems and desktop environments have different URL opening behaviors
• Windows 10 19042
• Xubuntu 20.04
• Other Linux Operating Systems + Snap
• Mac (Catalina 10.15.6)
• Vulnerabilities
• Nextcloud
• Telegram
• VLC
• Open-/LibreOffice
• Mumble
• Bitcoin/Dogecoin Wallets
• Wireshark
• Bonus-Vulnerability: WinSCP
• Systematic mitigation requires contributions from OS, Framework, and Application maintainers
• Conclusion

https://positive.security/blog/url-open-rce
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027).

TL;DR: Leak External Storage (/sdcard), remotely collect TLS cryptographic material, MitM WhatsApp communications, RCE on victim device, extract keys used for end-to-end encrypted user communications.

Contents:
• Intro
• The Android Media Store Content Provider
• The Chrome CVE-2020-6516 Same-Origin-Policy bypass
• Session Resumption and Pre-Shared Keys in TLS 1.3
• Session Resumption and the Master Secret in TLS 1.2
• The WhatsApp TLS Man-in-the-Disk Vulnerabilities
• From TLS secrets collection to Remote Code Execution
• Stealing the victim's Noise protocol key pair
• Conclusion and future work
• References

https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" by @moxie.

What happens when a data extraction application falls under security scrutiny? Multiple exploits challenging the product's business model, possible copyright infringement, and a sassy tongue-in-cheek narration of events.

Contents:
• The background
• The rite place at the Celleb…rite time
• The software
• The exploits
• The copyright
• The completely unrelated

https://signal.org/blog/cellebrite-vulnerabilities/
"All Your Macs are belong to us" by @objective_see - how and why an unsigned, unnotarized, script-based proof of concept application could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements) … even on a fully patched M1 macOS system, reverting protection from running malicious code to a pre-2007 era.

Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions

https://objective-see.com/blog/blog_0x64.html
Cisco fixed an Unauth DoS in Adaptive Security Appliance and Firepower Threat Defense found by our researcher Nikita Abramov.

Assigned CVEs: CVE-2021-1445, CVE-2021-1504

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
"Detecting and annoying Burp users" by @dustriorg

Some fun and innovative ways to keep pesky Burp users at bay.

Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder

https://www.dustri.org/b/detecting-and-annoying-burp-users.html
Cisco fixed two Unauth RCEs and an Arbitrary File Upload in HyperFlex HX Data Platform found by our researchers Nikita Abramov and Mikhail Klyuchnikov.

Assigned CVEs: CVE-2021-1497, CVE-2021-1498, CVE-2021-1499

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
VMware fixed an Unauth RCE in vRealize Business for Cloud (CVE-2021-21984) found by our researcher Egor Dimitrenko.

Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0007.html
New article "How we bypassed bytenode and decompiled Node.js (V8) bytecode in Ghidra" by our researcher Sergey Fedonin.

https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
ExifTool CVE-2021-22204 - Arbitrary Code Execution discovered by @vakzz.

The story of finding an ImageTragick-esque vulnerability, originally in GitLab. Go down the rabbit hole of image parsing with Perl!

Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket by Paul Gerste

RCE on Rocket.Chat servers via MongoDB NoSQLi. A valid account is required.

Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary

https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
New article: Decompiling Node.js in Ghidra by our researcher Vladimir Kononovich.

This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).

https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/
HTTP Request Smuggling via higher HTTP versions by @emil_lerner as presented at PHDays 2021.

HTTP request smuggling reinvented with multiple novel approaches, implemented in a new tool, http2smugl.

Contents:
• HTTP Request Smuggling basic concepts
• HTTP Request Smuggling exploitation scenarios
• HTTP/2 body transfer
• content-length conflicts actual length
• no content-length forwarding
• content-length conflicting transfer-encoding
• HTTP/2 header validation
• new lines in headers
• less strict validation
• Detection ideas
• False positive
• Varnish
• RFC 8441
• Haproxy & nghttp2
• Open problem
• H2O http3 (QUIC)
• Automation
• Further research

Slideshow: https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions

Video Presentation: https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/
"13 Nagios Vulnerabilities, #7 will SHOCK you!" by Samir Ghanem

Gaining access to a Nagios XI server results in upstream compromise of the management server, i.e. of every other customer it monitors. Exploitation is facilitated with the SoyGun tool.

Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using the ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Step 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List

https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
Fortinet fixed a Post-Auth RCE in FortiWeb (CVE-2021-22123) found by our researcher Andrey Medov.

This vulnerability was part of an Unauth RCE chain submitted together with CVE-2020-29015 (Unauth SQL Injection), which was fixed by Fortinet earlier.

Advisory: https://www.fortiguard.com/psirt/FG-IR-20-120

Subscribe to the PT SWARM Twitter to get updates about all of the latest vulnerabilities discovered by us.