CVE-2026-44321

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into...

CVE-2022-46415

DJI Spark 01.00.0900 allows remote attackers to prevent legitimate terminal connections by exhausting the DHCP IP address pool. To accomplish this, the attacker would first need to connect to the device's internal Wi-Fi network e.g., by guessing the password. Then, the attacker would need to send...

Requests-Ip-Rotator - A Python Library To Utilize AWS API Gateway's Large IP Pool As A Proxy To Generate Pseudo-Infinite IPs For Web Scraping And Brute Forcing

A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing. This library will allow the user to bypass IP-based rate-limits for sites and services. X-Forwarded-For headers are automatically randomised and applied unles...

Palo Alto Software: DNS Miconfiguration Leads to Subdomain Takeover - max1.liveplan.com

Summary The issue happens due to using EC2 public DNS instead of using Elastic IPs as CNAME record. This report is simliar to report 1069795 Misconfiguration - DNS Records json "host": "max1.liveplan.com", "resolver": "1.0.0.1:53" , "a": "54.68.121.128" , "cname":...

Trident - Automated Password Spraying Tool

The Trident project is an automated password spraying tool developed to meet the following requirements: the ability to be deployed on several cloud platforms/execution providers the ability to schedule spraying campaigns in accordance with a target’s account lockout policy the ability to increas...

Uber: Subdomain takeover on mta1a1.spmail.uber.com

A dangling AWS record on mta1a1.spmail.uber.com allowed a complete DNS zone takeover, giving an adversary access to mta1a1.spmail.uber.com-scoped cookies and CORS, which could facilitate phishing attacks. Thanks again, @0x3c3e! It's so called IP-use-after-free attack. I was able to obtain an IP...

Update Rollup 8 for System Center 2016 Virtual Machine Manager

Update Rollup 8 for System Center 2016 Virtual Machine Manager Introduction This article describes the issues that are fixed in Update Rollup 8 for Microsoft System Center 2016 Virtual Machine Manager. Two updates are available for Virtual Machine Manager, one for the Virtual Machine Manager serv...

Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address)

On MX Series and M120/M320 platforms configured in a Broadband Edge BBE environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile. In the problem...

[Cross-Post] Fishing the AWS IP Pool for Dangling Domains

Hey guys, If you’ve ever pointed your DNS to an EC2 instance or other Amazon service, you might wanna read this piece of research I did while work at Bishop Fox that shows how attackers can take over your domains by drawing from Amazon’s IP pool: Cross-Post Fishing the AWS IP Pool for Dangling...

broadcast-dhcp-discover NSE Script

Sends a DHCP request to the broadcast address 255.255.255.255 and reports the results. By default, the script uses a static MAC address DE:AD:CO:DE:CA:FE in order to prevent IP pool exhaustion. The script reads the response using pcap by opening a listening pcap socket on all available ethernet...