
2272 matches found

Veracode
added 2018/12/12 9:45 a.m. | 24 views

Cross Site Request Forgery (CSRF)

phpMyAdmin is vulnerable to cross-site request forgery (CSRF). When an authenticated user is tricked into visiting a malicious web page, an attacker is able to perform unwanted actions on behalf of the victim such as rename databases, create new tables/routines, delete designer pages, add/delete...

CVSS 8.8 | AI score 8.7 | EPSS 0.01065
Exploits: 0 | References: 3 | Affected Software: 1
Fedora
added 2018/12/11 1:58 a.m. | 37 views

[SECURITY] Fedora 28 Update: polkit-0.115-2.fc28

polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes...

CVSS 9 | AI score 2.6 | EPSS 0.11483
Exploits: 1
exploitpack
added 2018/12/11 12:0 a.m. | 51 views

McAfee True Key - McAfee.TrueKey.Service Privilege Escalation

McAfee True Key - McAfee.TrueKey.Service Privilege Escalation McAfee True Key: Multiple Issues with McAfee.TrueKey.Service Implementation Platform: Version 5.1.173.1 on Windows 10 1809. Class: Elevation of Privilege Summary: There are multiple issues in the implementation of the...

CVSS 6.8 | AI score 1 | EPSS 0.00813
Exploits: 3
Exploit DB
added 2018/12/11 12:0 a.m. | 71 views

McAfee True Key - McAfee.TrueKey.Service Privilege Escalation

McAfee True Key: Multiple Issues with McAfee.TrueKey.Service Implementation Platform: Version 5.1.173.1 on Windows 10 1809. Class: Elevation of Privilege Summary: There are multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executi...

CVSS 7.8 | AI score 7 | EPSS 0.00813
Exploits: 3
GoogleProjectZero
added 2018/11/30 12:0 a.m. | 34 views

Injecting Code into Windows Protected Processes using COM - Part 2

Posted by James Forshaw, Project Zero In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. The techniques presented don’t work for exploiting the older, stronger Protected Processes...

AI score 7.6
Exploits: 0
RedHat Linux
added 2018/11/20 3:11 a.m. | 4 views

kubernetes: authentication/authorization bypass in the handling of non-101 responses

A privilege escalation vulnerability exists in OpenShift Container Platform which allows for compromise of pods running co-located on a compute node. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in...

CVSS 9.8 | AI score 7.4 | EPSS 0.86978
Exploits: 10 | References: 6
Prion
added 2018/11/17 5:29 p.m. | 22 views

Memory corruption

pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows attackers to overwrite memory locations in processes running as root but not escape the sandbox via vectors involving IPCRMID shmctl calls, because reference counting is mishandled...

CVSS 7.5 | AI score 9 | EPSS 0.00786
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2018/11/17 5:29 p.m. | 16 views

CVE-2018-19333

pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows attackers to overwrite memory locations in processes running as root but not escape the sandbox via vectors involving IPCRMID shmctl calls, because reference counting is mishandled...

CVSS 9.8 | AI score 6.6
Exploits: 0 | References: 2
OSV
added 2018/11/14 3:29 p.m. | 1 views

CVE-2018-6080

Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes...

CVSS 6.5 | AI score 7.4
Exploits: 0 | References: 5
Prion
added 2018/11/14 3:29 p.m. | 15 views

Design/Logic Flaw

Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes...

CVSS 4.3 | AI score 6.6 | EPSS 0.01373
Exploits: 1 | References: 5 | Affected Software: 5
Debian CVE
added 2018/11/14 3:0 p.m. | 22 views

CVE-2018-6080

Removed by vendor...

CVSS 6.5 | AI score 8 | EPSS 0.01373
Exploits: 1
Malwarebytes
added 2018/11/09 4:16 p.m. | 126 views

Advanced tools: Process Hacker

Process Hacker is a very valuable tool for advanced users. It can help them to troubleshoot problems or learn more about specific processes that are running on a certain system. It can help identify malicious processes and tell us more about what they are trying to do. Background information...

AI score 6.9
Exploits: 0
n0where
added 2018/11/08 3:52 a.m. | 60 views

Memory Man in the Middle: MemITM

The MemITM (Mem In The Middle) tool has been developed in order to easily intercept “messages” in Windows processes memory. We developed a lot of custom memory interception tools in order to capture network messages before encryption, or IPC messages, and to be able to inspect them or alter them to...

AI score 7.1
Exploits: 0 | References: 1
Zero Day Initiative
added 2018/11/05 12:0 a.m. | 33 views

(Pwn2Own) Apple macOS task_set_special_port Port Overwrite Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of Mach...

CVSS 7.2 | AI score 3.1 | EPSS 0.1392
Exploits: 5 | References: 1
OSV
added 2018/10/31 3:29 a.m. | 2 views

CVE-2018-18850

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server f...

CVSS 8.8 | AI score 6 | EPSS 0.12475
Exploits: 0 | References: 1
Gentoo Linux
added 2018/10/30 12:0 a.m. | 492 views

PostgreSQL: Multiple vulnerabilities

Background PostgreSQL is an open source object-relational database management system. Description Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered fro...

CVSS 9.1 | AI score 8.4 | EPSS 0.05154
Exploits: 0
GoogleProjectZero
added 2018/10/16 12:0 a.m. | 91 views

Injecting Code into Windows Protected Processes using COM - Part 1

Posted by James Forshaw, Google Project Zero At Recon Montreal 2018 I presented “Unknown Known DLLs and other Code Integrity Trust Violations” with Alex Ionescu. We described the implementation of Microsoft Windows’ Code Integrity mechanisms and how Microsoft implemented Protected Processes (PP). A...

CVSS 3.3 | AI score 6 | EPSS 0.03109
Exploits: 1
ThreatPost
added 2018/09/19 1:51 p.m. | 16 views

A Hybrid Solution to Taming SOC Alert Overload

The moving assembly line was one of the greatest innovations of the Industrial Revolution. Prior to 1913, when Henry Ford installed the first moving assembly line in his factory, cars were built by humans performing manual, mundane tasks. Imagine humans hand painting cars on the factory floor –...

Exploits: 0 | References: 2
Hacker One
added 2018/09/17 8:2 a.m. | 25 views

Starbucks: Unauthorized access to a system used for CI/CD processes

@k3m reported a vulnerability allowing unauthorized access to a system used for CI/CD processes. Our teams quickly restricted access and fixed the vulnerability. Thank you @k3m for a detailed report...

AI score 4
Exploits: 0
Malwarebytes
added 2018/09/07 5:8 p.m. | 60 views

Mac App Store apps are stealing user data

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. This is referred to as exfiltrating the data. Some of this data is actuall...

Exploits: 0