Diving right into some binary exploitation issues this week. Starting wtih a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straight-forward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity's "constify" mitigation could be.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/220.html
[00:00:00] Introduction
[00:00:14] How I made a heap overflow in curl
[00:17:32] Critically close to zero (day): Exploiting Microsoft Kernel streaming service
[00:30:34] Story of an innocent Apple Safari copyWithin gone (way) outside [CVE-2023-38600]
[00:38:10] CONSTIFY: Fast Defenses for New Exploits
[00:46:53] An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
[00:47:40] Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9