Over the next few months, we'll be gradually publishing some of our internal security research.
Starting with a bug chain that turns Nginx-Rift + Nginx-PoolSlip into full RCE.
More to come.
#Nginx#1day#RCE
https://t.co/tqQMFAoX9P
This weekend, I gave a talk on web browser security research at a student-organized conference. I tried to make the talk reasonably beginner-friendly, so the slides (linked here) could hopefully be useful to someone as a learning resource. https://t.co/23xCj2AvTN
🚨 BREAKING: Wiz Research discovered Remote Code Execution on https://t.co/SvN2lGsnbO with a single git push
The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
The cat's out of the bag! My latest book, "The Secret Life of Circuits", is available in early access:
https://t.co/ormpiPwapu
It's what I wish I had when I was starting out. Electrons to embedded systems, 290+ color illustrations and 420+ pages of well-explained theory.
We've published a new blog post by RyotaK @ryotkak !
He exploited a directory deletion race condition in Google Cloud's Looker, leading to full RCE and K8s privilege escalation.
Read the technical details here:
https://t.co/3eFBt0tKbk
Want to see what top-notch security research looks like?
Look no further than @j_domeracki's latest research, a standout contributor to the Google Cloud VRP! 🪲💪
https://t.co/lEsYWZuQMf
A $100k bounty! That is a good resource for learning about Chromium exploitation. I will write a summary, but please don't take it as absolute truth, as I may have made mistakes. I am just trying to understand it.
Essentially, the code sets a flag to true. During the connection cleanup process, if this flag is set, the system doesn't close the connection. The developers assumed this was safe because the object was about to be destroyed anyway. While it is destroyed, a reference to the Connection object remains.
To exploit this, you trigger a race condition: you must open a connection immediately after the flag is set to true, but before Chromium frees the object. If successful, you are left with a dangling pointer as soon as the cleanup functions run. You now get a pointer referencing a memory space that the OS and Chromium consider free. That is dangerous, though not yet a vulnerability.
Next, you must occupy that freed space with malicious data. You want to write to that memory location and control exactly what is stored there. The researcher got this using heap spraying, aka allocating a large number of objects of a specific size to increase the chances of filling that specific slot. With the dangling pointer still active, the browser treats the new data as the original Connection object, effectively tricking it because the attacker wrote a string there. He made this because it's easy to control the string's data.
The browser thinks, "This pointer leads to a Connection object. I can trust the data here." In reality, the attacker has filled that spot with a "fake object." When the browser attempts to use that pointer to call a function, it reads the data at that address to determine where to go.
From there, the researcher proceeds to standard ROP exploitation, abusing C++ vtables and some interesting JS specific quirks to achieve RCE.
It was pretty interesting to explore this report. It gave me FOMO because I feel like I could find these, but at the same time, I can see there are many years of exploitation experience involved.
In 2024, I interacted a lot with Extensions.
I decided to create a resource that will help with a basic understanding of extensions and key attacks.
P.S. I tried to make everything as clear as possible and hope it won’t feel too overwhelming anywhere.
https://t.co/mnI255djn8
Imagine opening a Discord message and suddenly your computer is hacked.
We discovered a bug that made this possible and earned a $5,000 bounty for it.
Here's the story and a beginner-friendly deep dive into V8 exploit development.
Watch: https://t.co/QtAro4fj4t
Bug bounty hunters: What’s your advice for someone who’s trying to make their first $100,000 in 2025? What should they do/learn? What should they avoid?