EPISODE · Oct 27, 2020 · 2H 31M
Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
from Day[0] · host dayzerosec
A lot to cover in this episode, from high performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course many vulns from GitHub RCEs to VMWare Workstation race conditions. [00:01:21] Youtube-dl Cease and Desist [00:14:33] Let’s build a high-performance fuzzer with GPUs! https://gamozolabs.github.io/2020/10/23/some_thoughts_on_gpu_fuzzing.html [00:29:07] Samsung S20 - RCE via Samsung Galaxy Store App [00:33:24] Jitsi Meet Electron - Arbitrary Client Remote Code Execution [CVE-2020-27162] https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126 [00:39:14] 2FA Disable With Wrong Password - Response Tampering. [00:41:22] HTTP Request Smuggling due to CR-to-Hyphen conversion https://hackerone.com/nodejs?type=team [00:46:56] GitHub Gist - Account takeover via open redirect [00:53:19] GitHub - RCE via git option injection (almost) [00:56:36] GitHub Pages - Multiple RCEs via insecure Kramdown configuration [01:01:38] Gateway2Hell - Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In [01:09:02] Remote code execution on Symfony based websites [01:18:40] Detailing Two VMware Workstation TOCTOU Vulnerabilities [01:25:15] Linksys WRT160NL – Authenticated Remote Buffer Overflow [CVE-2020-26561] [01:32:03] The FreeType Project - Heap buffer overflow due to integer truncation [01:38:54] Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild [01:45:15] NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs [01:57:15] Penetration Testing and Low-Cost Freelancing [02:23:24] WPScan.io "XSS" [02:28:24] MITRE - Adversarial Threat Matrix [02:29:16] Shoutout to Alh4zr3d Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
What this episode covers
A lot to cover in this episode, from high performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course many vulns from GitHub RCEs to VMWare Workstation race conditions. [00:01:21] Youtube-dl Cease and Desist [00:14:33] Let’s build a high-performance fuzzer with GPUs! https://gamozolabs.github.io/2020/10/23/some_thoughts_on_gpu_fuzzing.html [00:29:07] Samsung S20 - RCE via Samsung Galaxy Store App [00:33:24] Jitsi Meet Electron - Arbitrary Client Remote Code Execution [CVE-2020-27162] https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126 [00:39:14] 2FA Disable With Wrong Password - Response Tampering. [00:41:22] HTTP Request Smuggling due to CR-to-Hyphen conversion https://hackerone.com/nodejs?type=team [00:46:56] GitHub Gist - Account takeover via open redirect [00:53:19] GitHub - RCE via git option injection (almost) [00:56:36] GitHub Pages - Multiple RCEs via insecure Kramdown configuration [01:01:38] Gateway2Hell - Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In [01:09:02] Remote code execution on Symfony based websites [01:18:40] Detailing Two VMware Workstation TOCTOU Vulnerabilities [01:25:15] Linksys WRT160NL – Authenticated Remote Buffer Overflow [CVE-2020-26561] [01:32:03] The FreeType Project - Heap buffer overflow due to integer truncation [01:38:54] Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild [01:45:15] NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs [01:57:15] Penetration Testing and Low-Cost Freelancing [02:23:24] WPScan.io "XSS" [02:28:24] MITRE - Adversarial Threat Matrix [02:29:16] Shoutout to Alh4zr3d Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) Or the video archive on Youtube (@DAY[0])
NOW PLAYING
Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
No transcript for this episode yet
Similar Episodes
Sep 22, 2023 ·20m
Sep 22, 2023 ·20m
Sep 22, 2023 ·27m
Sep 22, 2023 ·14m
Sep 22, 2023 ·24m
Sep 22, 2023 ·22m