📱 1-click RCE in the YTDLnis Android app! On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post: www.sonarsource.com/blog/ytdlnis... #appsec #security #vulnerability
Using SonarQube to solve a CTF challenge? Done! ✅ Learn how we detected a 0-day vulnerability during #KalmarCTF, making us first to solve the challenge! From Zip Slip to RCE, using lazy class loading: www.sonarsource.com/blog/code-se... #appsec #CTF #vulnerability
🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing. Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS: www.sonarsource.com/blog/caught-... #appsec #security
🧟 A fixed vulnerability that comes back to life? This could have happened in GitHub Actions until yesterday! Learn how attackers could have exploited seemingly fixed workflow vulnerabilities: www.sonarsource.com/blog/zombie-... #appsec #security #vulnerability
A fun gadget I found recently! The .NET JIT compiler makes sure there are no rwx pages by using a memfd, but that turns file writes into straight shellcode execution 🐚
This was pretty fun to exploit! Even though I didn't manage to pwn the version used for Pwn2Own Berlin, I still learned a ton about LLMs. Maybe I can get my revenge in future competitions 🤞
Pwning PostgreSQL was quite fun, excited to share our research at OffensiveCon! www.offensivecon.org/speakers/202...
Discover a vulnerability our researchers found in the Android app YTDLnis, allowing attackers to execute code on victim devices.
www.sonarsource.com
In the last blog of this series, we will focus back on FortiClient and learn how the inner workings of this application work, and what crucial mistake happened that led to us uncovering a local privil...
From intent extra to RCE: Argument injection in YTDLnis
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
My TROOPERS25 talk has been uploaded! If you ever wondered if "style-src: 'unsafe-line'" in your CSP is bad, this one is for you. Scriptless Attacks: Why CSS is My Favorite Programming Language www.youtube.com/watch?v=Owp-...
SonarResearch
YouTube video by TROOPERS IT Security Conference
www.youtube.com
TROOPERS25: Scriptless Attacks - Why CSS is My Favorite Programming Language
Offensivecon's talks are now available on our YouTube channel! 🔗 buff.ly/g63xgm5
pspaul
From bit flip to RCE in Ollama! 🦙 Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally: www.sonarsource.com/blog/ollama-... #security #vulnerability #llm #ai
SELECT shell FROM postgres: Digging up a 20-year-old bug for ZeroDay.Cloud by @pspaul95.bsky.social and Moritz Sanft
OffensiveCon 2026 Talks
OffensiveCon26
Shellcode execution as a service! To exploit an argument injection in Jellyfin, we searched and found a gadget in the .NET runtime to turn file writes into code execution. Learn about the bug and this new technique in our blog post: www.sonarsource.com/blog/jellyfi... #appsec #vulnerability
OffensiveCon
Explore a Jellyfin remote code execution flaw where inconsistent validation enables FFmpeg argument injection and unauthenticated code execution.
Jellyfin RCE | Inconsistent Validation Leads to Argument Injection