Published on April 7th, 2020

DAY[0] Episode 36 – Zoom-ers, VM Escapes, and Pegasus Resurfaces


First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." We follow that up with some interesting vulnerabilities, including a hypervisor guest-to-host escape, a complicated Safari permissions bypass, and a GitLab parser differential.

The DAY[0] podcast is streamed live on Twitch every Monday afternoon at 3pm EST -- https://www.twitch.tv/dayzerosec

The audio-only version of the podcast is available on:
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

[00:09:39] Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users
https://appleinsider.com/articles/20/04/03/facebook-tried-to-buy-nso-groups-ios-spyware-to-monitor-iphone-users
[00:14:57] Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings
[00:28:36] Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
[00:33:28] Bug bounty platforms buy researcher silence, violate labor laws, critics say
https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html
[00:54:04] Zoom NTLM Hash Leak
[00:59:52] The 'S' in Zoom, Stands for Security
https://objective-see.com/blog/blog_0x56.html
[01:06:00] Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947]
https://www.thezdi.com/blog/2020/4/1/cve-2020-3947-use-after-free-vulnerability-in-the-vmware-workstation-dhcp-component
https://www.vmware.com/security/advisories/VMSA-2020-0004.html
https://www.zerodayinitiative.com/advisories/ZDI-20-298/
[01:15:46] Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796]
[01:26:39] How to exploit parser differentials
https://about.gitlab.com/blog/2020/03/30/how-to-exploit-parser-differentials/
[01:37:15] Unauthorized Camera access on iOS and macOS
https://www.ryanpickren.com/webcam-hacking
[01:49:15] [Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation
https://hackerone.com/reports/784714
[01:54:29] Physically Realizable Adversarial Examples for LiDAR Object Detection
https://arxiv.org/pdf/2004.00543v2.pdf
[02:01:47] Attack matrix for Kubernetes
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
[02:03:42] Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html
[02:04:21] Tale of two hypervisor bugs - Escaping from FreeBSD bhyve
http://phrack.org/papers/escaping_from_freebsd_bhyve.html
[02:08:29] So you want to be a web security researcher?
https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher
