2019-08-13 | Taviso goes down the rabbit hole, Orange’s Pre-auth RCE on Twitter VPN, and Web cache poisoning by albinowax

Tuesday, August 13, 2019

Took a bit of a break for security summer camp, back at it this week for a jam-packed Zero Daily for ya. 

TOP STORY

• From @taviso: I’m publishing some research today, a major design flaw in Windows that's existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation. Repo of code and tools used. 

HACKTIVITY HIGHLIGHTS

• Potential pre-auth RCE on Twitter VPN [288 upvotes] - $20,160 bounty for this report by Twitter by @Orange. 

• SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database [263 upvotes] - $4,000 bounty for this report to Starbucks by @spaceracoon

• Stored XSS on [redacted] and Bypass for #488147 enables stored XSS on [redacted] again. About $40K in bounties for two reports to PayPal by @albinowax around web cache poisoning attack. See his full writeup on the Portswigger blog.  

OTHER ARTICLES WE’RE READING

• Apple getting a bit chummier with security researchers with the iOS security research device program, giving dev devices to top hackers in their bug bounty program. About time. 

• MSFT upping bug bounty awards and launched Azure Security Lab

• Filedescriptor and EdOverflow published a blog in PagedOut about bug hunting (see page 52)

• Owning the clout through SSRF and PDF generators - slides from @nahamsec and @daeken’s DEF CON talk. See also, the automatic HTTP+DNS rebinding attack tool referenced in the talk. 

• HackerOne’s h1-702 live hacking event concluded on Sunday morning, having paid out hackers $1.9M over 3 days. What a ride.

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne. 

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
 

Hi, we have cracked the admin hash and got the root shell. This is definitely a Pre-auth RCE on your SSL VPN server

Orange Tsai