[bounty] IOT Issues and DNS Rebinding

Published: Dec. 19, 2023, 1 p.m.

A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature turned vulnerability in VS Code, which looks at abusing intentional functionality. Then several ExtremeXOS bugs in its web console. A Sonos Era 100 jailbreak that involves causing a particular call to fail, a common bug path we've seen before, and some discussion of doing fast DNS rebinding attacks against Chrome and Safari.


Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/231.html


[00:00:00] Introduction

[00:01:00] It's not a Feature, It's a Vulnerability

[00:13:40] Multiple Vulnerabilities In Extreme Networks ExtremeXOS

[00:24:06] Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

[00:30:08] Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari

[00:46:02] Apache Struts2 file upload vulnerability analysis (CVE-2023-50164) - 先知社区

[00:48:49] Blind CSS Exfiltration: exfiltrate unknown web pages

[00:51:11] Finding that one weird endpoint, with Bambdas


The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.


We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec


You can also join our Discord: https://discord.gg/daTxTK9
