Added a few bugs/exploits of my own #4
Open
Unrealisedd wants to merge 56 commits into
Document multiple high-severity vulnerabilities in Discord Desktop that allow remote code execution and other security risks through various attack vectors.
Updated the title formatting for the Wazuh stack buffer overflow documentation.
Documented a vulnerability in Nextcloud's SSRF protection that allows bypass via IPv4-compatible and NAT64 IPv6 addresses. Provided a detailed proof of concept and attack scenario demonstrating the exploit.
Documented the authenticated SSRF vulnerability via OAuth2 Dynamic Client Registration in n8n, detailing the impact, affected versions, and proof of concept.
Document vulnerabilities in Fluent Bit's collectd parser, including an infinite loop DoS and an out-of-bounds heap read triggered by a zero-length part.
Added detailed information on kernel vulnerabilities in ovpn-dco-win, including use-after-free and information disclosure issues. Suggested fixes for each vulnerability are also included.
Simplified PoC that races KeyLen=33 IOCTL_NEW_KEY against WSK RX to trigger use-after-free on freed BCRYPT_KEY_HANDLE. Reliable BSOD.
…EM32 SvcRebootToFlashingMode has no access check on desktop SKUs. Any std user triggers SYSTEM to load SprintCSP.dll from writable machine PATH.
…efender freeze) NULL deref via IOCTL 0x226014, confused deputy adds any process to DAM job objects via 0x22A01C, freeze control via 0x22A008. All from non-admin.
Added a statement about the repo being a fork and clarified the author's contributions.
Credit bikini as original author. Split contents table into "My Additions" and "Original Contents (by bikini)" so it's clear what I contributed vs what was already here.
Woodpecker CI: pipeline RCE via carriage return (\r) bypass of newline sanitization in EnvVarSubst(). YAML parser treats \r as line break, attacker injects pipeline steps via commit message.
RetroArch libchdr: integer overflow in map allocation (sizeof(map_entry) * totalhunks) on 32-bit platforms. Crafted CHD file causes undersized malloc followed by massive OOB write.
…jection Discovered newline injection in UserSid field → log content injection → batch file command execution chain. UserSid is embedded in registry key paths logged by RegistryConfiguration.TrySet. Embedded newlines create standalone command lines in .bat files written via the ServiceLogFilePath primitive. Combined with GP startup scripts + gpupdate trigger = full standard-user-to-SYSTEM LPE. Batch injection confirmed locally. CVSS 7.8 → 8.8.
Remove Attribution section, restore bikini's first-person voice, rename 'My Additions' to 'Contributed Research (by Unrealisedd)', and 'Original Contents (by bikini)' back to 'Contents'.
I've added a few writeups that I'd been sitting on. I previously tried reporting them, but they were ignored, so I thought they might be a good fit for this repository instead. I really like the work you've been doing here, and I figured these could be a useful addition to the collection :).
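The Woodpecker CI entry in the commit list above describes a newline sanitizer that misses the carriage return a YAML parser also treats as a line break. The following is an added, self-contained Go example (not Woodpecker's code; `sanitizeNewlineOnly`, `sanitizeAllLineBreaks` and `containsLineBreak` are hypothetical names) showing the weak sanitizer beside a hardened one that covers every YAML line terminator, plus a check a pipeline can run on untrusted values before interpolating them into YAML.

```go
package main

import (
	"fmt"
	"strings"
)

// sanitizeNewlineOnly is a hypothetical stand-in for a sanitizer that only
// neutralises "\n". A "\r" survives and still ends a line in YAML.
func sanitizeNewlineOnly(s string) string {
	return strings.ReplaceAll(s, "\n", " ")
}

// yamlLineBreaks are the runes a YAML parser may treat as line terminators
// (LF, CR, and the YAML 1.1 NEL, LS and PS characters).
var yamlLineBreaks = []rune{'\n', '\r', '\u0085', '\u2028', '\u2029'}

// sanitizeAllLineBreaks replaces every line-terminator rune with a space so
// an interpolated value can never start a new YAML line.
func sanitizeAllLineBreaks(s string) string {
	return strings.Map(func(r rune) rune {
		for _, lb := range yamlLineBreaks {
			if r == lb {
				return ' '
			}
		}
		return r
	}, s)
}

// containsLineBreak reports whether a value would still split a YAML line;
// a detection check to apply before substituting untrusted input
// (such as a commit message) into a pipeline definition.
func containsLineBreak(s string) bool {
	return strings.ContainsAny(s, string(yamlLineBreaks))
}

func main() {
	// Constructed sample: a commit message carrying a bare carriage return.
	msg := "fix typo\rextra: line"
	naive := sanitizeNewlineOnly(msg)
	hard := sanitizeAllLineBreaks(msg)
	fmt.Printf("naive:    %q still breaks line: %v\n", naive, containsLineBreak(naive))
	fmt.Printf("hardened: %q still breaks line: %v\n", hard, containsLineBreak(hard))
}
```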