Intigriti

Bug Bytes #135 – Code review for bug hunters, Zoom $200K RCE & Breaking HTTP/2 and Exchange

By Anna Hammond

August 25, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from August 2 to 23.

Intigriti News

Intigriti launches fast lane program to incentivise cybersecurity research

Welcome to the 1337-club for Q3 2021, @oct0pus7, @bug_dutch, @kapytein & @mase289!

Our favorite 5 hacking items

1. Conference of the week

DEF CON 29 Main Stage Presentations & Media Server
Recon Village, AppSec Village & Red Team Village CTF: Day 1

There are so many amazing talks and new research in this DEF CON edition! So, I’m only going to mention two of the most notable ones:

2. Writeups of the week

Sophos UTM Preauth RCE: A Deep Dive into CVE-2020-25223
Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)

@jstnkndy came across CVE-2020-25223 in a pentest and didn’t find any public exploit. So, he reverse engineered the vulnerability’s patch to develop his own proof of concept. The writeup is very well written and explains the methodology in great detail.

The second writeup is about a 0-click RCE via heap buffer overflow found in Zoom. Thijs Alkemade & Daan Keuper demonstrated the bug during Pwn2Own and share details on this impressive and lucrative finding.

3. Webinar of the week

How to do Code Review – The Offensive Security Way

If you’re interested in learning source code review to get a leverage as a bug hunter, this is a must-watch. @infosec_au shares insightful techniques for obtaining source code in the context of bug bounties, plus interesting bug examples and tips for both beginners and experienced code reviewers.

4. Video of the week

Working with HTTP/2 in Burp Suite & Blog post

Since @albinowax‘s talk on HTTP/2 desync attacks, Burp Suite was updated to enhance HTTP/2 support. This video demonstrates these new changes and how to use Burp to test for HTTP/2-exclusive vulnerabilities.

5. Tools of the week

Malicious PDF Generator
apk-recon.yaml, api-linkfinder.sh, Links & parameters wordlists extracted from the top 55 mobile apps

Malicious PDF Generator is a Python script that generates 10 different malicious PDF files and supports Burp for receiving out-of-band requests. @jonasl created it for Web app testers to automate several known attacks.

The other tools are a Nuclei template and a Bash script that @nullenc0de uses to extract parameters and links from APKs and API documentation. The regexes they use can also be tweaked if you need to dump more/different information.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • WARCannon: High speed/Low cost CommonCrawl RegExp in Node.js

  • CAIDO: A lightweight web security auditing toolkit

  • PaperChaser: A Google Drive/Docs/Sheets/Slides Enumeration Spider

  • dirtywords & Intro: A targeted word list generation tool

  • GoKart & Intro: A static analysis tool for securing Go code

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

You may also like