Tue 07 April 2026
A technical deep dive into the discovery of an unauthenticated zero-day vulnerability in the Ninja Forms - File Uploads WordPress extension, which allows arbitrary file uploads, remote code execution, and full server compromise.
Thu 21 October 2021
This article reveals a privilege escalation vulnerability affecting PHP-FPM.
Tue 24 March 2020
This article presents an exploitation scenario encountered during a common penetration test.
Fri 22 February 2019
Exploitation and mitigation bypasses for the new Drupal 8 RCE (SA-CORE-2019-003, CVE-2019-6340), targeting the REST module.
Tue 02 October 2018
The first article covers an in-depth CVE/bug analysis, designs an attack scenario and starts implementing a PoC in ring-0 with SystemTap. The core concept section focuses on file/socket related data structures, netlink and refcounters.
In the second article, a ring-3 PoC is built by removing each SystemTap script line one-by-one. It explains how to find and tailor syscalls to force the kernel into particular code paths as well as unconditionally win the race condition. The core concept section focuses on the scheduler subsystem (task states and wait queues).