Seclog - #185
In this week's Seclog, the dominant story is the collision of AI and offensive security with the classic web-vulnerability grind. On the AI front, autonomous tooling matured sharply: an LLM-driven hackbot logged 126 findings in five months, Claude Opus was walked through a full V8 Chrome exploit chain, and a TOCTOU race showed that computer-use agents can be tricked into clicking something other than what they "see." The rapidly expanding MCP ecosystem emerged as a first-class attack surface, with open Dynamic Client Registration abuse and a Google-assigned CVE (CVE-2026-11719) bypassing scope enforcement via protocol-version selection. Meanwhile, tried-and-true bugs dominated real-world impact โ three SQL injections (Control Web Panel, Front Gate Tickets, and a PostgreSQL dollar-quote bypass), stored XSS through storage content-type override, a zero-click CSS oracle exfiltrating Slack DMs, and origin-validation bypasses via IP normalization. Cloud and supply-chain infrastructure took hits too, including unauthenticated RCE in Argo CD (found with CodeQL) and OS command injection in aws-cdk-lib. The throughline: AI is compressing both exploit development and mass discovery, even as fundamental input-validation and access-control flaws remain the bugs that actually get owned.
๐ SecMisc #
Portable Cloud Malware Analysis Lab on AWS - viuleeenz.github.io
Moves a malware analysis environment off fragile local VMs and into AWS to solve snapshot staleness, host slowdown, and "is this box still clean?" uncertainty โ a pain point amplified on Apple Silicon where emulation makes local detonation heavy. The rapid-deploy, disposable model gives analysts a known-clean, reproducible environment on demand and scales beyond a single laptop. Practical blueprint for anyone standing up repeatable detonation/sandbox infra in the cloud.
๐ฐ SecLinks #
Control Web Panel userRes SQL Injection - karmainsecurity.com
Egidio Romano (EgiX) discloses a SQL injection in Control Web Panel (CWP) โค 0.9.8.1224 via the
userResparameter. CWP is a widely deployed hosting/server control panel, so DB compromise here is high-value and often a stepping stone toward fuller server takeover. Operators should patch/upgrade CWP instances immediately and restrict panel exposure.
Google Messages Leaks Contact Photos Without Permission - blog.devploit.dev
A confused-deputy bug: an app holding no
READ_CONTACTSpermission coerces the privileged Google Messages app into loading contact photos on its behalf viaAvatarContentProvider. This bypasses Android's permission model to exfiltrate contact avatar data through a pre-installed, over-trusted ContentProvider. A reminder to audit exported/privileged ContentProviders for caller-permission enforcement.
TOCTOU Race Tricks Computer-Use Agents - embracethered.com
Reproduces a time-of-check/time-of-use race against computer-use AI agents (in the spirit of the ChatGPT Operator bug) where the UI state the agent evaluates differs from the state at click time. Enables silent redirection/deception of autonomous agents into unintended actions. Argues agentic browsing needs atomic verify-then-act and human confirmation on sensitive operations.
Autonomous Hackbot Finds 126 Vulnerabilities - josephthacker.com
rez0 and xssdoctor detail an autonomous hackbot that surfaced 126 vulnerabilities across five months, evidencing that AI-driven bug discovery now scales meaningfully. The takeaway for defenders: expect higher-volume, automated testing against your assets and treat bounty programs as increasingly essential intake. For hunters, it signals a shift toward orchestrating agents rather than manual-only recon.
MCP Dynamic Client Registration Is a New Attack Surface - blog.voorivex.team
Open Dynamic Client Registration (DCR) on MCP servers exposes a fresh, under-scrutinized surface enabling XSS, OAuth token theft, SSRF, and direct access to "AI-only" tools. As MCP adoption accelerates, loosely-scoped or unauthenticated registration endpoints hand attackers a foothold into LLM tool infrastructure. Lock down DCR, validate redirect URIs, and tightly scope issued tokens.
response-content-type Turns Public Objects Into Stored XSS - blog.voorivex.team
A single
response-content-typequery parameter on public bucket objects flips a forcedimage/pngintotext/html, yielding stored XSS on the target's own origin. MinIO grants it directly; S3 needs one extra step. Any app serving user-controlled bucket content from its own origin is an XSS sink โ serve untrusted files from an isolated, sandboxed domain.
Unauthenticated SQL Injection in Front Gate Tickets - ian.sh
Sam Curry finds unauthenticated SQLi in Front Gate Tickets, the Live Nation/Ticketmaster subsidiary handling ticketing/payments for EDC, Bonnaroo, Outside Lands and more. Because many festivals funnel back to the same aging FGT domains, one legacy backend becomes a single point of mass PII/payment exposure. Textbook consolidated-legacy-infrastructure risk in the events industry.
Unauthenticated RCE in Argo CD Found via CodeQL - synacktiv.com
Synacktiv chains an unauthenticated remote code execution in Argo CD, surfaced using CodeQL static analysis. As core GitOps CD infrastructure with cluster-level privileges, a pre-auth RCE here equals full Kubernetes cluster compromise. Doubles as a demonstration of CodeQL's value for deep Go-codebase auditing โ patch Argo CD and restrict its network exposure.
Zero-Click CSS Oracle Exfiltrates Slack DMs - iglu.blog
A Slack Block Kit validation bypass via
salesforce_recordreaches unsanitized client-side sinks, enabling a blind CSS oracle that leaks private DM attributes with zero user interaction. Shows that CSS injection remains a potent exfiltration primitive even in hardened, mature chat platforms. Validation bypass plus a client sink is enough for silent data theft โ sanitize rendered attributes and constrain Block Kit inputs.
Dollar-Quote Bypass for Blind PostgreSQL Injection - jrbusiness.github.io
Combines PostgreSQL dollar-quoting to evade quote-based filters, scalar subquery injection, and zero-knowledge blind extraction against PL/pgSQL. Adds a concrete WAF/sanitizer-evasion technique tailored to Postgres backends. Valuable for testers facing quote-focused input filtering, and a reminder that parameterization โ not quote escaping โ is the real fix.
LLM Writes a Full V8 Chrome Exploit Chain - hacktron.ai
The author drove Claude Opus to build a full V8 exploit chain against Discord's bundled Chrome (v138, nine versions behind) using a Chrome 146 V8 OOB, ultimately popping calc. Cost: ~2.3B tokens, ~$2,283, and ~20 hours of human unsticking โ heavy but declining guidance. Two lessons: LLMs are nearing practical browser-exploit development, and outdated bundled Chromium in Electron apps stays dangerously exploitable.
Google MCP Toolbox scopesRequired Authorization Bypass - skypoc.wordpress.com
CVE-2026-11719 (CWE-862) is an authenticated authorization bypass / vertical privilege escalation in Google's MCP Toolbox for Databases, where selecting an older protocol version sidesteps
scopesRequiredenforcement. Another concrete example of MCP access-control gaps emerging as the ecosystem grows. Updatemcp-toolboxand ensure scope checks are enforced uniformly across every supported protocol version.
IP Normalization Bypasses postMessage targetOrigin - lab.ctbb.show
An integer/decimal-encoded IP host slips past a subdomain-matching regex, redirecting
postMessagedata to an attacker-controlled origin. Demonstrates that regex-based origin validation is bypassable through alternate IP representations. ValidatetargetOriginagainst an exact allowlist of canonical origins rather than pattern matching.
OS Command Injection in aws-cdk-lib - hackerone.com
← All SeclogsAn AWS VDP report discloses a High-severity OS command injection (CWE-78) in the
aws-cdk-libnpm package. Injection in such widely-used Infrastructure-as-Code tooling can execute commands in developer workstation and CI/CD contexts, making it a supply-chain-adjacent risk. Updateaws-cdk-liband audit CDK usage in build pipelines for untrusted input reaching command execution.