Black box discovery of memory corruption RCE on box.com
http://scarybeastsecurity.blogspot.com/2017/03/black-box-discovery-of-memory.html
2017-03-30 17:46
Very quickly, I found that Box will thumbnail tons of weird and wacky formats.
And then the murders began.
With some additional commentary about how not to confirm a bug report.
Some further follow-up:
https://scarybeastsecurity.blogspot.com/2017/05/proving-missing-aslr-on-dropboxcom-and.html
https://scarybeastsecurity.blogspot.com/2017/05/0day-proving-boxcom-fixed-aslr-via.html