A cache with a bad policy is another name for a memory leak.
New Articles
Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so
11/23/2023 In this post, we will try to debug and explain CVE-2023-4911, a buffer overflow in the glibc loader.
CVE-2021-31969 initially appears challenging to exploit due to its restrictive nature. However, by manipulating the paged pool, it is feasible to elevate a seemingly isolated pool overflow into a comprehensive arbitrary read/write scenario. This exploit grants elevated access, allowing the attainment of a shell as SYSTEM.
In this deep dive, we're not just discussing ETW's functionalities; we're exploring how ETW works internally so you can conduct novel research or forensic analysis on a system.
This is a non-technical post on how I found two Microsoft Hypervisor-related vulnerabilities I reported this summer. Specifically, this post discusses CVE-2023-36427, memory corruption at arbitrary physical addresses from the root partition.
A short analysis of NetSupport RAT (Remote Access Trojan), a type of software that allows unauthorized remote access and control over a victim's computer or network. It typically provides attackers with a wide range of capabilities, including remote control, data theft, and surveillance, making it a significant security threat.
I wanted to dedicate some time to investigating and understanding how to prevent Evilginx and other Man-In-The-Middle (MITM) style attacks based on personal experience. This guide is designed not only to prevent these attacks but also to cover other mitigation techniques commonly employed in Business Email Compromises (BEC).
JA4+ network fingerprinting
11/20/2023 In this blog post, I look at new JA4+ network fingerprinting methods and examples of what they can detect. We look at the use cases for these fingerprints and compare them with existing methods.
In this part of the series, we will apply our understanding of syscalls and the chain from application to Native Windows API, and really implement the bypass by making use of Direct Syscalls.
This blog entry provides a technical analysis of malicious operations involving abuse of Node.js to act as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites.
Fun with another PG-compliant Hook
11/22/2023 In this article, we will be covering a method of hooking SYSCALL in a PG-compliant manner. This method has been tested from early Windows 10 to the latest Windows 11 23H2.
All flavors of .NET rely on a runtime component called the Common Language Runtime (CLR). In this blog post, we will detail a cross-session privilege escalation through DLL loading by the CLR.
KASLR Leaks Restriction
11/25/2023 In this paper we introduce a new method for restricting kernel address leaks to user mode. This method is implemented with a new flag passed to ExIsRestrictedCaller. In particular, this flag is used to determine whether the process can receive information about the loaded kernel modules and determine what kernel data can be returned to the user-mode caller.
LostTrust Ransomware - Trust nothing
11/25/2023 This is an in-depth analysis of the LostTrust ransomware. The encryptor has similar characteristics to the MetaEncryptor ransomware family, including code flow and strings, which indicates that the encryptor is a variant of the original MetaEncryptor source.
This blog post introduces IceKube, an open-source tool that enumerates a cluster and generates a graph database of resource configurations and the relationships between different resources that could be used by an attacker to compromise the cluster and associated workloads.
That's FAR-out, Man
11/17/2023 In mid-2023 we noticed a kernel infoleak which led to the discovery of quite an interesting bug. The infoleak was caused by the access of an uninitialised value in the FAR_EL1 register, which was copied unconditionally by XNU's exception handler. Not only can we use this bug to leak data from the kernel, but we can actually leak data from any task on the system.
In recent weeks, numerous threat actors have been exploiting CVE-2023-46604 to disseminate diverse strains of malware. Our analysis has unveiled the emergence of a newly discovered Golang-based botnet named GoTitan and a .NET program called "PrCtrl Rat," equipped with remote control capabilities. This article will detail the exploitation and provide insights into the malware associated with these recent attacks.
From Threat Report to (KQL) Hunting Query
11/26/2023 Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query.
How GitLab's Red Team automates C2 testing
11/26/2023 In this blog post, we describe how we implement continuous testing for the Mythic C2 framework. We leverage GitLab CI/CD pipelines to automatically run these tests after each code change, which enables iterative development and rapid validation of updates to Mythic and other agents.
This post is going to present a slightly new method for bypassing endpoint detection and response (EDR) products, commonly known as CreateThreadPoolWait. However, instead of using kernel32.dll we will use ntdll.dll.
We researched the attack surface of DICOM, a critical healthcare communication protocol, and have uncovered a number of vulnerabilities in different DICOM implementations from leading medical device manufacturers. Successful exploits of these security flaws could result in denial-of-service and remote code execution attacks against these imaging devices.
In this blog post, we will review the steps to perform a manual analysis of Cobalt Strike Shellcode with Ghidra, identifying function calls and resolving API hashing.
In this article I will present the follow-back algorithm, an alternative to common static code analyzers that aims at automatically detecting vulnerabilities in a PHP codebase at the bytecode level.
This blog post will cover using an EEPROM programmer to read the flash memory of a TrendNet-731BRv1 router directly from the chip on the PCB, as opposed to downloading the firmware from TrendNet's website.
To Schnorr and beyond (part 2)
11/28/2023 Algorithms that can solve discrete logarithms in polynomial time. This raises an important question: Do Schnorr signatures have any realization that makes sense in this future post-quantum world? And can we understand it? That's where I intend to go in this post.
A technical deep dive on how to poison the DNS name resolution of an entire country.
We present our deep-dive into CVE-2023-49103, a critical vulnerability in ownCloud's Graph API. We discuss the exploit, its impact on Docker installations, and our comprehensive testing process. We also discuss the role of Apache's mod_rewrite and the htaccess.RewriteBase rule in mitigating the vulnerability.
Still Recent
Mistaken Identity Azure Function Apps
11/14/2023 The Linux containers in Azure Function Apps utilize an encrypted startup context file hosted in Azure Storage Accounts. We worked on a function that could be added to a Linux container-based Function App to decrypt this context. As we got further into building the function, we found that the decrypted startup context disclosed more information than we had previously realized.
The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo System Update application attempts to utilize a file which doesn't exist on the filesystem. This allows for an arbitrary file write primitive, thus resulting in elevation of privilege to NT AUTHORITY\SYSTEM.
A universal EDR bypass built in Windows 10
10/07/2023 In this article we detail a mechanism that allows an elevated malicious program wishing to perform nefarious actions (process injection, LSASS dumping, process hollowing, etc.) to carefully disable related telemetry before doing it, removing critical evidence from EDR monitoring, thus greatly improving its chances of not being detected.
In this series, I will explore the techniques used in the field to bypass Antivirus and EDR systems using Windows (native) APIs. This first part will introduce system calls and what they are used for. We will also see what user mode and kernel mode are. We will also explain how shellcode can be executed by making use of Windows APIs.
This blog will focus on techniques used in the field to bypass the dynamic analysis of malware by making use of Virtualization/Sandbox evasion techniques.
Decompilation Debugging
11/06/2023 In this post, we will show how the Ghidra Debugger integrates with the Ghidra Code Browser, allowing you to step through the pseudo-code of the program you are debugging. We show how this works and why this is impressive, and share what we hope is to come in the future.
KQL Functions For Network Operations
11/04/2023 If you query data that contains IP addresses, this blog is something for you! We will discuss some basic network-related operations, before diving into useful network-related KQL functions.
In this blog, we will explore how an attacker can exploit CVE-2023-46604 to execute arbitrary code from ActiveMQ's memory, therefore avoiding most detections.
To Schnorr and beyond (Part 1)
10/04/2023 In this post we will discuss the motivation of signature schemes, and specifically the Schnorr signature, as well as some related schemes like ECDSA and Dilithium. We will start from the very basic building blocks (including the basic concept of an identification protocol) and then work our way gradually towards an abstract framework.
Oldies but Goodies
Using AI for extracting Usernames, Emails, Phone Numbers, and Personal Names from large datasets
09/11/2023 In this blog, I will show you how to create prompts that can efficiently extract information from large blobs of text, such as text files, PDFs, Excel spreadsheets, and JSON files. It is meant to encourage you to start thinking of how to use similar prompts or refine the ones discussed in this blog.
I decided to take a swing at exposing the fraudster of a common scam on the other end of the line and see what kind of end game they had in mind for me. What resulted was a wild OSINT and social engineering ride I'll never forget!
In this post we will share how we have researched different Kerberos-based attacks and how we have used multiple events to gain better understanding for defensive purposes. These approaches are not widely used, and we consider them relatively novel.
Unearthed Arcana
What're you telling me, Ghidra?
06/01/2020 This post is a quick-paced introduction to the shiniest features of Ghidra. It should be enough to start looking at binaries of interest, but by no means is this a complete reference.
Learn about the process of initial reverse engineering of the pinout of unknown ASICs using moderate methods. The two ICs described are good examples among many industry solutions and have been chosen to demonstrate how vendors' design decisions are made. The potential supply-chain leak exploited here can be leveraged by a hardware reverse engineer to extract internal information about such systems.