If you're not failing 90% of the time, then you're probably not working on sufficiently challenging problems.
New Articles
We Hacked Ourselves With DNS Rebinding
11/30/2023 - This post is the first in a two-part series on DNS rebinding in web browsers. Here, I'll talk about a DNS rebinding exploit against our own platform which allowed me to extract low-privileged AWS credentials. In the next post, I'll share new techniques to reliably achieve split-second DNS rebinding in Chrome, Edge, and Safari, as well as to bypass Chrome's restrictions on requests to private networks.
Tricard - Malware sandboxes fingerprinting
11/30/2023 - We introduce Tricard, a tool that we eventually found to be efficient at fingerprinting sandboxes deployed across an infrastructure.
A look at some deceptive tactics used by malware authors in an effort to evade analysis.
In this blog post, we will look into the gaps with respect to endpoint detection and response (EDR) tools and how you can use them effectively during an incident to deploy your other DFIR tools.
Resource-Based Constrained Delegation abuse is a privilege escalation technique which can be visible and detectable! Where do we start for detectability?
Advanced String Obfuscation
12/02/2023 - In this writeup, we discuss string obfuscation techniques and implement a classic string obfuscation technique, XOR, using modern CPU features to bypass emulation and analysis by Mandiant's FLOSS and CAPA.
The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors
12/02/2023 - In this paper we examine the attack vectors on Outlook for typical enterprise environments. We assume the position of an average user - we click and double-click on things in Outlook as our daily work requires - and we analyze the security risks they may introduce from a security research perspective.
This report documents a local elevation of privilege vulnerability in Active Directory Certificate Services (AD CS). The vulnerability is caused by a race condition when Certsrv creates CRL files.
EvilSlackbot: A Slack Attack Framework
12/02/2023 - In this article we detail the steps to automate and streamline the process of sending spoofed Slack messages, phishing links, and files, and of searching for secrets leaked in Slack with EvilSlackbot.
The protocol associated with the Remote Play technology recently introduced by Valve is elaborate enough to give rise to stimulating attack scenarios, and in the past its surface has scarcely been ventured into. In this post, we will cover the reverse engineering of the protocol and its implementations within Steam (client and server), before going through a few vulnerabilities that were found.
O365 Phishing infrastructure
12/01/2023 - Microsoft offers some Developer Tenants for O365. Those tenants can be used to set up a phishing infrastructure within minutes; emails will make it to almost all inboxes, especially in O365 environments.
DevSecOps Pipelines
12/03/2023 - We present a simplified code review workflow that demonstrates the key components of a successful DevSecOps pipeline using Python.
In this post, we detail a design flaw in Google Workspace's Domain-Wide delegation feature, which results in misuse of existing delegations, potentially enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.
In this article we will detail five vulnerabilities found in Extreme Networks' Extreme Operating System (EXOS), including unauthenticated file read, privilege escalation, CSRF and arbitrary file write.
In this post we'll recap known techniques to extract data with attribute selectors and then show you a novel technique with the brand new :has selector, which achieves extraction of the majority of form elements and anchor tags with just CSS.
It's Turtles All The Way Down
11/29/2023 - This blog post is a technical analysis of the newly discovered "Turtle" ransomware.
In ntdissector, we have implemented support for AD Lightweight Directory Services (LDS) instances, a stripped-down version of AD DS that stores data the same way AD DS does but without all the additional features.
CVE-2023-4473 & CVE-2023-4474
11/29/2023 - An authentication bypass and multiple blind command injection vulnerabilities were found in some Zyxel NAS devices. By leveraging the blind OS command injection vulnerabilities chained together with the authentication bypass vulnerability, an unauthenticated, remote attacker could perform unauthorized actions in the context of the root user.
In this post, I introduce new techniques for achieving reliable, split-second DNS rebinding in Chrome, Edge, and Safari when IPv6 is available, as well as a technique for bypassing the local network restrictions applied to the fetch API in Chromium-based browsers. This post assumes you have a basic understanding of DNS rebinding.
The SOCKS We Have at Home
12/04/2023 - In this blog post we will see some of the ways we can pivot through a Windows host.
LibAFL Introductory workshop
12/02/2023 - LibAFL is a great library that can let us quickly adapt a fuzzer to our specific target. Not every target fits nicely into the "Command-line program that parses a file" category, so LibAFL lets us craft fuzzers for our specific situations. This adaptability opens up the power of fuzzing for a wider range of targets.
Process Injection Using Windows Thread Pools
12/05/2023 - We explored the viability of using Windows thread pools as a novel attack vector for process injection. In the process, we discovered eight new process injection techniques we dubbed Pool Party variants that were able to trigger malicious execution as a result of a completely legitimate action. The techniques were proven to be fully undetectable when tested against five leading EDR solutions.
In this blog post, we detail two vulnerabilities in ownCloud: a phpinfo leak and a privilege escalation (with remote code execution).
We built Fuzzomatic, an automated fuzz target generator and bug finder for Rust projects, written in Python. Fuzzomatic is capable of generating fuzz targets that successfully build for a Rust project, completely from scratch. We used the OpenAI API to generate and fix fuzz targets in our approaches.
Unhooking EDR by remapping ntdll.dll
12/05/2023 - In this blog, we will dive into another technique that can be used to unhook ntdll.dll. We will investigate remapping by loading ntdll from disk and validate how this can be noticed by an EDR. This technique is not new, but it is important to uncover the inner workings of older techniques and write down the different steps to get the best understanding.
Obfuscating native code for fun: Part 1
12/05/2023 - In this series of posts, I will try to cover all the common knowledge you would need to create your own PE bin2bin obfuscator. This first part will cover the common information about obfuscators, and I will write my first obfuscator.
WSUS and ADCS can lead to a domain computer compromise when they are both misconfigured and when MITM is possible by any means. In this blog post we will demonstrate another way (not new) to escalate privileges on a machine/computer by abusing a WSUS server misconfiguration.
We examine an attack surface in DNS that has been rarely researched, and is exposed by a seemingly harmless DHCP feature. By using it, we found several different ways that attackers could spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite. We also describe in detail the inner workings of a Microsoft DHCP server, its interaction with DNS and Active Directory, and how to properly secure these interfaces.
Qilin Ransomware malware analysis
12/05/2023 - This article provides a technical analysis of the ransomware created by the Qilin group. It is a highly configurable malware family making use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victim.
In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where they are used. Using this we will locate a string decryption function, and utilise a debugger to intercept input and output to obtain decrypted strings. We will then semi-automate the process, obtaining a full list of decoded strings that can be used to fix the previously obfuscated Ghidra database.
Using CVE-2023-43641 as an example, I'll explain how to develop an exploit for a memory corruption vulnerability on Linux. The exploit has to bypass several mitigations to achieve code execution.
In this post, we look at the attack surface of the Ubiquiti Connect EV Station, a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.
Still Recent
Making TOCTOU Great again - X(R)IP
10/18/2023 - In this blog post we introduce a new kind of attack against embedded systems relying on XiP (eXecute in Place) that exploits TOCTOU at hardware level in order to bypass secure boot. This attack exploits the temporal gap between the verification of the firmware integrity and the actual execution of code during the boot process.
In this post we detail a weakness in Azure Kubernetes Service (AKS) that allows Guest users or third-party apps to access the AKS API without getting assigned any specific roles.
In this post we will try to solve a common challenge for AD administrators: how can we (as defenders) make Domain Admins (and like groups) more difficult to enumerate and discover?
In this post, which is an introduction to deceptive operations regarding service accounts, we will review Kerberos, Service accounts, and related attacks.
Module Stomping
11/02/2023 - Module stomping is a technique used to hide the origin of an API call so as to not point back to our implant in memory. The purpose of this post is to discuss and demonstrate both the benefits and the indicators of compromise (IOCs) that Module Stomping and some of its variants bring to our implants.
Oldies but Goodies
This blog post will first give a brief overview of obfuscation based on Mixed-Boolean-Arithmetic (MBA), how it has historically been attacked and what the known limitations are. The main focus will then shift to an extension of the oracle-based synthesis approach, detailing how combining program synthesis with the equality saturation technique produces significantly more simplification opportunities. Finally, a set of examples spanning different MBA categories, unsolved limitations and future work ideas will hopefully serve as food for thought for the reader.