Each problem that I solve becomes a rule which serves afterwards to solve other problems
New Articles
Frigate code review
12/11/2023This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution.
Windows Defender places malicious files into quarantine upon detection. Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response.
Supply chain attacks continue to evolve in sophistication with new TTPs emerging every few months. In this article we highlight some of the most recently observed TTPs and our recommendations for investigating and mitigating them in your environments.
In this blog post, I aim to shed light on the target tables in Log Analytics, specifically for non-Azure server logs. I'll concentrate on Windows and Linux servers that are either equipped with the Azure Monitor Agent (AMA) or don't use any agent.
WordPress for Security Audit
12/14/2023WordPress is a major player in the CMS market, powering around 40% of websites today. In this article, we will study in detail its core architecture: project structure, authorizations mechanisms, hooks, routing system, APIs and plugins.
Google OAuth is broken (sort of)
12/14/2023I'm publicizing a Google OAuth vulnerability that allows employees at companies to retain indefinite access to applications like Slack and Zoom, after they're off-boarded and removed from their company's Google organization. The vulnerability is easy for a non-technical audience to understand and exploit.
Spamming Microsoft 365 Like It's 1995
12/12/2023In this blog post, I will cover some default anti-spam protections provided by Microsoft, show my research methodology, land some spoofed device code phishing emails in a default tenant inbox, and discuss mitigations.
npm search RCE? - Escape Sequence Injection
12/12/2023In this post we will focus on a vulnerability in CLI applications that allowed code execution in the shell by leveraging escape sequences in the output of a command.
In this blog post we will demonstrate a technique that efficiently escapes Chrome V8 sandbox, leveraging opcodes generated by Liftoff, the v8's WebAssembly compiler.
In this article, we detail an indirect prompt injection attack against writer.com that allows attackers to steal a user's private documents by manipulating the language model used for content generation.
Business Email Compromises (BEC) within the Microsoft 365 environment are a large threat. Attackers are targeting both company and personal email accounts. It's important to understand how attackers are accessing mailboxes and learn the best ways to protect yourself.
Bad Zip and new Packer for Android/BianLian
12/12/2023In this article we analyze a sample of Android/BianLian botnet using 2 advanced ant-reversing techniques: an intentionally malformed ZIP and a new packer which loads dynamically the payload via loadClass() which is far less visible than DexClassLoader.
Two vulnerabilities in Microsoft Windows can be chained together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients. In this first post we wil detail the first vulnerability, that lies in the parsing of a path by the MapUrlToZone function (CVE-2023-35384)
In this second part we investigate a vulnerability (CVE-2023-36710) in the Audio Compression Manager (ACM). This vulnerability is exploited when the downloaded sound file is autoplayed, and it can lead to code execution on the victim machine.
SMTP Smuggling - Spoofing E-Mails Worldwide
12/17/2023By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails - hence SMTP smuggling - while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains to millions of receiving SMTP servers.
In this first part of the series we will detail the Kerberoasting attack and show how it can be implemented. We will also provide guidelines for detection of such malicious behaviour.
In this introduction article of the series, we will review the key principles of Kerberos and how it is implemented in Windows environments.
We came across an open directory that included more than a year of historical threat actor activity. By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims.
Terrapin Attack
12/17/2023Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Malicious actors often acquire a large number of domain names to set up their infrastructure in an automated fashion. Automation employed by attackers can leave traces of information about their campaigns in various data sources. Leveraging these crumbs of information, we built a detector to identify stockpiled domains.
Frinet: reverse-engineering made easier
12/17/2023By combining Frida with an enhanced version of Tenet, Frinet facilitates the study of large programs, vulnerability research and root-cause analysis on iOS, Android, Windows and most architectures.
Synthetic Recollections
12/17/2023This blog post presents plausible scenarios where prompt injection techniques might be used to transform a ReAct-style LLM agent into a "Confused Deputy". This involves two sub-categories of attacks. These attacks not only compromise the integrity of the agent's operations but can also lead to unintended outcomes that could benefit the attacker or harm legitimate users.
In this blog post, we present a process injection detection technique using network anomaly detection. Our technique focuses on the process's network behavior - something that is much harder to hide than host artifacts like API calls or filesystem changes, to detect malware, lateral movement, data exfiltration, and other types of attacks.
Azure Workload Identity Federation
12/17/2023In this article, we will detail how to configure, setup and use Azure Workload Identity Federation for GitHub Actions and Azure DevOps
In this introduction article, we will cover the internals of the Common Log File System (CLFS) driver and its design flaws.
Ghidriff: Ghidra Binary Diffing Engine
12/18/2023In this post we present ghidriff, a new open-source Python package that offers a command-line binary diffing capability leveraging the power of the Ghidra Software Reverse Engineering (SRE) Framework with a fresh take on the standard patch diffing workflow.
In this second blog post, we aim to elaborate on some of the technical details that are required to spoof DNS records on Microsoft DNS servers. We will detail the methods used to collect all the necessary information to conduct the attacks, describe some attack limitations, and explore how we can spoof multiple DNS records by abusing an interesting DHCP server behavior.
Writing a decent win32 keylogger - Part 1
12/20/2023In this first part, after a brief introduction introducing the concepts of scan codes, virtual keys, characters and glyphs, we describe three different ways to capture keystrokes (GetKeyState, SetWindowsHookEx, GetRawInputData) and the differences between those techniques.
A redirect chain
12/19/2023Some programs still do not apply Mark-of-the-Web (MotW), so we can build a quite annoying chain involving custom protocol header, Windows search, WebDAV and Java or some other techniques for the final kick. This results in a Zero Warning, yet several clicks, chain for initial access.
Still Recent
Exploring Linux's New Random Kmalloc Caches
11/01/2023This post is going to be taking a look at the state of contemporary kernel heap exploitation and how the new opt-in hardening feature added in the 6.6 Linux kernel, RANDOM_KMALLOC_CACHES, looks to address that.
Privileged Identity Management (PIM) is part of broader identity governance features, and is most known for enabling just-in-time admin rights. Intuitive as PIM may appear, there are some gotchas you need to be aware of. This blog covers five of the common misconfigurations and misunderstandings.
Oldies but Goodies
When a program wants to relay a message to the terminal it embeds it in the output, and perhaps more importantly, when the terminal wants to relay a message to the program it embeds it in the input. Yes, the user input.
Understanding Crucial Windows Processes: Differentiating Normal Operations from Red Flags
08/25/2023Having a look at the running processes on a Windows operating system can be quite overwhelming to get an understanding of at first glance, so the aim of this blog post is to give you a better understanding of what's "not normal".
Unearthed Arcana
In this post, we will learn together how to write a basic malware program that does a reverse shell connection (using shellcode) and analyze our own compiled malware. We'll play around with C code using Visual Studio IDE and MSVenom for the creation of the shellcode.