The enemy does not check your risk register prior to attacking.
New Articles
Callander is a new tool for sandboxing x86-64 and ARM64 Linux programs by using binary analysis to automatically generate and enforce the list of allowed operations. This post describes how it works at a high level and walks through a demo to show how it can help us sandbox programs in practice.
This paper reflects work done in late 2022 and 2023 to audit for vulnerabilities in terminal emulators, with a focus on open source software. The results of this work were 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE); in addition, various other bugs and hardening opportunities were found.
An AWS IAM Identity Center vulnerability
12/18/2023 AWS IAM Identity Center exchanges third-party OIDC tokens for Identity Center-issued tokens. Identity Center relies on the jti claim in the third-party tokens to prevent replay attacks. We found that a token with a jti claim and without an exp claim could be replayed after >24 hours had passed.
We observed a significant evolution in TA544 group TTPs, involving the adoption of new cyber weapons throughout its infection chain, such as IDAT Loader, and the delivery of other malware payloads, like Remcos and SystemBC, passing through a massive abuse of DLL sideloading. In the case under observation, the goal of the infection is to lead to the execution of RemCosRAT.
Unsafe deserialization in MkDocs
12/19/2023 MkDocs is vulnerable to unsafe deserialization when parsing configuration files, which may lead to remote command execution (RCE).
This article is about the umpteenth DCOM-based lateral movement method you'll see, this time targeting that blessing that populates any company: developers. Dreaded users whose machines are often found on quite a few exclusion lists to avoid the myriad of false positives they generate in their work.
In this article we discuss the practical engineering challenges of developing a low-footprint virtual machine interpreter (VM). The main goal of this article is to understand the practical aspects of developing an embeddable virtual machine, without having to deal with binary rewriting/lifting or write our own compiler.
Whilst EDR hooks may vary slightly from vendor to vendor, the principle is still the same, and all share the same weakness: they're located in user mode. Since both the hooks and the EDR's DLL have to be placed inside every process's address space, a malicious process can tamper with them. There are a multitude of ways to bypass EDR hooks, so I'll cover just the main ones.
Patching DLLs with BDF
12/20/2023 BDF allows you to hook DLL exports. This means that you can hook a DLL export and execute your own code. This is useful for a number of reasons, but the most common is to patch a DLL to do something it wasn't intended to do.
A trail of flipping bits
12/15/2023 Trusted execution environments (TEE) such as secure enclaves are becoming more popular to secure assets in the cloud. However, they can lead to a strong attacker model, where the entity interacting with the enclave can be the attacker. In this blog post, we will examine one way that cryptography can fail in this setting: by using the Forbidden attack on AES-GCM to flip bits on a private key shard, we can iteratively recover the private key.
In this blog post, I'll explain the vulnerability in GWT ("Google Web Toolkit"), show you how to exploit a vulnerable GWT web application, show you how to set up an intentionally vulnerable GWT web application to test against, determine if your own GWT-based application is vulnerable, and discuss potential mitigations.
Catching OpenSSL misuse using CodeQL
12/21/2023 We have developed five CodeQL queries that catch potentially potent bugs in the OpenSSL libcrypto API, a widely adopted but often unforgiving API that can be misused to cause memory leaks, authentication bypasses, and other subtle cryptographic issues in implementations.
Uncovering Adversarial LDAP Tradecraft
12/17/2023 We dive into adversarial Lightweight Directory Access Protocol (LDAP) tradecraft. This blog outlines the results of our research, provides a tool for exposing LDAP telemetry, and offers guidance on detecting malicious LDAP activity.
I undertook independent research on Google Drive File Stream so analysts could investigate its artifacts to determine the impact of its unauthorized usage, and I have decided to share my findings thus far along with the automation tool I developed.
We present a new way for threat actors to sneakily access visual information from your graphics card while you're online and browsing certain websites. In testing, we found the technique could be used to steal sensitive visual data such as usernames and passwords from a target, without the user being aware of what was happening.
In early December, a number of malicious Python packages captured our attention, not just because of their malicious nature but for the cleverness of their deployment strategy. In this blog, we will explain the various combined tactics the attacker used to make these packages stand out.
Double Extortion Attack Analysis
12/17/2023 Recent incident investigation revealed suspicious executions as part of a more significant cyber-threat incident that resulted in double extortion: the encryption of customer data, followed by ransomware deployment and a threat to publicly release the data. This report details that activity so that security teams can become familiar with the TTPs.
This post is a complete methodology to build a Reflective DLL injection from scratch. We will go through the PE structure, concept of position independent code (PIC) and build a DLL loader and an injector.
This post analyzes attack campaigns where SSH scanner malware is installed on poorly managed SSH servers, in addition to DDoS bots and CoinMiners. This post provides an analysis of attack cases where these malware were installed.
The Apple Endpoint Security (ES) API provides a number of different process IDs that can be used in our day-to-day threat hunting. This blog post visits the various pids provided by the Apple Endpoint Security API. These pids are provided within every exec event that occurs on the system, each providing its own type of visibility.
This is a technical analysis of an Android backdoor implemented with Xamarin that tries to gain accessibility privileges and then downloads a second-stage payload. The payload takes full control of the device and potentially performs fraudulent actions without user consent, such as clicking on ads and installing apps, among other financially motivated actions.
Still Recent
How do we make the mapping between virtual and physical addresses? Mistakes can be costly and result in BSODs. That's what we're exploring in this blog post. We will document a technique that relies on a Windows feature referred to as "Superfetch".
QTS's JSON parsing functionality is vulnerable to type confusion due to a failure to properly check the type of the json-object->data field. The bug allows an attacker to hijack control flow, and is accessible via the /cgi-bin/qid/qidRequestV2.cgi binary.
The focus of this report is to shed light on the high-risk configuration of telecommunications systems, specifically examining the misuse of tel:// links in SMS messages. Remote attackers can exploit these links to initiate unauthorised call forwarding with minimal user interaction.
CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP instance to write files in the local file system and, in some versions, could eventually allow the execution of arbitrary system commands.
AI Prompt Injection
11/01/2023 Prompt injections in artificial intelligence (AI) chatbots have recently been ranked Number 1 in the OWASP LLM Top 10. In this article, we will explore the nuances of this threat and the countermeasures available to mitigate it.
Oldies but Goodies
System privileges are one of the Windows OS components that you see used for various purposes, but without a lot of understanding of why they are being used. SeDebugPrivilege is a great example of this. This post is meant to explain which access checks SeDebugPrivilege bypasses, and which are still validated.
In this series, we present a new approach to the problem of detecting hidden (secret) information in code. This first part reviews the current techniques used and their limitations.
This is the second part of our journey, where we are trying to improve secrets detection. In this part we unveil a new approach based on a SAST technique.
History of discoveries of weakness in SHA-1
10/23/2023 A quick review of the different vulnerabilities found in the SHA-1 hash algorithm since 1995.