Security Review #189

January 05, 2024

...let me remind you that information is not knowledge, knowledge is not wisdom, and wisdom is not foresight. Each grows out of the other, and we need them all.

— Arthur C. Clarke

New Articles

How to Emulate Android Native Libraries Using Qiling?

While analyzing a heavily obfuscated native library, a good emulation framework is a must-have tool in a reverse engineer's arsenal. Having said that, recently, I have been on a quest to find a good emulation framework for emulating native libraries of an APK, and while I was at it, I stumbled upon Qiling. Hence this blog.

Silly EDR Bypasses and Where To Find Them

In this article we explore different techniques to call a hooked function, but do it in such a way that the EDR isn't able to properly inspect the call parameters. We end up with two ways to bypass EDR detection without bypassing EDR hooks.

Secure SSH with Windows Hello

You currently have all these security keys these days that allow you to securely store your ssh private keys on a device to prevent them from being stolen. But what if you could use your face to unlock your ssh keys? Well, you can! And it's pretty easy to set up.

Initial Access - search-ms URI Handler

When the search-ms URI handler is used in Microsoft Edge to search for a file on a target web server, this forces Windows Explorer to start in order to list the results. This behavior can be used in conjunction with phishing to force target users to visit arbitrary URLs hosting malicious files in order to get initial access.

Tag, you're it: Signal tagging in Circom

Signal tagging is a feature introduced in Circom 2.1.0 that allows developers to specify and enforce ad hoc preconditions and postconditions on templates that require proof of authentication whenever either of two values is nonzero. In this post, we introduce the feature and provide four simple rules for incorporating signal tags into your development process, which will help protect you from common bugs and facilitate auditing of your codebase.

Strengthening the Shield: MTE in Heap Allocators

We present a review of the implementation of the Memory Tagging Extension (MTE) in PartitionAlloc in Chrome, ptmalloc in glibc, and Scudo in Android. The purpose is to evaluate the actual impact of MTE on real software security. To discuss this topic, heap allocators provide an excellent starting point.

Still Recent

Sandman APT - China-Based Adversaries Embrace Lua

In this report we provide a technical analysis of the Sandman APT, including victimology overlaps, cohabitation of Lua-based malware LuaDream and the KEYPLUG backdoor, and sharing C2 infrastructure control and management practices.

Colliding Secure Hashes

"SHA-256 is secure". But what if we consider a weakened version? How much weaker do we have to make it before we can generate collisions? There's more than one way to weaken a hash, but in this article we'll consider truncation: throwing away some portion of the hash digits.

SLP Denial of Service Amplification

The Service Location Protocol (SLP) is being exploited to launch reflection/amplification attacks. In this blog post, we look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets they are focused on at the moment.

Writing a decent win32 keylogger - Part 2

In this second part of the series, we detail how Windows stores keyboard layout information in the kbd*.dll files and how to parse them.

CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability

We report the discovery of an arbitrary object dereference vulnerability in the dwmcore.dll library that can be leveraged to leak a heap address within the Desktop Window Manager process and execute shellcode with Window Manager\DWM user privilege.

SonicWall WXA: Authentication Bypass and RCE Vulnerability

While analyzing the SonicWall WXA appliance image we identified a chain of vulnerabilities which we could leverage to achieve arbitrary code execution as the root user account.

Writing a decent win32 keylogger - Part 3

In this third and last part, we go through the process of using the extracted information to convert scan codes into characters and all the tricky cases presented by different layouts, such as ligatures, dead keys, extra shift-states and SGCAPS.

Oldies but Goodies

KubeHound: Identifying attack paths in Kubernetes clusters

This article is an introduction to KubeHound, a toolkit for visualizing attack paths in a Kubernetes cluster and mapping these to existing vulnerabilities in your environment.