The essence of strategy is choosing what not to do
New Articles
A dependency confusion attack is a supply chain attack where an attacker is able to poison the build by forcing the build system to retrieve his malicious dependency somewhere on the internet instead of the legitimate internal dependency. In this article we show how to prevent this from happening.
During this blog post we will explore the Visual Studio VSStandardCollectorService150 service, which is used for diagnostic purposes by Visual Studio and runs in the NT AUTHORITY\SYSTEM context, and how it can be abused to perform an arbitrary file DACL reset in order to escalate privileges.
DarkGate: From AutoIT to Shellcode Execution
01/04/2024 We have taken an in-depth look into the DarkGate malware family to gain insights into the inner workings of this malware family as well as to improve detection and configuration extraction. In this blog post, we want to specifically highlight the interesting way by which DarkGate accomplishes executing malicious native code via AutoIt scripts.
We detail the steps to reproduce multiple vulnerabilities in AirSpot 5410: XSS, RCE, arbitrary file upload and access to a hidden system command webpage.
In this article we detail how the Teams external participant splash screen can be bypassed despite the recent patch from Microsoft, thus leading to interesting phishing opportunities.
Using a combination of Cloudflare and HTML Obfuscation, it is possible to protect your Evilginx server from being flagged as deceptive and so increase your chances of success on Red Team and Social Engineering engagements.
CVE-2023-43208 is a pre-authenticated remote code execution vulnerability affecting NextGen Mirth Connect. This post dives into the technical details behind this vulnerability, which is ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads.
This post is a deep dive into the technical details behind CVE-2023-39143, a critical vulnerability that affects Windows installs of the PaperCut NG/MF print management software. Attackers can exploit this vulnerability to download and delete arbitrary files, and in certain configurations upload files, leading to remote code execution.
How to Leverage Internal Proxies for Lateral Movement, Firewall Evasion, and Trust Exploitation
01/07/2024 In this post we will focus on Internal Proxies, which are a sub-technique of Proxy. We will cover how to leverage internal proxies while navigating around a target network for lateral movement, firewall evasion, trust exploitation, and defense evasion. Additionally, we will demonstrate two techniques: netsh interface portproxy and TCP redirectors using adversary code.
Using unit testing frameworks as a vulnerability scanner is one of the best ways to exploit vulnerabilities across multiple targets in different configurations. In this article, we show how to use xUnit as a vulnerability scanner.
Welcome To 2024, The SSLVPN Chaos Continues
01/13/2024 We detail an attack chain against Ivanti appliances, with CVE-2023-46805 allowing an unauthenticated Internet-based attacker to elevate to execute administrative functionality (bypass authentication), and CVE-2024-21887 allowing Command Execution, facilitating a full-device compromise and takeover.
Syscalls via Vectored Exception Handling
01/13/2024 I would like to take up the topic of vectored exception handling, an alternative way to implement direct and indirect syscalls, in the context of shellcode execution and take a closer look at the code required for this.
Event Log Manipulations [1] - Time slipping
01/13/2024 This is the first post of a series that aims at detailing different Event Log manipulation techniques. In this article, we will focus on time slipping: altering the system's clock or adjusting the dates of files to disrupt the sequence of logged events, complicating incident analysis and forensics.
In this article we will discuss an alternative way of running shellcode in macros, with limitations. Although I have a reliable way to find the pointer to hijack, if I execute other stuff previously in the same process, sometimes the pointer I abuse is misplaced and I overwrite another one, which either has no effect or crashes the process.
This is a write-up of vulnerability CVE-2023-36003. The vulnerability is caused by a lack of security checks in the InitializeXamlDiagnosticsEx API and allows a non-elevated process to inject a DLL into an elevated or otherwise inaccessible process, allowing for privilege escalation.
We present LDAP Watchdog, a real-time LDAP monitoring script which detects additions, deletions, and changes in an LDAP directory. It provides visibility for those curious to see what's going on in an LDAP-based environment.
In this second part, we will carry out a full investigation using dissect to dig into sysinternals generated logs. We will identify the root cause, defender evasion, execution time, dropped files, persistence and malicious activities.
If you've been developing custom detection content for a while, you likely know one of the most critical steps during the design of a detection rule: schedule and time-sensitive parameters.
It looks like Atomic Stealer was updated: its developers introduced payload encryption in an effort to bypass detection rules. In this blog post, we will review the latest changes to Atomic Stealer and its recent distribution via malicious ads on the Google search engine.
It turns out that on Linux distro releases with kernel versions >=5.18, library ASLR is literally broken for 32-bit libraries of at least 2MB in size: exploits can deterministically hijack pointers using large library addresses. Also, ASLR's entropy on 64-bit libraries that are at least 2MB is significantly reduced.
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
The following blog post describes our approach on voltage glitching and how we try to make it more accessible and usable during security assessments. To do this, we started tinkering with the widely used STM32 microcontroller series.
Lateral Movement - Visual Studio DTE
01/15/2024 In this blog post, we will discuss how Visual Studio provides an opportunity for lateral movement via the Development Tools Environment (DTE).
Direct Syscalls: A journey from high to low
01/12/2024 In this article, I will focus on the Direct System Call technique and show you how to create a Direct System Call shellcode dropper step-by-step. I will start with a dropper that only uses the Windows APIs; then the dropper undergoes its first development and the Windows APIs are replaced by Native APIs; and last, the Native APIs are replaced by Direct System Calls.
This blog post provides an overview of the concept of entropy and its role in detecting web shells, and dives deeper into ShellScan, ShellCSV, and ShellSweep, three utilities designed to hunt down and flag potential web shells lurking in your web servers.
Fuzzing and Bypassing the AWS WAF
01/09/2024 We discovered techniques that allowed the AWS WAF to be bypassed using a specialized DOM event. In this blog post, we will analyze one of the most commonly used Web Application Firewalls, the AWS WAF, and explain ways that allowed it to be bypassed.
We decided to reverse engineer Android-based POS devices made by the worldwide known company PAX Technology. In this article, we present technical details of 6 vulnerabilities, which were assigned CVEs.
Nginx Path Configuration Pitfalls
01/15/2024 In this article we detail common misconfigurations in the Nginx web server and provide a step-by-step guide to harden path configurations.
In this article, we review several mistakes that can turn a red team operation into a disaster.
This is mostly a beginner guide which explains step-by-step how you can tackle custom encrypted strings inside an Android ARM64 app.
GitHub Actions is vulnerable to a command injection. Since the CI/CD contained the vulnerability, an attacker could leverage it to backdoor the actions themselves. The vulnerability itself is a fairly routine injection vulnerability, but the potential for pivoting and attacking others is the more interesting part of this blog post.
Building a Covert Hardware Implant: Part 1
01/09/2024 What we aim to achieve in the next couple of blog posts is to describe the hardware implants we use in real-world Red Team operations. In this first post, we will detail the bill of materials (BoM) and exemplify the build process.
Microsoft Teams Covert Channels Research
01/16/2024 This article illustrates how custom command and control (C2) implants can circumvent network monitoring systems and security measures by piggybacking on Microsoft Teams traffic.
We are disclosing LeftoverLocals: a vulnerability that allows recovery of data from GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs. LeftoverLocals impacts the security posture of GPU applications as a whole, with particular significance to LLMs and ML models.
This vulnerability allows unprivileged users with physical access to a computer to bypass the password protection feature of the GRUB boot manager on many (but not all) UEFI-based computers. In some uncommon setups, no unprivileged access is required (so physical access without the ability to log in to an operating system is enough).
Exploring Defensive Challenges with Artificial Intelligence: From Traditional to Generative
01/15/2024 In this blog post, I'll explore various artificial intelligence (AI) methods and their evolving roles in cybersecurity. A key aspect of this exploration is understanding how these AI methods integrate into the incident response life cycle, an essential framework in cybersecurity.
This blog post provides details about nine vulnerabilities affecting the IPv6 network protocol stack of EDK II, TianoCore's open source reference implementation of UEFI.
We discovered two security vulnerabilities in X.Org libX11: CVE-2023-43786 and CVE-2023-43787. In this first post we will provide some background on libX11 and the Xpm image format, and walk through CVE-2023-43786 that causes a denial of service.
Hacking into a Toyota/Eicher Motors insurance company by exploiting their premium calculator website
01/17/2024 An Eicher Motors premium calculator website exposed Microsoft corporate cloud credentials: the email sending API returned sending logs to the client, which contained the email account's password.
This is a technical analysis of Atlantida, a stealer that collects a wide range of login information from software like Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, as well as data from cryptocurrency wallet browser extensions. It also captures the victim's screen and collects hardware data.
We discovered a package called 'sellpass-sdk' that followed a burst of other dummy malicious packages, most likely posted as tests by the same author. The package distributes the "Blank-Grabber" infostealer malware and exfiltrates the victim's data via a specific Discord Canary link.
This article provides a victimology overview and a technical analysis of Medusa ransomware TTPs.
Easy way to Generate Reverse Shell
01/11/2024 In this article, we will learn how to get a reverse shell in a few easy steps. Usually, the problem with reverse shell commands is remembering their long and complicated syntax. But thanks to the growing AI of our digital world, this problem has been tackled and dealt with. Let's see how it is done through this article.
We discovered a malicious NPM package, oscompatible, that contained a few strange binaries. After reversing the executable we uncovered the deployment of a RAT through a relatively complicated process that convincingly masqueraded as a standard Microsoft update process.
Hunting down the HVCI bug in UEFI
01/15/2024 This post details the story and technical details of the non-secure Hypervisor-Protected Code Integrity (HVCI) configuration vulnerability disclosed and fixed with the January 9th update on Windows. This vulnerability, CVE-2024-21305, allowed arbitrary kernel-mode code execution, effectively bypassing HVCI within the root partition.
High Signal Detection and Exploitation of Ivanti's Pulse Connect Secure Auth Bypass & RCE
01/19/2024 In this blog post, we document the process of reverse engineering CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Remote Command Execution) in Ivanti Pulse Connect Secure. We will also review potential gaps in other detection mechanisms and exploit payloads that were published.
We found a series of CI/CD misconfigurations that could lead to a supply chain compromise of TensorFlow releases on GitHub and PyPI. In this blog, we will discuss our methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps an attacker could take to compromise TensorFlow releases.
Calling Home, Get Your Callbacks Through RBI
01/17/2024 Following a brief introduction to the RBI (Remote Browser Isolation) technology, we share our firsthand experiences when encountering RBI solutions, and techniques we have employed for establishing command and control (C2) to systems that proxy traffic through RBI products.
We discovered a new Outlook vulnerability (CVE-2023-35636) among three new ways to access NTLM v2 hashed passwords by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer. With access to these passwords, attackers can attempt an offline brute-force attack or an authentication relay attack to compromise an account and gain access.
We detail unauthenticated file access and file upload (CVE-2023-36846) vulnerabilities in the PHP interface of several Juniper products.
This blog is a detailed analysis of DarkGate, a malware that provides remote code execution, data exfiltration, cryptocurrency mining, privilege escalation and persistence.
Still Recent
We introduce SSH-Snake, a post-exploitation tool that gathers SSH private keys on compromised systems, finds remote systems that accept the keys, SSHes into the discovered hosts and starts the process again.
Scheduled Task Tampering
01/01/2024 We review the operating mode of the Scheduled Task Tampering persistence technique through the GhostTask PoC and provide guidelines to set up proper detection.
Exploiting QUIC's Path Validation
12/18/2023 QUIC supports connection migration, allowing the client to migrate an established QUIC connection from one path to the other. QUIC's path validation mechanism can be used to attack the peer and make it consume an unbounded amount of memory.
This is the story of how I discovered and exploited a Critical misconfiguration vulnerability and reported it to GitHub. The vulnerability provided access to internal GitHub infrastructure as well as secrets. There was also a very high likelihood that this access could be used to insert malicious code into all of GitHub's runner base images - allowing an attacker to conduct a supply chain attack against every GitHub customer that used hosted runners.
Following a system compromise, it becomes crucial to retrieve forensically significant data. RAM, being volatile, has a transient nature. In this blog post, we will show in practice how to detect process injection via memory forensics.
Malware authors check for indicators that a malware analyst is conducting a manual inspection, which also impedes the analyst's ability to reverse-engineer the malware code. In this blog, we will show how to bypass the anti-debugging trick of our simple malware written in C/C++.
In this first part, we will hammer out an approach to pulling out a mini-timeline using dissect to get a bird's-eye view of the 3 minutes surrounding a download event.
In this blog, we explain how bad actors could create a false sense of security with Lockdown Mode by post-exploit tampering.
Oldies but Goodies
In this post, I will give you a few examples of funny misconfigurations in various MLOps systems that are easy to find and often have a critical impact. Specifically, we will focus on Prefect, Flowise and Omniboard.
In this article I want to look at the concept of the x86 Inline Assembly MSVC in the context of shellcode execution. The main points of this article are the basics of compilation and x86 (inline) assembly. We will also reinforce the basics with two assembly code examples. Finally, we will rewrite a high-level API dropper.
Unearthed Arcana
Creating a Rootkit to Learn C
09/29/2019 I thought a good way to introduce people to very basic C programming would be to take very basic techniques and make a simple yet powerful security-related program, namely a malicious shared library rootkit.