Always implement things when you actually need them, never when you just foresee that you need them.
New Articles
Continuously fuzzing Python C extensions
02/23/2024 This post discusses fuzzing Python C extensions. We see that it may uncover memory errors, data races, undefined behavior, and other classes of bugs. Side effects include memory corruption, remote code execution, and, more generally, all the headaches we've come to know and love about C.
ManageEngine ADAudit Plus CVE-2023-50438
02/23/2024 ADAudit Plus is found to be vulnerable to an arbitrary directory traversal and file manipulation attack, assigned the CVE identifier CVE-2023-50438. This vulnerability exposes organizations to significant risks, potentially allowing attackers to execute malicious actions such as unauthorized access to sensitive files, data leakage, and even compromise of the entire system.
Tableau Server - There Ain't No Vulns
02/19/2024 I detail 2 vulnerabilities found in API calls of Tableau Server: an SSRF and NTLM credential leaks that can be used in relay attacks.
I discovered a Cross-Site Scripting (XSS) chain that incorporated several interesting methods. In this post you will see the story of the initial discovery, roadblocks, and finding ways to continue increasing impact to achieve our goal.
ConnectWise indicated there were two vulnerabilities in ScreenConnect: authentication bypass (CVE-2024-1709) and path traversal (CVE-2024-1708). This write-up will discuss our analysis efforts and the technical details behind these vulnerabilities, which we're coining as "SlashAndGrab".
We provide technical details regarding an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.
Deep Links & WebViews Exploitations Part II
02/22/2024 This article focuses on Deep Links. It analyzes the implementation and security risks of Deep Links in Android apps, including vulnerabilities in loading URLs in WebViews and file access through WebViews.
Apple Gets an 'F' for Slicing Apples
02/22/2024 When attempting to classify a process' binary as benign or malicious, one of the tasks is to parse it. In this blog post, we'll show that one of the foundational APIs related to parsing such binaries is fundamentally broken. And while this bug isn't exploitable, per se, it still has security implications, especially in the context of detecting malware!
In this blog, we will delve into how the attacker exploits several Linux vulnerabilities and misconfigurations to launch a campaign targeting Apache big-data stack. We will illustrate the various phases of the campaign, and highlight the differences observed throughout its operation.
We have encountered a novel malware campaign targeting Redis for initial access. Whilst Redis is no stranger to exploitation by Linux and cloud-focused attackers, this particular campaign involves the use of a number of novel system weakening techniques against the data store itself.
Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today. At its core, DLL hijacking tricks an operating system into running a malicious binary instead of a legitimate DLL. This article explains how threat actors use DLL hijacking in malware attacks.
In this article, we'll delve into what eavesdropping attacks are and how cybercriminals can listen in on your discussions. Further in the article, we'll explore tangible ways to combat network eavesdropping.
Scattered Spider laying new eggs
02/22/2024 This report provides an overview of the Scattered Spider evolution, its modus operandi and the toolset leveraged over the past years. Additionally, it delves into the Scattered Spider Tactics, Techniques and Procedures (TTPs).
We discovered an issue that led to multiple XSS vulnerabilities in Joomla. The issue discovered affects Joomla's core filter component and is tracked as CVE-2024-21726. Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link.
In this post, I'll present a simplified approach to Detection Data Models and demonstrate how they can be used as an analytic technique to help with the task of identification.
Windows Sysinternals - Sysmon
02/27/2024 In this blog post, I will walk through the basic implementation of Sysmon, share some tips, provide useful links, and also discuss strategies to ensure the integrity of Sysmon. Additionally, I'll illustrate the real-world application of Sysmon through two examples of actual attacks, showcasing its effectiveness and versatility.
In this post, we will break down some of the more advanced CyberChef operations and how these can be applied to develop a configuration extractor for a multi-stage malware loader.
In this article, we will detail how to leverage the Terraform provider entry in the state file to execute code in the same context as Terraform.
The focus of this blog will be on conditional access around devices and attacker behavior on compromising Microsoft 365 users. Ultimately, some conditions will give us persistent access to a user and a targeted device of our choosing for 90 days.
In this article, we describe an alternate method for coercing authentication via the DCOM interfaces of the CertSrv Request application. Although this method may not be groundbreaking, it offers interesting alternative ways to force the authentication of a remote server by abusing the Remote Activation permission granted to regular domain users.
We detail a keylogging technique that relies on gafAsyncKeyState, an undocumented Windows kernel structure. By first locating and then parsing this structure, we can read keystrokes the way that NtUserGetAsyncKeyState does, without calling any APIs at all.
In this blog post, we will elaborate on a hidden attack surface in ASP.NET web applications that might unknowingly leak internal object URIs, which can be used to perform .NET Remoting attacks via HTTP, possibly allowing unauthenticated remote code execution.
Cloud storage - never fails to surprise
02/20/2024 This article is a sample gallery of what can be found in public cloud storage, and a brief explanation of why it shouldn't be there. Keep in mind that this is always only a small sample of what can be found.
In this post, we'll look at how to create a CommandLineEventConsumer WMI based persistence module. Aside from creating the module, we'll also take a look at WMI internals and how to detect this persistence mechanism.
In this post, we will demonstrate how to steal PEAP credentials from a Windows machine connected to a wired network using 802.1X.
We detail the inner workings of the command and control (C2) scripts deployed in the Turla APT. We also analyze the use of another three malicious modules deployed via the initial implant to maintain access, and carry out arbitrary command execution and credential harvesting.
We discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. This article provides details about the vulnerability (CVE-2024-21338), its exploitation, and the FudModule rootkit that leverages it.
This in-depth examination focuses on the proliferation of Xeno RAT; an intricately designed malware, crafted with advanced functionalities, conveniently accessible at no cost on GitHub. The research explores the array of evasion tactics employed by threat actors to evade detection, while also illuminating the procedures involved in crafting resilient malware payloads.
WINELOADER Analysis
02/27/2024 This blog provides detailed information about a previously undocumented backdoor we named 'WINELOADER'. The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure.
In this article, we provide technical details about an open redirect vulnerability that exists in the remains of the Google Web Light service. This vulnerability is being actively exploited in multiple phishing campaigns.
PIKABOT, I choose you!
02/24/2024 We observed new PIKABOT campaigns, including an updated version. PIKABOT is a widely deployed loader that malicious actors use to distribute additional payloads. This post will highlight the initial campaign, break down the new loader functionality, and review the core components.
Exploiting CSP Wildcards for Google Domains
02/29/2024 The Google developer documentation includes CSP examples which use domain wildcards, and additionally there are numerous endpoints within the Google eTLDs which are vulnerable to JavaScript XSS. These can be combined into an effective attack against any domain with an HTML injection vector that would be otherwise unexploitable.
Still Recent
We detail and provide a PoC for an authentication bypass vulnerability in Fortra GoAnywhere (CVE-2024-0204) that allows an unauthenticated attacker to create an administrative user for the application.
In this article, I explain how I reverse-engineered the encrypted protocol GoodWe smart meters and solar inverters use to send metrics to the cloud.
In this article, I'm going to set up a model for thinking about threat detection and then use it to answer two fundamental questions. Where is the best place to focus detection engineering efforts to maximize impact? How do we evaluate the quality of a detection? What makes one detection better or worse than another?
In this post, we'll focus on the challenge of identifying and classifying events in order to detect a given attack technique.
Nightmare: One Byte to ROP
02/13/2024 In this write-up, we'll discuss how to go from a one-byte out-of-bounds write to a complete ROP chain without IO access and no brute force under extremely restrictive seccomp, without ever knowing the ASLR base.
Testing TLS and Certificates
01/25/2024 Pentest reports sometimes include bad information under a heading like "Weak TLS Configuration" or "Insecure SSL Certificates". This article will explain how TLS is supposed to work, common ways it goes wrong, and a few pitfalls to avoid when testing.
In this article, we demonstrate that it is possible, given control of as few bytes of the flash as possible, to run custom code on an ESP32-C3 and ESP32-C6. It requires bypassing the Secure Boot feature using simple voltage fault injections, despite the countermeasures that Espressif has integrated into its Boot ROM.
Bypass NTLM Message Integrity Check
02/01/2024 The lack of SMB Signing requirements opens an attack path which can allow an attacker to escalate from zero to Domain Admin (DA) in an Active Directory environment. In this article, we will build off the SMB relay techniques and demonstrate an SMB to LDAP(S) relay attack.
Oldies but Goodies
In this blog post, I wanted to talk about how adversaries can use Entra ID Joined or Hybrid Joined devices to move laterally to the cloud, using EntraID SSO features, and how they can get a foothold on these devices.
An exploit was found that allows the generation of persistent Google cookies through token manipulation, therefore enabling continuous access to Google services, even after a user's password reset. This report delves into the exploit's discovery, its evolution, and the broader implications for cybersecurity.
No security is bypassed, no exciting exploits are used, and no dangerous backdoors are found. We will simply connect to the device and determine how it works using straightforward methodologies.
Unearthed Arcana
In this blog, we detail how we can determine an AWS account by taking advantage of the new S3:ResourceAccount Policy Condition Key. This condition restricts access based on the S3 bucket an account is in (other account-based policies restrict based on the account the requesting principal is in).
Programming languages for building zero-knowledge programs, such as Cairo, are a bit different from other (imperative) programming languages. This article will explore an interesting new type of bug that can happen in under-constrained zero-knowledge programs.
This article uses an example of an IoT monitoring/sensor device. We describe the investigation and analysis of that device, the possible problems along with proposed improvements.