The only real mistake is the one from which we learn nothing
New Articles
Pwning the Domain: Lateral Movement
04/12/2024 Lateral movement in red teaming is all about moving between targets in the environment to reach the objective. This article summarizes and provides examples of the most popular lateral movement techniques.
In this article I detail an authentication bypass vulnerability in Delinea Secret Server, a privileged access management (PAM) solution.
In this article, we provide technical analysis of FakeBat, a loader malware that spreads through a technique known as malvertising, which involves exploiting online advertising platforms, including Google Ads, to spread malware.
We detail an attack case where the Metasploit Meterpreter backdoor was installed via the Redis service. Such malware strains target Redis servers exposed to the public Internet with authentication disabled. After gaining access to Redis, threat actors can install malware through known attack methods.
XZ backdoor story - Initial analysis
04/12/2024 This article provides a technical analysis of the initial infection and the binary planted by the XZ backdoor on compromised systems. It also provides a set of IoCs for detection.
A significant challenge facing organizations and defenders today is the lack of comprehensive visibility into their cloud infrastructures and the activities of adversaries targeting cloud technologies. This blog post aims to shed light on a specific technique outlined in the MITRE ATT&CK framework: Cloud Administration Command.
We recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) files. This article provides detailed insights into how this technique is used to distribute VenomRAT and other plugins.
Understanding ETW Patching
04/12/2024 In this article, I will answer 3 questions about ETW patching: Which ETW providers can be patched? What does it mean to actually patch out an ETW provider? How can you detect ETW patching?
In this exploration of vulnerable driver attacks, we delve into their history, explore effective hunting methodologies, and dissect strategies for prevention and monitoring.
This article provides technical details about a zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS (CVE-2024-3400).
We analyze and provide IoCs for a curious backdoored (and signed) executable masquerading as something else entirely.
Seccomp Internals Deep Dive - Part 1
04/08/2024 In this blog series, we explore the internals of seccomp, including its architecture, key concepts, and practical applications. In this first part we cover its definition, how to configure it for processes, and the differences between strict and filter modes. Additionally, we explore how seccomp is implemented in the Linux kernel.
In this blog, we discuss the exploitation of the AJP smuggling vulnerability (CVE-2022-26377) on IBM QRadar, leading to several unauthenticated attacks.
This is the story of how we breached Microsoft, kick-started a partnership that would change the landscape of self-hosted GitHub CI/CD security, and the growing pains we experienced along the way.
In this article, we will focus on the remaining Frida memory operations APIs, Memory.scanSync, Memory.protect, and Memory.patchCode.
In this article, we will examine vulnerable configurations for IAM roles with a trust relationship to the Cognito Identity service, how we uncovered a vulnerability in AWS Amplify that exposed these roles to be assumable by anyone, and how this finding impacts Amplify users.
Attacking Kubernetes
04/15/2024 Securing Kubernetes begins with a comprehensive understanding of its architecture and potential attack vectors. This article summarizes and provides examples of such vectors.
A quick post on Chen's algorithm
04/16/2024 In this short post, we summarize the background and findings published in "Quantum Algorithms for Lattice Problems", which may allow future quantum computers to break lattice-based post-quantum cryptography schemes.
This blog covers 2 vulnerabilities discovered in LoadMaster load balancers. CVE-2024-2448 is an authenticated command injection vulnerability and CVE-2024-2449 is a Cross-Site Request Forgery (CSRF) protection bypass vulnerability. Combining the two allows command execution on LoadMaster load balancers by targeting a user of the administration web user interface (WUI).
From S3 bucket to internal network operation
04/14/2024 In this blog, I describe a case in which finding an S3 bucket with write permissions eventually enabled me to take control over most of a company's infrastructure.
In this article, we start from the description of CVE-2024-3400, an RCE in Palo Alto GlobalProtect, and travel all the way down to the finding of the vulnerability.
Exploiting American Conquest
04/16/2024 We looked for vulnerabilities in American Conquest as a side research project. We found and reported multiple stack buffer overflows. In this article, we share the details of our research. This is an interesting read for those who want to get started in researching and exploiting vulnerabilities.
This blog post provides a detailed analysis of the tactics, techniques, and procedures (TTPs) of a campaign that aims at deploying a new backdoor called WINELOADER. We focus on 2 aspects: the initial access and a technical analysis of WINELOADER.
In this article, I detail a vulnerability I found in Google's Flank repository. The vulnerability allowed anyone with a GitHub account to steal Google service account credentials that were stored as a repository secret, along with obtaining access to a GITHUB_TOKEN with write access.
In this article, we deep-dive into a critical arbitrary file read vulnerability in Apache Allura (CVE-2023-46851) and outline how attackers could exploit it. In particular, we show how exploitation of the vulnerability would have allowed threat actors to fully compromise SourceForge.
In this article we review how Microsoft Dev Tunnels work and how they can be used as one more tool for smuggling our traffic out.
We discovered an AWS access vulnerability
04/09/2024 We discovered a vulnerability in STS that caused role trust policy statements to be evaluated incorrectly. In this case the vulnerability would have allowed certain users to gain unauthorized access to their AWS accounts.
In this series we explain how to perform string decryption against a polymorphic algorithm (one that uses a slightly different decryption routine for each string). The specific sample we analyze in this first post is a version of Conti ransomware.
In this blog post, we present how we elevated privileges from user to SYSTEM in order to chain with the VMware vulnerability. The bug used is CVE-2023-29360, a beautiful and powerful logic bug in the mskssrv.sys driver.
Introducing MisconfigurationManager.ps1, a PowerShell script that can be executed to identify exactly where SCCM misconfigurations may exist. The script can be run with any security role in SCCM against any SMS Provider to identify every Takeover and Elevate technique.
Sysrv Infection (Linux Edition)
04/14/2024 Upon analysis of a Linux crypto miner, we discovered that the malware is a component of the Sysrv botnet. In this short blog post, we examine the ELF binary to uncover its capabilities and identify IOCs associated with the sample.
In this blog post, we leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process, understand how to get each module's base address, show the advantages of this approach, and demonstrate the ability to perform shellcode injection directly into a module's .text section.
Flaw in PuTTY leaks SSH private keys
04/16/2024 This article provides a technical analysis of CVE-2024-31497, a vulnerability in PuTTY that could lead to the theft of users' private keys via previously compromised servers or in man-in-the-middle attack scenarios.
Banned Password Lists are a feature of the Password Protection component of Entra ID providing additional security for password-based authentication. This article analyzes its implementation, with the objectives of improving password spraying attacks for red team operators while providing better defenses for blue teams.
Google's NotebookLM allows users to upload files and analyze them with a large language model (LLM). However, it is vulnerable to Prompt Injection, meaning that uploaded files can manipulate the chat conversation and control what the user sees in responses.
MagicDot: A Hacker's Magic Show
04/18/2024 In this article, I dive into the details of the DOS-to-NT path conversion process. I explain how rootkits operate today and how I uncovered rootkit-like techniques to conceal and impersonate files, directories, and processes. Then, I explore the vulnerabilities and provide examples and demonstrations of how they can be exploited.
This is an introduction to a series of blog posts that is meant to document what I've learned about the registry, including its basic functionality, advanced features, security properties, typical bug classes, case studies of specific vulnerabilities, and exploitation techniques.
We have identified two vulnerabilities in how specially forged intents generated by other apps are handled by Android applications. A malicious application would be able to significantly break the security of the targeted application, with possible impacts ranging from exfiltrating sensitive files via arbitrary chats to fully taking over victims' accounts.
In this fourth article of the series, we focus on how to enforce AES encryption for Kerberos, avoiding the use of RC4 as the default encryption algorithm.
This article is the first of a series of articles regarding Post-Quantum Cryptography in 2024. It presents the developments that happened in the PQC world as well as various constructions.
Breaking Custom Encryption Using Frida
04/17/2024 We encountered a unique encryption implementation affecting both the request and response bodies in an Android app. In this blog, we explore the challenges and triumphs of reverse engineering this function to understand the internal workings of the mobile app.
Analysis of the SoumniBot Android banker
04/17/2024 We provide technical analysis of a new banker, SoumniBot, which is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.
Still Recent
I wanted to find out which HTML elements are able to overwrite JavaScript variables through DOM Clobbering attacks. With this attack it is possible to overwrite variables used in the JavaScript code of a page and change the behavior of the script as a result. In this article I provide the results I got in Chrome, Firefox and Edge.
New HTML injection attack vectors
04/02/2024 Dangling markup injection attacks are very simple. However, browsers provide mitigations against such attacks. In this article, I detail 2 attacks which bypass current browser filters.
Patch Tuesday Diffing: CVE-2024-20696
03/11/2024 This post will teach you how to patch diff CVE-2024-20696 (and indirectly CVE-2024-20697). This security patch was interesting as it wasn't fixing native Microsoft software per se, but rather patching libarchive, an open-source library used by Windows to support compression and decompression functionality.
HTTP/2 CONTINUATION Flood: Technical Details
04/03/2024 Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. A single machine has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation.
In this post we cover basic concepts of browser exploitation, focusing on the Firefox browser's JavaScript engine, SpiderMonkey. There is an introduction to topics like heaps, the garbage collector, primitives and objects, in-memory structures, JIT interpreters and compilers, and most importantly, ways to exploit memory corruption flaws in JavaScript engines.
It took me a few decades to learn what the "SysRq" button on the keyboard did, so I figured at the very least I'd pay it forward to the security community and inform you: in Linux, there is in fact a button on the keyboard that dumps root memory.
In this post, we cover a possible way to bypass AV signature analysis using obfuscation, and EDR NT API inspection using indirect syscalls, with a shellcode loader PE. This will get past some AV that only does on-disk inspection of the PE, and some EDR that only inspects the system call return address.
In this blog we reverse engineer an RCE vulnerability in Sitecore (CVE-2023-35813) from the fix provided, and exploit the vulnerability on local as well as live targets.
We provide details about CVE-2024-23897, a file read vulnerability in Jenkins that lies in the args4j library, used to parse command arguments and options on the Jenkins controller during CLI command processing.
From a SSRF to the creation of gcp_enum
04/02/2024 In this article, we discuss a case of SSRF in a GCP environment and how exploiting this vulnerability led to the idea and creation of the tool gcp_enum.
This article sets the stage by introducing Open RAN, its predecessors, and its overarching architecture, followed by a detailed examination of the communication interfaces that could serve as attack vectors, and practical attacks that can be performed using the O-RAN stack.
Oldies but Goodies
Bypasses for the most popular WAFs
08/03/2023 I decided to evaluate the security of many popular WAFs to see their evolution and how robust they've become over time. The conclusion is that most of them are still extremely vulnerable to very lethal attacks.
In 2021, Ivanti patched a vulnerability that they called "code injection". Rumors say it was a backdoor in an open source project. Let's find out what actually happened!
Unearthed Arcana
Hyperspace - Hidden Address Spaces
03/29/2021 In this blog, we explain the concept of memory hyperspace and detail how to run code in an address space not associated with a process.
RFID Proximity Cloning Attacks
12/17/2020 In this article, I detail my journey diving into RFID research while aiming at cloning a Mifare Classic 1K card.