Security Review #204

April 19, 2024

The only real mistake is the one from which we learn nothing

— John Powell

New Articles

Pwning the Domain: Lateral Movement

Lateral movement in red teaming is all about moving between targets in the environment to reach the objective. This article summarizes and provides example of the most popular lateral movement techniques.

The Return of the Bat: FakeBat's Payk RunPE Arsenal

In this article, we provide technical analysis of FakeBat, a loader malware that spreads through a technique known as malvertising, which involves exploiting online advertising platforms, including Google Ads, to spread malware.

Metasploit Meterpreter Installed via Redis Server

We detail an attack case were the Metasploit Meterpreter backdoor has been installed via the Redis service. Such malware strains attack Redis servers open to the public on the Internet with the authentication feature disabled. After gaining access to Redis, threat actors can install malware through known attack methods.

XZ backdoor story - Initial analysis

This article provides a technical analysis of the initial infection and binary planted by the XZ backdoor on compromised systems. It also provides a set of IoC for detection.

An Adversary Adventure with Cloud Administration Command

A significant challenge facing organizations and defenders today is the lack of comprehensive visibility into their cloud infrastructures and the activities of adversaries targeting cloud technologies. This blog post aims to shed light on a specific technique outlined in the MITRE ATT&CK framework: Cloud Administration Command.

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins

We recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) files. This article provides detailed insights into how this technique is used to distribute VenomRAT and other plugins.

Understanding ETW Patching

In this article, I will answer 3 questions about ETW patching: Which ETW providers can be patched ? What does it mean to actually patch out an ETW Provider? How can you detect ETW patching?

Seccomp Internals Deep Dive - Part 1

In this blog series, we will explore the internals of seccomp, including its architecture, key concepts, and practical applications. in this first part we will cover its definition, how to configure it for processes, and the differences between strict and filter modes. Additionally, we will explore how seccomp is implemented in the Linux kernel.

Fixing Typos and Breaching Microsoft's Perimeter

This is the story of how we breached Microsoft, kick-started a partnership that would change the landscape of self-hosted GitHub CI/CD security, and the growing pains we experienced along the way.

Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover

In this article, we will examine vulnerable configurations for IAM roles with a trust relationship to the Cognito Identity service, how we uncovered a vulnerability in AWS Amplify that exposed these roles to be assumable by anyone, and how this finding impacts Amplify users.

Attacking Kubernetes

Securing Kubernetes begins with a comprehensive understanding of its architecture and potential attack vectors. This article summarizes and provides example of such vectors.

A quick post on Chen's algorithm

In this short post, we summarize the background and findings published in "Quantum Algorithms for Lattice Problems", which may allow allow future quantum computers to break post-quantum cryptography schemes.

CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster

This blog covers 2 vulnerabilities discovered in LoadMaster load balancers. CVE-2024-2448 is an authenticated command injection vulnerability and CVE-2024-2449 is a Cross-Site Request Forgery (CSRF) protection bypass vulnerability. Combination of these vulnerabilities would allow to execute commands on LoadMaster load balancers by targeting a user of the administration web user interface (WUI).

From S3 bucket to internal network operation

In this blog, I'll tell about a case that finding S3 with write permissions enabled me eventually to take control over most of a company's infrastructure.

Putting The Protecc In GlobalProtect (CVE-2024-3400)

In this article, we start from the description of CVE-2024-3400, an RCE in PaloAlto GlobalProtect, and travel all the way down to the finding of the vulnerability.

Exploiting American Conquest

We looked for vulnerabilities in American Conquest as a side research project. We found and reported multiple stack buffer overflow. In this article, we share the details of our research. This is an interesting article for those who want to get started in researching and exploiting vulnerabilities.

From Water to Wine: An Analysis of WINELOADER

This blog post provides a detailed analysis of the tactics, techniques, and procedures (TTPs) of a campaign that aims at deploying a new backdoor called WINELOADER. We will focus on 2 aspects: the initial access and a technical analysis of WINELOADER

An Obscure Actions Workflow Vulnerability in Google's Flank

In this article, I detail vulnerability I found in Google's Flank repository. The vulnerability allowed anyone with a GitHub Account to steal Google service account credentials which were used as a repository secret along with obtaining access to a GITHUB_TOKEN with write access.

Dangerous Import: SourceForge Patches Critical Code Vulnerability

In this article, we deep-dive into a critical arbitrary file read vulnerability in Apache Allura (CVE-2023-46851) and outline how attackers could exploit it. Especially, we will see how exploitation of the vulnerability would have allowed threat actors to fully compromise SourceForge.

Using Microsoft Dev Tunnels for C2 Redirection

In this article we will review how the Microsoft Dev Tunnels works and how it can be used to provide one more tool for smuggling our traffic out.

We discovered an AWS access vulnerability

We discovered a vulnerability in STS that caused role trust policy statements to be evaluated incorrectly. In this case this vulnerability would have allowed certain users to gain unauthorized access to their AWS accounts.

Resolving Stack Strings with Emulation - Part 1

In this series we will explain how to perform string decryption against polymorphic algorithm (has a slightly different decryption routine for each string). The specific sample we are going to analyze in this first post is a version of Conti ransomware.

Rooting out Risky SCCM Configs with Misconfiguration Manager

Introducing MisconfigurationManager.ps1, a PowerShell script that can be executed to identify exactly where these issues may exist. The script can be run with any Security Role in SCCM on or against any SMS Provider to identify every Takeover and Elevate technique.

Sysrv Infection (Linux Edition)

Upon analysis of a Linux crypto miner, we discovered that the malware is a component of the Sysrv botnet. In this short blog post, we will examine the ELF binary to uncover its capabilities and identify IOCs associated with the sample.

How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses

In this blog post, we'll leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly

Flaw in PuTTY leaks SSH private keys

This article provides a technical analysis of CVE-2024-31497, a vulnerability in PuTTY that could lead to users' private keys theft on previously compromised servers or in man-in-the-middle attack scenarios.

Entra ID Banned Password Lists: password spraying optimizations and defenses

Banned Password Lists is a feature of the Password Protection component of Entra ID providing additional security for password-based authentication. This article aims at analyzing its implementation with the objectives to improve password spraying attacks for red team operators while providing better defenses for blue teams.

Bobby Tables but with LLM Apps - Google NotebookLM Data Exfiltration

Google's NotebookLM allows users to upload files and analyze them with a large language model (LLM). However, it is vulnerable to Prompt Injection, meaning that uploaded files can manipulate the chat conversation and control what the user sees in responses.

MagicDot: A Hacker's Magic Show

In this article, I'll dive into the details about the DOS-to-NT path conversion process. I'll explain how rootkits operate today and I uncovered rootkit-like techniques to conceal and impersonate files, directories, and processes. Then, I will explore the vulnerabilities and provide examples and demonstrations about how they can be exploited.

The Windows Registry Adventure Part 1: Introduction and research results

This is an introduction to a series of blog posts that is meant to document what I've learned about the registry, including its basic functionality, advanced features, security properties, typical bug classes, case studies of specific vulnerabilities, and exploitation techniques.

Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers

We have identified two vulnerabilities in how specially forged intents generated from other apps are handled by Android applications. As an impact, a malicious application would be able to significantly break the security of the application, with possible impacts ranging from exfiltrating sensitive files via arbitrary chats to fully taking over victims' accounts.

Quantum readiness - Part 1: Introduction to Modern Cryptography

This article is the first of a series of articles regarding Post-Quantum Cryptography in 2024. It presents the evolutions that happened in the PQC world as well as various constructions.

Breaking Custom Encryption Using Frida

We encountered a unique encryption implementation affecting both the request and response bodies in an Android app. In this blog, we will explore the challenges and triumphs of understanding this function to understand the internal workings of the mobile app.

Analysis of the SoumniBot Android banker

We provide technical analysis of a new banker, SoumniBot, which is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.

Still Recent

List of HTML elements that can overwrite javascript variables via DOM Clobbering

I wanted to find out which HTML elements are able to overwrite javascript variables through DOM Clobbering attacks. With this attack it is possible to overwrite variables used in the javascript code of a page and change the behavior of the script as a result. In this article I provide the results I got in Chrome, Firefox and Edge.

New HTML injection attack vectors

Dangling markup injection attacks are very simple. However, browsers provide security mitigating such attack. In this article, I details 2 attacks which bypass curre,nt browsers filters.

Patch Tuesday Diffing: CVE-2024-20696

This post will teach you how to patch diff CVE-2024-20696 (and indirectly CVE-2024-20697). This security patch was interesting as it wasn't fixing native Microsoft software per se, rather patching an open-source library libarchive used by Windows to support compression and decompression functionality.

HTTP/2 CONTINUATION Flood: Technical Details

Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. A single machine has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation.

Attacking JS engines: Fundamentals for understanding memory corruption crashes

In this post we'll understand basic concepts of Browser Exploitation, focusing on the Firefox browser's Javascript engine, SpiderMonkey. There will be an introduction to topics like heaps, garbage collector, primitives and objects, in-memory structures, JIT interpreters and compilers, and most importantly, ways to exploit memory corruption flaws in Javascript engines.

The Keyboard Button that Displays Linux Root Memory

It took me a few decades to learn what the "SysRq" button on the keyboard did, so I figured at the very least I'd pay it forward to the security community and inform you; in linux, there is in fact a button on the keyboard that dumps root memory.

Manual Indirect Syscalls and Obfuscation for Shellcode Execution

In this post, we're going to cover a possible way to bypass signature analysis from AV using obfuscation and NT API inspection from EDR using indirect syscalls with a shellcode loader PE. This will get past some AV and EDR that only does on-disk inspection of the PE and inspects the system call return address, respectively.

Reverse Engineering Sitecore Vulnerabilities - Part 1

In this Blog we'll reverse engineer an RCE vulnerability in Sitecore (CVE-2023-35813) from the fix provided and also exploit the vulnerability in local as well as live targets.

Jenkins Args4j CVE-2024-23897 Files Exposed Code at Risk

We provide details about CVE-2024-23897, a file read vulnerability in Jenkins that lies in the args4j library, used to parse command arguments and options on the Jenkins controller during CLI command processing.

From a SSRF to the creation of gcp_enum

In this article, we will discuss a case of SSRF in a GCP environment and how exploiting this vulnerability led to the idea and creation of the tool gcp_enum.

Open RAN: Attacks against mobile operators from the outside in practice

This article sets the stage by introducing Open RAN, its predecessors, and its overarching architecture, followed by a detailed examination of the communication interfaces that could serve as attack vectors, and practical attack we can perform using O-RAN stack.

Oldies but Goodies

Bypasses for the most popular WAFs

I decided to evaluate the security of many popular WAFs to see their evolution and how robust they've become over time. The conclusion is that most of them are still extremely vulnerable to very lethal attacks.

Unearthed Arcana

Hyperspace - Hidden Address Spaces

In this blog, we will explain the concepts of memory hyperspace and detail how to run code in a address space not associated with a process.

RFID Proximity Cloning Attacks

In this article, I detail my journey diving into RFID research while aiming at cloning a Miflare Classic 1K card.