If you aren't sure which way to do something, do it both ways and see which works better.
Starred Articles
This is a blog about the short (but interesting) process of remotely dumping Windows security questions from a machine if you are an Administrator.
In this post, we will dive into specification inaccuracies regarding the use of dangerous pseudo-schemes (JavaScript-URIs) in combination with POST-based SSO flows such as the OAuth 2.0 Form Post Response Mode and the SAML POST-Bindings, resulting in a protocol-level Cross-Site Scripting (XSS) vulnerability pattern.
In this article, I introduce HoneyTrail. Designed specifically for AWS users, HoneyTrail adds a layer of deception without a complicated setup process. It includes S3, Lambda and RDS lures to help detect suspicious activity.
In this article, I will talk about how I managed to find a 0-day RCE vector hidden in the .gguf metadata of one of the most used LLM dependencies, llama-cpp-python, and how it puts some world-class NLP applications in jeopardy.
Pivot to the Clouds: Cookie Theft in 2024
05/17/2024
In this article, I revisit the state of the remote debugging feature of browsers for grabbing sensitive information, including cookies.
New Articles
Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 1
05/06/2024
After establishing a foothold with the five sub-techniques of MITRE's ATT&CK Cloud Matrix T1578 (Modifying Cloud Compute Infrastructure), we will review each of these sub-techniques and their detection methods across AWS, Azure, and GCP cloud environments.
We discuss how an attacker can abuse the operating system's printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication.
This blog post details my journey into researching and exploiting what turned out to be a decade-old Server Side Browser.
This two-part blog series dives into two critical vulnerabilities in the remote desktop gateway Apache Guacamole. This first article will explain how Guacamole's architecture connects a Java component with a C backend server. We will determine how Java's internal processing of Unicode strings can lead to unexpected behavior, which results in a severe vulnerability an attacker can exploit.
Big Vulnerabilities in Next-Gen BIG-IP
05/08/2024
We provide details about remotely exploitable vulnerabilities in F5's Next Central Manager that can give attackers full administrative control of the device, and subsequently allow attackers to create accounts on any F5 assets managed by the Next Central Manager.
Techniques Learned from the XZ Backdoor
05/11/2024
Several articles analyzing the CVE-2024-3094 vulnerability have already been published online. Here, let's learn about the techniques used to hide the backdoor in this incident.
Lumma Stealer Analysis
05/11/2024
This analysis of the infamous Lumma Stealer malware will provide an understanding of how it works. The developers of this malware are big trolls: they left a lot of funny strings and comments within the binaries of their executables, which were quite fun to find.
We provide an encoding-based technique that can be used to bypass WAF protection against Client Side Path Traversal.
We stumbled upon several entry points for exploitation in Masa/Mura CMS, including a critical SQL injection flaw that we were able to exploit within Apple's Book Travel portal. In this blog post, we aim to share our insights and experiences, detailing how we identified the vulnerability sink, linked it back to its source, and leveraged the SQL injection to achieve Remote Code Execution (RCE).
This series of posts will focus on Windows malware, and I'll be using C and C++. In this first article, we will focus on the key components: PE files, WINAPI, function calls and memory management.
In this second part of the series, we will see how to generate, store and execute a payload.
In this third part we will see how to store our payload in the .rsrc section, encrypt it with a simple XOR operation and how to decrypt it upon execution.
SocGholish Sets Sights on Victim Peers
05/08/2024
We identified and traced hands-on-keyboard activity to a SocGholish infection initiated by a fake browser update. It used obfuscated JavaScript to evade detection and establish a foothold in the environment. Attackers used LoL to collect sensitive credentials and, notably, configured web beacons in both email signatures and network shares to map out local and business-to-business relationships.
Agent Tesla Malware Analysis
05/06/2024
This article is a technical analysis of the famous Agent Tesla malware. It is broken into two parts: static analysis and dynamic analysis.
We detail a recently observed new attack, known as LLMjacking, that leveraged stolen cloud credentials in order to target ten cloud-hosted large language model (LLM) services.
System Usage Monitor (SUM) User Access Logging (UAL) is used by Windows servers to aggregate client usage data by role and product on a server. In this article, we will see how it can be leveraged in cases where Windows Event Logs are no longer available.
Systemd Timers
05/05/2024
Systemd continues its ongoing scope creep and has added timers. Systemd timers are a new task scheduling system that provides functionality similar to the existing cron (Vixie cron and anacron) and atd systems in Linux. This creates another mechanism that attackers can leverage for malware activation and persistence.
In this blog post, we'll explore the unique aspects of the increased use of residential proxies in identity phishing attacks. We'll go over some IOCs you can check in your own environment and cover some strategies for detecting current and new trends in these attacks.
Linux Event Logs and Its Record Types
05/08/2024
Every Linux audit log record has a field named "Type" that can be used to quickly identify the type of activity. In this article, we provide a list of these record types for identifying the activity in the Linux audit log.
Abusing Azure Logic Apps - Part 1
05/07/2024
In this blog, we will cover a few scenarios in which we can leverage our privileges on a storage account linked with a logic app to gain access to Logic Apps, create our own new workflow, upload code that will allow us to execute system commands, and more.
We provide full details of a Server Side Template injection in Llama. We analyze the root cause, and demonstrate how a malicious model can be crafted to execute arbitrary code on the targeted application.
This write-up is about DOM XSS and how you can hunt for DOM XSS by simply doing Source Code analysis of the client-side JavaScript.
In an effort to circumvent the limitations of C# marshaling and interop features, we worked on a new marshaling technique that allows C++ DLLs to be used from C# entirely from memory, without the need to drop anything to disk.
We have discovered multiple security vulnerabilities in the Azure Health Bot service, a patient-facing chatbot that handles medical information. The vulnerabilities, if exploited, could allow access to sensitive infrastructure and confidential medical data.
Schneider Electric APC Easy UPS RCE
05/10/2024
We detail a deserialization vulnerability against Schneider APC UPS at the application level within an exposed RMI method. When a non-primitive type is used as one of the parameters of an exposed RMI method, it can be abused for arbitrary deserialization, which might be leveraged for RCE.
Poisoning Pipelines: Azure DevOps Edition
05/09/2024
This blog summarises some of our thinking with regard to compromising DevOps pipelines on your red team engagements. For now we will be focusing on Azure DevOps. That being said, the philosophy behind compromising CI/CD and the attack scenarios mentioned in this article are common across the board.
We provide an analysis of a suspicious publication on PyPI. The package was called requests-darwin-lite and appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo, which is what the author purported it to be.
Attacking Rust
05/13/2024
We delve into the intricacies of identifying and mitigating security vulnerabilities within Rust codebases. Despite Rust's reputation for strong memory safety and thread concurrency, no programming language is immune to potential exploits. This article navigates through common attack vectors such as buffer overflows, race conditions, and injection attacks, illustrating how they can manifest within Rust applications.
DYLD - Do You Like Death? Part X
05/11/2024
In this 10th article, we will introduce ExternallyViewableState, which holds information about the state of externally viewable objects in the system that we are loading, such as dyld, the executable, and all dylibs.
We will go through the different steps necessary to inject and execute a DLL: creation, loader, remote injection into the target process and then execution.
Introducing Meta-Detector
05/14/2024
In this blog post, I'm going to discuss a new Open-Source Intelligence (OSINT) tool I created to assist with collecting information about target organizations during penetration testing engagements. I call it Meta-Detector.
In this article, we explain how one can prevent a website from showing its content to any user with a single request, achieving a Denial of Service with minimal effort. This happens because the overly inclusive response rules of the WAF, which try to prevent SQL error leakage or web shells, block the legitimate page.
I discovered a sibling to the well-known Relative Path Overwrite (RPO) technique, which I have named Relative Path File Injection (RPFI). It is my hope that this new technique opens up new possibilities and sheds light on previously unexplored avenues for exploitation.
This series aims at covering basic and more sophisticated techniques to make phishing efficient. This first article addresses the main difficulties one faces when launching a phishing campaign.
This second article of the series will teach us how to find the right phishing targets.
This post examines a particularly sneaky typosquatting campaign that's being used to deliver both AtomicStealer and Cuckoo. It makes use of a fake homepage for the package manager Homebrew.
This blog post aims to present a comprehensive technical analysis of the techniques used to compromise the MS-SQL honeypot we deployed. Additionally, it delves into the behaviour observed, with a focus on Mallox ransomware and its affiliates. Finally, we offer insights into detection opportunities to mitigate such threats in the future.
Foxit PDF "Flawed Design" Exploitation
05/14/2024
In this article, we discuss a PDF exploitation technique, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Once run by careless users, it executes malicious commands, and it appears to be heavily leveraged by threat actors.
JS-Tap - Part 2: Now with C2 Shenanigans
05/16/2024
JS-Tap is a tool intended to help red teams attack web applications. In this blog post I introduce version 2.0, which refines the usability and scalability of the application and adds the ability to execute custom JavaScript payloads on JS-Tap clients.
In this article I'll be developing a C2-controlled bot that tries to connect to its controller and changes its activity based on the commands it receives.
This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling I've written and some of the fun along the way.
Still Recent
Part 1 of this series will discuss a common malware development problem that affects the bypassing of both Static Detections and Dynamic Detections when working with Windows Portable Executable (PE) files: the accessing of sensitive Windows Native API functions.
We detail the CVE-2024-21338 vulnerability that presents a significant elevation of privilege threat in Windows systems, exploited to bypass conventional security measures such as EDRs and antiviruses.
In this blog post, we'll share how to use the Reporting API to detect potential issues and identify the actual problems causing them. We'll also introduce an open source solution, so you can easily replicate our approach to processing reports and acting on them.
The domain name code.microsoft.com has an interesting story behind it. Today it's not linked to anything but that wasn't always true. This is the story of one of my most successful honeypot instances and how it enabled Microsoft to collect varied threat intelligence against a broad range of actor groups targeting Microsoft.
In this article I will show you how to find sensitive information that was accidentally exposed to the internet by passive attack, that is, finding vulnerabilities without interacting with the services, only by browsing and crawling the internet.
Oldies but Goodies
In this article, we will deep dive into the major concepts behind random numbers and learn how to work with them on a Linux system. But first, we will try to understand what random numbers are and why they are so important for computing (especially cryptography).
The Open Radio Access Network (ORAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on ORAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire RAN Intelligent Controller (RIC) subsystem.
Crafted packets from cellular devices such as mobile phones can exploit faulty state machines in the 5G core to attack cellular infrastructure. This entry describes CVE-2021-45462 as a potential use case to deploy a denial-of-service (DoS) attack to private 5G networks.
Attacks on 5G Infrastructure From User Devices - Part 2: ASN.1 Vulnerabilities in 5G Cores
10/20/2023
In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from the user plane to the control plane.