That hardly ever happens is another way of saying 'it happens'.
Starred Articles
This post details CVE-2024-4367, a vulnerability in PDF.js. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based applications that (indirectly) use PDF.js for preview functionality.
I found an ANSI escape sequence injection vulnerability in the console versions of RAR and UnRAR. This vulnerability, tracked as CVE-2024-33899 for Linux and Unix systems and CVE-2024-36052 for Windows, allowed attackers to spoof screen output or cause denial of service.
In this blog series, we will explore different approaches to achieving passive persistence in an Active Directory (AD) environment. In this first part, we tackle the scenario of password rotation for compromised accounts, exploring how attackers can intercept and adapt to these changes.
In this post we will explore how memory features might be exploited by looking at three different attack avenues: Connected Apps, Uploaded Documents (Images) and Browsing.
Nuking Weak Shellcode Hacker Hashes
05/23/2024
In this article we will focus on the shellcode hashing obfuscation technique and demonstrate how it can be mitigated by integrating hash collisions into operating systems.
In this blog I will introduce a GitHub Actions privilege escalation and lateral movement technique I'm going to call "Actions Cache Blasting".
New Articles
This article describes how I reverse engineered an Electron app to discover what APIs it was reaching out to and why.
Mobile Malware Analysis Part 7 - Blackrock
05/17/2024
In this article, we will dive into Blackrock, a sneaky spyware that takes its commands from a hidden server. This malware uses tricks like messing with accessibility settings and pulling off phishing stunts to snatch keylogs and get users to spill personal info.
This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
We found no less than fifteen bugs of varying severity in QNAP QTS, and we'll be disclosing most of these in this article. We will, however, be focusing heavily on one in particular - CVE-2024-27130, an unauthenticated stack overflow bug, which allows remote code execution.
In this blog post, we quickly look into issues involving character devices. As is typical for Linux, everything is a file, so character devices are referenced as files, such as pseudo terminals (pts) under /dev/pts/.
In this writeup we will introduce our finding of a vulnerability in the Microchip Atmel SAM microcontroller family (CVE-2024-4760) to bypass the security bit. We will show how we can have a successful voltage fault injection (glitch) to bypass the security mechanism and have full control of the microcontroller.
Nmap Dashboard Using Grafana
05/20/2024
In this post, we explore the powerful combination of Nmap and Grafana for network monitoring and visualization. By leveraging Nmap's network scanning and Grafana's intuitive dashboard creation, we get a detailed picture of our network and identify services and operating systems.
Freeway for Network Pentesting
05/21/2024
In this article we will focus on exploiting vulnerabilities in the WiFi protocol (IEEE 802.XX) using Freeway.
You may have heard that it's possible to sign/verify files using SSH keys. In this blog, I demonstrate that HTTPS certificates (including those obtained from Let's Encrypt) can be used for that as well.
In this post, we examine how changing the implementation of tradecraft can have as much of an impact on detection programs as changing the behavior.
In this article, we'll do a detailed deep dive into rootkits and kernel internals, going from theory to practice and analyzing 3 rootkit samples.
Modern terminals are very capable tools with quite extended support for various escape sequences. These escape sequences are specially treated by terminal emulators to generate colors, cursor styles, clipboard access and even hyperlinks! Let's see how this can be leveraged from an attacker standpoint.
Recently, Microsoft introduced a new synchronisation technology called Cloud Sync. In this blog, we will explore these two technologies, highlighting the differences from a hacker's perspective and explaining the necessary adjustments to TTPs.
We have identified a new information-stealing malware named "SamsStealer" that targets Windows systems. This .NET-based executable infiltrates a variety of browsers and applications to extract sensitive data like passwords, cookies, and cryptocurrency wallet details, posing a significant threat to user privacy and security.
Discover the most common error investigators make and learn how to develop powerful search algorithms that uncover hidden information and deliver actionable results.
We discovered a critical vulnerability dubbed Linguistic Lumberjack (CVE-2024-4323) within Fluent Bit's built-in HTTP server that could potentially allow for denial of service, information disclosure, or remote code execution.
Exploiting Honeywell ControlEdge VirtualUOC
05/20/2024
We have researched Honeywell ControlEdge Virtual Unit Operations Center (UOC) and found multiple vulnerabilities in the EpicMo protocol implementation within ControlEdge Virtual UOC instances. These vulnerabilities are exploitable and can lead to unauthenticated remote code execution.
This article serves as a step-by-step guide on configuring AFL++ and employing it to fuzz Android binaries.
In machine learning, model deserialization issues are a significant threat, and detecting them is crucial, as they can lead to arbitrary code execution. In this post we are covering backdooring the original Keras Husky AI model from the Machine Learning Attack Series, and afterwards we investigate tooling to detect the backdoor.
This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection.
Attacking .NET
05/20/2024
Attacking .NET applications often involves exploiting weaknesses in the code or the runtime environment. In this article, we go through the main attack vectors, exposing vulnerable code and providing mitigation guidelines.
Offensive IoT for Red Team Implants (Part 2)
05/16/2024
In this blog, we are going to take a "from the ground up" approach to getting a Raspberry Pi Pico (Pico W) set up and running as a physical implant device for attacks such as USB Rubber Ducky. Then, we will pivot slightly and extend the capability of the implant device by enabling and using a bolted-on LoRa module to take the entire attack process to level 11.
Detecting the STRRAT Malware Family
05/17/2024
In this blog, we bring you a STRRAT malware detector. STRRAT is a Java-based remote access tool (RAT) that uses a plugin architecture to provide full remote access to an attacker, as well as credential stealing, key logging, and additional plugins.
Payload Trends in Malicious OneNote Samples
05/16/2024
In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files and provide an analysis of an embedded EXE payload.
This article explains various techniques and readily available tools for extracting data from an encrypted virtual disk. For incident-response situations in which the entire virtual disk has been encrypted, these tools and techniques may enable the investigating team to retrieve data from the encrypted system.
Forensic Analysis of Linux Journals
05/13/2024
We explore the forensic utility of systemd journals. We will first need to understand what systemd and systemd-journal.service are. Understanding them makes the picture clearer, since we then know what to expect to find in the journals.
Adventures and Accidental Honeypots in Network Infrastructure: Unravelling Internet Shenanigans
05/16/2024
I accidentally turned my server into a honeypot. Digging into my server logs, what I found was equal parts fascinating and alarming. Among all the noise, there are some requests that stand out. Like, seriously weird stuff. It's like people are trying to target anything and everything they can get their hands on.
The service principals in Microsoft's Entra ID can be a boon for business email compromise, but they're also a key log source for detection.
The 'Invisibility Cloak'
05/16/2024
In the following blog post, we will take a closer look at how the bind mount operation technique works, whether we can hide our processes so easily, and more importantly, which forensic artifacts we can use to detect this technique.
Through this post we will start to scratch the surface of C++ binaries, understand calling conventions and highlight some features of those binaries (e.g., classes and calling conventions). This will help in better triaging malware as a first step of analysis.
In this article I will introduce, and provide an example of, attack surface enumeration and specifically how to use Ghidra to produce a secondary script for tracing targeted function calls in GDB.
I identified several XSS vulnerabilities and a PHP Code Execution vulnerability via an insecure file upload in the learning management system (LMS) ILIAS. The XSS vulnerability can be chained with the code execution vulnerability so that attackers with tutor privileges in at least one course can perform this exploit chain.
It is possible to register a GitHub runner with the ubuntu-latest tag, granting access to jobs originally designated for GitHub-provisioned runners. Using this method, an attacker could compromise any workflow of the organization and steal CI/CD secrets or push malicious code on the different repositories.
Memory pollution can significantly undermine the reliability of LLMs. In this article, we overview the concept and the risks associated with this type of attack.
Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings.
Fear Kerberos Part III - User Impersonation
05/21/2024
In this third part, we will explore the techniques for leveraging gathered credential material for lateral movement, privilege escalation, and persistence methods within the Active Directory environment.
In this article, we will find out how to bypass the protection of Protected Process Light (PPL) by leveraging the livedump generated by NtSystemDebugControl.
CVE-2023-40424 is a vulnerability that allows a root-level user to create a new user with a custom Transparency Consent and Control (TCC) database in macOS, which can then be used to access other users' private data.
Eventlet Client Side Desync
05/22/2024
In this challenge writeup, I will demonstrate how I achieved XSS through client-side desync and header reflection in a HEAD request.
We provide technical analysis of REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.
Multiple people reported seeing photos on their iPhone they had previously deleted. In this blogpost we will dive into how the bug appeared and how it was fixed by Apple.
How to create your own mythic agent in C
05/23/2024
In this blog post, we will create a really basic agent in C which will be able to interact with our Mythic instance.
Still Recent
In this article, I'll take you through my research uncovering how to use MITM attacks to bypass FIDO2. First, I will outline a complete WebAuthn authentication flow, then walk through the protections of FIDO2. Then I will tackle famous attack techniques and provide real-life use cases. Lastly, I will discuss mitigations and what you can do to protect your enterprise.
In this article we will discuss how the Host Compute Service converts the newly created Silo into a Server Silo. Then, we will focus our attention on a few mechanisms in the Kernel, such as limiting the execution of syscalls from within Silos and the actual difference between a Server Silo Job Object and Silo Job Object.
Offensive IoT for Red Team Implants - Part 1
05/09/2024
This is part one of a multipart blog series on researching a new generation of hardware implants and how using solutions from the world of IoT can unleash new capabilities.
This research will guide you through how to handle complex flows using the Reshaper plugin when performing web application security testing with Burp Suite. It may be used as a reference or baseline when building your Reshaper rules or a training ground to improve your Burp skills.
Oldies but Goodies
Code Interpreter sandboxes, also known as Advanced Data Analysis sessions, are shared between private and public GPTs. Each user gets their own isolated container, but if a user uses multiple GPTs and stores files in Code Interpreter, all GPTs can access (and also overwrite) each other's files.
CyberChef contains many advanced operations that are often ignored in favour of Python scripting. These include things like Flow Control, Registers and various Regular Expression capabilities. In this post, we will break down some of the more advanced CyberChef operations and how these can be applied to develop a configuration extractor for a multi-stage malware loader.
Pwndbg and Pwntools are Python frameworks for automating different parts of exploit development. This marks the beginning of a series of blogs aimed at improving my skills with pwntools for memory corruption.
We continue to explore the pwntools framework, this time focusing on shellcode generation. Ultimately the end goal may be to obtain access to a remote system, or simply to display the contents of a file. Instead of searching for shellcode on exploit-db or Packet Storm, pwntools provides an easy-to-use interface to generate said shellcode.
We dive deeper into the Pwntools framework, focusing on automating interactions with binary programs.
Unearthed Arcana
LDAPSearch Reference
05/14/2022
ldapsearch is an extremely powerful tool, especially for Windows Active Directory enumeration. In this article, we will review the main options and filters to perform powerful search operations.