Security Review #210

This is devoted to the research methodology against MS-RPC interfaces, developed after observing some interesting behavior from one of the Windows interfaces. Also included is a discussion of how we can link this behavior to null sessions, and revive their legacy by enumerating information from the domain controller, specifically domain users without triggering any alerts.

Despite the success and widespread usage of the technique, there are some lesser-known NTLM relay attacks that are potentially being overlooked by many offensive security professionals. This post aims to highlight some of those lesser-known attacks and add them to your arsenal.

CVE-2024-24919 is a 'high' priority bug, which falls under the category of Exposure of Sensitive Information to an Unauthorized Actor. In this post we will search for the root cause of the bug via patch-diffing and find a way to exploit it.

In this blog, we reveal how a few simple triggers can lead to the full exploitation of RAG Applications. We discovered a method to poison RAG pipelines, making the entire RAG app useless with proprietary poisoning payloads. We demonstrate a successful poisoning attack on RAG with a high Attack Success Rate (ASR) through small triggers inserted into the knowledge base documents.

In this post, I detail a keylogging technique that revolves around gafAsyncKeyState, an undocumented kernel structure in win32kbase.sys used by NtUserGetAsyncKeyState. By first locating and then parsing this structure, we can read keystrokes the way that NtUserGetAsyncKeyState does, without calling any APIs at all.

I wondered what a malicious page with disabled JavaScript could do. Focusing on SVG, which is based on XML, and allow file access. In this post I show the tests I run to check if the Same Origin Policy (SOP) is correctly implemented for all possible XML and SVG syntaxes and if access through the file:// protocol properly handled.

CVE-2023-39143 is a path traversal vulnerability found in Papercut MF/NG, a print management solution. This in-depth analysis will examine different exploitation scenarios associated with this CVE. Exploiting this vulnerability grants unauthorized access to read, download, and delete arbitrary files, thereby potentially enabling remote code execution (RCE) on the affected system

Meta's WhatsApp suffers from an integrity issue that allows attackers to create an inconsistent world view on victims' multi-device setup. Simply put, users expect their chats' history to be the same across all devices. However, we show that a rogue client can send different messages to the same user's different devices and it has some obvious (and some less obvious) security implications.

This article examines the analysis of a malware called "BloodAlchemy". BloodAlchemy is not an entirely new malware but an evolved version of Deed RAT, the successor to ShadowPad.

In this blog, I will walk you through how I discovered and exploited a Stored XSS -> RCE vulnerability in a popular Note App. From auditing sources to dynamically debugging Electron, I'll cover every step.

I discovered an Arbitrary File Read (AFR) vulnerability in LangChain JS library. This vulnerability allows an attacker to read files on the server that they should not be accessing. When combined with Server Side Request Forgery (SSRF), an attacker can exploit SSRF to read arbitrary files on the server and expose sensitive information.

YARA-X has modules that can parse certain file formats and produce a data structure containing information extracted from the parsed files. In this blog, we will see how this information can be leveraged to create more precise and powerful rules tailored to each file format's unique characteristics.

We found a 9-year-old WAN bug on RouterOS. The vulnerability occurs in the radvd of RouterOS. As a result, an attacker can trigger a buffer overflow by sending two crafted Router Advertisement packets, that allows an attacker to gain full control over the underlying Linux system of the router. This vulnerability was assigned as CVE-2023-32154

This is the eleventh and the last article in the series about debugging Dyld-1122 and analyzing its source code. We will learn how Dyld load dependent dylibs, bind them all together, return the address of the main(), calls it and finally terminates.

Email forensics involves the examination, extraction, and analysis of email data to gather digital evidence crucial for resolving crimes and specific incidents, ensuring the integrity of the investigation process. In this article, we will review the key elements of email investigation.

In this article, we've prepared a brief overview of UAC bypass methods in Windows 11 that are used in modern malware and provided examples of their implementation in active threats.

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. In this article, we review the techniques used by threat actors to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands.

The 'Create Snapshot', 'Create Cloud Instance', 'Delete Cloud Instance', 'Revert Cloud Instance' and 'Modify Cloud Compute Configurations' features are widely available across major cloud platforms. They can also be leveraged in many ways by threat actors. In this article, we will details techniques to detect such abuse.

A phishing method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. In this blog post, we will explore the intricacies of these phishing scams, how they operate, and the steps you can take to protect yourself from falling victim to them.

In this post, we'll explore how attackers are using a very obscure PHP snippet WordPress plugin to install server-side malware to harvest credit card details from a WooCommerce online store.

This blog post detail the steps of exploiting a Chrome V8 memory corruption: finding the corruption, breaking bounds, getting primitives, executing code and collecting garbage.

I stumbled upon a 24 years old buffer overflow in the glibc, proven useful in exploiting PHP engine in two different ways. In this first part of the series, I'll describe how I encountered the bug, why suitable targets are rare, and finally dive into the PHP engine to demonstrate a new exploitation vector: converting file read primitives into remote code execution in PHP applications.

In this article, we examine a group of packers based on the Nullsoft Scriptable Install System (NSIS) and describe an approach for creating a tool that lets us obtain unpacked samples automatically.

We identified two new archetypes for bypassing AWS CloudTrail through certain non-production endpoints with API actions that access account-level information and through API calls which generate multiple events in CloudTrail.

This post walks through the process of configuring Ghidra to automatically download symbols from well known public symbol servers for several types of binaries.

There is a second order command injection in FortiSIEM when certain parameters to datastore.py are sent. This blog will cover the CVE-2024-23108 which allows remote, unauthenticated command execution as root.

Eclipse ThreadX is an advanced embedded development suite including a small but powerful operating system that provides reliable, ultra-fast performance for resource-constrained devices. I identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution.

This research consist of three parts covering different areas namely developing a custom RPC client, reverse engineering and a bit of cryptography. This first part explains intricate parts of Remote Procedure Calls (RPC) in Windows environments and how to develop a custom client.

We will detail a vulnerability in the Replicate AI platform. Exploitation of this vulnerability would have allowed unauthorized access to the AI prompts and results of all Replicate's platform customers.

In this post, I'll walk you through my journey of reversing the Git RCE (CVE-2024-32002), from initial discovery to crafting a working exploit.

This article highlights the necessity of setting up and upholding a robust "back-and-restore" strategy as a primary defence mechanism against cyber threats. It becomes much more likely that recovery for ADCS will not be successful, and a complete rebuild will be required.

While CVE-2022-1388 is known to be used by various threat actors, post exploitation scenarios were not well documented. This article illustrates an MITM attack setup on the F5 appliance eventually leading to a full compromise the whole Windows domain - without performing a single AD attack.

In this post we describe a vulnerability we discovered in the Ivanti LanDesk software and how it can be exploited to achieve local privilege escalation via arbitrary code execution.

mXSS (mutation cross-site scripting) is a security vulnerability that arises from the way HTML is handled. This blog dives into mXSS, providing examples, splitting this big "mXSS" name into subsections, and covering developer mitigation strategies.

I have decided to focus on in-memory obfuscation techniques since my Reflective DLL was target of in-memory scanning tools. The idea is to use a Sacrificial DLL to load my Reflective DLL, stomp it and then restore the original content while sleeping.

This post shares details on the status of prompt injection and automated tool invocation when ChatGPT surfs the Internet.

We analyze glup-debugger-logger, a malicious NPM package published with two obfuscated files that worked together. One worked as a kind of initial dropper and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine.

If the password of the krbtgt account is reset, we could end up in a scenario where the credentials that we have obtained no longer work to decrypt network data. To achieve our ultimate goal of eternal persistence, we need to take a look at how password changes are replicated. In this blog post we cover one aspect of AD's password replication process.

Like many Microsoft customers protecting users from external token theft and AiTM (adversary in the middle) ranks as one of the most top security concerns when it comes to an attacker gaining unauthorized access to cloud data. So I thought it was necessary to do an updated post on Token Protection in Conditional access.

We identified a logic flaw in Jitsi Meet, an open-source video conferencing and messaging platform for secure video conferencing, voice calls, and messaging. This logic flaw leads to the disclosure of the meeting password when a user is invited to the call after waiting in the lobby.

This blog post explores the discipline of Detection Engineering, a way to maximize detection efficacy given the limitations of existing detection systems.

In this post, we'll examine some recent changes in techniques and functionality of a JavaScript-based malware, including new obfuscation techniques and switch from client side to server side redirects. We will also reveal common indicators of compromise and malicious domains to watch out for, and outline how to mitigate risk and protect your website and server from infection.

Setting up a Sliver C2 is not a straight forward process if you want realistic code execution paths despite the slow download speed on these labs. On this blog, i will show you how i managed to solve that problem by combining Sliver C2 staging with the Dotnet Framework.