And to those wanna-be's out there who like the label of 'HACKER' being tacked onto them, grow up, would ya?
Starred Articles
An Introduction to Chrome Exploitation
06/05/2024 - I intended to write a simple note on the Maglev compiler and how to adjust V8 shellcode from Linux to Windows. But as I started, the project grew unexpectedly. I found myself diving into some prerequisites like the V8 pipeline and a root cause analysis of CVE-2023-4069, the bug we are about to explore.
Lateral Movement with the .NET Profiler
06/11/2024 - In this article, I detail how Microsoft's .NET profiling API can be leveraged as a code execution primitive to load a DLL into an arbitrary .NET process. As it relies on 3 environment variables that can be set system wide, this means that this also works as a form of persistence. Whenever a .NET process executes, it will load the specified DLL.
We've developed a new hybrid machine learning (ML) model exploitation technique called Sleepy Pickle that takes advantage of the pervasive and notoriously insecure Pickle file format. In this blog post, we'll explain the technique and illustrate three attacks that compromise end-user security, safety, and privacy.
In this second part, we show how an attack that uses malicious pickle files to stealthily compromise ML models can be adapted to enable long-lasting presence on compromised systems while remaining undetected.
The DJB2 algorithm, although simple, provides a robust means of obfuscating and resolving API function names, making detection and analysis more challenging. This blog delves into the techniques used in these frameworks and how defenders can disrupt such shellcode.
New Articles
In this article, we will focus on one of the most popular libraries in use, jQuery. We will go over the basics of how it works and explain some of the most common vulnerabilities discovered over the years.
We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device.
No Way, PHP Strikes Again! (CVE-2024-4577)
06/07/2024 - We investigate a vulnerability that affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences.
A vulnerability in the Linux kernel allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Mimikatz Comprehensive Guide
06/07/2024 - This article aims to demystify the Mimikatz tool by providing a thorough exploration of its functionalities, practical applications, and the underlying principles that make it effective.
In this article I demonstrate a software attack that allows an operating system to set the PCRs of a discrete TPM device to arbitrary values and unseal any secret that uses a PCR based sealing policy (such as disk encryption keys used by unattended unlock TPM FDE schemes).
This article provides a technical analysis of a recent DarkGate variant, which noticeably switched from AutoIT to AutoHotKey.
We analyze a cryptojacking attack campaign exploiting exposed Docker remote API servers to deploy cryptocurrency miners, using Docker images from the open-source Commando project.
We discovered a remote code execution vulnerability in PHP, relying on the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.
Compilers can suddenly and silently introduce implementation vulnerabilities in yesterday's secure code. We discovered an instance of this problem in the popular ML-KEM (Kyber) reference implementation. In this article, we investigate the issue in detail, and take a deep-dive into its root cause, as well as explaining how the problem was resolved.
We found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module.
Forensic Applications of Microsoft Recall
06/05/2024 - Recall can provide fine-grained evidence of execution or persistence. It also provides the investigator the same Desktop view that the end user had at a particular point in time. Here is an overview of how we tested Recall for its forensic investigation capabilities and a look at the results.
In organizations using AWS Identity Center for managing users, we expect that blocking a compromised user would be straightforward. However, the reality is quite different, and blocking a compromised Identity Center user is more challenging than it should be.
Any good incident response plan should include tool preparation. One of those tools is WinFE for forensic imaging and system investigations. In this article, we will learn how to build a WinFE ISO.
Working With UAC
06/04/2024 - UAC is a module-driven tool for collecting artifacts from Unix-like systems (including Macs). In this article I will detail how to modify UAC to add new artifacts for your own purposes.
One Phish Two Phish, Red Teams Spew Phish
06/04/2024 - In this article, we will review the techniques to give your phishing domain a reputation boost.
This article series attempts to dissect the terms we throw around when talking about PIM. In this first part, we break down confusing terminology and hopefully make it easier to understand.
Supply Chain Attacks: A New Era
06/10/2024 - Supply chain attacks are becoming increasingly popular in Web3. In response, Lavamoat has emerged as a robust defence mechanism against supply chain attacks, offering sophisticated isolation and access control features. In this article, we will explore how each component of Lavamoat works, and dive into the various bypasses we reported.
In this blog post, I will go step by step into how to track a variable allocation, its data type and its respective kmalloc cache. For this analysis we will try to infer the kernel cache for each kernel object.
In this article, I present how to leverage forensic tools to dump the NTDS database without being detected by an EDR.
This report details an intrusion that began with a spam campaign, distributing a forked IcedID loader. After setting up tools and moving across the infrastructure ALPHV ransomware was deployed across all domain joined Windows systems.
This is a full analysis and exploit for CVE-2024-29849, a Veeam authentication bypass vulnerability.
Progressive Web Apps (PWAs) Phishing
06/11/2024 - Progressive Web Apps or PWAs are applications that are built using web technologies that can be installed and behave similarly to native applications. The issue with PWAs is that manipulating the UI for phishing purposes is possible as we'll explore in this blog.
Hands On with Chip Off Non-Volatile Memory
06/11/2024 - This article is a deep dive into desoldering Non-Volatile storage chips. By the end of the blog, we should cover the removal and reinstallation of a physical memory chip from a broken USB storage device to a new donor module.
Deep diving into F5 Secure Vault
06/04/2024 - This article gives more details about the internal mechanisms of the F5 Secure Vault and how we can decrypt encrypted values.
Introducing Sigma Correlations
06/11/2024 - This article explains the concepts of Sigma rules correlation illustrated with some basic examples.
Dipping into Danger: The WARMCOOKIE backdoor
06/12/2024 - We observed a wave of email campaigns in late April targeting environments by deploying a new backdoor we're calling WARMCOOKIE based on data sent through the HTTP cookie parameter. This post will review an observed campaign and this new malware's functionality.
In this post we'll be exploring how Gh0st and Pantegana are detected and leveraged by threat actors to attack networks. We will also check up on the infrastructure of both families. Finally, our analysis will examine customized Pantegana certificates, likely used to evade researchers and network scanners.
In this post I detail how I turned a 0-day I found in the latest tenda.com firmware for the Ac8v4 router into an RCE.
In this post, I wanted to briefly explore ETW patching and a practical approach to observing this activity. Local patching is much more common than remote patching, and identifying the actual patch locally is extremely difficult. However, detecting changes in the protection masks for the memory region where the patch will take place remains a good indicator.
Fly Phishing: How to Bypass SPAM Filters
06/12/2024 - Modern Secure Email Gateways (SEGs) tend to rely heavily on machine learning to filter messages based on content. We take the evasion process to the next level by using obfuscation techniques, paired with testing to provide a feedback loop that can help us identify categorical bypasses for our target SEG.
An SQL injection resulting in remote code execution was found on Ivanti Endpoint Manager. In this post we will detail the internal workings of this vulnerability.
Still Recent
SolarMarker: Hunt Insights and Findings
05/30/2024 - In this blog post, we will explore SolarMarker's infrastructure, uncovering key IP addresses, domains, and server configurations associated with the malware. This analysis reveals intriguing patterns, such as the reuse of IP addresses and SSH keys by different threat actors and the strategic use of various hosting providers.
Javascript Web Security
05/30/2024 - This narrative demonstrates the importance of good security practices in web development by identifying different vulnerabilities commonly found in web application JavaScript code.
JA4T: TCP Fingerprinting
04/23/2024 - JA4 tools provide the ability to fingerprint client and server operating systems, devices, particular applications, hosting characteristics, and even if a connection is going through a tunnel, VPN, or proxy. If built into a WAF, firewall, or load balancer, it becomes possible to block malicious traffic.
Java (JSP) - Bring Your Own Jar
05/21/2024 - On this page, we will explore how to reflectively load a class from a Java library and call its main method. In a red team context, this can be used to stage additional Java code without touching disk.
We identified a binary in the wild, identified as an information stealer: "SamsStealer". With its stealthy operation and comprehensive data exfiltration capabilities, the stealer poses a significant threat to users' privacy and security. This article provides technical analysis of the stealer, as well as the related IOCs and Yara rules.
Old new email attacks
05/23/2024 - This post details different techniques that can be used to perform efficient email spoofing.
Oldies but Goodies
Extracting Firmware: Every Method Explained
01/02/2024 - The first step in finding vulnerabilities in some kind of IoT device is getting its firmware. There is no longer a one-size-fits-all solution, and we have several ways of getting firmware, ranging from very easy to very hard.
JA4+ Network Fingerprinting
09/26/2023 - In this blog I go over the new JA4+ network fingerprinting methods and examples of what they can detect.
This post details an old Windows kernel vulnerability. This vulnerability is interesting for three reasons: it's a tweetable vulnerability, it gave a write-arbitrary-data-to-arbitrary-address primitive, and it has an amusing story associated with it.
Going Native - Malicious Native Applications
02/23/2024 - Because NtAPI is the lowest interaction possible in the Windows operating system before transitioning to kernel space, directly interacting with NtAPI can have interesting results. By accessing the NtAPI we have significantly more flexibility when crafting malicious inputs, can bypass hooks and checks on WinAPI functions, and can thereby develop some techniques that bypass some end-user protections.
Unearthed Arcana
WinDbg - the Fun Way: Part 1
05/24/2020 - WinDbg added support for a new debugger data model, a change that completely changed the way we can use WinDbg. In this first post we will learn the basics of how to use this new data model - using custom and new built-in registers, iterating over objects, searching, filtering and customizing them with anonymous types. And finally we will learn how to parse arrays and lists in a much nicer and easier way.
We decided to go after something big: fuzzing the Windows kernel. As an added bonus, we can take our user-space bugs and use them together with any kernel bugs we find to create a full chain - because RCEs without a sandbox escape/privilege escalation are pretty much worthless nowadays.