Starred Articles
We have uncovered a new infection technique leveraging MSC files, which we refer to as GrimResource. It allows attackers to gain full code execution in the context of mmc.exe after a user clicks on a specially crafted MSC file.
In this blog, we'll cover the details of a newly discovered type of generative AI jailbreak attack that we call Skeleton Key. This technique works by using a multi-turn (or multi-step) strategy to cause a model to ignore its guardrails. Once guardrails are ignored, a model will not be able to distinguish malicious or unsanctioned requests from any other.
A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC's DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services.
We have created a new technique for detecting process injection by analyzing network anomalies. Our methodology relies on observing the network behavior of a process, which makes it more difficult for a threat to remain undetected. We provide an example of this methodology in action from a real incident that was discovered to have ties to the WannaMine cryptojacking campaign.
New Articles
Assessing CVE-2024-25065: Apache OFBiz Security bypass leads to Unauthorized Access/Actions
06/19/2024
CVE-2024-25065 is a vulnerability that exists in Apache OFBiz. It is a path traversal vulnerability that allows authentication bypass through the contextPath variable within the hasBasePermission() method.
We found a vulnerability that exploits the nuances of the OAuth protocol and iOS's handling of Custom URL Schemes and Safari browser sessions to steal OAuth Authentication Codes from vulnerable OAuth implementations, thereby allowing an attacker to gain access to a victim's account.
This blog delves into a chilling demonstration of how a signed rootkit can leverage the PsSetCreateProcessNotifyRoutine function to cripple EDR processes. By registering a custom callback, this rootkit effectively blindsides security defenses, preventing critical EDR processes from starting and leaving the system vulnerable to undetected malicious activities.
In this post, we will dig into NetCloud, the 4G Cradlepoint router cloud management platform. I'll show you how to poke at the TLS-encrypted communications and how I found an RCE bug in NetCloud by analyzing network traffic.
In this blog post, we'll describe how unsafe deserialization vulnerabilities work and how an attacker can execute arbitrary commands on a remote server just by sending JSON. We will also review how these vulnerabilities can be detected in Ruby projects.
FSEvents is a macOS-specific API that enables applications to receive notifications about changes to the file system. From a forensic perspective, FSEvents can tell a story about changes the file system undergoes and reveal artifacts that can be leveraged when validating other artifacts.
When it comes to DFIR, there are obviously many artifacts to look at. You may even find an item of interest or "pivot point" in multiple artifacts. But is there an artifact or log that will have observed files, hashes, timestamps, full paths, and potentially even signatures? Enter Windows Defender MP (Microsoft Protection) logs.
Examining Session Desktop Attachments
06/18/2024
In this article, we investigate how the Session Desktop messaging software for computer operating systems encrypts attachments that are stored locally.
Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more
06/18/2024
In this second part of the series, we will expand on the I/O system and IRPs. In particular, we will discuss other aspects of the I/O system such as IOCTLs, device stacks and I/O stack locations, as all are critical components of I/O operations.
We discovered a new remote access trojan (RAT) dubbed SpiceRAT and identified two infection chains used to deliver the malware utilizing LNK and HTA files as the initial attack vectors. This article provides technical details of the malware as well as the two identified infection chains.
In this post, we explore a campaign we've witnessed in the wild across several AWS environments. Specifically, we will be reporting on attacker techniques that we've noticed from a cluster of malicious IP addresses targeting AWS Secrets Manager, AWS S3 and AWS S3 Glacier.
In this article, I will cover the importance of detecting unauthorized changes to auditd rules and configurations. I'll introduce methods and tools, including auditd rules and Splunk queries, that can help identify these changes and ensure the reliability of your audit logs.
We observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target. This article summarizes the details of this campaign, roughly dividing the attack chain into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload.
Where we track a SolarWinds Serv-U vulnerability with a new honeypot, including tricking a human attacker into making mistakes.
Attack Paths Into VMs in the Cloud
06/18/2024
This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. This research focuses on VM services offered by three major cloud service providers (CSPs): Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP).
This blog post discusses how to enhance PHP security using the disable_functions directive, which prevents specific PHP functions from being executed. We further explore webshell detection techniques.
This blog post outlines a method for monitoring changes to files and directories in Linux using path units. This setup might be particularly useful for detecting unauthorized access in environments where installing EDR solutions is not feasible.
Protected Management Frames (PMF) enhance the security of management frames by protecting them from tampering and unauthorised replay attacks. PMF achieves this by adding a Message Integrity Check (MIC) information element to the frames sent from the AP.
Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions and processor architectures. In this article, we provide technical details of a new Diamorphine variant undetected in the wild.
Monitoring Android file system with fsmon
06/24/2024
fsmon is a powerful tool for anyone interested in Android security. Its ability to monitor file system events in real-time can provide valuable insights into the workings of an application and help identify potential security vulnerabilities.
In this post, we'll review some of the major features that have been added to the codebase as well as some examples on how to set the fuzzer up for fuzzing.
In this post, I'll describe the steps taken to identify the hashing algorithm used by Apache Shiro 1 and how I created a Hashcat module capable of cracking it. This will guide you through the process of creating a custom module to effectively crack these hashes.
In this post, we'll describe some basics of Bluetooth Low Energy and advertising, and introduce CVE-2023-24871, an integer overflow vulnerability in the Bluetooth Low Energy library in Windows.
CVE-2023-24871 - Part 2: RCE
06/23/2024
In this second post we'll discuss how the integer overflow can be used as an RCE vector. Three different modules use the vulnerable function to parse advertisement data received from remote devices, so there's a lot of ground to cover. Let's get started.
CVE-2023-24871 - Part 3: LPE
06/23/2024
The path to LPE using CVE-2023-24871 is much simpler than the paths leading to RCE, as there's only a single module that's affected. This is a pretty classic LPE case on Windows - a privileged service runs an RPC server that unprivileged applications can connect to. Data sent from the unprivileged client can trigger a vulnerability on the server, and a wild LPE manifests.
CVE-2023-23388
06/23/2024
This post will give a brief description of CVE-2023-23388, a local privilege escalation vulnerability in the Windows Bluetooth Low Energy library. The bug is a very classic one: input data is not validated properly, which gives an attacker an opportunity to wreak havoc.
This article details a cache poisoning vulnerability in the Next.js package leading to a potential Denial of Service.
Compromising MSSQL Databases by Relaying
06/24/2024
Even though there are multiple attacks targeting MSSQL databases, relaying is one of the most effective ones. We'll explore the nuances of relaying attacks on MSSQL servers in this blog post. We'll investigate the workings of these attacks, and show how they might affect the systems they are aimed against. We'll also touch on the defensive side of things with some remediation ideas.
Ultimate Guide to Prototype Pollution
06/24/2024
In this article, we'll delve into the details of Prototype Pollution, a JavaScript vulnerability where it's possible for an attacker to control unexpected variables in JavaScript, which on the client-side can lead to Cross-Site Scripting, and on the server-side lead to Remote Code Execution.
Attacking Golang
06/24/2024
Golang is a statically typed, compiled programming language designed at Google. It is known for its simplicity, efficiency, and strong performance. However, like any programming language, improper coding practices in Go can lead to security vulnerabilities. This article explores common security issues and how to mitigate them in Go.
plORMbing your Django ORM
06/24/2024
In this article series we will introduce you to the vulnerability class that we will call ORM Leaks, where an insecure use of an ORM that does not validate user inputs beforehand could result in leaking out sensitive data. This first part focuses on the Django ORM and how a relational filtering attack could be used to leak out sensitive data.
TURPENTINE: CVE-2024-27815
06/19/2024
This article details the root cause and provides a proof-of-concept for CVE-2024-27815, a buffer overflow in the XNU kernel.
In this blog post, we will explore how to exploit Cloud Build to escalate privileges and achieve lateral movement in a GCP cloud environment.
Discovery of two vulnerabilities (CVE-2024-34065) in Strapi, an open source content management system. In this post we explain how these vulnerabilities, if chained together, allow authentication to be bypassed.
In this tutorial, we will walk through the process of setting up the Rust toolchain, creating a simple Rust program, and exploring how to reverse-engineer it. By the end, you'll have a basic understanding of how to build Rust applications and analyze their binaries.
Authentication Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)
06/25/2024
This blog post is everything - a beautiful vulnerability and a masterclass in fun exploitation chains - about CVE-2024-5806, an authentication bypass vulnerability in MOVEit Transfer.
In this article, we will go over how to identify IDOR vulnerabilities and how you can exploit them. We will also be covering some advanced cases.
We identified an adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
In this blog post we detail how we created a PoC for CVE-2024-34102, a deserialization vulnerability in Magento, based on the publicly provided patches and hotfix.
Access cards - those little plastic rectangles that grant us entry to buildings, parking lots, and secure areas. But what if I told you that these cards can be cloned, and even emulated? Enter the Proxmark3, a powerful tool that opens doors (literally) to the world of RFID hacking.
This post describes how I typically approach an AWS segmentation test and builds a methodology from which one could operate.
The Chromium Embedded Framework (CEF) is an open-source framework that allows developers to embed the Chromium engine in their applications. In this article, we will use the Steam Client Browser (a CEF-based application) as an example to present the vulnerabilities we found and how we exploited them to build three Remote Code Execution (RCE) chains.
This article details several vulnerabilities found in Sharp multi-function printers, from local file inclusion to full remote command execution.
Cobalt Strike's reach has expanded with Golang implementations known as Geacon and Geacon_Pro. In this post, we will explore the infrastructure linked to Geacon_Pro and provide insights from a few open directories, shedding light on their operations and the threat they pose to Linux and Windows users.
In this blog, we'll be looking at how you can easily fuzz scripting languages, whether it be PHP, Perl, Ruby, Python, or even Lisp, using fuzzing software traditionally built for binaries. We'll also look at some interesting bug classes which can be caught this way.
This article delves into common API vulnerabilities, drawing from the OWASP API Security Top 10 and beyond, to help you identify and mitigate weaknesses during API testing.
The Abuse of Exception Handlers
06/26/2024
The idea behind this post is to show a different approach used by some malware families to achieve their goals in a way that requires the analyst to spend some time flowing through the code to understand what is happening.
Still Recent
Reverse Engineering The Unicorn
06/05/2024
While reversing a device, we stumbled across an interesting binary named unicorn. The binary appeared to be a developer utility potentially related to the Augentix SoC SDK. The unicorn binary is only executed when the device is set to developer mode. However, we were interested in the consequences of a device that could have been misconfigured.
In this blog post we show how multiple low-hanging fruit vulnerabilities in KakaoTalk's Android app can lead to the disclosure of users' messages. We will cover different topics ranging from Android AppSec to Web Security.
The following article concerns one of the many issues of missing documentation and logging in AWS CloudTrail. Some will say that it is not a security matter and, therefore, it is not a problem, and there will be others for whom it is an issue.
Employing the Linux Audit Daemon is vital for production systems as it records a log of system events. In this first part of the series, I will detail a singular, efficient Splunk query that can detect whether the auditd daemon has been stopped, regardless of the method used.
Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the BadSpace backdoor. What is this new threat capable of, and how is it eerily similar to a warm cookie?
Time-based SQL injection involves inserting a payload that delays the server response by a specific time, allowing attackers to infer database behavior based on response times. This article provides different techniques and optimizations for this kind of attack.
This article details how we managed to add support for this specific architecture into Unicorn Engine, the various challenges we faced and how we successfully used this work to emulate and analyze a specific function.
Active Directory - Certificate Services
06/07/2024
This article reviews the main attack techniques targeting Active Directory Certificate Services and provides exploitation examples.
Oldies but Goodies
NVMe: New Vulnerabilities Made Easy
08/23/2023
This blog post will showcase how we used Static Code Analysis tools to find a Pre-Auth Remote DoS (CVE-2023-0122) caused by a NULL Pointer Dereference in the NVMe driver of the Linux kernel.
This post focuses on the Unified Audit Log, how to use the search tool, and many tips on investigating Microsoft 365 Cloud via Unified Audit Log (UAL).
In this second part of the series, we will enumerate threads and analyze them to find some potential malicious behavior.
Techniques and Tools in LDAP Exploration
01/22/2024
LDAP (Lightweight Directory Access Protocol) exploration involves finding and querying data about organizations and individuals. This article details some techniques and tools for effective LDAP exploration.
This article details how to monitor Windows tokens at regular intervals for lateral movement without the risk of missing user connections.
Unearthed Arcana
AD Recon - AS-REP Roasting Attacks
03/14/2022
In this blog post, we will learn about AS-REP Roasting attacks and how they can be performed both remotely as well as from a foothold on a target host in the domain.
This blog describes how we used an HTTP Request Smuggling vulnerability to simulate exploiting public-facing services, allowing us to harvest Active Directory credentials which we used to sign into Outlook Web Access and set up persistent access.