You haven't mastered a tool until you understand when it should not be used.
Starred Articles
Putting the C2 in C2loudflare
06/28/2024 How to bring up an entire C2 infrastructure with all your tooling and their corresponding redirectors within 5 minutes with the help of Azure Snapshots, Cloudflare and Tmux Resurrect.
In this post, I'll exploit CVE-2024-3833, an object corruption bug in v8, the JavaScript engine of Chrome, that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
This security advisory provides details about a race condition in several OpenSSH versions, leading to remote command execution on Linux servers.
This article covers how to create accounts used as honeypots (or honeytokens) that look like they provide something an attacker wants (access), but ultimately provide something the defender wants (detection). The focus is making honeypot accounts look normal and "real" in Active Directory, and this premise should be somewhat portable to other systems.
New Articles
PgC: Garbage collecting Patchguard away
06/28/2024 In this article we present an approach that does not defeat a specific version of Patchguard, but rather the entire concept of it.
In this writeup, I will cover two unauthenticated RCE vulnerabilities that I discovered in Xerox WorkCenter. Next, I'll provide a checklist for protecting your printers against attacks.
An AWS Administrator Identity Crisis: Part 1
06/28/2024 This is the first part of a series dedicated to answering a simple question: "How many administrators are in your AWS environment? Does it even matter?". In this article we will try to articulate a relevant definition of what an administrator is in an AWS environment.
A Red Teamer's Guide to Wi-Fi Exploits
06/28/2024 This article provides practical commands and tools commonly used in WiFi network pentesting.
Snake&Apple Part 7 - Antivirus
06/28/2024 In this episode, we will learn about another MACF policy -- Quarantine. Together with Gatekeeper and XProtect, it forms an Antivirus Trinity.
We discovered CVE-2024-37032, an easy-to-exploit Remote Code Execution vulnerability in the open-source AI Infrastructure project Ollama.
It's time to explore Protected Management Frames limitations, specifically what PMF does not protect and the implications of these limitations.
Some months ago I exploited a vulnerability in the Lua implementation of Factorio that allowed a malicious server to obtain arbitrary execution on clients. This article is an in-depth explanation of the vulnerability, so that it can be used by others as a reference to understand how these attacks work.
In this series of articles we will explain the mechanics of GitHub Actions by first describing all the components that will then be useful for exploitation. In this first article we explore the mechanics of GitHub Actions, we expose the different elements that are present in a GitHub workflow. Some of them will play a crucial role when it comes to exploitation.
In this article, I'll show you how static websites can be leveraged for phishing during your engagements.
Do a firmware update for your AirPods
06/26/2024 There's a security vulnerability (CVE-2024-27867) in the firmware of Apple AirPods. Anyone who knows the Bluetooth MAC address (which is somewhat public) can connect to your AirPods and listen to the microphone or play music. Even while the AirPods are connected to your phone (although music would stop playing in case somebody turns on the microphone).
In this blog, we will explore how to create memory dumps using LiME (Linux Memory Extractor) and how to begin the analysis process using the Volatility framework.
This blog post explores insights from recent attacks we've observed using help desk social engineering as the infiltration tactic, and identifies steps organizations can take to defend themselves against these attacks.
In this short blog post we provide three detections to detect MMC abuse, based on behavioral patterns. These detections can be used directly in an out-of-the-box configuration of Microsoft Defender for Endpoint (MDE).
Detecting stealth rootkits on Linux can be done from the command line. The secret is to ask the same question multiple ways to make sure all answers agree. If they don't all agree, something is likely hiding from you.
Logsign runs as a Python-based web server. Users have the ability to interact with the web server through a variety of APIs. This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests.
In this blog post, we will work on Microsoft Defender Antivirus signatures. More specifically, we focus on: the signature database, the loading process of the signatures, the types and layout of different signatures, and a detailed discussion of two signature types - PEHSTR and PEHSTR_EXT.
This post examines CVE-2024-27292 in Docassemble, revealing an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. It details the vulnerability, its impact, and the exploitation steps.
The Dangers of Transition Mode
07/02/2024 This article explains how transition mode can be leveraged to compromise WPA3 protected WiFi networks.
In this article we detail an attack that has been possible due to a systemic GitHub Actions CI/CD misconfiguration within Puppet Labs' public GitHub repositories. The vulnerability allowed anyone with a GitHub account to obtain the API key Puppet used to push official modules to Puppet Forge.
This blog post will first cover the impact of vulnerabilities we found in Gogs that allow attackers to compromise vulnerable instances. We will then discuss the technical details of one of those vulnerabilities and provide recommendations and patches for users to help them protect their Gogs installations.
This article presents the activities of the FakeBat operators on cybercrime forums, an analysis of previously undocumented campaigns distributing FakeBat, technical details on its distribution campaigns and related C2 infrastructures. Additionally, we share Indicators of Compromise (IoCs), YARA rules and tracking heuristics to monitor the FakeBat distribution and C2 infrastructures.
Like Shooting Phish in a Barrel
07/02/2024 This article deals with the second step of a phishing process: evading malicious link analysis by security link crawlers.
Cryptographic attacks, even more advanced ones, are often made more difficult to understand than they need to be. In this write-up, we lay out in simple terms statistical bias and side-channel attacks, and review the main attacks against RSA.
We uncovered several vulnerabilities in the CocoaPods dependency manager that allow any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications.
You can't always win racing the (key)cloak
07/01/2024 This article focuses on dissecting Keycloak's security mechanisms. We will delve into a technique for fuzzing LDAP servers and deep dive into web race conditions, showcasing two distinct scenarios. Eventually we will present and analyze the root cause of a security issue we found (CVE-2024-1722).
This is a write-up for CVE-2024-29510, a format string vulnerability in Ghostscript. We show how this can be exploited to bypass the -dSAFER sandbox and gain code execution.
We detail how to install and use BlueToolkit, an extensible Bluetooth Classic vulnerability automated testing framework designed to uncover both new and old vulnerabilities in Bluetooth-enabled devices.
This blog post briefly introduces the basics of Client-Side Path Traversal, presenting sources and sinks for Cross-Site Request Forgery.
This is the first instalment of a series of blog articles that delve into the modern techniques and security controls surrounding password spraying. In this article, we will review the basics and the key features of Smart Lockout.
angr for real-world use cases
06/30/2024 This blog shows how we can easily extend angr to show what's going on. I'm sharing code snippets for code-coverage visualization in real-time, per-state trace visualization and other niceties like bringing support for debug symbols for Windows targets.
Deconstructing Logon Session Enumeration
06/22/2024 The goal of this blog post is to provide the community with a bit more information about how to implement test cases for logon session enumeration, what preventative controls might be, and how this process can be applied to other techniques.
In this article we investigate a trojaned version of jQuery, providing technical details and analysis of its propagation through the ecosystem.
This blog briefly introduces the danger in having Kerberos Unconstrained Delegation configured in the environment.
In this blog post, I'm going to talk about the fuzzing of two very different regular expression libraries. For each, I'll detail how I went about designing fuzzers for these targets, the usage of the fuzzers against these targets, the analysis and reporting of the bugs, and the maintenance of the fuzzers as automated regression testing tools.
In this article, we will see how we can simulate a ransomware attack with Atomic Red Team, using the Akira ransomware as the example. The purpose is to ensure that all the tools deployed in our SOC work as expected and to measure our detection and prevention rate.
Still Recent
Emulation with Qiling
05/09/2024 In this Labs post, we are going to look into Qiling and how it can be used to emulate an HTTP server binary from a router. The target chosen for this research was the NEXXT Polaris 150 travel router.
We identified some discrepancies between new Medusa samples and the previously known ones, including a lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications.
Oldies but Goodies
Exploiting XPath Injection Weaknesses
11/30/2023 In this blog, we delve into the depths of XPath Injection, examining its risks and consequences. Discover innovative techniques used to manipulate XPath queries and gain valuable insights.
Bypassing Intel CET with Counterfeit Objects
09/22/2022 In this blog, we'll briefly cover how Control Flow Integrity (CFI) mitigations work, including CET, to block ROP attacks. We will then see how we can leverage COOP to effectively bypass Intel CET on the latest Windows releases.
Let's build a Chrome extension that steals as much data as possible. I'm talking kitchen sink, whole enchilada, Grinch-plundering-Whoville levels of data theft.
Unearthed Arcana
In this article, we'll consider various types of cryptographic attacks, with a focus on the attacks' underlying principles.