Security Review #215

July 05, 2024

You haven't mastered a tool until you understand when it should not be used.

— Kelsey Hightower

Starred Articles

Putting the C2 in C2loudflare

How to bring up an entire C2 infrastructure, with all your tooling and its corresponding redirectors, within 5 minutes with the help of Azure Snapshots, Cloudflare and Tmux Resurrect.

The Art of the Honeypot Account: Making the Unusual Look Normal

This article covers how to create accounts used as honeypots (or honeytokens) that look like they provide something an attacker wants (access), but ultimately provide something the defender wants (detection). The focus is making honeypot accounts look normal and "real" in Active Directory, and this premise should be somewhat portable to other systems.

New Articles

PgC: Garbage collecting Patchguard away

In this article we present an approach that does not defeat a specific version of Patchguard, but rather the concept itself.

Inside Xerox WorkCentre: Two Unauthenticated RCEs

In this writeup, I will cover two unauthenticated RCE vulnerabilities that I discovered in Xerox WorkCentre. Next, I'll provide a checklist for protecting your printers against attacks.

An AWS Administrator Identity Crisis: Part 1

This is the first part of a series dedicated to answering a simple question: "How many administrators are in your AWS environment? Does it even matter?". In this article we try to articulate a relevant definition of what an administrator is in an AWS environment.

A Red Teamer's Guide to Wi-Fi Exploits

This article provides practical commands and tools commonly used in WiFi network pentesting.

Snake&Apple Part 7 - Antivirus

In this episode, we will learn about another MACF policy -- Quarantine. Together with Gatekeeper and XProtect, it forms an Antivirus Trinity.

Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws

Some months ago I exploited a vulnerability in the Lua implementation of Factorio that allowed a malicious server to obtain arbitrary execution on clients. This article is an in-depth explanation of the vulnerability, so that it can be used by others as a reference to understand how these attacks work.

GitHub Actions exploitation - Part 1: introduction

In this series of articles we explain the mechanics of GitHub Actions, first describing all the components that will later be useful for exploitation. In this first article we explore the mechanics of GitHub Actions and expose the different elements present in a GitHub workflow. Some of them will play a crucial role when it comes to exploitation.

Do a firmware update for your AirPods

There's a security vulnerability (CVE-2024-27867) in the firmware of Apple AirPods. Anyone who knows the Bluetooth MAC address (which is somewhat public) can connect to your AirPods and listen to the microphone or play music, even while the AirPods are connected to your phone (although music would stop playing if somebody turns on the microphone).

Creating memory dumps using LiME and using volatility framework

In this blog, we explore how to create memory dumps using LiME (Linux Memory Extractor) and how to begin the analysis process using the Volatility framework.

Dissecting Real World Help Desk Social Engineering Attacks

This blog post explores insights from recent attacks we've observed using help desk social engineering as the infiltration tactic, and identifies steps organizations can take to defend themselves against these attacks.

Detecting MMC abuse using "GrimResource" with MDE

In this short blog post we provide three behaviour-based detections for MMC abuse. These detections can be used directly in an out-of-the-box configuration of Microsoft Defender for Endpoint (MDE).

Detecting Linux Stealth Rootkits with Directory Link Errors

Detecting stealth rootkits on Linux can be done from the command line. The secret is to ask the same question multiple ways to make sure all answers agree. If they don't all agree, something is likely hiding from you.
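One concrete instance of "asking the same question multiple ways", added here as an example and not code from the article: on filesystems that maintain directory link counts (ext4, xfs and others), a directory's st_nlink is 2 (its own "." plus the entry in its parent) plus one ".." link from each child directory. If readdir() shows fewer subdirectories than the link count implies, an entry is being hidden from directory listings. The sample paths and counts below are constructed for illustration; the nlink == 1 case covers filesystems such as btrfs and overlayfs that do not track this count, where the check is inconclusive rather than a finding.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed sample data (not from the article): st_nlink of a directory
# paired with the number of subdirectories an ordinary readdir() returned.
SAMPLE_DIRECTORIES = {
    "/usr/lib/clean":  {"nlink": 5, "visible_subdirs": 3},  # 2 + 3 == 5, consistent
    "/usr/lib/hidden": {"nlink": 6, "visible_subdirs": 3},  # 2 + 3 != 6, one entry hidden
    "/mnt/btrfs":      {"nlink": 1, "visible_subdirs": 7},  # nlink==1, fs does not track it
}


def expected_hidden_subdirs(nlink: int, visible_subdirs: int) -> Optional[int]:
    """Compare two answers to 'how many subdirectories are here?'.

    Returns the number of subdirectories the link count implies but the
    listing did not show (positive means something is hidden, 0 means the
    two answers agree). Returns None when the filesystem reports nlink < 2,
    which means it does not maintain directory link counts and this
    particular cross-check cannot be applied.
    """
    if nlink < 2:
        return None
    return nlink - 2 - visible_subdirs


def audit_path(path: str) -> Optional[int]:
    """Run the cross-check against a real directory on this host.

    Uses lstat() for the link count and scandir() for the visible listing.
    A rootkit that hooks both system calls consistently would defeat this
    single check, which is why the article's advice is to combine several
    independent views rather than trust any one of them.
    """
    nlink = os.lstat(path).st_nlink
    visible = 0
    with os.scandir(path) as entries:
        for entry in entries:
            # Symlinks to directories do not add a '..' link, so exclude them.
            if entry.is_dir(follow_symlinks=False):
                visible += 1
    return expected_hidden_subdirs(nlink, visible)


def audit_samples() -> Dict[str, Optional[int]]:
    """Apply the check to the constructed sample data."""
    return {
        path: expected_hidden_subdirs(info["nlink"], info["visible_subdirs"])
        for path, info in SAMPLE_DIRECTORIES.items()
    }


def demo_tempdir() -> Optional[int]:
    """Create a fresh directory with three subdirectories and audit it.

    On a filesystem that tracks link counts this returns 0; on one that does
    not (nlink == 1) it returns None. Anything positive would mean entries
    are being hidden from scandir() on this host.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(tmp, name))
        return audit_path(tmp)


if __name__ == "__main__":
    for path, hidden in audit_samples().items():
        if hidden is None:
            print(f"{path}: link count not maintained, check inconclusive")
        elif hidden > 0:
            print(f"{path}: {hidden} subdirectory(ies) hidden from listing")
        else:
            print(f"{path}: consistent")
    print("temp dir on this host:", demo_tempdir())
```

Run it as root against directories rootkits favour (/usr/lib, /lib/modules, /etc, /tmp) and treat any positive result as a lead to confirm with an independent view, for example a listing taken from a rescue boot or a raw read of the block device, since a rootkit that hooks both stat() and getdents() consistently will make the two answers agree.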

Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform

Logsign runs as a Python-based web server. Users have the ability to interact with the web server through a variety of APIs. This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests.

An unexpected journey into Microsoft Defender's signature World

In this blog post, we work on Microsoft Defender Antivirus signatures. More specifically we focus on the signature database, the loading process of the signatures, the types and layout of different signatures, and a detailed discussion of two signature types, PEHSTR and PEHSTR_EXT.

CVE-2024-27292: docAssembling exploits for RCE

This post examines CVE-2024-27292 in Docassemble, revealing an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. It details the vulnerability, its impact, and the exploitation steps.

The Dangers of Transition Mode

This article explains how transition mode can be leveraged to compromise WPA3 protected WiFi networks.

RoguePuppet - A Critical Puppet Forge Supply Chain Vulnerability

In this article we detail an attack made possible by a systemic GitHub Actions CI/CD misconfiguration within Puppet Labs' public GitHub repositories. The vulnerability allowed anyone with a GitHub account to obtain the API key Puppet used to push official modules to Puppet Forge.

Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs - Part 1

This blog post will first cover the impact of vulnerabilities we found in Gogs that allow attackers to compromise vulnerable instances. We will then discuss the technical details of one of those vulnerabilities and provide recommendations and patches for users to help them protect their Gogs installations.

Exposing FakeBat loader: distribution methods and adversary infrastructure

This article presents the activities of the FakeBat operators on cybercrime forums, an analysis of previously undocumented campaigns distributing FakeBat, technical details on its distribution campaigns and related C2 infrastructures. Additionally, we share Indicators of Compromise (IoCs), YARA rules and tracking heuristics to monitor the FakeBat distribution and C2 infrastructures.

Like Shooting Phish in a Barrel

This article deals with the second step of a phishing process: evading malicious link analysis by security link crawlers.

Modern Cryptographic Attacks: A Guide for the Perplexed

Cryptographic attacks, even more advanced ones, are often made more difficult to understand than they need to be. In this write-up, we lay out in simple terms statistical bias and side-channel attacks, and review the main attacks against RSA.

You can't always win racing the (key)cloak

This article focuses on dissecting Keycloak's security mechanisms. We delve into a technique for fuzzing LDAP servers and deep dive into web race conditions, showcasing two distinct scenarios. Finally we present and analyze the root cause of a security issue we found (CVE-2024-1722).

Uncover Bluetooth Vulnerabilities with BlueToolkit

We detail how to install and use BlueToolkit, an extensible Bluetooth Classic vulnerability automated testing framework designed to uncover both new and old vulnerabilities in Bluetooth-enabled devices.

angr for real-world use cases

This blog shows how we can easily extend angr to show what's going on. I'm sharing code snippets for code-coverage visualization in real-time, per-state trace visualization and other niceties like bringing support for debug symbols for Windows targets.

Deconstructing Logon Session Enumeration

The goal of this blog post is to provide the community with a bit more information about how to implement test cases for logon session enumeration, what preventative controls might be, and how this process can be applied to other techniques.

Ring Around The Regex: Lessons learned from fuzzing regex libraries - Part 1

In this blog post, I'm going to talk about the fuzzing of two very different regular expression libraries. For each, I'll detail how I went about designing fuzzers for these targets, the usage of the fuzzers against these targets, the analysis and reporting of the bugs, and the maintenance of the fuzzers as automated regression testing tools.

Simulating an Akira Ransomware Attack with Atomic Red Team

In this article, we see how to simulate a ransomware attack with Atomic Red Team, using the Akira ransomware as the example. The purpose is to ensure that all the tools deployed in our SOC work as expected and to measure our detection and prevention rate.

Still Recent

Emulation with Qiling

In this Labs post, we look into Qiling and how it can be used to emulate an HTTP server binary from a router. The target chosen for this research was the NEXXT Polaris 150 travel router.

Medusa Reborn: A New Compact Variant Discovered

We identified some discrepancies between new Medusa samples and the previously known ones, including a lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications.

Oldies but Goodies

Exploiting XPath Injection Weaknesses

In this blog, we delve into the depths of XPath Injection, examining its risks and consequences. Discover innovative techniques used to manipulate XPath queries and gain valuable insights.

Bypassing Intel CET with Counterfeit Objects

In this blog, we'll briefly cover how Control Flow Integrity (CFI) mitigations work, including CET, to block ROP attacks. We will then see how we can leverage COOP to effectively bypass Intel CET on the latest Windows releases.

Unearthed Arcana

Cryptographic Attacks: A Guide for the Perplexed

In this article, we'll consider various types of cryptographic attacks, with a focus on the attacks' underlying principles.