Failure is central to engineering. Every single calculation that an engineer makes is a failure calculation. Successful engineering is all about understanding how things break or fail.
Starred Articles
Ghost in the PPL Part 1: BYOVDLL
08/09/2024 In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. This first post will detail the Bring Your Own Vulnerable DLL (BYOVDLL) technique that we will use to reintroduce two vulnerabilities, and then exploit them to gain arbitrary code execution within a protected LSASS process.
The "Fake" Potato
08/02/2024 "ShellWindows" DCOM application along with "ShellBrowserWindows", is well-known in the offensive security community for performing lateral movements by instantiating these objects remotely with admin privileges. However, I was curious to understand if they could be abused locally by a standard user.
We found a new GitHub action exploitation technique leveraging the Dependabot GitHub app to compromise some repositories, leading to arbitrary code push. In this article we will explain how we discovered it and illustrate with 2 real world examples.
This article details the "0.0.0.0 Day" vulnerability. This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization's local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.
Google Chrome RCE
08/13/2024 WASM isorecursive canonical type confusion in JS-to-WASM conversion functions and their wrappers, resulting in type confusion between arbitrary WASM types.
This article explains how to leverage a Jenkins file read vulnerability (CVE-2024-23897) to RCE.
New Articles
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. In this paper I'm going to show you how to turn email parsing discrepancies into access control bypasses and even RCE.
In this paper, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface.
This article details a series of discoveries that resulted in the ability to perform actions in Entra ID beyond expected authorization controls. Our most concerning discovery involved the ability to add and remove users from privileged roles, including the most powerful role in Entra ID: Global Administrator.
In this article, I'll trace a threat actor's steps through ransomware deployment, vertical (lateral) movement via AWS Systems Manager (SSM), and privilege escalation through IAM abuse. Forensics artifacts included in this report include Windows Sysmon logs, the Update Sequence Number (USN) Journal, AWS CloudTrail logs, and AWS Systems Manager command history.
In this blog post, we highlight the overlooked threat of VPN post-exploitation; that is, we address techniques that can be used by threat actors after compromising a VPN server to further escalate their intrusion.
An In-Depth Look at DarkAngels Ransomware
08/05/2024 This article provides technical analysis and IoCs for a new ransomware named DarkAngels, that was used in a highly targeted attack.
In this article, I'll provide an overview of how drive-by download works, and then we'll get into the details of FakeBat Loader and what it reveals about the current state of the cybercrime economy. We'll close out with a discussion of how best to combat this type of attack.
How to Inspect TLS Encrypted Traffic
08/07/2024 In this blog post I describe three different methods for decrypting TLS and explain when to use one or the other.
In this blog, we will explore the Cyber Kill Chain framework, outline the Incident Response Process, and discuss the relationship between these two concepts and their importance in a robust cybersecurity strategy.
In this post, we explore how bad actors use fake iOS updates to maintain persistence on compromised devices.
There are things defenders can do to interfere with an attack on ESXi. At minimum, these precautions slow attackers down, and they may even succeed in stopping the attack against ESXi altogether. This article covers ten tactics, with links to source materials and additional information where appropriate.
Securing from Active Directory Attacks
08/06/2024 This blog peels back the layers of AD, revealing its core components and how they empower centralized control. Explore how AD streamlines administration, enhances security, and ensures seamless network operations.
Understanding DLL Sideloading
08/06/2024 In this blog, we'll explore how DLL sideloading works, how to identify vulnerabilities, and methods to protect against these attacks.
Sneaking around with Web Assembly
08/10/2024 In this article, we will demonstrate how to leverage memory and function sharing between WASM and JavaScript to obfuscate malicious payloads.
We identified a network-based provisioning bypass which prevents the iPad from fetching and applying the provisioning profiles. The iPad boots into an unprovisioned mode without restrictions, which can be kept for an arbitrary amount of time. In this state the user is able to install Apps and Root CA certificates which are trusted for TLS communication.
In this article, we provide technical details regarding a phishing campaign that also employs multiple layers of evasion techniques to deploy various malware into an infected environment.
In this write-up, we will be exploring the interesting exploitation that has been done against the pfsense, a FreeBSD-based operating system designed to install and configure a firewall that can be easily configured via the web interface and installed on any PC.
We discovered critical vulnerabilities in six AWS services. In this blog, we thoroughly explain the "Shadow Resource" attack vector, which may lead to resource squatting, and the "Bucket Monopoly" technique that dramatically increases the success rate of an attacker.
This paper will explore how different HTTP servers and proxies behave when parsing specially crafted URLs and explore ambiguities in the RFC that lead to path confusion. It will also introduce a set of novel techniques that can be used to leverage parser discrepancies and achieve arbitrary web cache poisoning and deception in countless websites and CDN providers.
In this article, we take a close look at the first stage of a recent infostealer, specifically at the dropper, which is written in Swift and leverages APIs not seen in other recent stealers to capture and verify the user's password. Many detection methods focus on OSAscript; this malware takes a different approach to evade detection.
Breaking Kakasoft USB Copy Protection
08/05/2024 In this article, I'll walk you through the entire process I used to crack Kakasoft USB Copy Protection, sharing my thought process and detailed steps along the way.
Downgrade Attacks Using Windows Updates
08/07/2024 In this article, I detail how I found several vulnerabilities that I used to develop Windows Downdate, a tool that allowed me to elevate privileges and bypass security features. As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities.
In an attempt to better understand the security implications of cloud administrative assets, the idea of this article is to categorize roles and permissions, based on known attack paths.
In this blog post, we will examine the Quad7 botnet and the infrastructure used to control it in greater detail.
If you like BloodHound & PowerShell, and if you want to automate all the BloodHound things, this post is written for you. I'll be sharing a new tool for all your Dog Whispering needs.
In this article, we present the AS_REP Roasting attack, and the OPSEC considerations associated with it.
Many WordPress plugins use nonces and nothing else to authorize requests. This often has a potential for exploitation to gain privilege escalation. In this article, I elaborate on WordPress security features connected to nonces and AJAX/REST requests and describe three critical vulnerabilities I've found in popular WordPress plugins.
In this blog, I want to discuss how several mistakes I made during a pentest engagement can be avoided by using a collection of different keying variations and mechanisms.
How I found multiple vulnerabilities in ZimaOS and CasaOS due to my keyboard not working.
In this final part of the series, we will discuss remaining application permissions used in older versions of PIM.
In this article, we detail how to decode a Cobalt Strike script with CyberChef and VsCode.
During research on the Vestaboard web platform, we identified three instances of Broken Access Controls: read access to other Vestaboards, ability to update names of other users, and privilege escalation from Admin to Owner.
We investigate how StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations, as well as the impact of this compromise for ISP customers.
Unveiling the Power Duo: osquery and osctrl
08/06/2024 osquery, the SQL-based open-source tool, lets you query your systems like a database, transforming complex system data into actionable insights. Paired with osctrl, a potent orchestration platform, you'll gain real-time control and visibility over your network's security posture.
In this short post we explain how directory traversal can be performed against Golang http.ServeFile.
This post, the second in our series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Google Cloud Platform (GCP): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services.
In this article, I will explain how I expanded the single-packet attack beyond its usual limit by using IP fragmentation and TCP sequence number reordering, and discuss possible ways to utilize it.
Threat Hunting - Suspicious Named pipes
08/12/2024 This article provides common tools and techniques to identify malicious named pipes open on a system. We also provide an example and show how to gather all the necessary details.
Writing a system call tracer using eBPF
08/03/2024 We provide the basics of a program that traces a few common system calls. To achieve this, we'll write two types of programs: eBPF programs and a loader (which loads the BPF objects into the kernel and attaches them).
This post details a defence evasion technique that overcomes a pitfall on Solaris and the BSDs. The technique is extended to Linux with additional anti-forensic behaviours to provide additional stealth, such as removing evidence of LD_PRELOAD.
From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements
08/02/2024 This blog post is about why incident responder artifacts not only play a role on the defensive but also offensive side of cyber security. We will look at some of the usually collected evidences and how they can be valuable to us as red team operators. We will be putting everything together in a proof of concept tool that tries to simplify collecting that information.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at attack paths and privileges which should be considered.
Sleeping With the Phishes
08/13/2024 We provide techniques to guess what communication channels are available for C2 callbacks, and use the same channels to sneak instructions to your implants and outputs back to your C2 server.
We discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This potentially leads to the push of malicious code that can flow to production through the CI/CD pipeline, or to access secrets stored in the GitHub repository and organization.
Too Many Secrets: Proprietary Encryption Protocol Analysis in VStarcam CB73 Security Camera
08/11/2024 This article illustrates that "security through obscurity" is a false assumption when it comes to cryptography.
RCE Attack Chain on Quick Share
08/10/2024 We'll dive into the details behind Quick Share's communication protocol. Then, we will discuss the research process that led to the discovery of 10 vulnerabilities and explain how we were able to chain several of them together to develop an RCE attack.
We identified multiple medium severity vulnerabilities in OpenVPN. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE).
Cyclops: a likely replacement for BellaCiao
08/14/2024 This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go. Cyclops allows operators to execute arbitrary commands on the target's file system, as well as pivot inside the infected network. Notably, Cyclops is controlled through a HTTP REST API which is exposed to operators within an SSH tunnel.
We discovered and reported CVE-2024-38213. This exploit, which we've named copy2pwn, results in a file from a WebDAV share being copied locally without Mark-of-the-Web protections.
SCCM policies are a prime target for attackers in Active Directory environments as they may expose sensitive technical information such as account credentials. Said credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations on policies distribution.
This blog will explore advanced red teaming tactics tailored specifically for AWS, Azure, and GCP. By adopting an attacker's perspective, we will examine how to systematically breach, exploit, and maintain persistence in these cloud environments, outplaying your adversaries.
Oops I UDL'd it Again
08/15/2024 This post is about a new phishing technique based on Outlook UDL files.
Hacking Android Games
08/15/2024 In this first part of the series, we aim to provide you with an overview of the process involved in hacking Android games.
Unmask Privileged Access in Azure
08/10/2024 In this blog, I will explain how an attacker gaining access to an initial Entra ID user can enumerate and access resources from the Azure Key Vaults containing credentials, which leads to lateral movement and further extraction of Global Administrator credentials from the variable of Azure automation workbook variables.
Docker Build Stage Security Best Practices
08/05/2024 In this blog post we'll look at defences and best practices to protect docker containers from security issues.
Android Jetpack Navigation: Go Even Deeper
08/14/2024 Jetpack Compose is a new approach to building UIs in Android, replacing the previously widely used fragments. This article details how deep links can be exploited to bypass application authentication screens.
In this post, I'll exploit CVE-2024-5830, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
Still Recent
RDP Bitmap Cache - Piece(s) of the Puzzle
07/28/2024 This article discusses something that you might not be collecting or analyzing when performing host-based analysis. RDP Bitmap Cache. It is a fantastic and very unique artifact and may provide context, command-lines, tools, etc. that you may have not identified via traditional routes.
This post introduces TrickDump. It allows dumping the lsass process without generating a Minidump file, generating instead three JSON files and one zip file with memory regions' dumps.
JavaScript analysis is a crucial part of bug bounty hunting because many web vulnerabilities are exposed through client-side scripts. Here's a comprehensive guide on how to analyze JavaScript for bug bounty purposes.
You Can't Spell WebRTC without RCE - Part 1
07/19/2024 This first post of the series surveys WebRTC's implementation of various protocols, injects arbitrary read and arbitrary write vulnerabilities, and sets up a research environment to trigger the vulnerabilities.
You Can't Spell WebRTC without RCE - Part 2
07/26/2024 In this second part of the series, we will cover the following topics: breaking ASLR with sequential leaks, limitations of Xcode's iOS simulator, setting up Corellium for iOS emulation and exploit development, locating and exfiltrating Signal's database, and stack pivoting and ARM64 ROP chain.
In this blog post, the third part of this series, we'll delve into creating detections and streamlining the alert flow.
In this first part of the series, we will discuss how application permissions related to active assignments in PIM can be abused to escalate to Global Admin.
In this part, we will take a closer look at permissions related to eligible assignments, to see how they can be abused to escalate to Global Admin.
In tenants relatively mature in terms of cloud security, eligible and active assignments are often constrained to meeting additional security requirements. In this part, we will take a closer look at how those constraints can be disabled to keep leveraging the Tier-0 permissions previously discussed, and still escalate to Global Admin in environments with strict PIM settings.
We discovered and disclosed a security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices. Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis.
In this article, we will go over how to identify SSRF vulnerabilities and how you can exploit them as well. We will also be covering some advanced cases too.
In this analysis, we detail the CVE-2024-39877 vulnerability, which allows authenticated DAG authors to exploit the doc_md parameter to execute arbitrary code in the scheduler context, violating Airflow's security model.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows - Part 1
07/29/2024 In this first part, we will discuss the impact of link-following vulnerabilities and how they can lead to privilege escalation on Windows systems.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows - Part 2
07/30/2024 Using alternate data streams to bypass assumptions privilege escalation technique involves the use of NTFS streams. To further explain this technique, we will look at CVE-2024-0353, a privilege escalation vulnerability we discovered and exploited.
Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows - Part 3
07/31/2024 To wrap up this blog series we wanted to include one more technique that you can use when exploiting this class of vulnerabilities. This technique becomes useful when you have an on-boot arbitrary delete primitive that you want to transform into an on-demand delete, so that you can escalate using the C:\Config.msi technique.
In this blog post, I'll share my journey of how I was able to find three different RCE vulnerabilities in Kafka UI.
The little bug that could: CVE-2024-30089 is a subtle kernel vulnerability I used to exploit a fully updated Windows 11 machine (with all Virtualization Based Security and hardware security mitigations enabled). In this article, I outline my straightforward approach to bug hunting: picking a starting point and intuitively following a path until something catches my attention.
In this second post we will detail how to weaponize the bugs we discovered in the CHARX SEC-3100 ControllerAgent service for Pwn2Own Automotive.
This blog post provides insights into three exploitation techniques that can still be used in cases of a hardened .NET Remoting server with TypeFilterLevel.Low and Code Access Security (CAS) restrictions in place. Two of these tricks are considered novel and can help in cases where ExploitRemotingService is stuck.
Persisting on Entra ID applications and User Managed Identities with Federated Credentials
07/31/2024 In this blog, we cover a third way of authenticating as an application: using federated credentials. With this blog I'm also introducing a new utility to the ROADtools family: roadoidc, which can set up a minimal Identity Provider (IdP), allowing us to authenticate using federated credentials as apps and user managed identities with roadtx.
Polyfill Supply Chain Attack
08/01/2024 We provide details about a supply chain attack via Polyfill, a common open-source library written in JavaScript, used in web development to provide modern functionality on older browsers like IE7 that did not support it natively.
This post explores the defence evasion technique of dynamically modifying process names in UNIX-like systems. It takes a look at various ways to "process masquerade" or "process stomp" primarily in the Linux operating system with the occasional detour looking at the BSDs and Solaris. The second half of the post goes a little deeper into the mechanisms at play.
Despite the issuers' validation procedures, we routinely detect malware that's signed with legitimate code-signing certificates. Fortunately, there are many ways to differentiate suspicious or malicious signed binaries from legitimate ones, and we're going to share some of our strategies for analyzing digital signatures.
Repo Jacking: The Great Source-code Swindle
07/25/2024 In this post, we explore a powerful, yet widely unknown attack vector which has emerged in the last couple of years known as 'Repo Jacking'.
We detail a technique that will ease the abuse of several popular NTLM relay primitives by allowing attackers to control inbound 445/tcp traffic without loading a driver, loading a module into LSASS, or requiring a reboot of the target Windows machine.
This is the detailed write-up about CVE-2024-21338, a Windows Kernel Elevation of Privileges, specifically an Untrusted Pointer Dereference vulnerability in the appid.sys driver. The driver is responsible for the AppLocker technology.
We provide technical details about Specula, a C2 framework that operates via the Outlook home page feature.
A Comprehensive Guide to Manually Hunting SQL Injection in MSSQL, MySQL, Oracle, and NoSQL (MongoDB)
08/01/2024 This article provides an in-depth guide on manually hunting SQL injection vulnerabilities in MSSQL, MySQL, Oracle, and NoSQL databases, detailing different methods, advanced payloads etc.
This blogpost explains how we recovered the firmware of a fleet-sharing Electronic Control Unit (ECU) which has been erased from a FAT memory using Capstone disassembler to locate scattered parts, to be able to reverse-engineer it.
In this blog we are going to break down various attacks against Okta and how to identify them in Splunk. Some of the logs shown in this blog will be truncated to show the important parts for brevity.
Cisco Smart Software Manager On-Prem (SSM On-Prem) is susceptible to an account takeover vulnerability, which can be exploited by an unauthenticated attacker to gain unauthorized access and control over user accounts, including administrative accounts. The exploitation can be carried out with just a few HTTP requests.
NTLM relaying can be incredibly impactful. This documentation will go over an explanation of the specific avenues of exploitation, practical examples, their requirements, and configuration specifics for the attacks to take place.
Persistence With GPP Item-level Targeting
06/29/2024 This article details a new persistence technique that relies on adding a new Group Policy Preference (GPP) to an existing Group Policy Object (GPO).
LayeredSyscall - Abusing VEH to Bypass EDRs
07/31/2024 In this blog post, we will abuse Vectored Exception Handlers (VEH) as a foundation to produce a legitimate thread call stack and employ indirect syscalls to bypass user-land EDR hooks.
Oldies but Goodies
Evading the wifi router ban
06/06/2024 This article explains how I configured a wifi router to evade detection by the campus IT department. The wifi router doesn't need to be completely hidden (after all, it's emitting radio waves that anyone nearby can receive), but it should at least avoid detection from an adversary that probably isn't trying very hard.
Dismantling Smart App Control
01/25/2024 In this deep dive, we will explore how CORS works across different web browsers and how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms.
Linux Kernel PWN - Part 05: ret2dir
02/04/2023 In this post, we will talk about the ret2dir technique, which leverages the functionality of physmap to place attack-controlled payload in kernel, bypassing existing ret2usr defenses.
Linux Kernel PWN - Part 01: From Zero to One
09/05/2022 In this series, we will explore kernel PWN and heap-based PWN on Linux. In this first post, I will follow an awesome tutorial to solve a PWN challenge from hxp CTF 2020 step by step.
Linux Kernel PWN - Part 02: CVE-2009-1897
09/14/2022 In this article, we will learn about CVE-2009-1897 vulnerability and its exploitation, prepare a vulnerable environment and exploit this vulnerability.
In this third post of the series, we will learn how to set up our kernel debugging environment.
Linux Kernel PWN - Part 06: DirtyCred
02/11/2023 In this post, we will walk through DirtyCred. The DirtyCred technique is one of such attacks, which contains two sub-techniques: process cred swapping and file permission check bypass. By stealing a high privilege cred or writing read-only files, attackers can obtain root privilege, thus have no need to struggle with kernel vulnerability mitigations.
This blog is the first in a series of posts covering how we built an engineering-first security information and event management (SIEM) system. Our initial post will focus on the foundational features, delving into the "what" and "why" behind our decision to build.
In addressing the requirements and challenges of SIEM solutions, we drew inspiration from data engineering best practices, particularly the use of data lake and warehouses. Our approach was further informed by our data engineering team's use of the Snowflake platform for business analytics and data initiatives.
Offensive IoT for Red Team Implants (Part 3)
05/23/2024 In this third part of the series, we are going to install and setup an operating system on the implant and configure basic networking.
In this blog, I'll show you the dangers of machine account SSO compromise. We will do so without extracting any user account hashes and will have the ability to impersonate any account without MFA to achieve full cloud dominance.
In this small article, I'll explore a fairly dull use-after-free in the Linux kernel that's been around in the process termination code for quite a number of years. The vulnerability is only dull because there doesn't appear to be any way to usefully exploit it beyond causing a DoS.
This first part of the series covers what XML is in short, a little bit about XML entities and parsers along with the different types of parsers available. We then proceed to cover a critical vulnerability - XXE (XML External Entities).
Unearthed Arcana
A Samsung RKP Compendium
01/04/2021 The purpose of this blog post is to provide a comprehensive reference of the inner workings of the Samsung RKP. It enables anyone to start poking at this obscure code that is executing at a high privilege level on their device.
Attacking Samsung RKP
11/25/2021 This blog post explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with.
This article dives into my full methodology for reverse engineering Yaesu FT-70D Firmware Encryption.