We adore chaos because we love to produce order.
Starred Articles
In this second part, I'm going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution.
This article details the AS-REP Roasting attack, a technique to steal the password hashes of user accounts that have Kerberos preauthentication disabled.
AWS ACM has a missing security boundary that allows users with AWS Signer permissions - but without ACM permissions - to sign code using any ACM certificate within the same account. This bypasses critical security checks, enabling unauthorized code to be signed and potentially distributed as legitimate software.
Web Browser Stored Credentials
08/20/2024 Browsers such as Chrome and Edge utilize DPAPI to encrypt credentials prior to storage. The master key is stored locally and can be decrypted with the password of the user, which then is used to decrypt DPAPI data blobs. In this article, we review some tools that can be used to retrieve this master key.
In this post, we'll look at how to manually manipulate the Windows Vectored Exception Handler list, and how Vectored Exception Handlers can be used to evade defenses and perform process injection.
New Articles
A technical analysis of the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.
In this article, we explore a supply chain attack and detail how a malicious plugin can be developed to compromise a Confluence instance.
Unauthenticated remote code execution on BYOB via spoofed file exfiltration+command injection
08/15/2024 By chaining two vulnerabilities, remote unauthenticated attackers are able to take full control over a BYOB (Build Your Own Botnet) server.
App Sandbox startup
08/15/2024 This article will introduce how and when a process is sandboxed on macOS. The main point is to show what is necessary for the sandbox to be enforced on the app on launch, which system component uses it, and where it is used during the execution flow.
During review of the OpenBMC source code, we discovered a critical vulnerability in the slpd-lite sub-component. Successful exploitation of this vulnerability would allow a network-resident (or remote, depending upon the deployment) attacker to fully compromise a BMC.
We recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. This article provides a technical analysis as well as an overview of the related ecosystem.
In this first part of the series, we will explain how Base64 encoding can be used to hide information by leveraging unused bits of encoded data.
SSH.exe has been bundled with Windows 10, 11 & Windows Server since late 2017 and signed by Microsoft. The reverse dynamic proxy is very powerful and there are a number of tricks that can be used to punch through corporate firewalls to get a reliable tunnel for offensive tooling to compromise entire AD domains.
Writing a PE Loader for the Xbox in 2024
08/13/2024 This post details how a vulnerability initially taken for an LPE turned out to be a sandbox escape, and how it was ported to Xbox One to write a PE loader.
This article details how I exploited a SMM Memory Corruption Vulnerability in MSI firmware, allowing an attacker to execute arbitrary code.
In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+, allowing unauthenticated attackers to gain root access to the device.
A new Kubernetes vulnerability was uncovered (CVE-2024-7646) that affects the popular ingress-nginx controller. It allows malicious actors to bypass annotation validation and potentially gain unauthorized access to sensitive cluster resources.
This article explains the basics of CSP and provides some techniques used to bypass it.
Plaso Super Timelines and CloudTrails
08/13/2024 Plaso is an open-source tool designed for efficient log file parsing and timeline creation. Given the limited information at this time on how Plaso processes CloudTrail logs, this article aims to provide insights and useful information on using Plaso with CloudTrail logs.
Understanding and Simulating SSH Backdoors
08/14/2024 In this blog post, we'll explore two methods of simulating a backdoor in the SSH configuration or authentication process. This simulation is intended for educational purposes in a controlled environment, ensuring that all actions are logged, auditable, and reversible.
This article delves into Server-Side Template Injection (SSTI) vulnerabilities, a family of vulnerabilities that refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates.
In this blog post, we discuss how adversaries can adopt the Steal Application Access Token technique to manipulate application account API tokens in cloud and containerized environments. This can lead to privilege escalation and further compromise of the environment, all aimed at achieving their malicious objectives.
By collectively overlooking malicious TDSs over the years, the cybersecurity community has allowed them to flourish. This article pulls back the curtain and shines a light on these networks.
Windows Event ID
08/12/2024 This article provides a rundown of some of the most important Windows Event IDs that every cybersecurity analyst should be familiar with.
This blog explores emerging trends in email-based malware evasion, focusing on the latest strategies used by cybercriminals. By examining case studies, understanding common evasion techniques, and discussing the future of malware evasion, we aim to equip readers with the knowledge necessary to protect themselves and their organizations from these stealthy threats.
We present an overview of the "Defending OT with ATT&CK" project, which aims to identify and defend against adversarial techniques that impact operations on critical infrastructure. We created resources to identify assets and technologies in complex IT/OT environments and present an approach to comprehensively identify adversarial behaviors targeting those systems.
We discovered a critical information-disclosure vulnerability in Microsoft's Copilot Studio via a server-side request forgery (SSRF), which allowed access to potentially sensitive information regarding service internals with potential cross-tenant impact.
CVE-2022-22265 Samsung npu driver
08/18/2024 In this post, I explain a generic technique I used to write an exploit for CVE-2022-22265, a double free vulnerability in the Samsung NPU driver.
In this post I will share a remediation script allowing you to automatically remove local admin accounts that are not authorized from Intune devices.
0-click Full Account Takeover
08/19/2024 This article details a technique I used to take over an application account by bypassing the OTP mechanism used in the "forgot password" function.
Active Directory Certificate Services (AD CS) can be a highly attractive target for attackers, particularly through exploitation techniques known as ESC1 and ESC8. In this article, we will explain those techniques in detail.
Enumerating Private TLDs
08/15/2024 This article discusses a technique I use to enumerate private TLDs.
The Hidden Treasures of Crash Reports
08/13/2024 This research, a crash course on crash reports, will highlight how these often overlooked files are an invaluable source of information, capable of revealing malware infections, exploitation attempts, or even buggy (exploitable?) system code. Such insights are critical for defense and offense, empowering us to either protect or exploit macOS systems.
In this first part of the series, I will describe what most approaches are likely doing to detect threats. Then, I'll expand on the two fields - source IP and user - I believe are incorrectly used when aggregating or assigning them as the sole risk objects. I will use the example of an AWS IAM User being created in your environment.
In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code via MMC (Microsoft Management Console) for initial access or lateral movement purposes.
A technical analysis of an Android malware that relays NFC data from victims' payment cards, via victims' mobile phones, to the device of a perpetrator waiting at an ATM.
This blog entry describes an overlooked source of information in C++ programs that can make manual and automated type reconstruction more efficient. More information about the data types used within a function is hiding in plain sight; we can exploit it if we simply know where to look and how to interpret it.
Spring Cloud Data Flow, a microservices-based platform for streaming and batch data processing in Cloud Foundry and Kubernetes, is vulnerable to an arbitrary file write issue to any location on the server's filesystem, potentially leading to a complete server compromise.
In this blog you will learn about how to build a database of Bluetooth Low-Energy (BTLE) Generic Attribute (GATT) Universally Unique Identifiers (UUIDs) capable of remotely identifying Bluetooth Low-Energy devices for the purposes of vulnerability research, exploitation, and quantifying impact.
In this article, we will go over how you can identify CSRF vulnerabilities while also covering basic and advanced exploitation methods.
Still Recent
In this first part of the series, we focus on the general plugin ecosystem, specifically on the data center and server flavors for Atlassian products, and how we found multiple 0-day vulnerabilities.
Hacking a Virtual Power Plant
08/07/2024 In this article I explain how I gained control over a virtual power plant comprised of tens of thousands of grid-connected batteries.
By leveraging "open" Tor relays as entry points and Tor hidden services as listeners, attackers could potentially run small, stealthy implants that connect back through the Tor network.
Oldies but Goodies
The main goal of this article is to write a stager to reduce the number of AV vendors triggered by a simple msfvenom-based shellcode.
This article explains how to have Graph interoperate with Entra ID to explore permissions.
In this blog post we will examine the resilience of the new Hugging Chat Assistance to a combination of two techniques: Sleepy Agent and Image Markdown Rendering vulnerability. We used these techniques in order to publish a smart and deceptive malicious assistant that extracts email addresses of users, on the HuggingFace Chat platform.