Sometimes the elegant implementation is a function. Not a method. Not a class. Not a framework. Just a function.
Starred Articles
In this second part, we'll dive deeper into the world of Linux persistence and how to hunt these techniques. We'll set up the persistence mechanisms, analyze the logs, and observe the potential detection opportunities.
Ghost in the PPL Part 3: LSASS Memory Dump
09/02/2024
Following my failed attempt to achieve arbitrary code execution within a protected LSASS process using the BYOVDLL technique and an N-day exploit in the KeyIso service, I took a step back, and opted for a less ambitious solution: a (not so) simple memory dump.
Why bother with argv[0]?
09/03/2024
Making the case against argv[0], this post demonstrates how it can be used to deceive security analysts, bypass detections and break defensive software, across all main operating systems.
The X-Correlation between Frans & RCE
08/30/2024
Correlation headers like X-Request-ID or X-Correlation-ID are more than just debugging tools. They can expand the attack surface of a target by potentially interacting with various contexts within the application, from CI pipelines to internal logging, making them prime targets for exploitation.
New Articles
In this blogpost I am going to talk about my finding which was a XSS on Netlify's Image CDN and how I managed to bypass the Content Security Policy.
Learn how to detect NTDS dumping attacks in issue five of a special series on critical Active Directory (AD) attack detections & misconfigurations.
In this article, we will explore the fundamental concepts of stealer logs, the types of data they capture, and how they can be used to analyze the initial IoC in some cases. Additionally, we will present a case study to illustrate how testers can effectively leverage stealer logs in security testing.
In this article, we create a Velociraptor pipeline to remotely access relevant forensic artefacts in backed up data. This aims to enable DFIR analysts to extend the time horizon in their investigations using Veeam backups and Velociraptor, while minimizing network bandwidth usage and extensive recovery operations.
This report delves into a new sample of LummaC2. Our analysis covers the different stages of the malware's execution, from the initial PowerShell command to the subsequent payload decryption and execution, providing insights into the tactics, techniques, and procedures (TTPs) used by the threat actor(s).
There may be various vulnerabilities inside MSI files, most of which will lead to privilege escalation. We have developed a tool called MyMSIAnalyzer that will make it easier to find vulnerabilities inside MSI files. You should read this article if you want to learn more about the insides of the MSI format and how the tool works.
We detail a recently patched code execution vulnerability in the VMware vCenter Server. Successfully exploiting this vulnerability could lead to a heap buffer overflow, which could result in the execution of arbitrary code in the context of the vulnerable service.
WiFi auth with OsmoHLR/SIM cards
08/31/2024
This article details how to use WPA-Enterprise with EAP-SIM to authenticate against a network using SIM cards.
This post will go over 4 exploits of a buffer overflow, starting with the simplest version (no stack canaries, no ASLR, corrupted return address) all the way up to an exploit written for the wappd binary shipped on the Netgear WAX206, where multiple mitigations are enabled and we go from x86-64 to arm64.
We analyze a piece of malware designed for stealthy data exfiltration, targeting Android devices and specifically focusing on sensitive information stored within the Chrome browser. It employs a range of techniques to evade detection and analysis, including anti-debugging measures, dynamic library loading, and obfuscation of the command-and-control (C2) server's address.
A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim's system.
We discovered an unauthenticated SQL injection against the latest version of Progress WhatsUp Gold and turned it into an authentication bypass; from there, the product by design allows you to achieve RCE.
Next-Level Reversing: Binary Ninja+TTD
08/29/2024
One of the most slept-on techniques I know of is "reversible debugging", or time-travel debugging (TTD). Binary Ninja TTD integration is somewhat new, so it seemed like it'd be worth going over the basic setup process and getting started with this feature.
There's a lot of sandbox evasion techniques, some are simple: query WMI, some are cool: parsing SMBIOS tables, most try to detect sandbox artifacts. I wanted to know if these techniques are still effective for detecting sandboxes, or if the sandboxes have since been updated to counter them.
Linux Kernel taprio OOB
08/27/2024
This article describes an out-of-bound access vulnerability for TyphoonPWN 2024 in the Linux PE category.
We discovered a code execution vulnerability in WPS Office for Windows (CVE-2024-7262). Upon analyzing the root cause, we subsequently discovered another way to exploit the faulty code (CVE-2924-7263). In this blogpost, we provide technical details.
This is the first post of a three-part series, where we will be delving into the intricacies of fuzzing uC/OS protocol stacks. In this post, I will detail code modifications necessary for developing a fuzzing harness tailored for the uC/HTTP-server.
In this second post of the series, we will discuss a technique for delivering multiple requests per fuzz test case.
In this last article of the series I'll detail the code modifications required for fuzzing the uC/TCP-IP stack.
Let's take a closer look at the Security differences between AWS and Azure by reviewing the design choices, default settings and vulnerabilities that have been exploited over the years.
We discovered a Gatekeeper vulnerability in macOS that may lead to the execution of an unsigned and unnotarized application without displaying appropriate security prompts to the user.
Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control
09/03/2024
In this article, we will learn how to apply CyberChef Flow Control and Mathematical operators to deobfuscate a .vbs loader for Nanocore malware.
This post will seek to provide organizations with high-fidelity template detections based on classic Splunk SPL queries to assist with detecting browser abuse.
In this article, we will explain a potential misconfiguration of AWS IAM roles when using GitLab OpenID Connect (OIDC), walk through how to exploit them step-by-step, and explain how the AWS Console causes this misconfiguration by default.
CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. This flaw could be exploited by an attacker providing malicious YAML data, potentially leading to remote code execution.
Peeling Back the Layers of an Onion
08/31/2024
In this post I detail an alternative method for searching assembly instructions at runtime: back tracing from a supervisor call and attempting to locate the MOV instructions associated with the access system call.
This blog details a PyPI supply chain attack technique we discovered. This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner; a technique we've dubbed "Revival Hijack".
In this part we will cover LDAP channel binding, a hardening technique that can be used to prevent relay and MITM attacks against LDAP.
Intune is a prime target for attackers to abuse for conducting lateral movement and code execution. We will give a background on Intune, how it is being used within organizations, and show how to use this cloud-based platform to deploy custom Windows applications to achieve code execution on user devices.
This post will break down what happens on the server when an Azure pipeline is triggered and address security risks. We'll especially focus on how someone could potentially escalate their access or discover sensitive information if they can manipulate the pipeline code.
This blog post describes how to exploit a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel 5.6.13. This vulnerability is identified as CVE-2020-27786.
BlackSuit Ransomware
08/26/2024
We observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools.
Still Recent
Learn how to detect LLMNR poisoning attacks in part three of a special five-part series on critical Active Directory (AD) attack detections & misconfigurations.
Learn how to detect NTLM relay attacks in part four of a special series on critical Active Directory (AD) attack detections & misconfigurations.
We have identified a new buffer overflow vulnerability in Samsung's baseband implementation (mainly used in Exynos chipsets). The vulnerability can be exploited to achieve arbitrary code execution in the baseband runtime.
Backdooring SSH p0c Code
08/01/2024
This article provides a comprehensive analysis of backdoored SSH (CVE-2024-6387) exploits.
In this first part of the series, we will focus on the Local Storage of Firefox and see how data can be extracted from the local database.
Oldies but Goodies
In a remote incident response, where efficient data access is key, Veeam metadata files can be used to list and search for Backup objects. This article explores the structure of Veeam metadata and how to use a Velociraptor artifact to restructure this data.
In this research article, we'll take a deep dive into how Wi-Fi networks that authenticate a user's internet connection using MAC addresses are inherently vulnerable.
"Dirty stream" attack: Discovering and mitigating a common vulnerability pattern in Android apps
05/01/2024
We discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application's home directory.
From a GLPI patch bypass to RCE
06/20/2024
In this post I will describe how I found a patch bypass to re-exploit a SQL injection vulnerability, along with how to take it further to achieve RCE on a vulnerable GLPI instance.
We identified several critical Pwn Request vulnerabilities within GitHub Actions used by the Rspack repository. These vulnerabilities could allow an external attacker to submit a malicious pull request and compromise NPM Deployment Token as well as GitHub Personal Access Token.
Unearthed Arcana
Chromium Session Storage and Local Storage
06/23/2021
We tackle the data structures behind a further two mechanisms that websites can use to persist information: Session Storage and Local Storage.
Netcat for Pentesters
04/01/2019
In this article we will be exploring one of the most commonly used network utilities and will learn how other frameworks build on "Netcat" in order to generate a session.
An inherent vulnerability in the web interface of the CA server allows an attacker to relay requests from the web interface to request the Domain Controller machine account's (DC$) certificate and gain escalation and persistence. PetitPotam is a tool that can coerce a Windows host to authenticate against the DC, which can be used to request certificates and gain escalation.
Windows Server Hardening with PowerShell DSC
03/03/2020
A solution for more efficient OS hardening is using configuration management tools such as Ansible, Puppet or PowerShell Desired State Configuration (DSC). We have created PowerShell DSC code to automate several hardening guidelines.