Security Review #224

September 20, 2024

Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.

— Dan Salomon

Starred Articles

Revisiting MiniFilter Abuse Techniques to Blind EDR

Windows MiniFilter Altitude can be abused to blind EDR. Some vendors have developed mitigations, and we've decided to explore these mitigations and attempt to bypass them.

Vulnerabilities in Open Source C2 Frameworks

I decided to investigate Command & Control (C2) frameworks. The post begins with an illustrated introduction of what C2 frameworks are, followed by a survey of the current state of open source options. Next the post gives a brief C2 framework threat model, before sharing details of a mix of authenticated and unauthenticated remote code execution (RCE) vulnerabilities.

SAP Hash Cracking Techniques

In this blog, we will delve into how SAP stores passwords and explore the tools available for performing hash cracking tests.

Cast me an alert(1)

This article is about my journey trying to execute arbitrary code with implicit JavaScript calls.

New Articles

Exploring Deserialization Attacks and Their Effects

Let's discuss what deserialization is and give a demonstration example, as it can sometimes lead to Remote Code Execution (RCE), Privilege Escalation and additional weaknesses with severe impacts on the entire application.

Defend against vampires with 10 gbps network encryption

Discover how attackers can sniff your data on network cables and how you can defend against it, by encrypting all your Ethernet traffic on the fly with very good performance.

DD Oriented Programming

Looking for a more generic way to inject arbitrary code by using a malicious shared object library, I realized that the procfs memory-related entries with r/w permissions left an open door to quite literally pwn and own the process. So I set out to prove it.

Friends don't let friends reuse nonces

This blog post tells a cautionary tale of what can go wrong when implementing a relatively basic type of cryptography: a bidirectional encrypted channel, such as an encrypted voice call or encrypted chat.

Shell Shocked: The Oyster Backdoor Update

We identified a potential update to the Oyster backdoor, now referred to as CleanUpLoader. By analysing the tactics, techniques, and procedures (TTPs) associated with CleanUpLoader and comparing them with the newly deployed executables, I was able to identify key patterns and draw meaningful conclusions.

Attacking PowerShell CLIXML Deserialization

In this article, we will learn that using PowerShell's CLIXML deserialization could lead to undesired effects, including remote code execution. We will also see that widely used solutions, like PowerShell Remoting and PowerShell Direct (Hyper-V), rely on such deserialization and could make you vulnerable to this kind of attack.

Escalating from Reader to Contributor in Azure API Management - Part 1

This blog post shows how a user with Reader-level access to an Azure API Management resource actually had the equivalent of Contributor-level access, allowing the user to read, modify and even delete configurations of the resource via the Direct Management API.

Investigating a Malicious USB Device (Part 2)

In this second part we'll walk you through the step-by-step process of setting up and conducting a Digital Forensics and Incident Response (DFIR) investigation using a virtual machine (VM). We'll cover everything from configuring the VM to ensure it's completely isolated to tackling the challenges of USB passthrough with a write blocker.

Decoy Manuals and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat

In a recent investigation of an open directory, we uncovered a Windows executable and two Chrome extension files. The extensions, deceptively presented as a "Dark Mode" feature, borrow code from an open-source project, providing the operator with capabilities such as logging keystrokes, taking screenshots, etc.

Large-Scale Data Exfiltration: Exploiting Secrets in .env Files to Compromise Cloud Accounts and Inflict Severe Business Degradation

Researchers have uncovered a major cyber attack targeting cloud environments by exploiting sensitive secrets stored in .env files. The following article offers a detailed breakdown of techniques used by attackers in this malicious operation. I will explore the 5 phases of the attack: Initial Access, Account Discovery, Privilege Escalation, Malicious Execution, and Data Exfiltration.

Advanced Frida Usage Part 10

This blog post takes a unique and intriguing approach by demonstrating how to use Frida's Stalker APIs to trace instructions as they execute within an app in real time. Additionally, we'll explore how to use various attributes of these instructions to extract valuable insights.

Exploiting Microsoft Kernel Applocker Driver (CVE-2024-38041)

CVE-2024-38041 allows a local attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass, which might become a requirement in future releases of Windows. This blog post details my process of patch diffing in the Windows kernel, analysing an N-day vulnerability, finding the bug, and building a working exploit.

Exploring Large Language Models: Local LLM CTF & Lab

This blog post will dive into our research on isolating functional expectations for LLMs that provide a service through a controller that controls access to both privileged LLMs and quarantined LLMs.

Three-Headed Potato Dog

We have a look at using DCOM to coerce Windows systems to authenticate to other systems, and how this can be misused to relay the authentication to NTLM or Kerberos, to AD CS over HTTP for instance.

Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence

Entra ID Administrative Units (AUs) allow scoped role assignment of an Entra ID role over a subset of Entra ID users, groups, and devices, instead of over the whole tenant. In this post, we'll cover the technical background you need to understand AUs, how they can be used and abused, and details of the AU restricted management and hidden membership features.

Snake&Apple Part 8 - App Sandbox

This article will examine the macOS Sandbox components, such as the kernel extension, the private framework, the daemons running in userland, and the container directories, to see how it works.

Extracting Credentials From Windows Logs

Active Directory logs are great for threat detection; however, they can also be leveraged by adversaries to find plaintext credentials.

From CVE to Swarm: A Case Study on CVE-2024-32963

By leveraging code review techniques and a few "What if..." scenarios, it's possible to uncover vulnerabilities hidden within common patterns like automatic ORM mapping and SQL query building. We demonstrate this through the analysis of CVE-2024-32963, a parameter tampering vulnerability in Navidrome.

Still Recent

Monitoring Gists with trufflehog

In this article, we will guide you through setting up a basic monitoring system to detect leaked secrets in GitHub Gists using Trufflehog. This process will help you to identify sensitive information, such as API keys and passwords, that may have been unintentionally exposed in public Gists.

Monitoring Gitlab Snippets for secrets with TruffleHog

In this article, we'll configure TruffleHog to detect sensitive information, such as API keys and passwords, that might have been inadvertently exposed in public GitLab Snippets.

Hacking Salesforce Lightning: A Guide for Bug Hunters

In this article, we'll go over some of the most common security misconfigurations present in Salesforce Experience Cloud that can lead to a wide variety of security vulnerabilities, ranging from sensitive data exposure (often including personally identifiable information) to allowing unauthorized users to perform unwanted actions.

Investigating a Malicious USB Device (Part 1)

This first part focuses on the prerequisites and preparation work done before kicking off a USB key investigation, such as explaining the forensic principles used in the investigation, how the evidence is preserved, and introducing the tools deployed.

Oldies but Goodies

Raising Beacons without UDRLs and Teaching them How to Sleep

RX->RW detections can detect a wide range of sleep obfuscation techniques and attackers need to find more creative ways to hide a beacon in memory while sleeping. This post describes an attempt in that direction using a PE generic loader to quickly prototype and test ideas that can then be further improved and engineered if deemed worthy.

Scaling Up Malware Analysis with Gemini 1.5 Flash

We tested to see if the lightweight Gemini 1.5 Flash model is capable of large-scale malware dissection. We analyzed 1,000 Windows executables and DLLs randomly selected from VirusTotal's incoming stream. The system effectively resolved cases of false positives, samples with obfuscated code, and malware with zero detections on VirusTotal.

Advanced Frida Usage Part 9 - Memory Scanning in Android

In this part, we will learn how to use a very interesting API provided by Frida called Memory.scan(). It can help you scan bytes in memory and also patch them.

From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis

We decided to put Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise.

The Ultimate Guide for BloodHound Community Edition (BHCE)

BloodHound is powerful, but it is easy to get lost. This article will cover setting up, collecting data, analyzing the data, and providing value with that data.

Jailbreaking RabbitOS: Uncovering Secret Logs, and GPL Violations

In this article I'll outline the boot process of the R1, and how (and why) I subverted it to create a "tethered jailbreak" that gives you a root shell on otherwise-stock firmware, all without unlocking the bootloader or making any persistent changes to internal storage.

Unearthed Arcana

Attacking Smart Card Based Active Directory Networks

You don't need a physical smart card at all to authenticate to an Active Directory that enforces smart card logon. The attributes of the certificate determine if it can be used for smart card based logon, not the origin of the associated private key.

All is XSS that comes to the .NET

ASP.NET takes responsibility for fixing project file path problems by offering app-root-relative URLs. Luckily for attackers, it also opens some new ways to attack web applications.

The real slim shady - Ivanti Endpoint Manager (EPM) Pre-Auth RCE

CVE-2024-29847 is a Remote Code Execution vulnerability impacting Ivanti Endpoint Manager (EPM). In the following blog post I will be publishing the fully working unauthenticated exploit and detail how this bug class works.