One person's constant is another person's variable.
Starred Articles
We detail how a low-privileged user on a Linux machine can obtain root privileges if they can execute iptables with sudo.
There are different types of Entra ID tokens with different utilities. Not all tokens are created equal either; there are more attractive tokens for an attacker to steal causing a world of confusion and pain for blue and red teamers. This blog aims to demystify the primary differences between the most common types of tokens you may encounter and the attacks they are susceptible to.
Using YouTube to steal your files
09/19/2024 - I detail a one-click clickjacking attack that chains a Google Slides YouTube embed path traversal to three separate redirects to gain editor access on a Drive file/folder.
We discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Details of a Cross-Site Scripting attack relying on a 4-character Client-Side Template Injection.
New Articles
In this second post, we will make this controlled pool overflow a success and eventually get a SYSTEM shell.
CVE Wednesday - CVE-2024-20439
09/20/2024 - Analysis of a hardcoded static password vulnerability used to access licensing data in Cisco Smart Licensing Utility.
This post explains an attack chain for the ChatGPT macOS application. Through prompt injection from untrusted data, attackers could insert long-term persistent spyware into ChatGPT's memory. This led to continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions.
In this second post, we will cover some evasions against anti-rootkits relying on malicious drivers mapped to unbacked memory detection. This post is mainly an aggregation of known anti-rootkit/anti-cheat evasion techniques and me coming up with ways to detect them.
Using AI-assisted decompilation of Radare2
09/17/2024 - We dive into Radare2 AI plugins. On a (very) simple program, the results are quite useful, but for more complex cases, currently, the AI simply never responds ("infinite" loop) or produces useless results.
This article discusses the discovery of a new post-exploitation red team tool called Splinter. It is developed in Rust and has a standard set of features commonly found in penetration testing tools.
In this last part, we will talk about how to generate the test cases that we can use to fuzz netconsd; in addition, we will go through the fuzz commands I used to fuzz the application.
In the context of Active Directory (AD), password spraying attacks are concerning because any authenticated user in an AD environment can use LDAP to query accounts without triggering account lockout policies. We review different password spraying techniques and provide guidelines for detection from the DC logs.
In this article we will look at how you can set up your own monitoring mechanism to spot executed PowerShell code in your environment using Microsoft Sentinel and the Unified SecOps Platform.
In this post, we dive into how Impacket smbexec.py works and what artifacts it will leave behind on the target system.
7 essential artifacts for macOS forensics
09/20/2024 - We are going to examine the top seven digital forensic artifacts for macOS forensics, detailing their locations, what they reveal, and how to interpret them.
Hunting phishing sites with Shodan
09/18/2024 - As phishing attacks become more sophisticated, investigators and security professionals need innovative techniques to identify and combat these threats. In this article, we look at an often overlooked method: using favicon hashes in conjunction with Shodan to uncover potential phishing sites.
NTLM Relaying - Making the Old New Again
09/17/2024 - I will be checking out some of the older adversary techniques used against Active Directory and how threat actors may use them to take over parts of an infrastructure.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
09/16/2024 - We discovered an RCE vulnerability we dubbed CloudImposer that could have allowed a malicious attacker to run code on potentially millions of servers owned by Google and by its customers.
I found a zero-click vulnerability in macOS Calendar, which allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This could lead to many bad things including malicious code execution.
Shellcode: Windows on ARM64 / AArch64
09/16/2024 - This article is a short tutorial on writing Windows ARM64 shellcode with FASMG.
System Integrity Protection (SIP)
09/23/2024 - This article explores the workings, components, security implications, and management of System Integrity Protection, the default Sandbox Profile used for all macOS apps.
The following blogpost explains how during a Red Team engagement we were able to identify several vulnerabilities including Remote Code Executions in the latest version of Chamilo.
This post will explore the vulnerabilities in POCSAG networks, explain how message spoofing can be achieved using RIC/capcodes, and provide a hands-on look at how the Mayhem firmware makes it alarmingly accessible to execute these attacks.
AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. We have scrutinized the attack surface of AWS Nitro Enclaves, uncovering potential bugs that could compromise even these hardened environments.
Physical use-after-frees have proven to be extremely powerful vulnerabilities, almost completely unaffected by recent mitigations deployed into XNU. The strategy of exploitation for these bugs is not only simple to write, but also simple to understand. So with that, let's get into the explanation of what a physical use-after-free is.
We discovered a vulnerability in SolarWinds Web Help Desk (CVE-2024-28987), which allows unauthenticated attackers to remotely read and modify all help desk ticket details - often containing sensitive information like passwords from reset requests and shared service account credentials.
In this series of blog posts I'll describe how I found two vulnerabilities in a Windows kernel driver that is part of an old AMD software package and how I exploited them in order to achieve local privilege escalation. This first post will focus on the discovery of the vulnerability.
Attacking UNIX Systems via CUPS - Part I
09/26/2024 - This first article of the series will detail an RCE in cups-browsed, a component of the CUPS system that is responsible for discovering new printers and automatically adding them to the system.
While DLL hijacking attacks can take on many different forms, this blog post will explore a specific type of attack called DLL proxying, providing insights into how it works, the potential risks it poses, and briefly the methodology for discovering these vulnerable DLLs.
We uncovered a malicious app on Google Play designed to steal cryptocurrency, marking the first time a drainer has targeted mobile device users exclusively. The app used a set of evasion techniques to avoid detection and remained available for nearly five months before being removed.
Zooming in on CVE-2024-7965
09/23/2024 - We will focus on the CVE-2024-7965 vulnerability described as an inappropriate implementation in the browser's V8 engine. The vulnerability can lead to remote code execution (RCE) in the Chrome renderer and thus become a starting point for further exploitation.
Still Recent
We explore CVE-2024-45489, a remote code execution vulnerability in Arc browser through JavaScript boosts, due to a misconfigured Firebase URL.
Link-Write Attack: A sweet combination
08/11/2024 - Tar archives can contain multiple entries with the same filename. It is important to note that Golang follows symlinks while calling os.Create(name string) (*File, error). This combination can lead to arbitrary writes during file extraction.
In this second post, we will try to understand how our target works, and dig deeper into the message format used by the kernel.
This is the story of the Trident exploit chain: 3 zero-day vulnerabilities in iOS that enabled the first remote jailbreak. In this first part, we dive into the internals of the JavaScriptCore runtime: where a vulnerability lurks in WebKit which would crack your iPhone wide open.
This is a writeup of a heap pwn challenge at HitconCTF Qualifiers 2024, which explains some glibc malloc internals and some heap exploitation tricks that can be used for getting a shell!
In this tutorial, we will learn how to create a persistent backdoor with the help of Metasploit and Netcat utility.
This blog post will focus on how to detect Impacket atexec.py remote execution activity from various DFIR artifacts.
A guide to Bluetooth Low Energy hacking
09/12/2024 - In this article, we will delve into the inner (boring) workings of Bluetooth technology to give you an understanding of how it works. Along with that, we'll also show you how to exploit these vulnerabilities (not boring).
How does OS affect binary exploitation
08/15/2024 - This blog explores how foundational OS topics like System V, POSIX, UNIX, and BSD influence binary exploitation on macOS and Linux. I'll also cover the System V ABI, inter-process communication (IPC), threading, signaling, and security features like ASLR and stack canaries.
Oldies but Goodies
In this blog, we present details on the common Entra ID and on-premises Active Directory misconfigurations and provide guidance on how to properly configure Microsoft Entra ID to remove risks and harden environments against cyberattacks.
This comprehensive guide will show you how to use Mimikatz for hacking so you can dump credentials and perform lateral movement like a pro.
In this article I detail how I exploited a Cross-Site Scripting vulnerability, bypassing the Cloudflare WAF and an additional restriction on characters implemented at the application level. Furthermore, the most important part was to leverage the Cloudflare cache in such a way that I could poison it with a malicious payload.
Anki is vulnerable to multiple exploits using shared decks, which can compromise your computer. This includes complete code execution. In total, we found three different vulnerabilities - one related to LaTeX content, one related to JavaScript on the card, and the final one related to media.
This is an overview of CVE-2024-29511, a vulnerability in Ghostscript leading to an arbitrary file read/write (under certain conditions). In this post we detail the vulnerability and show how it can be exploited to read and write files outside of the -dSAFER sandbox.
Unearthed Arcana
Shadow Credentials
02/07/2022 - Windows Hello for Business (WHfB) replaces traditional password-based authentication with a key-based trust model. As with any new technology or feature, it introduces a new attack surface with potential for abuse. In this article, we detail how modification of the msDS-KeyCredentialLink attribute of a target computer or user account may lead to the retrieval of the NTLM hash.
This post aims to teach testers and developers how to detect SQL injection vulnerabilities manually and automatically via a step-by-step process.