Not ignorance, but ignorance of ignorance, is the death of knowledge.
Starred Articles
Fear Kerberos Part IV - Delegations
09/23/2024 This post primarily focuses on the functionality of Kerberos delegations and their abuse cases. We have also included brief notes and best practices for detecting potential abuses and misconfigurations, which in turn help to enhance security postures against these risks.
In this last part, we will convert a file read into remote code execution using CVE-2024-2961 without any output from the target. The exploit is crashless and generic, with a relatively small payload (under 7000 bytes) so that it remains usable in GET requests.
I will show you how I perform OT OSINT research and utilize different search engines and techniques to discover internet-connected ICS devices. I will also attempt to uncover what lies behind these devices.
Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection
10/01/2024 We observed Python scripts leveraging the BoxedApp SDK to conceal malicious activities. This use of the SDK's virtualization layer underscores an ongoing trend of abusing legitimate software to evade detection and hinder static and dynamic analysis. In this post, we will break down the structure of the scripts and explore how BoxedApp is employed to deliver follow-on malware.
Yet another user-enumeration method has been identified in Azure. While Microsoft may have disabled Basic Authentication some time ago, we can still abuse it to identify valid users with a classic technique - time-based user enumeration.
In this article, we will cover one of the most common security misconfigurations in Cloudflare R2 buckets that developers often make.
New Articles
ROP Gadget Unleashed
09/27/2024 We delve into the intricacies of Return-Oriented Programming (ROP) and its significance in modern exploitation techniques. The article elucidates how attackers leverage existing code snippets, or "gadgets", within a program's memory to craft malicious payloads, thus circumventing traditional security mechanisms like Data Execution Prevention (DEP).
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
09/25/2024 We describe a tool written to defeat both static and dynamic analysis through virtualisation. This technique, together with a custom polymorphic engine, attempts to evade these types of analysis with layers of obfuscation. To bypass heuristic analysis, support for running multiple virtual machines concurrently was added, disrupting patterns in the events created.
This blog post dives into the inner workings of Binder, including the lifecycles of its objects and the underpinnings that keep everything running smoothly across Android. We will also introduce the libdevbinder library we developed.
CVE-2024-45409 is an XML signature wrapping attack affecting the main Ruby implementation of SAML. The vulnerability allows an attacker to log in as any arbitrary user of the affected system.
In this blog post I attempt to demystify physical memory exploitation on Windows and how we can abuse the right physical memory primitives to gain control and manipulate system memory. First, we'll revisit the relationship between virtual and physical memory. Next, we go over physical memory primitives and how these primitives can be leveraged.
In this post I'm going to show you the information you can enumerate from a Slack workspace, and how you can use the 'unauthenticated probe' functionality of Slack Watchman to get it.
There is a vast number of options for gaining persistence, and the available methods will depend on the permissions of the compromised identity. In this article, I want to show how attackers can gain persistence in AWS by updating a SAML identity provider.
This article covers the creation of the hashlookup service, the included software catalogs, and how to use it to improve and facilitate forensic investigations on compromised systems.
We dive into progressive web apps and WebAPKs and ask: when is an app not an app? And more importantly, what data can be extracted from them if you know where to look?
JumpList
09/21/2024 This post demonstrates the forensic value of JumpList files and their importance in forensic investigations.
Recycle Bin Forensic
09/26/2024 The evolution of the Windows Recycle Bin across Windows versions highlights its growing importance and sophistication in digital forensic investigations. Understanding its functionality and significance is essential for forensic analysts, and this article walks through both.
We have discovered a new cryptojacking campaign targeting Docker Engine API, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The campaign leverages Docker Hub, where the threat actor is hosting a number of malicious images.
In this blog series, we'll explore some practical techniques for monitoring the health of your data pipeline with Google Security Operations (SecOps). In this first part, I'll explain the importance of monitoring your data pipeline and some of the monitoring & alerting features available in Google SecOps and Google Cloud.
This second blog post shows you how to validate that your data is flowing reliably through your Google SecOps pipeline and your defenses are always ready to detect & respond to threats.
This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware.
In this series we are going to be discussing something that we are very passionate about, native cloud incident response in an AWS environment. This first part will go over the approach that you can take when responding to an incident.
We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions.
We have been monitoring a widely popular phishing-as-a-service (PhaaS) platform named Sniper Dz. It uses a unique approach of hiding phishing content behind a public proxy server to launch live phishing attacks.
We discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy.
In this post, we'll see how the SourceIdentity attribute in AWS's Security Token Service (STS) can help defenders trace AWS role activity back to its source.
The rise of HTML smuggling in phishing is slowly becoming a major concern in the cloud era. In this article, we outline a method that uses a blob URL to reference blob data hidden in JavaScript, another example of HTML smuggling used to circumvent security controls.
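The teaser above describes the general shape of blob-URL smuggling: the file never crosses the wire as a file, only as a string inside JavaScript that the browser turns into a Blob and a blob: download. As an added example (not code from the article), the following Python builds a constructed minimal smuggling page of that shape and shows the responder's side: flag the indicator APIs and carve the embedded payload back out of the page so it can be hashed and triaged without executing anything. The sample payload, file name and indicator list are assumptions for illustration.

```python
import base64
import hashlib
import re

# Constructed sample payload (not a real binary): a fake MZ header padded to 64 bytes.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

# Constructed smuggling page (assumption, not the article's sample): the payload is
# base64 inside a JS string, rebuilt as a Blob, and served to the user as a blob: URL.
SMUGGLING_HTML = f"""<html><body><script>
var data = "{base64.b64encode(PAYLOAD).decode()}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var url = URL.createObjectURL(blob);
var a = document.createElement("a"); a.href = url; a.download = "invoice.exe"; a.click();
</script></body></html>"""

# API calls that, seen together in one page, are a strong smuggling indicator.
INDICATORS = ("atob(", "new Blob(", "URL.createObjectURL(", ".download")

# Any quoted base64 run of 40+ characters is worth decoding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')


def smuggling_indicators(html: str) -> list:
    """Return the subset of INDICATORS present in the page text."""
    return [marker for marker in INDICATORS if marker in html]


def carve_payloads(html: str) -> list:
    """Decode every long base64 string literal and describe what came out.

    Returns one dict per decodable literal with sha256, size and the first two
    bytes (the file magic), which is enough to pivot into sandboxing or TI lookups.
    """
    found = []
    for match in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # looked like base64 but was not
        found.append({
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
            "magic": blob[:2],
        })
    return found


if __name__ == "__main__":
    print("indicators:", smuggling_indicators(SMUGGLING_HTML))
    for item in carve_payloads(SMUGGLING_HTML):
        print(item)
```

The carving step is the useful part in practice: a proxy or mail gateway that blocks on file type never saw a file, so the hash of the reconstructed payload is what you submit to detonation or search for across endpoints.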
This article reveals that the majority of known vulnerable drivers share certain characteristics. We examine how drivers of well-known security products are attempting to mitigate abuse, and provide a practical demonstration of how we were able to exploit chained vulnerabilities in one such product to bypass security measures and gain kernel privileges.
This article delves into a topic that can't be ignored in the JS world: prototype override on the client side. I will give an overview of the problem and introduce how we can handle it.
The inconsistencies observed across programming languages highlight a lack of standardized definitions and behaviors for IP address classifications. This discrepancy is particularly critical in security contexts, as differing treatments can lead to unexpected behaviors - especially in scenarios involving server-side requests.
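To make the point concrete, here is an added Python example (not code from the article) of the classic failure mode: an SSRF guard that classifies addresses with a strict parser, while the connecting layer uses the C library's lenient inet_aton(), which accepts short, octal, hex and plain-integer spellings of the same address. The spellings, block list and function names are constructed for illustration; the behaviour of glibc's inet_aton on Linux is what the example relies on.

```python
import ipaddress
import socket

# Constructed inputs: every one of these reaches 127.0.0.1 through inet_aton(),
# but only the first is accepted by the strict ipaddress module.
LOOPBACK_SPELLINGS = ["127.0.0.1", "127.1", "2130706433", "0x7f000001", "0177.0.0.1"]

# Illustrative block list (assumption): loopback, RFC 1918 slice, link-local (cloud metadata).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "::1/128")]


def naive_is_blocked(host: str) -> bool:
    """Typical guard: strict parse; anything that fails is "a hostname" and is allowed."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "127.1" lands here and sails through
    return any(addr in net for net in BLOCKED_NETS)


def canonicalize_ipv4(host: str):
    """Normalise with the same lenient parser the socket layer will use.

    glibc inet_aton accepts a, a.b, a.b.c and a.b.c.d forms with decimal, octal
    (leading 0) and hex (0x) components; round-tripping through inet_ntoa yields
    the dotted-quad the connection will actually be made to.
    """
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None  # not an IPv4 literal in any form inet_aton understands


def hardened_is_blocked(host: str) -> bool:
    """Classify the address the OS will connect to, not the string the user sent."""
    addr = canonicalize_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)  # maybe an IPv6 literal
        except ValueError:
            # A real hostname: the caller must resolve it and re-run this check
            # on every A/AAAA record it gets back before connecting.
            return False
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is another spelling of the same target.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    for spelling in LOOPBACK_SPELLINGS + ["::ffff:127.0.0.1"]:
        print(f"{spelling:>20}  naive={naive_is_blocked(spelling)!s:5}  hardened={hardened_is_blocked(spelling)}")
```

The hostname branch is where most real SSRF bypasses live (DNS rebinding, redirects), so the hardened check is only a first gate: whatever resolves the name must feed the resulting records back through the same classification and the HTTP client must not follow redirects blindly.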
The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. In this article, we will share the results of an investigation into the possibility of using Windows event log information to support the identification of such attack.
COM Cross-Session Activation
10/01/2024 In this article we detail how a COM class can be abused for cross-session privilege escalation and describe CVE-2024-7023, which targets the Chrome Updater.
Permissive CORS can be tricky to exploit due to modern security controls. However, it is still possible to find such misconfigurations, sometimes with different impact, ranging from small information disclosures to more critical scenarios affecting users' sessions.
An RCE has been found on Zimbra (CVE-2024-45519). The vulnerability allows unauthenticated attackers to execute arbitrary commands on affected installations. In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually.
Fuzzing confused dependencies with Depfuzzer
09/25/2024 This article explores package registries, the CLI tools used to interact with them, and their underlying mechanisms. We then introduce Depfuzzer, a tool designed to automate the detection of dependency confusion vulnerabilities in package files.
What risks have we introduced by relying more and more on IaaS? This article explores two common yet critical vulnerability classes: dangling DNS records and leaked secrets.
This blog explains the GCG attack, which tricks AI chatbots into misbehaving, and introduces Broken Hill, an advanced, automated tool designed to generate crafted prompts that bypass restrictions in Large Language Models (LLMs).
The purpose of this blog post is to demonstrate how to extract a library from an Apple visionOS 2.0 dyld shared cache to instrument it with QBDI on an Apple M1.
In this write-up we give a short introduction to the technique of DLL Hijacking, highlighting the specific executables abused, way the hijack was implemented, and peeks into the internal structure of some of the involved malicious DLLs. We then discuss the tools available to application developers to prevent malicious actors from abusing their legitimate applications in this way.
The TI WooCommerce Wishlist plugin is vulnerable to a SQL injection that allows any user to execute arbitrary SQL queries against the database of the WordPress site. No privileges are required to exploit the issue. It is tracked as CVE-2024-43917.
Docker Privilege Escalation
10/02/2024 This is not a vulnerability; it is just a showcase of what happens if you give someone full access to Docker: they can easily get root privileges on the Docker host.
In this post, we are going to explore a rarely discussed class of vulnerabilities in Ruby, known as class pollution. This concept is inspired by the idea of prototype pollution in JavaScript, where recursive merges are exploited to poison the prototype of objects, leading to unexpected behaviors.
HTTP Parameter Pollution in 2024!
09/28/2024 In this write-up, I will go through most of the common languages and frameworks and test how they handle different kinds of parameter pollution.
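The security-relevant point behind parameter pollution is that two components in the same request path can disagree about which value a repeated parameter has. As an added example (not code from the article), the following Python reproduces the three conventions most stacks fall into, first-wins, last-wins and join-all, and shows how a front-end check and a back-end handler that use different ones let `role=user&role=admin` pass the check as "user" and execute as "admin". The query strings, parameter names and the comma-join behaviour shown are constructed for illustration of those conventions, not measurements of any specific framework.

```python
from collections import Counter
from urllib.parse import parse_qs, parse_qsl


def first_wins(qs: str) -> dict:
    """Convention A: the first occurrence of a key is kept, later ones ignored."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(qs: str) -> dict:
    """Convention B: each occurrence overwrites the previous one."""
    return dict(parse_qsl(qs, keep_blank_values=True))


def all_values(qs: str) -> dict:
    """Convention C: every occurrence is kept as a list (Python's parse_qs)."""
    return parse_qs(qs, keep_blank_values=True)


def comma_joined(qs: str) -> dict:
    """Convention D: occurrences are concatenated with a separator (assumed ',')."""
    return {key: ",".join(values) for key, values in all_values(qs).items()}


def duplicated_keys(qs: str) -> list:
    """Keys that appear more than once: the only ones whose meaning can differ by parser."""
    counts = Counter(key for key, _ in parse_qsl(qs, keep_blank_values=True))
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed scenario: an edge check uses first-wins, the application uses last-wins.
def edge_allows(qs: str) -> bool:
    """Gateway rule (assumption): only role=user may reach the backend."""
    return first_wins(qs).get("role") == "user"


def backend_role(qs: str) -> str:
    """Backend (assumption): reads the same parameter with last-wins semantics."""
    return last_wins(qs).get("role", "anonymous")


def pollution_succeeds(qs: str) -> bool:
    """True when the gateway passes the request but the backend acts on a different value."""
    return edge_allows(qs) and backend_role(qs) != "user"


if __name__ == "__main__":
    polluted = "role=user&role=admin&id=7"
    for name, fn in (("first_wins", first_wins), ("last_wins", last_wins),
                     ("all_values", all_values), ("comma_joined", comma_joined)):
        print(f"{name:>13}: {fn(polluted)}")
    print("duplicated:", duplicated_keys(polluted), "bypass:", pollution_succeeds(polluted))
```

The `duplicated_keys` helper is the cheap defensive check: rejecting, or at least logging, any request with a repeated security-relevant parameter removes the ambiguity regardless of which convention each hop implements.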
In this second part of the series we will focus on confirming that we can actually exploit these vulnerabilities. We will start with the arbitrary MSR read and retrieve the base address of ntoskrnl.exe. Then we will focus on the arbitrary pointer dereference, and redirect the execution flow to an arbitrary location leading the VM to crash by causing a BSOD.
Still Recent
This is the story of how I found two vulnerabilities in the Tekton CI/CD Dashboard component that allow remote code execution and a potential node takeover if deployed in read/write mode as well as pre-authenticated access to the Kubernetes API server in all modes.
Oldies but Goodies
In this post, I'll explain how to exploit view state in different scenarios. I will also outline the artifacts generated by successful exploitation and how they can be used by threat hunters and responders to identify successful exploitation.
This article will help you leverage that benefit in the context of PHP applications and using the Xdebug PHP debugger.
Unearthed Arcana
This article dives into the technical details of CodeQL extractors, which parse the source code to obtain a parse tree, convert that parse tree into a relational form, and write those relations (database tables) to disk.