Learn how to see. Realize that everything connects to everything else.
Starred Articles
The PrintNightmare is not Over Yet
10/05/2024 We go through 3 techniques to prevent abuse of Point and Print (PnP) configuration, leading to the conclusion that you can't secure a PnP configuration if you allow low-privileged users to install printer drivers in one way or another.
In this article we will explain the methods we are observing attackers use when performing LLMJacking/LLMHijacking in AWS, why attackers are performing this type of attack, how to detect these methods, and potentially most importantly, provide insight into how attackers and their downstream clients are using the hijacked LLM resources.
In this article, I explain how I managed to write a local-privilege-escalation exploit that works based on injected hardware faults.
New Articles
Exploiting Visual Studio via dump files
10/04/2024 This blog post will talk about CVE-2024-30052, which allows arbitrary code execution when debugging dump files in Visual Studio.
Differential fuzzing for cryptography
10/03/2024 In this brief introduction to differential fuzzing, we review the leading tools that can be used for testing cryptographic primitives. In the second half, we present a method for creating a differential fuzzer along with the results we obtained.
In this blog post, we will analyze CVE-2024-45409, a critical vulnerability impacting the Ruby-SAML and OmniAuth-SAML libraries, which effectively affects GitLab. This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled.
In this second article of the series, we will continue to explore the Proxying to Kernel attack surface and bug class, revealing another vulnerability and exploitation technique.
Effective Fuzzing: A Dav1d Case Study
10/03/2024 I found an integer overflow in the dav1d AV1 video decoder (CVE-2024-1580). That integer overflow leads to an out-of-bounds write to memory. This blog post is a case study in how to construct fuzzers to exercise as much code as possible.
Windows Shell Items Analysis
09/28/2024 We will look at shell items, which hold data that helps recreate the layout of a file system and understand how files and folders are used. This data is important in different forensic situations, such as investigating cybercrime, digital scams, and theft of intellectual property.
Let's discuss something you will likely see in nearly EVERY intrusion: Remote Desktop Protocol (RDP) abuse for lateral movement. This will be a two-part blog, with this one focusing heavily on the event logs and IDs generated for investigating RDP. The second part will focus on the artifacts generated.
In this first part of the series, I will walk through how to ingest Google Cloud logs into Google SecOps and create a YARA-L rule that alerts when any rules are modified or deleted.
This second post demonstrates how to detect rule changes by using Google Cloud Monitoring. One possible reason for adopting this approach is to detect if the rule that we configured in part one is modified or disabled.
A SolarWinds Serv-U honeypot has given us a really good dataset of which files attackers are searching for - let's see what we can learn!
In this second part, we will get practical and explore how to craft these detections using logs from your environment. This post will dive deep into the nerdiness of detection engineering, packed with details you might find useful.
EKUwu: Not just another AD CS ESC
10/08/2024 Using built-in default version 1 certificate templates, an attacker can craft a CSR to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template.
Race Condition leads to Cache Poisoning ?!
10/08/2024 I discovered an edge case of a race condition which could potentially lead to Cache Poisoning DoS.
In this blog post, we will highlight the importance of fundamental code security by showcasing a technique that attackers can use to turn a file write vulnerability in a Node.js application into remote code execution - even though the target's file system is mounted read-only.
In this post I cover the tools and techniques that were used to identify CVE-2024-31227, a DoS vulnerability affecting Redis, and showcase the value that fuzzing brings when complementing other secure development practices such as unit testing.
StealC Malware Analysis - Part 1
10/03/2024 In this first part, we'll take a look at the analysis of a malicious sample for Windows from the StealC family, from the packed sample to the recovery of C2. We'll automate our analysis steps with a view to integrating them into an automated pipeline for extracting indicators of compromise.
StealC Malware Analysis - Part 2
10/03/2024 In this second part, we'll retrieve C2 from the loader, get the third stage sample and unpack it.
StealC Malware Analysis - Part 3
10/03/2024 In this last part, we will focus on the last stage (StealC malware) and C2 recovery using static analysis. We will also recover some IoCs.
Finding TeamViewer 0days - Part I
10/04/2024 In this first part I will detail how I failed to get a malicious driver loaded by TeamViewer. This will take us deep into the IPC communication protocol and its interactions with TeamViewer.
Finding TeamViewer 0days - Part II
10/04/2024 This second part is the summary of my findings while reversing the authentication protocol of TeamViewer. I will not go into the details and will mostly provide the highlights of the results.
Finding TeamViewer 0days - Part III
10/04/2024 This last part combines the previous findings to spoof a TeamViewer client and ask for a VPN driver installation while indicating another INF.
Hunting for M365 Password Spraying
10/03/2024 This blog aims to highlight how we think about and unpack the password spraying techniques in use by threat actors today, whether they target an environment as large as Microsoft or a small business.
Blog Axis Camera APP takeover
10/03/2024 This blog post describes our analysis steps and how we still took over the operating system of an Axis IP Camera.
We prove that a computer, either stolen or physically accessible, can be fully compromised and backdoored in a short period of time.
In this short blog post, we examine the traces left behind by a tmate installation and give some hints on where to look for traces when actively hunting for backdoored Linux servers with an active tmate instance running.
This blog details 4 vulnerabilities found in Palo Alto Expedition: CVE-2024-5910, which allows remotely resetting the Expedition application admin credentials; CVE-2024-9464, an authenticated command injection; CVE-2024-9465, an unauthenticated SQL injection; and CVE-2024-9466, cleartext credentials in logs.
This article explains how during a Purple Team engagement we were able to identify a vulnerability in Microsoft Teams on macOS allowing us to access a user's camera and microphone.
In this final part of the series, we will craft a full exploit that allows us to enable all privileges on Windows.
This article details how XKS (eXternal Key Store) for AWS KMS (Key Management Service) can be leveraged by an attacker to encrypt S3 buckets and EC2 EBS volumes.
In this article, you will learn how to restrict users from signing in to Exchange Online PowerShell by creating a security group and only allowing specific members to access Exchange Online PowerShell.
Still Recent
Four critical Remote Code Execution (RCE) vulnerabilities were found in CoSoSys's Endpoint Protector (EPP) solution, allowing full compromise of the server and clients. In this post, we will talk about the background and analysis process that led to the discovery of these vulnerabilities, as well as how we leveraged them to take control of the server and clients.
We dive into the awesomeness of the SigmaHQ detection repository, covering what SigmaHQ detections are, their usage, and formatting.
This blog describes some techniques for generating encoded Linux reverse shell payloads, as plaintext payloads may not work due to input filtering or the selected binary not being available on the target system.
This blog describes some techniques for generating encoded Windows reverse shell payloads. There are two main reasons why reverse shell payloads don't work on Windows. First, the payload is typically considered malicious and blocked. Second, the payload can't get through the Web Application Firewall (WAF) because it contains suspicious strings.
Oldies but Goodies
In this article we investigate the Nginx Accel-Redirect header and demonstrate how it can be exploited - together with HTTP Response Splitting - to access internal files of the Nginx server.
Hunting Vulnerable Kernel Drivers
10/31/2023 We discovered 34 unique vulnerable drivers accepting firmware access and giving full control of the devices to non-admin users. In this blog post, we will describe how to identify such vulnerable drivers.
Unearthed Arcana
We scanned all the vulnerability disclosure programs for prototype pollution and found script gadgets to achieve XSS. This technical write-up will touch on the tools we created, the challenges we faced, and case studies from the whole process.
Fuzzing IoT binaries with AFL++ - Part 1
01/13/2022 In this first part, we look at fuzzing simple IoT binaries with AFL++. These programs accept input from a file and are straightforward to fuzz.
Fuzzing IoT binaries with AFL++ - Part 2
01/26/2022 In this post, we will be looking at socket'ed binaries. Fuzzing binaries that communicate over the network using sockets is different from fuzzing binaries that use file-based I/O.