The best thing about a boolean is even if you are wrong, you are only off by a bit.
Starred Articles
SELinux bypasses
10/21/2024 This post aims at giving an overview of what SELinux is, how it is implemented, and how to bypass it, from the point of view of Android kernel exploitation.
SQL Injection Polyglots
10/22/2024 We detail how to build a SQL Injection polyglot step by step. We end up with queries that demonstrate how this polyglot achieves a true result with no quotes, single quotes and double quotes.
Concealing payloads in URL credentials
10/23/2024 This article details how the ability to conceal payloads through credentials, manipulate the username and password properties within anchor elements, and potentially combine this with DOM clobbering can be used for more advanced exploitation.
In this blog, we will explore how to identify and analyse process hollowing techniques using Velociraptor. This tool provides powerful capabilities for hunting and detecting Process Hollowing malware, enabling security analysts to dig deeper into suspicious processes, memory dumps, and hidden behaviours within infected systems.
New Articles
CVE-2024-38178 is a type confusion vulnerability caused by the JIT engine in JScript9.dll performing incorrect optimizations on variables initialized with the usual arithmetic conversion exception operator, which can be used to bypass the CVE-2022-41128 patch.
Attacking APIs using JSON Injection
10/15/2024 I detail an attack on Samsung's Smart Hub relying on JSON injection and leading to a complex chain of vulnerabilities, from SQL injection to remote code execution.
bedevil: Dynamic Linker Patching
10/19/2024 In this blog post, we will conduct an in-depth analysis of the patching technique used by the bedevil rootkit, exploring how it works and the advantages that dynamic linker patching offers to attackers.
In this blog, we will explore what RDP digital artifacts entail, where they are located, how they can be interpreted, and illustrate their use in an incident response case example.
Volatile data plays a pivotal role in forensic investigations, particularly in cases involving live systems. This guide is designed to equip forensic examiners with the skills to collect and analyze volatile data on macOS.
Malicious PowerShell Script Execution
10/14/2024 We analyze a PowerShell script that employs multiple malicious techniques, such as DNS cache clearing, scheduled jobs for persistence, remote code execution, and clipboard manipulation.
This blog post explores how attackers can leverage entry points across multiple programming ecosystems with an emphasis on Pypi to trick victims into running malicious code.
Malicious Processes Creating Network Traffic
10/20/2024 Hunting malicious processes generating network traffic using Wireshark involves tracking abnormal traffic patterns initiated by suspicious processes. We provide specific filters, such as for non-standard ports or unusual DNS queries, with which Wireshark helps identify command-and-control (C2) traffic, data exfiltration, and other malicious network activities.
Detection of "EDRSilencer"
10/20/2024 We provide a simple technique to detect EDRSilencer, a tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
In this blog series, I'll demonstrate how to improve an organization's security posture by eliminating the need for long-lived credentials (service account keys) in a CI/CD pipeline. In this first post, we will review the security risks associated with long-lived credentials.
This article provides an overview of quishing attacks, their operating modes and impacts, and provides recommendations and guidance for IT admins.
We discovered a complex taint flow vulnerability in OpenAPI Generator that propagates user-controlled data via 28 steps to a dangerous sink. In this blog post, we will explain the technical details behind this taint flow vulnerability, which became CVE-2024-35219, a critical arbitrary file read and deletion vulnerability in the OpenAPI Generator.
I hate you COM
10/19/2024 We discuss challenges with using COM object activation APIs like CreateInstance and CoCreateInstance, which can fail if the COM object is incompatible with the CLR version loaded in the target .NET application.
This article details CVE-2024-37383, a vulnerability that was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability in the code that processes SVG elements in the email body markup that allows an attacker to execute JavaScript code on the user's page.
Hardening Entra ID
10/18/2024 In this blog post, I go over each settings menu and list the settings I would change. I will also provide a short explanation for why I would change the setting, as well as what the setting is by default.
We provide exploitation details, Yara detection rules and IoC for the vulnerability CVE-2024-47575 that allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.
Embargo ransomware: Rock'n'Rust
10/23/2024 We have discovered new Rust-based tooling leading to the deployment of Embargo ransomware. The new toolkit consists of a loader and an EDR killer, which we named MDeployer and MS4Killer. MS4Killer is particularly noteworthy as it is custom compiled for each victim's environment, targeting only selected security solutions.
Using Nix to Fuzz Test a PDF Parser - Part 1
10/23/2024 I created a Nix configuration that kicks off a fuzz testing workflow with a single command. The only dependencies are Nix and git. I used my Nix workflow to find an unpatched bug in a PDF renderer, even though I'm a beginner at both Nix and fuzz testing.
Using Nix to Fuzz Test a PDF Parser - Part 2
10/23/2024 In this second part, I'll get all of the installation and fuzzing down to a single command.
The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.
In this blog post, we explore how the discovery of the Rekoobe backdoor in an open directory revealed a broader network of potentially malicious infrastructure, lookalike domains mimicking TradingView, and additional servers linked via shared SSH keys.
Still Recent
As the complexity of malware evolves, so must the efficiency and effectiveness of YARA rules. This article outlines key strategies for optimizing YARA rule performance, focusing on leveraging specific constructs and techniques.
Race conditions in Linux Kernel perf events
09/05/2024 We provide the details of a race condition in the perf_events Linux kernel subsystem (CVE-2024-46713).
Oldies but Goodies
MyBB Admin Panel RCE CVE-2023-41362
09/11/2023 This blog post explores a critical vulnerability in MyBB's admin panel, leading to authenticated Remote Code Execution (RCE).
In this post, we are going to walk through setting up the Kismet tool and performing basic analysis of 802.11x traffic.