Security Review #230

November 01, 2024

The art of debugging is figuring out what you really told your program to do rather than what you thought you told it to do.

— Andrew Singer

Starred Articles

Bench Press: Leaking Text Nodes with CSS

Is it possible to leak the entire content of an HTML text node only using CSS? The answer is yes. Well, kinda. I found a technique that generally allows this, but bumps into the limitations of the CSS engine at some point.

Offensively Groovy

On a recent red team engagement, I was able to compromise the Jenkins admin user via retrieving the necessary components and decrypting credentials.xml. From here, I wanted to investigate Groovy, as it's something I've never really used - this blog covers a bunch of post-exploitation tasks in Groovy.

Anatomy of an LLM RCE

In this post, we will examine the anatomy of an LLM Remote Code Execution (RCE) vulnerability. We'll start by understanding how large language models are capable of executing code, and then we'll dive deep into a specific vulnerability we uncovered.

More Models, More ProbLLMs: New Vulnerabilities in Ollama

We uncovered 6 vulnerabilities in Ollama. Collectively, the vulnerabilities could allow an attacker to carry out a wide range of malicious actions with a single HTTP request, including Denial of Service (DoS) attacks, model poisoning, model theft, and more.

New Articles

Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps

Several widely-used apps have been found to contain hardcoded and unencrypted cloud service credentials within their codebases. In this blog, we will explore specific examples of these vulnerabilities, focusing on apps that have hardcoded Amazon Web Services (AWS) and Microsoft Azure Blob Storage credentials, and discuss best practices that developers should adopt to prevent such issues.

Exploiting CVE-2018-3048 for arbitrary code execution

This post will cover our journey into the analysis of CVE-2018-0834, a ChakraCore JavaScript engine vulnerability discovered by LokiHardt, and how we exploited the vulnerability in order to get arbitrary code execution.

Abuse SCCM Remote Control as Native VNC

We explain how one can connect to any SCCM-managed system using a VNC-like connection without the need for installing additional malicious modules, and even do so remotely by abusing SCCM Remote Control features.

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan (RAT) designed to monitor and control infected systems, enabling attackers to deploy additional malicious plugins for further damage. We conduct an analysis of several variants of ValleyRAT's malware samples to extract its MITRE ATT&CK tactics, techniques, and procedures (TTPs).

A deep dive into Linux's new mseal syscall

In this blog post, we'll explain what the mseal syscall is, including how it's different from prior memory protection schemes and how it works in the kernel to protect virtual memory. We'll also describe the particular exploit scenarios that mseal helps stop in Linux userspace, such as stopping malicious permissions tampering and preventing memory unmapping attacks.

The importance of PowerShell logs in digital forensics

This blog will explore the forensic importance of PowerShell logs and transcripts, their location, how they are populated, common challenges, and a use case involving a network intrusion scenario.

ShimCache vs AmCache: Key Windows Forensic Artifacts

Among the key Windows artifacts are ShimCache (Application Compatibility Cache) and AmCache (Application Activity Cache). In this blog, we'll explore the forensic significance of ShimCache and AmCache, their locations, how entries are populated, their investigative value, and how they can be used in real-world cases.

Anatomy of an Address Poisoning Scam

An address poisoning attack is a particularly pernicious crypto scam that uses customized on-chain infrastructure to deceive victims out of their funds. In this article, we provide a chain analysis of this type of attack.

WarmCookie/BadSpace Analysis

WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike.

Integrating PowerShell Logging into Microsoft Sentinel

This blog post will explore PowerShell logging and monitoring with Microsoft Sentinel. I will explore some scenarios to ensure your environment is effectively secured against PowerShell-based threats, from log collection to creating custom detection rules.

Detection of Impacket's "ATExec.py"

We will provide artifacts and detection rules to identify operations of atexec.py, a tool that connects to a target host via RPC and uses the Task Scheduler service to register a new task.

ViperSoft Stealer Analysis

This article details my analysis of the ViperSoft stealer step by step.

Attacking browser extensions

In this blog, I will introduce the structure of a browser extension and the vulnerabilities that are present in the ecosystem. I will then highlight the attack surface and its relationship with mitigations that have been implemented. Lastly, I will recommend some CodeQL queries and best practices that users, developers and researchers can use to ensure the security of their extension.

Evasion Trends in Phishing Campaigns

Threat actors have adapted, leading to a growth in Adversary-in-the-Middle (AitM) phishing attacks. These attacks aim to automate the capture of valuable authentication tokens, compromising otherwise well-protected accounts. In this blog post, we'll explore four key aspects of phishing: what are tokens and what we're seeing in the wild.

Breaking into Libraries - DLL Hijacking

In this article, we'll explore the mechanics of DLL hijacking, the potential risks it presents, and provide an example to illustrate its effectiveness in real-world attacks.

Hunting for Remote Management Tools - Part 2

Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we'll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe.

Update on Windows Downdate

In this article, I'll first provide a high-level overview of my original Windows Downdate research. Next, I will show how I was able to downgrade the "ItsNotASecurityBoundary" DSE bypass patch on a fully updated Windows 11 system, effectively bringing the bypass back to life. Finally, I will highlight the importance of monitoring and detecting downgrade procedures.

Climbing The Ladder - Kubernetes Privilege Escalation (Part 1)

In this post, we discuss the threat of Kubernetes privilege escalation, specifically, Account Manipulation (T1098) and Valid Accounts (T1078) as well as the abuse potential of system pods within an attack chain.

File Transfer and Evasion Techniques

Understanding different ways to perform file transfers and how networks operate can help us accomplish our goals during an assessment. So, let's talk about the different ways to transfer files.

AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover

We uncovered a security issue related to the AWS Cloud Development Kit (CDK), an open-source project. The impact of this issue could, in certain scenarios (outlined in the blog), allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover.

Bluetooth Low Energy GATT Fuzzing

We decided to build a fuzzer based on attack scenarios defined after conducting an in-depth study of the BLE specification. Our work resulted in the discovery of non-conformities, bugs, and vulnerabilities in various BLE stacks.

Persistence 101: Looking at the Scheduled Tasks

This post discusses another mechanism for persistence on hosts running Windows. This mechanism is scheduled tasks and is documented as T1053.005 in the MITRE ATT&CK knowledge base.

Privilege escalation through TPM Sniffing when BitLocker PIN is enabled

This article helps to better understand the additional security provided by BitLocker when using multi-factor authentication, but also its limitations. Knowing the PIN allows decrypting the disk and might therefore be used by a rogue employee to take full control of his or her workstation, but also to disable local security solutions including EDR, DLP and so on.

Engineering WCF Hacks

Windows Communication Foundation (WCF) is a framework that can provide inter-connectivity for .NET services, so a wide range of client applications and network topologies can be supported. In this post we aim to document our efforts to create more robust and maintainable tools for testing WCF-based applications.

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

In this article, we break down bypass implementations from the infostealer ecosystem's reaction to Chrome's Application-Bound Encryption scheme.

Android Hacking for Beginners

In this post, we will use Damn Vulnerable Banking App (DVBA) to learn how to proxy traffic and use different tools to test various aspects of the application.

LoadLibrary madness: dynamically load WinHTTP.dll

The LoadLibrary API allows a program to load a specific DLL from the disk. However, the drawback is that LoadLibrary raises several events and telemetry that an EDR can analyze to detect the malicious C2 agent. In order to avoid this kind of event, I chose to implement a custom LoadLibrary that will not raise such events.

Exploiting a Blind Format String Vulnerability in Modern Binaries

The Synology TC500 security camera running on an ARM 32-bit architecture was found to be vulnerable to a format string bug. This vulnerability was discovered in a web service, specifically in a function parsing HTTP requests, where improper string formatting led to the flaw.

The Windows Registry Adventure Part 4: Hives and the registry layout

What are hives? How do they map or relate to the top-level keys? Why are some HKEY root keys pointing inside of other root keys (e.g. HKCU being located under HKU)? These are all valid questions, but they are difficult to answer without fully understanding the interactions between the user-mode Registry API and the kernel-mode registry interface.

BOFHound - Part 2: AD CS Integration

This brief post will cover the addition of AD CS object parsing to BOFHound and some queries to get you started.

NetIQ iManager Security Alerts

We identified a series of vulnerabilities in OpenText NetIQ iManager, an enterprise directory management tool. In this post we will focus on CVE-2024-4429, CVE-2024-3488, CVE-2024-3487, and CVE-2024-3483. Individually, each of these bugs is quite tame. However, when chained together, they can be leveraged to achieve full compromise of the iManager server.

Typosquat Campaign Targeting Puppeteer Users

We provide details and IoCs about the early stages of a typosquat campaign targeting developers intending to use the popular Puppeteer library.

Autonomous Discovery of Critical Zero-Days

We detail a methodology that aims at leveraging LLMs for vulnerability discovery. To do this well, we combine deep program analysis with adversarial agents that test the plausibility of vulnerabilities at each step. The solution ends up mirroring the traditional phases of a pentest: recon, analysis, exploitation.

Discovering Hidden Vulnerabilities in Portainer with CodeQL

In this blog, we will show how we used CodeQL to find vulnerabilities in Portainer, the go-to open-source tool for managing Kubernetes and Docker environments. We will provide generic patterns that might indicate security flaws and even write custom queries to find a specific vulnerability.

Remote Code Execution: The Cybercriminal's Golden Ticket

In this article, we'll break down what RCE is, how it works, real-world cases where it wreaked havoc and show why understanding RCE is crucial as it still remains one of the most powerful weapons in an attacker's arsenal.

EV code signing with .pfx in 2024

Being able to sign my own Windows drivers and running them on production Windows systems has been amazing. However, I would like to do so without having to worry about my kernel exploits being fixed, leaked certs being revoked or exploitable drivers being blacklisted.

Still Recent

Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

We have observed that certain threat actors are attempting to leverage EDRSilencer as part of their attack strategies. This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.

Malware Analysis - Lumma Stealer

In this post, we will analyze malware and reverse engineer a sample called Lumma Stealer.

Process Injection in BugSleep Loader

The BugSleep backdoor has typical backdoor capabilities, such as establishing persistence, communicating with the C2 and executing commands, among others. The primary focus of this analysis is on the process injection aspect of the execution flow.

Retrofitting encrypted firmware is a Bad Idea

We discuss Lexmark's attempt to protect their newer printer firmwares, assisted by the Wireless Trusted Module that is part of certain Marvell SoCs. We demonstrate that simply replaying some commands to this security processor on a rooted device is enough to turn it into an oracle that can help us decrypt any newer firmwares that are protected by this mechanism.

Enable Auditing of Changes to msDS-KeyCredentialLink

Changes to the msDS-KeyCredentialLink attribute are not audited/logged with standard audit configurations. This article details the steps to be taken to properly log such activity.

Analysis of CVE-2024-21310 Pool Overflow Windows Cloud Filter Driver

To analyze CVE-2024-21310, a pool overflow in Windows cloud filter driver, we will reverse engineer and perform a BinDiff on the vulnerable and patched cldflt.sys component to identify the vulnerability and find a way to trigger it.

Should We Chat, Too? Security Analysis of WeChat's MMTLS Encryption Protocol

We performed the first public analysis of the security and privacy properties of MMTLS, the main network protocol used by WeChat. We found that MMTLS is a modified version of TLS 1.3, with many of the modifications that WeChat developers made to the cryptography introducing weaknesses.

Give Me the Green Light Part 3: Traffic Controller Surgeon

In this blog post we'll be covering how to acquire a traffic controller and get it up and running. We'll include where to find hardware, how to get it powered on, and how to configure the web interface.

Mastering Memory Exploitation: Fundamentals, Stack Overflows, Shellcode, Format String Bugs, and Heap Overflows

This article takes you from the foundations of memory management to advanced exploitation techniques like stack overflows, writing shellcode, exploiting format string vulnerabilities, and taking advantage of heap overflows. By the end of this guide, you'll have both a theoretical understanding and hands-on experience with these techniques, making you a more effective vulnerability researcher.

I Studied 100+ SSRF Reports, and Here's What I Learned

After diving into over 100 write-ups and reports on Server-Side Request Forgery (SSRF), I've compiled the key insights and knowledge I've gained into this blog. Here, I aim to share a comprehensive overview of SSRF vulnerability.

Oldies but Goodies

Building a Keylogger Browser Extension

This blog entry details my journey in writing a browser extension whose capabilities include keystroke logging and monitoring the sites a user is visiting.

CSI Container - Part 1: Can you DFIR it?

Nowadays, performing DFIR in Kubernetes or in containers is much more complicated than it used to be traditionally in production environments. This first article of the series will review the core steps to be taken to properly detect and investigate incidents in K8s environments.

Give Me the Green Light - Part 1: Hacking Traffic Control Systems

In this series of blog posts I'll be discussing my findings dealing with traffic controllers and other traffic systems. I will start with finding vulnerabilities in traffic controllers, sourcing hardware and getting it running in a lab, and just how broken and behind the technology curve the traffic industry is.

Give Me the Green Light Part 2: Dirty Little Secrets

In this blog post we're going to peek behind the curtain and find out what makes a traffic controller work. What I found surprised me and I can't believe this exists in any technology and honestly has no place in Critical National Infrastructure.

Using Open Groups to Escalate Privileges in Google Cloud

This blog will detail how an attacker can escalate their privileges in Google Cloud by leveraging weak group join settings for groups that have been granted roles in GCP. Opportunities for Hunting and Detection are provided towards the end of the blog.

Protection of privileged users and groups by Azure AD Restricted Management Administrative Units

Restricted Management Administrative Unit (RMAU) allows protecting objects from modification by Azure AD role members on directory-level scope. In this blog post, we will have a look at this feature and how you can automate management of RMAUs with Microsoft Graph API. In addition, I will explain use cases, limitations and why this feature supports implementing a tiered administration model.

Unearthed Arcana

MobSF "IPA Binary Analysis" step by step

MobSF is an open source static and dynamic analysis tool for Android and iOS. When scanning an .ipa, the "IPA Binary Analysis" section can report multiple issues that can be hard to interpret. This blog helps in understanding why vulnerabilities were reported and how to fix them.

The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches

In this article, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a person-in-the-middle attack against cached content, thus compromising its confidentiality and integrity.

DOM based AngularJS sandbox escapes

In this post, I'll look at how to develop a sandbox escape that works in a previously unexploitable context - the order by filter. I've written up the entire exploit development process including various techniques that didn't quite work out.