The important thing is not to stop questioning. Curiosity has its own reason for existing.
Starred Articles
This blog post provides a brief technical overview of how WAFs work and how to identify which WAF is in use, before delving into common and more novel approaches for bypassing WAFs. Finally, we will discuss a number of real-world case studies that demonstrate more advanced WAF evasion techniques.
multipart/form-data parsers fail to fully comply with the RFC, and when it comes to validating filenames or content uploaded by users, there are always numerous ways to bypass validation. We'll test various bypass techniques against PHP, Node.js, and Python parsers, as well as popular WAFs and load balancers like HAProxy, FortiWeb, Barracuda, and even some OpenResty Lua multipart parsers.
A Massive Software Supply Chain Attack
11/07/2024 We explain how, from finding an expired email domain on a key repository account, we managed to ripple the full codebase of a target company. The goal of this article is to highlight the value of scrutinizing not only the code but the maintainers behind it.
In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails.
New Articles
This blog post delves into CVE-2024-50550, a privilege escalation vulnerability in the WordPress LiteSpeed plugin.
In this blog post, we show how we fuzzed the ZBar barcode scanning library and why, despite our limited time budget, we found serious bugs: an out-of-bounds stack buffer write that can lead to arbitrary code execution with a malicious barcode, and a memory leak that can be used to perform a denial-of-service attack.
In this article, we will delve into the details of CVE-2024-38821, a critical vulnerability in Spring WebFlux, allowing attackers to access restricted resources under certain circumstances. We will also examine why it impacts only static resources.
We provide investigation details of an attacker's operations. The attacker accessed a server without authorization and moved laterally across the network, compromising the entire domain, and remained undetected for two weeks. We determined the initial access vector to be the exploitation of a vulnerability, CVE-2024-38094, in the on-premises SharePoint server.
In this article, we will explore how to work with the USN Journal without collecting and parsing the $UsnJrnl:$J file. We will not discuss this artifact in detail; we will cover just the basics and then get to the heart of the matter.
Collecting IIS Logs
10/29/2024 Collecting IIS logs has been a quiet challenge I have kicked around in my head for a number of years. Recently I decided to finally write down some ideas about collecting IIS logs that trace back to my first IIS case.
This article explains how IAM Roles Anywhere, due to its nature, can clearly allow attackers to gain persistence in AWS.
We're having a close look at CVE-2024-47575, also known as FortiJump, an elaborate command injection vulnerability in Fortinet FortiManager.
Attacking Kerberos - Mimikatz
10/29/2024 In this article, I explain how security professionals can extract passwords, NTLM hashes, and Kerberos tickets directly from memory, escalate privileges, and bypass authentication mechanisms with Mimikatz.
BugSleep is a remote access tool (RAT) that gives operators reverse shell and file input/output (I/O) capabilities on a victim's endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep's protocol, writing a functional C2 server, and detecting this traffic with Snort.
In this article, we will unveil the intricacies of cloud forensics and explore the challenges investigators face when navigating these complex environments.
This blog article will dive into the many ways we have observed threat actors continue their path through the attack lifecycle, skirting around the limitations of the quarantine policy that was applied.
In this post, we explore the structure of LNK files using Velociraptor, an open-source digital forensics and incident response (DFIR) tool. We will walk through each LNK structure and discuss some analysis techniques frequently used.
Adversaries can compromise key material in Azure OpenAI to host malicious models, poison trained models, and steal intellectual property. Here's how they do it and what to look for in the logs.
This article explains how, if I have a command and control (C2) agent on an Intune admin's workstation, I can use their privileges to execute a script or application on an Intune-enrolled device.
I detail how a Business Email Compromise can lead to data exfiltration from SharePoint.
I detail a LoL and privilege escalation found in Microsoft Software Center, a tool that allows end-users to install software on demand from a pre-approved catalogue of software and is a common sight in large organisations.
Introducing Living off the Land Searches (LOLSearches), using advanced search operators with SharePoint and Explorer to help in Red Teams.
This article focuses on ElizaRAT's evolution. We examine the various payloads and infrastructures employed by APT36 and the malware's inner workings, including deployment methods, second-stage payloads, and the persistent use of cloud infrastructure.
This article explains how I used PHP filters to create lightyear, a new tool that uses a new algorithm to dump files using an error-based oracle, making it faster than the already existing implementations.
This article details 32 vulnerabilities found in IBM Security Verify Access, a complete authorization and network security policy management solution, ranging from outdated SSL certificates to Remote Command Execution (RCE).
ToxicPanda: a new banking trojan from Asia
11/04/2024 A technical analysis (with IoCs) of ToxicPanda, a modern generation of mobile RAT malware that allows threat actors to conduct account takeover directly from the infected device, using the On Device Fraud (ODF) technique.
This post explores RunningRAT, a remote access trojan (RAT) recently found deploying crypto mining payloads. We examine its infrastructure, delivery tactics, and C2 techniques, focusing on how open directories are leveraged in these operations.
Analyzing an Encrypted Phishing PDF
11/04/2024 This short post provides tips for analyzing encrypted phishing PDF files.
XSS protection by implementing HTML sanitization on the server side sounds logical at first glance, but this strategy has often fallen short. In this blog, we will demonstrate the limitations of relying solely on server-side sanitization, and why this is one of the main root causes of bypasses.
.Net Hooking with Frida and Fermion - Part 1
11/05/2024 Hooking functions in .NET binaries can be challenging, as .NET applications are JIT-compiled, meaning the MSIL code is only translated into machine code at runtime. In this first part we will start at the beginning: locating the addresses of the functions you wish to hook.
.Net Hooking with Frida and Fermion - Part 2
11/05/2024 In this second part of the series we will see how, once functions have been hooked, to read the variables that are passed to them.
We detail bugs in Azure API Management that require the attacker to go back in time and use old versions of the ARM API. An attacker with Reader permissions on the APIM service can, contrary to the documentation, perform any operation in APIM, including deploying new APIs, changing existing ones, and reading secrets and subscription keys.
Optimizing Mach-O Detection
11/07/2024 In this article, I will share my journey optimizing MachOFileFinder, a tool for identifying Mach-O binaries on macOS. I will analyze the strengths and weaknesses of various approaches, including Python libraries like lief, python-magic, and even a Swift-based solution with CFBundleCopyExecutableArchitectures.
ClickFix tactic: Revenge of detection
11/05/2024 In this blog post, we delve into the various ClickFix infection chains and highlight detection opportunities based on the available data sources in addition to threat intelligence.
Ruby's String Slice is Broken
11/04/2024 I recently discovered a couple of interesting bugs within Ruby's implementation of extracting substrings. The bugs result in incorrect and surprising return values that could violate assumptions made by Ruby application developers, potentially leading to security vulnerabilities.
A case study in using AFL++, afl-cov and basic custom harnesses to find a bug in libsoup for a public bug bounty program.
We provide the main Indicators of Compromise for CVE-2020-0688, a Remote Code Execution vulnerability in Microsoft Exchange Server.
Create Azure VM Bastion shareable link
11/01/2024 We explain how, by utilizing the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link to allow access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.
Automating Deobfuscation of XorStringsNet
11/03/2024 I detail my journey in creating a deobfuscator for .NET binaries that can be used in an automated malware deobfuscation pipeline.
This article reviews an incident where a threat actor unsuccessfully tried bypassing our EDR. By digging further into the incident, the process instead provided us with insight into the threat actor's operations. In this report, we provide an overview of the attack that occurred, details about the AV/EDR bypass tool, and its sale on cybercrime forums.
Still Recent
Let's PWN WTM!
09/27/2024 In this post we go deep and explore commands supported by the WTM firmware, without going through the existing netlink protocol. We need a way to talk directly to the WTM MMIO interface for starters.
In this article, I will introduce TypeLib libraries, examine the relationship between TypeLib and COM, and achieve persistent code execution using TypeLib.
CPython hash table collisions
10/14/2024 CPython uses a specific method for hashing integers, which can lead to collisions and performance issues.
This blog explains Kerberoasting risks and provides recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.
I invite you to join me on a journey into the inner workings of Kekz headphones. We will talk about accessing the encrypted files on the device, breaking the crypto, and discovering a disclosure of customer data.
We identified an attack targeting HiveOS. The initial access targeted the improperly managed SSH service, ultimately executing commands to mine new cryptocurrency and additionally installing a LinuxRC backdoor.
This blog will focus on a new Windows 11 insider build feature, Local Administrator Protection, designed to eliminate always-on admin rights. Instead, it uses a hidden elevation mechanism to provide just-in-time privileges when needed, keeping admin rights in the shadows until required.
Oldies but Goodies
We provide a detailed analysis of CVE-2024-28000, a privilege escalation vulnerability in the WordPress LiteSpeed Cache plugin.
ProjectSend - Stored XSS to Account Takeover
05/06/2024 I've identified a security concern within the self-hosted file sharing tool ProjectSend. By exploiting a chain of vulnerabilities - including Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), and weaknesses in its change password implementation - an authenticated attacker can force a logged-in user to unknowingly change their account password, by clicking a link.
This blog acts as a centralized repository of all HTTP request and response headers relevant to the security of a web domain or page.
Android Pentesting Methodology - Part 1
03/25/2023 In this first part of the series, we'll discuss Android architecture and the different layers of Android architecture.
Android Pentesting Methodology - Part 2
04/03/2023 In this second part, we will explore what APKs are, start reversing Android applications and discuss popular debugging tools.
Guide to AWS Penetration Testing
06/05/2024 There are several tools designed specifically for AWS pentesting that can help security professionals assess the security posture of their AWS environments. This write-up covers four popular AWS pentesting tools: Pacu, ScoutSuite, Enumerate-IAM, and PMapper.
We identified a malicious backdoor disguised as Synaptics.exe, known as "XRed Backdoor". This article highlights the identification of the XRed backdoor, its delivery using trojanized software, and notable persistence and propagation capabilities.
Unearthed Arcana
An SSH Short Story Hack
10/14/2014 This article details the concepts and main operations of an SSH-based worm.
Reverse Engineering Network Protocols
03/24/2018 Protocol reverse engineering is the process of extracting the application- or network-level protocol used by a client-server system or an application. This article will provide step-by-step guidelines to capture, analyze and define the structure of an unknown protocol.
Code of Destruction
12/09/2004 In this article, we'll see how we can analyse the behaviour of an unknown program before we run it.