Security Review #232

Upon reviewing the existing MacOS sandbox escape issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-32414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, CVE-2024-27864, CVE-2023-42977, and more.

In this blog, we're going to describe how you can enhance GKE's already great security by adding runtime threat detection with Falco.

I share how AI helped uncover vulnerabilities in a document ID system, revealing sensitive files across an entire platform. The bug itself wasn't especially complex, but using AI allowed us to analyse patterns at scale - something that would have been time-consuming and likely overlooked if done manually.

This article details how Recraft's image generation service could leak its internal system prompts due to its unique architecture combining Claude (an AI language model) with a diffusion model.

In this blog, we will explain how a malicious actor could physically intrude one of your offices undetected and how you should protect yourself against this unexpected attack vector.

Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer. In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection.

In this series of posts, I'll describe some of the most unusual, and potentially dangerous configurations, I've encountered over my years of experience. In this first entry, I will deal with configuring security policy settings for the registry.

Allowing end users to create accounts in Entra, as Microsoft Bookings does by default, poses significant security risks. An attacker could potentially purchase TLS certificates or transfer domain names and services relying on email verification, impersonate high-profile individuals, or hijack dormant accounts.

We uncovered several vulnerabilities such as sandbox escapes, local privilege escalations, and TCC bypasses in macOS diskarbitrationd and storagekitd system daemons. In this first part of the series I will cover CVE-2024-44175, which allows attackers to escape the application sandbox and also escalate their privileges to root from a low privileged user.

In this post we will be exploring two SQL Injections affecting LearnPress - WordPress LMS Plugin: CVE-2024-8529 and CVE-2024-8522.

We demonstrate how we reverse-engineered the communication between the Parrot Anafi consumer drone and its controller, which connect via Wi-Fi. The Parrot Anafi hosts its own Wi-Fi network, allowing either the controller or a phone running the Freeflight app to connect. Our goal was to understand the signals sent to the Anafi for initiating takeoff and landing sequences.

In this blog post, we will show a novel way of how adversaries can move laterally and elevate privileges within Microsoft Entra ID when organizations use a popular security architecture involving Intune-managed Privileged Access Workstations by abusing Intune permissions granted to Entra ID service principals.

This blog post is the result of some research, where I delved into Pishi, a static macOS kernel binary rewriting tool. I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I'll break down the concepts, provide relatable examples, and resources.

Codecs and formats form the bulk of our source material, from both proprietary and standard files. This article provides a full breakdown of all the common types encountered in forensic video analysis.

This article talks about packaged vs. nonpackaged apps, some capabilities that an examiner might find interesting, the difference between each table, and some SQL commands that can make the data more readable. It also includes a link to a simple Python script that can help parse the database.

This blog post discusses how we were able to help an Akira ransomware victim restore their business critical data by extracting NTFS partitions from partially encrypted virtual disks. The post outlines a generic approach based on open source tools that allows affected parties to restore data from encrypted hypervisor systems.

We'll walk you through how to set up Docker, run log2timeline using a container, and map your physical file system to make it easy to process images without having to load them into the docker container image.

This article talks about how MD5 and SHA1 are used in digital forensics. It talks about their pros and cons and the current discussion about their future in cybersecurity.

This blog post dives into some of the recent techniques used by threat actors that leverage specific customer configurations or design to make unauthorized use of resources within an AWS account. We'll explain the techniques, the customer configurations that created the opportunity, and the AWS features and services you can use to help mitigate the impact of the tactics.

We detail a recent callback phishing attempt in a Docusign comment that reflects a growing trend of Living Off the Land (LOTL) attacks that abuse legitimate business services in order to evade detection. Docusign is one of many trusted business services we're seeing exploited.

Our analysisof the Interlock ransomware uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary.

There has been much research on the topic of callbacks where they have been abused to be used as call stack evasion, sleep timers, evasion from memory scanners, DLL loading and execution, etc. In this blog post, we try to uncover previously unknown callbacks that could be abused maliciously and produce a tool for the same.

Winos4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions. In this blog post, we will delve into a comprehensive technical analysis of a campaign that leveraged these applications to deliver Winos4.0.

This series provides a set of lessons to help have the resources and knowledge necessary to properly learn x64 assembly/shellcode. This first part will focus on essentials: registers, alignment and shadow space. Then we will write our first program.

This second part will deal with PE offsets and how to calculate them.

In this third part we will see how we can get rid of NULL bytes from our shellcode.

In this part we will talk about shellcode basic encoding functionality built in to x64 assembly instructions: bitwise operations without using the bitwise command.

We are going to write a shellcode that pops the messagebox and exits gracefully.

This article explores the integration of ZAP and Noir to achieve better endpoint detection and testing outcomes.

Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns.

This blog post will provide an in-depth look at GitHub Enterprise's SAML implementation and analyze the specific code issue that permits bypassing GitHub's SAML authentication when encrypted assertions are in use.

Transparency, Consent, and Control (TCC) is the final layer in the Apple App Security mode. Similar to the Sandbox, it aims to mitigate the threat of malware running successfully on macOS. This article will examine TCC components, such as its daemons, databases, permissions dialogs, entitlements, and where to find related APIs.

In this series, we'll walk through creating custom Ghidra data types by parsing C header files. In this first post, we'll define Ghidra Data Types (GDTs) and discuss when you need to create your own custom GDTs.

In this post, we will learn how to define custom data types. We will define NDIS data types using readily available Windows NDIS headers from the Windows Driver Kit and use them to build a custom GDT. Using these headers, we can transform the decompilation into something respectable.

The article provides a detailed technical analysis of a MSMQ Deserialization vulnerability in Citrix's "Session Recording" feature that leads to unauthenticated RCE against Citrix Virtual Apps and Desktops.

We identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic.

In this first part of the series, I will focus on the voltage glitching part, as it is one of the most approachable techniques with limited hardware. The basic concept is that we "deprive" the chip of power, making it "unstable".

We uncovered 10 different vulnerabilities in the OvrC cloud platform, which is used by businesses and consumers to remotely manage IoT devices. When chained, they allow attackers to execute code on OvrC cloud-connected devices, remotely over the cloud.

This blog will walk through how an attacker can escalate privileges in Cloud Composer by targeting the environment's dedicated Cloud Storage Bucket for command execution. We will also discuss the impact of using default configurations and how these can be leveraged by an attacker.

This article emphasizes the importance of using third party GitHub Actions by SHA instead of mutable tags. Otherwise, the third party's attack surface is your attack surface as well. If a new vulnerability or technique allows an attacker to compromise the release process of an upstream Action, then your repository is immediately vulnerable.

In this post, we delve into the analysis of a recent vulnerability CVE-2024-9680, a use-after-free issue in Firefox animation timelines. Our investigation provides a deep dive into how this issue could be triggered and exploited.

This article discusses the advantages of using Event Tracing for Windows (ETW) over traditional EventLogs for forensic investigations. We first detail ETW architecture and event format, then explain how these events can be used for incident response.

This blog takes readers on a journey through OpenAI's containerized ChatGPT environment, uncovering the surprising capabilities that allow users to interact with the model's underlying structure in unexpected ways.

This second part of the series explores how a chain of misconfigurations in Google's GKE System Pods constitutes a vulnerability and how an attacker could chain them together to escalate privileges, compromise critical resources, become cluster admin, and take control of an entire Kubernetes cluster.

In this blog post, we delve into the nature of CVE-2024-45519, a vulnerability that allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. We detail our journey in analyzing the patch, and the steps we took to exploit it manually. We also discuss the potential impact and emphasize the importance of timely patch application.

The Local RPC (LRPC) & ALPC have been the subject of scrutiny by some Windows internal enthusiasts and vulnerability researchers. In this article, we will go a step further to explore what can be done about LocalServer DCOM objects, how to instantiate them and directly connect to their interfaces without using the COM proxy clients normally rely on.

We provide details of CVE-2024-45409, a critical security flaw in the Ruby-SAML and OmniAuth-SAML libraries, exposing a vulnerability that allows complete authentication bypass.

This blog highlights the need for enhanced AI safety features, including early decoding of encoded content, improved context-awareness, and more robust filtering mechanisms to detect patterns indicative of exploit generation or vulnerability research.

In this article, we will delve into the world of API subdomains, exploring their purpose, methods to discover them, and performing API subdomain enumeration.

In this article, we'll explore how to implement safe and controlled canary deployments using AWS API Gateway and AWS Lambda.

In this SQLmap tutorial for beginners, we'll examine the tool's injection basics, demonstrate practically how it works and how to use it, decode database fingerprinting, data retrieval intricacies, and more.

The primary intention of this post is to demonstrate the UDRL's role in runtime masking and show how most important evasion tools interact. We will first demonstrate how to track Beacon with BUD. We will then load an External C2 DLL at the same time as Beacon and mask both DLLs at runtime with Sleepmask-VS.

We demonstrate that, given two mt_rand() output values separated by 226 others, it is possible to compute, without any bruteforce, the original seed, and therefore obtain any previous or subsequent mt_rand() output, effectively breaking the PRNG.

When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. I managed to squeeze out quite some high-fidelity detections, of which I want to share two in this blog.