Programming is like pinball. The reward for doing it is the opportunity of doing it again.
Starred Articles
A footgun is any feature likely to lead to the programmer shooting themself in the foot. Join me as we look at some security footguns that I've encountered during security assessments across a wide variety of languages and libraries.
This research unveils a quarry of hidden and forgotten secrets in Azure VM Images.
Security Attacks in Blockchain - Explained
03/26/2023 We review the main attacks against blockchains: the 51% attack, the selfish mining attack, the double spending attack and the reentrancy attack.
New Articles
This post demonstrates how to exploit CVE-2024-50340, a critical vulnerability affecting Symfony applications when the PHP directive register_argc_argv is enabled.
Using VBS enclaves for anti-cheat purposes
11/09/2024 In this article, I explain how the VBS (virtualization-based security) enclave functionality announced by Microsoft can be used for game anti-cheating purposes.
SoftBank Mesh RP562B Vulnerability Analysis
11/11/2024 We analyze SoftBank Wi-Fi Mesh RP562B, a dual-band Wi-Fi mesh system, and expose several vulnerabilities ranging from sensitive information exposure to command injection.
The Checkpoint Gaia portal is vulnerable to a code injection into the application's logic. When the application continues its execution, it may inadvertently execute the injected code due to the altered state of these variables.
UAL = Unaligned Activity Logs
11/14/2024 The unified audit log is a centralized repository for M365 user and admin activities. The activities originate from different applications, such as Exchange, Teams, SharePoint, Azure, OneDrive and Defender XDR. In this blog, we compare four different ways to acquire and investigate the unified audit logs (UAL).
In this blog post, we'll explore how to reproduce the vulnerability described in CVE-2024-10979, where environment variable mutations are incorrectly allowed from trusted PL/Perl code in PostgreSQL.
x64 Assembly & Shellcoding 101 - Part 6
11/15/2024 We are going to write a reverse shell using x64 assembly.
We reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware.
Here, we'll take a look at some of the more interesting techniques used by current phishing kits to break common login page detection signatures.
Unpatched Remote Code Execution in Gogs
11/13/2024 The Gogs self-hosted Git service is vulnerable to symbolic link path traversal that enables remote code execution (CVE-2024-44625). This vulnerability is exploitable against a default install, with the only attacker requirement being access to an account that can push to a repository and edit that repository's files from the web interface.
In this first part, we will introduce the concept of mXSS and will cover several DOMPurify bypasses.
Reverse Engineering iOS 18 Inactivity Reboot
11/17/2024 iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
We provide details on a serious vulnerability in Redis, identified as CVE-2024-31449. This vulnerability allows an authenticated user to execute remote code using specially crafted Lua scripts, posing a significant threat to the security of systems using Redis.
We tracked a phishing kit under the name Gabagool targeting corporate and government employees. It leverages Cloudflare R2 buckets by hosting malicious content or phishing landing pages in these buckets, leveraging the trusted reputation of Cloudflare to bypass security filters.
We provide a comprehensive analysis of a custom modular infostealer, tracked as WezRat. It can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Some functions are performed by separate modules retrieved from the C2 server in the form of DLL files, making the backdoor's main component less suspicious.
We have identified a novel phishing technique which is used to harvest Microsoft credentials via websites which are masqueraded as locked Microsoft Word documents. This technique, which we call DirtyWord, uses a blurred Word document as the page background to inform the user that they must log in to view the document.
We will discuss how browsers handle data insecurely, focusing on the cleartext storage of sensitive information in memory.
We have recently uncovered two vulnerabilities in Google's Vertex AI platform. These vulnerabilities could have allowed attackers to escalate privileges and exfiltrate models.
In this first part of the series, we present the taxonomy of initial access vectors and discuss control plane access.
In this part, we focus on data plane access. We will go through the possible initial access vectors originating from the applications running on the cluster, discuss concerns around container images (their origin and potential escape scenarios), and wrap up with execution-as-a-service workload types.
HawkEye Malware: Technical Analysis
11/13/2024 HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
We have uncovered a new type of two-step phishing attack leveraging Microsoft Visio files (.vsdx) and SharePoint. These attacks embed malicious URLs in .vsdx format files to evade detection and steal credentials.
AI Enhancing Your Adversarial Emulation
11/14/2024 This blog post will focus on a number of case studies where we obtained data, and how we innovated using AI and LLM systems to process this into structured data that could be used to better defend organizations. We will showcase the lessons learned and key takeaways for all organizations and highlight other problems that can be solved with this approach for both red and blue teams.
Local Admin In Less Than 60 Seconds (Part 1)
11/18/2024 In this article I'll be presenting the NTLM relay attack from WebDAV to LDAP protocol.
Writing Beacon Object Files Without DFR
11/18/2024 One development quirk of Beacon Object Files is the need to prefix imported symbols with the associated library name where the symbol can be found. This concept is known as Dynamic Function Resolution (or DFR). In this article I will show that you do not need to write these DFR prototypes in your code when developing BOFs.
This writeup provides an overview of the recently discovered arbitrary write vulnerability in MSI Center Pro. This vulnerability presents an opportunity for elevation of privilege to NT AUTHORITY/SYSTEM because the file Device_DeviceID.dat.bak is written to by a SYSTEM-level process.
We detail the exploitation and mitigation for 2 vulnerabilities in ColdFusion: a path traversal (CVE-2024-20767) and an unauthenticated RCE (CVE-2024-21216).
This post will explore the tactical shifts observed in this version of XenoRAT's deployment, focusing on the infrastructure, protective layers, and key changes defenders should watch closely.
We're investigating an attack chain on Palo Alto SSLVPN, combining an authentication bypass vulnerability (CVE-2024-0012) and a privilege escalation (CVE-2024-9474).
As an attacker, you need a few things to go wrong to be able to exploit algorithm confusion attacks. In this blog post, we will cover why JWT libraries are not usually vulnerable to algorithm confusion.
This is a step-by-step guide to creating a downloader capable of escaping MS Defender detection.
This blog post provides a comprehensive analysis of Helldown: Tactics, Techniques, and Procedures (TTPs).
Azure Key Vault Tradecraft with BARK
11/20/2024 This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment.
Wormable XSS www.bing.com
11/15/2024 My primary objective was to identify an XSS vulnerability within a Microsoft web product that could potentially be leveraged to exploit other Microsoft applications. I opted to focus my efforts specifically on the Microsoft Search Engine due to its widespread features and usage across various other Microsoft applications.
Raspberry Robin Analysis
11/19/2024 Raspberry Robin (also known as Roshtyak) is a malicious downloader that has circulated in the wild for several years, primarily spreading through infected USB devices. In this blog, we provide an in-depth analysis of Raspberry Robin's functionality, including its execution layers, obfuscation methods, and network communication process along with its latest exploits.
In this article we detail how we managed to extract credentials from the memory of the Palo Alto Global Protect solution.
This post provides an overview of the CVE-2024-41730 vulnerability affecting the SAP BusinessObjects Business Intelligence Platform. The issue arises from a missing authentication check, which allows unauthorized attackers to exploit a REST endpoint to obtain a logon token. This could lead to a full system compromise.
In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
Relaying Kerberos over SMB using krbrelayx
11/20/2024 In this article, we aim to provide additional insights from the original SMB relaying research and introduce an implementation using krbrelayx.
In this blogpost, we provide technical analysis and IoCs of two different Linux backdoors: WolfsBane and FireWood.
This article discusses my approach to fuzzing VA1 decoding on macOS systems. My goal was not necessarily to create the "best" method for kernel extension fuzzing, but the one that was simplest for me.
Still Recent
In this guide, I'll walk you through how I create tools to find exploits in video games. Specifically, I'll focus on my research into the game Sword of Convallaria.
Malicious Python Package Typosquats Popular 'fabric' SSH Library, Exfiltrates AWS Credentials
11/06/2024 Our analysis examines the fabrice (a typosquat of the legitimate fabric) package's actions on both Linux and Windows systems with insights into its behavior and recommendations for mitigating these attacks.
China's Great Firewall systematically poisons DNS queries, affecting domains routed through Chinese infrastructure. This tampering leads to unreliable DNS resolution and potential DNS takeover.
Running JavaScript without using parentheses
10/31/2024 Restricting the use of parentheses is one of the toughest limitations I have come across, mainly due to the fact that sometimes all sorts of escapes and encodings are blocked. In this article, we will see how to circumvent this limitation.
We provide a set of ingestion scripts, written in Python, that can simplify security data ingestion. Using Cloud Run functions, you can deploy them and streamline your log collection process.
Oldies but Goodies
In this blog post, we conduct an in-depth analysis of the various reasons why malware developers are increasingly opting for Rust over C and C++ in malware development.
Get TCP Active Connections with WMI
08/10/2024 This article provides an overview of the WMI COM API and how to use it to list active TCP connections on a Windows machine. We cover the basics of the WMI COM API, how to connect to the WMI service, and how to query the MSFT_NetTCPConnection class to list active TCP connections.
I investigated a site that implements a security layer: you should verify your email by sending a token to your email (this also happens if you change your email). While editing my email, I performed a race condition to bypass this verification layer.
In this blog post, we delve into the intricacies of BYOVD attacks, exploring how malicious actors exploit this technique to blind, terminate, and manipulate endpoint detection and response (EDR) solutions.