Security Review #235

This blogpost dissects three JA4H fingerprints observed the activity of a C2 cluster. It concludes that an even more general fingerprint can uncover the same activity with an acceptable false positive rate.

This post demonstrates how it is possible for a prompt injection in the DeepSeek AI application to entirely take over a user's account if an application is vulnerable to XSS, which the LLM can exploit.

In this blog post, we demonstrate a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. We show how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device.

In this post, I'll explore some dangerous, lesser-known features of modern cookie parsers and show how they can be abused to bypass web application firewalls.

Microsoft SQL Server has been found to treat a goblin emoji as equivalent to an empty string, potentially leading to security vulnerabilities in applications that utilize it, particularly in the context of brute-force password attacks.

We analyze a malicious NPM package masquerading as an XML-RPC implementation that has maintained an unusually long presence on the NPM registry. The implanted malware steals sensitive data while mining cryptocurrency on infected systems. Data is exfiltrated through Dropbox and file.io.

VRChat is a fairly popular game letting users upload mostly whatever they want in a free environment exposing a massive attack surface for software vulnerabilities. I will leverage the VRChat's scripting language, Udon, to exploit an out-of-bounds heap read/write vulnerability in Unity's Texture class.

We describe a method that prevents the EDR agent from sending any data by altering Windows Name Resolution Policy Table (NRPT).

In this second part we will emphasis on host file and custom routes modifications to prevent EDR communications.

We detail a clean way to exploit an unauthenticated vulnerability in a Spring application.

This article gets into the details of leveraging MSSQL behavior when dealing with emojis.

We analyze the recent changes in the way Chromium-based browsers encrypt cookies. It clearly shows that having code execution access as the victim on their Windows host is no longer possible to obtain the cleartext version of their browser cookies by simply using the DPAPI user master keys.

We provide an analysis and a partial proof of concept for CVE-2024-44308, a a register corruption issue in WebKit's DFG JIT leading to an RCE in Apple Safari.

In this blog, we'll walk through the process of building a TLS-secured reverse shell using Python. This reverse shell ensures that all communications between the client and server are encrypted using self-signed certificates.

This forensic investigation looks at a number of artifacts including web server logs, container logs, CloudWatch Kubernetes logs, and CloudTrail logs across a variety of attacks - web application command injection, Instance Metadata Service (IMDS) access, JSON Web Token (JWT) abuse, and valid credential abuse.

Although timestomping is a common anti-forensics method, if you know how to approach it then it becomes nothing more than a minor inconvenience. This article explains how to use NTFS journaling to identify altered timestamps.

Let me introduce you to C2 hunting. A powerful threat hunting technique that allows you to stay one step ahead of the bad guys with publicly available information and investigative rigor.

What I want to do is to attempt to find artifacts that are immutable. Meaning - no matter what specific technique the attacker is using to dump WiFi - the assumption is that there is an artifact(s) that must be generated every single time, regardless of the tooling/tradecraft in use.

In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the GenericWrite permission in Active Directory environments. This permission can be exploited by attackers to update attributes such as group memberships, account permissions, or even execute privilege escalation by modifying login scripts or service principals.

A vulnerability in the ksthunk.sys CKSAutomationThunk::ThunkEnableEventIrp allows a local attacker to exploit an Integer Overflow vulnerability which can then be used to gain elevated privileges in the Windows operating system.

We discovered that Microsoft modified the "First Contact Safety Tip" anti-phishing feature to better resist our attack. In this blog post, we discuss these changes, and whether it is still possible to carry out the same attack.

In this post, we'll take a closer look at the newly-released PKCE support for AWS SSO authentication flows and how it can help preventing "device code phishing" attacks.

In this second post we will explore an unusual Group Policy Object (GPO) configuration: a source HOSTS file on a remote share granted with "Users" full control.

This post discusses CVE-2024-38193, a use-after-free vulnerability in the afd.sys Windows driver. Specifically, the vulnerability is in the Registered I/O extension for Windows sockets. We describe the exploitation process for the vulnerability.

A common assumption is that since the BitLocker keys are stored in the Trusted Platform Module (TPM) the decryption process is secure. This is however only partly true as we will see in this article. We will look at the purpose of the TPM and how it works in relation to BitLocker.

I exploited some common and other lesser-known flaws in Salesforce applications (also called Salesforce Communities), which eventually led to an account takeover vulnerability. I will show some plugins and in-depth techniques to facilitate the enumeration of the target and the discovery of these flaws.

In this article, I'll walk you through how I discovered and exploited a vulnerable file upload functionality in an environment of disabled PHP functions such as exec(), passthru() and systen() , pivoted to Local File Inclusion (LFI), and ultimately gained access to critical application data, including a database.

This blog post will walk through sqs_flag_shop CloudGoad scenario, where you will attempt to move through an AWS environment and perform privilege escalation against the Glue service in order to capture the flag.

In this blog post, we will demonstrate how to find and exploit Client Side Path Traversal bugs with Eval Villain.

I discovered a deserialization vulnerability in LINQPad, a .NET scratchpad application commonly used by developers. In this post, we will look at how this vulnerability was found.

In this blog post, we will analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior. We will also detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.

We analyzed the construction and control flow of Akira ransomware's Rust version, which has specific features uniquely targeting ESXi server. Our analysis demonstrates how Rust idioms, boilerplate code, and compiler strategies come together to account for the complicated assembly.

We discovered a malicious JavaScript injection targeting Magento websites. This malware dynamically creates a fake credit card form or extracts payment fields directly depending on the variant of the malware, activating only on checkout pages. The stolen data is then encrypted and exfiltrated to a remote server.

This post shares two of my findings from a quick look at Shiny, the most popular web framework for use with the R programming language: a Denial of Service and a flow in the random number generator (RNG).

I identified a critical vulnerability in Kemp's LoadMaster Load Balancer. This vulnerability is a Command Injection and allows full system compromise. It requires no authentication and can be exploited remotely by having access to the Web User Interface.

This article will focus on the Mitel's MiCollab platform. We will discuss how to reproduce CVE-2024-35286, how we found an authentication bypass vulnerability (CVE-2024-41713), and a post-auth arbitrary file read.

Symantec Management Agent uses a "Account Connectivity Credential (ACC)". This account is used to facilitate network access to the Symantec Site Server in order to download package, policy and task configuration data. We provide details of all the steps required to recover the ACC using a low privileged domain user.

The following article explains how during an audit we took a look at Apache Superset and found bypasses (by reading the PostgreSQL documentation) for the security measures implemented.

In this article, we'll take a look at S/MIME and how we can use the concept of invisible salamanders to craft messages that tell each recipient a different story.

We have recently identified multiple instances of malware being distributed in Scalable Vector Graphics (SVG) format. The SVG malware is being distributed as an attachment in phishing emails, and the email body includes instructions on how to execute the file.

A quick and easy guide to John the Ripper for beginners.

In this blog post, we will walk you through the key highlights of our research on the Mongoose Web Server Library: we'll explain how we uncovered these security flaws, discuss their impacts on IoT devices and explore what they mean for the broader security IoT ecosystem.

In this article, we first review the concept of prototype pollution in JavaScript then focus on CVE-2023-45282, a vulnerability in Open MCT front-end application.

In this post we will explore the "First Contact Safety Tip" anti-phishing measure employed by Microsoft 365 as well as how it can be bypassed.

I decided to learn how Gem::SafeMarshal works and take on the challenge of breaking it to execute arbitrary commands.

In this article we will demonstrate hos to test an app's security without jailbreaking by using developer tools to gain debugging privileges and bypass FairPlay DRM.

In this article, I'm explaining the ROP chain method for a 64 bit architecture, as there aren't so many resources available to explain ROP Chain in 64 Bit Architecture easily.

ASLR stands for "Address space layout randomization" and is designed to prevent the buffer overflow attacks. This article explains how to overcome this mechanism by bruteforcing the base address of libc.

In this post, I show how we exploited SMBGhost, an integer overflow vulnerability in the SMBv3.1.1 message decompression routine, to accomplish RCE, defeating limitations and mitigations.

In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing - just like any identity provider implementing OpenID Connect device code authentication. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.