'Sorry' is the little brother of 'Don't make (such) a fuss about it!'
Starred Articles
We investigate how malicious prompts can leverage ANSI control characters to interfere with operating system terminal behavior.
UDRL, SleepMask, and BeaconGate
11/30/2024 The aim of this post is to provide a concise overview of Cobalt Strike's UDRL, SleepMask, and BeaconGate features. Each of these features can be used independently to bring custom evasion capabilities to different parts of Beacon, but perhaps more interestingly, they can also interoperate to some degree.
We discovered 10 vulnerabilities in the Ruijie Networks Reyee cloud management platform. The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.
This blog post presents a powerful new DCOM lateral movement attack that allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters. This backdoor-like attack abuses the IMsiServer COM interface by reversing its internals.
New Articles
In this article, I explain how I could compromise the sysupgrade.openwrt.org service by exploiting the command injection and the SHA-256 collision. As I never found the hash collision attack in a real-world application, I was surprised that I could successfully exploit it by brute-forcing hashes.
An attacker appears to have compromised the CI of Ultralytics, a very popular machine learning package, and then pivoted to making a malicious PyPI release. In this article, we provide insight into the incident and the malicious versions of the package.
This article explains how to interact with the network stack of the Linux kernel in Rust, in order to detect and block suspicious network activity.
In this article, I introduce two methods for leveraging Logback configuration to achieve Remote Code Execution (RCE) in Spring Boot applications. These techniques are effective on the latest version of Spring Boot, with the second approach requiring no additional dependencies.
Linux Kernel ICMPv6 & CVE-2023-6200
12/04/2024 CVE-2023-6200 is a race condition vulnerability within the Linux kernel ICMPv6 subsystem. There is limited information available about this vulnerability, so I analyzed it as practice to learn how to identify this kind of bug.
This second part of the series focuses on how memory should be acquired, what tools are available, and the different ways to acquire volatile data from a system.
In this article, I want to focus on a well-documented technique that attackers are actively using to establish persistence in AWS: the abuse of the GetFederationToken API.
In this discussion, I'll be diving into container drift detection, specifically analyzing container drift from a forensics perspective, with a focus on OverlayFS.
In this article we will adopt the "Immutable Artifacts" methodology to detect artifacts of enabling/disabling RDP connections on a Windows machine.
In this write-up I want to document and talk about 3 new events that are provided in the Threat-Intelligence (TI) ETW Provider. With these events defenders have a good way of picking up on token impersonation attacks. However, there are some caveats that should be mentioned about these events.
We discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. The malware injects a malicious external script into the theme's header.php file, leading to harmful consequences for site owners and visitors.
DOMPurify 3.2.1 Bypass (Non-Default Config)
12/08/2024 In this blog, we discuss a config-dependent DOMPurify bypass, from an interesting namespace confusion trick to the mishandling of the is attribute.
DOM Purify - dirty namespace bypass
12/09/2024 In this article, I want to talk about a method for bypassing DOMPurify when it is used for sanitizing SVG files.
This blog post is intended to share insights about the attack surface of Single-Page Applications integrated with Azure, aid technology professionals in securing their Azure environments, and serve as a guide for enumerating Azure tenants.
This blog post details two vulnerabilities in Cortex XDR Agent that can be exploited by a low privileged user. CVE-2024-5907 is a Local Privilege Escalation vulnerability, and CVE-2024-9469 enables a local Windows user to disable the agent.
This article dives into CVE-2024-50623, an RCE in Cleo MFT software. We will see what exactly the vulnerability is, whether it has been properly patched, and what administrators of affected servers should do.
Messenger Group Call DoS for iOS
12/11/2024 This write-up aims to illustrate the process of discovering a denial-of-service (DoS) bug that affects Messenger for iOS.
A look into how an unexpectedly weak PRNG in Dart led to the discovery of multiple vulnerabilities: an arbitrary file write, attacks against wallet and backup security, and predictable passwords.
Our goal was to reverse the patch for CVE-2024-8534, a Denial of Service vulnerability on Citrix Netscaler RDP Proxy, and see if the memory corruption could lead to anything more serious than just denial of service.
We uncovered several vulnerabilities and security flaws within the Prometheus ecosystem. These findings span across three major areas: information disclosure, denial-of-service (DoS), and code execution. We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys.
In this second part, we will review a vulnerability (CVE-2024-40855) which allows someone to escape the sandbox and also fully bypass TCC by being able to mount over the user's TCC directory. This was possible by performing a directory traversal attack on diskarbitrationd.
Still Recent
Azure CLI Token Leak
11/20/2024 Azure CLI was vulnerable to a registry server confusion attack in its Azure Container Registry (ACR) module. If an attacker controls the value of the registry name, they can leak the token of the principal, effectively giving access to all Azure resources that the principal has access to.
OtterRoot: Netfilter Universal Root 1-day
11/25/2024 In this post, I'll discuss how I exploited a 1-day to obtain 0-day-like LPE/container escape capabilities for around two months by quickly abusing the patch gap to write an exploit before the fix could go downstream. I'll also share my journey analyzing the patch to understand the bug, and how I developed a universal exploit to target mainstream distros.
Exploiting KsecDD through Server Silos
11/11/2024 We investigate a new admin-to-kernel technique based on the Windows driver KsecDD, implementing the Kernel Security Support Provider Interface, that can be used by the Local Security Authority Server Service (LSASS) to execute arbitrary kernel code. Our goal is to demonstrate that it is not limited to LSASS.
The availability of NtSystemDebugControl gives privileged users a view of kernel memory, which holds various secrets. This confirms once again that admin-to-kernel (even read-only) techniques can be very interesting from an offensive point of view.
We responded to an incident where the user downloaded a malicious NFT marketplace project named "nft_marketplace-main" from a GitHub repository. Based on our investigation, it was determined that "nft_marketplace-main" was BeaverTail malware.
We responded to an incident where a software developer downloaded a JavaScript project that contained BeaverTail malware. Upon installing the project through the Node Package Manager (NPM) command, it executed malicious JavaScript files and subsequently deployed the InvisibleFerret malware to the host.
Oldies but Goodies
Microsoft Graph activity logs provide a history of all Microsoft Graph API requests. In this blog, we'll go over collection and analysis of these logs and share a few detection/hunting ideas. The goal is to create general awareness of this log source and show how it can be used effectively.
This article discusses the topic of securing the configuration of Kubernetes clusters. My goal is not merely to present a dry list of parameters and ready-made configuration snippets but to provide the reader with a fuller context.
In this first blog of the series, we try to understand the concepts involved in memory management, how memory is managed in Windows, virtual and physical addresses, paging, hibernation, and a lot more.
Unearthed Arcana
Deep-dive to Azure AD device join
03/03/2021 Devices are a crucial part of Microsoft's Zero Trust concept. Devices can be Registered, Joined, or Hybrid Joined to Azure AD. In this blog, I'll explain what these different registration types are, what happens under the hood during the registration, and how to register devices with AADInternals.