Security Review #240

This article and proof-of-concept demonstrate that it is possible to compromise and remotely control ChatGPT instances through prompt injection, effectively establishing the foundational elements of a novel kind of botnet.

Real-world applications often impose restrictions on file uploads to ensure security. In this post, we'll explore how to bypass some of these mechanisms to achieve the same goal. We'll cover common file validation methods and how they can be subverted.

In this blog, we explore JavaScriptCore exploitation of an uninitialized memory vulerability, leading to remote command execution. We provide details both on x86-64 architecture and arm64, overcoming a mitigation in the last one.

This article details ways to abuse some of the most popular cloud-based and internally hosted platforms used by enterprises such as BigML, Azure Machine Learning and Google Cloud Vertex AI. These attack scenarios will include data poisoning, data extraction and model extraction.

This article unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications.

In this article, we will be covering on how to hunt for blind cross-site scripting (XSS) vulnerabilities, including setting up the required tooling to help you find and get notified of this specific XSS type.

We'll now be exploiting a Write What Where vulnerability on Windows 7 (x86) then proceed to adapt what we learn to Windows 11 (x64). Arguably this is one of the most powerful types of vulnerabilities - which personally, I prefer to call an Arbitrary Write.

In this article, we're going to look at CVE-2024-4367, a serious vulnerability in PDF.js that allows attackers to run arbitrary JavaScript code.

In this article, I'll share some methods to find the origin IP of any website protected by a Web Application Firewall (WAF).

This article takes a look at an open source forensic analysis tool for Android mobile devices known as ALEAPP, and provides basic user guidance.

Services can be a target for attackers if they can exploit vulnerabilities, abuse misconfigurations, or manipulate legitimate services to establish persistence or escalate privileges on the system. As such, incident responders need to have a pre-established baseline to detect anomalies and locate artefacts related to service abuse.

Autostart scripts are commands or scripts executed automatically during system boot or user login. They play a critical role in streamlining the startup process of applications and utilities, ensuring essential components are operational without manual intervention.

Proper analysis of application artefacts enables forensic investigators to reconstruct events, identify anomalies, and evaluate the impact of an incident. This guide outlines common application artefacts and methodologies to effectively analyze them.

Logs are like the treasure maps of Linux. They guide system administrators and security analysts through the labyrinth of errors, events, and activities. By the time you're done with this part, you'll feel like Indiana Jones - except your artifacts are log files, and your whip is a terminal command.

In this post, we'll explore User Logging with Syslog and how you can use it to solve system mysteries faster than Sherlock Holmes.

Audit is a powerful tool that enhances the security posture of a Linux system by monitoring and logging detailed events, such as file access, user logins, and process executions. It is the user-space component of the Linux Auditing System, providing granular insights into system activities.

Application logs provide information about client requests and server responses for web servers like Apache2. For databases, application logs will include information about database queries and responses. In this task, we'll explore how to manage and analyze application logs using Apache2 as an example.

We tested how to use unified logs to track SSH connection activities effectively, even in the absence of traditional system log files. This blog documents our findings and the tools we used to make the process more straightforward.

We discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution.

In this article, we'll take you on a journey through the Windows Component Object Model, create our own event handlers, and learn about the Windows graphical representation tree, among other things.

In this post, I'll share how I created a layered C2 setup using Sliver and NGINX Proxy Manager, with an extra layer of protection and anonymity provided by Cloudflare. Additionally, I obfuscated and hardened Sliver's network traffic to bypass NDR, IDS/IPS, and other network monitoring tools.

In this article, we will explore why old domains and reclassification are effective, what security mechanisms they bypass, and provide a step-by-step hands-on practical implementation for building and testing your bypass infrastructure.

In this post, we'll walk you through how we exploited two vulnerabilities in Sonatype Nexus Repository 3, from initial access to the ultimate discovery of CVE-2024-5764. Buckle up as we dive into the details and reveal how these critical missteps can expose environments to serious risk.

In this post we're going to focus on some ADFS internals. We'll be staying clear of the SAML areas which have been beaten to death, and instead we're going to look at OAuth2, and how it underpins the analogues to Entra ID security features like Device Registration and Primary Refresh Tokens.

We decided to perform a vulnerability research activity on the SMB3 Kernel Server (ksmbd), a component of the Linux kernel. We identified multiple security issues, three of which are described in this post. These vulnerabilities share a common trait - they can be exploited without authentication during the session setup phase.

Lockbit 4 has two versions, Black and Green, In this article we will analyze the green version. I will focus on the aspects I find most intriguing, particularly how the malware attempts to evade detection, rather than delving deeply into the ransomware encryption process.

We discuss a vulnerability in Ivanti Connect Secure, identified as CVE-2025-0282. This vulnerability is a pre-authentication stack-based buffer overflow, allowing remote code execution (RCE).

In this article, we we will be learning about Type Confusions. we will begin exploiting a new flaw against the Windows 7 (x86) kernel to get a solid foundation on how the vulnerability occurs.

We perform a technical analysis of the Banshee macOS stealer, using the same string encryption algorithm Apple uses in its Xprotect antivirus engine for MacOS, and distributed through malicious GitHub repositories.

We tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing.

IOCONTROL has been used to attack IoT and SCADA/OT devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more. Our analysis of IOCONTROL includes an in-depth look at the malware's capabilities and unique communication channels to the attackers' command-and-control infrastructure.

Meduza Stealer is an emerging malware threat known for its ability to harvest sensitive data from infected systems. In this blog, we analyze multiple variants of the Meduza Stealer malware to identify its MITRE ATT&CK tactics, techniques, and procedures (TTPs).

In this writeup, I will go through the different challenges I experienced while trying to deobfuscate a recent variant of the Lumma stealer, and how I overcame them.

In this article, we explain how Conditional Access Policies (CAPs) are used to enforce specific Intune authentication requirements and details the discovery process of a bypass method, including the use of a tool called TokenSmith, which can generate Entra ID access and refresh tokens.

In this post, I'll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.

CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys, making it possible to override privileges and escalate privileges to NT AUTHORITY\SYSTEM.

Dive into the complexities of AWS IAM credentials and uncover how defenders can stay ahead with in-depth knowledge of SDK behaviors and service-specific mechanisms.

The "cache stuffing" technique allows to clear reserved GitHub Actions cache entries and replace them with poisoned entries using a single Cache JWT. I am releasing a proof-of-concept tool. It automates the entire process from within a build. It leaves almost no trace. Meet Cacheract.

In this blog post, we will explore how to design and implement a fully production-ready serverless notification system using AWS services. This architecture will enable various types of notifications to be sent in response to specific events within a system.

In this article, I will analyse a client-side path traversal in Grafana JOSON API plugin and provide insights regarding its impact.

Multiple vulnerabilities have been discovered in the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, such as the Mazda 3 model year 2014-2021. Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges.

In this article we detail all the steps necessary to decrypt Chrome-stored passwords using Python.

Microsoft provides a range of built-in detection mechanisms based on user activity and sign-in behavior analysis. While these tools can offer significant insights, it's important to understand their limitations, potential false positives, and how to effectively investigate suspicious events.

We detail an unauthenticated Remote Code execution vulnerability which existed in FortiSIEM. The vulnerability was assigned with CVE-2023-34992 which existed due to improper neutralization of Special elements that could allow a remote threat actor to execute an unauthenticated OS command injection vulnerability via crafted API requests.

Git's implementation used to rename or delete sections of a configuration file contained a logic error that resulted in improperly treating configuration values longer than a fixed length as containing new sections. This can result in arbitrary configuration injection and may be used to achieve arbitrary code execution.

In this post, I'll explain the REcollapse technique. This technique can be used to perform zero-interaction account takeovers, uncover new bypasses for web application firewalls, and more.