Beware of bugs in the above code; I have only proved it correct, not tried it.
Starred Articles
First Tokens: The Achilles' Heel of LLMs
01/10/2025
The article explores the concept of Assistant Prefill, a feature offered by many LLM providers that allows users to prefill the beginning of a model's response to guide its output. While designed for practical purposes, such as enforcing response formats like JSON or XML, it has a critical vulnerability: it can be exploited to bypass safety alignments.
The Art of Linux Kernel Rootkits
01/13/2025
In this article, we detail the concepts and techniques used by kernel rootkits for hooking, hiding and getting persistence. We also review the available detection techniques for defenders.
The (Almost) Forgotten Vulnerable Driver
01/09/2025
This post details how to exploit the StopZilla vulnerable driver in order to bypass LSASS dump protection.
Detecting Abuse of VSCode Remote Tunnels
01/16/2025
In this post we'll take a look at Microsoft VSCode Remote Tunnels, how they're abused by threat actors, and how you can detect their usage.
Silencing the EDR Silencers
10/19/2024
One of the most common ways to "blind" EDRs is to apply firewall rules against the desired EDR applications. In this blog, I'll touch on this technique and discuss how products can protect themselves from this attack.
New Articles
Hijacking Azure Machine Learning Notebooks
01/08/2025
We will cover a method to abuse excessive Storage Account permissions to get code execution in notebooks that run in the Azure Machine Learning service. We will also review a vulnerability in the service that allowed for privilege escalation from the Reader role to code execution in the notebooks.
Misconfigured Argo Workflows may result in a massive supply chain attack. In this blog post, we'll explore the root cause of these misconfigurations, the potential impact and how to deal with them.
We were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application. In this article we'll be diving into both the Thymeleaf templating engine and into the method we used to exploit SSTI in a modern Spring Boot application, specifically focusing on bypassing defenses in newer versions of Spring Boot.
The Gayfemboy botnet recently evolved, leveraging a 0-day vulnerability in Four-Faith industrial routers and unknown vulnerabilities in Neterbit routers and Vimar smart home devices to spread its payloads. This discovery prompted us to conduct an in-depth analysis of this botnet.
In this report, we provide an in-depth analysis of the group's tools. In a surprising discovery, our findings indicate that the development of the group's tools, including the encryptor, was likely AI-assisted, which may have contributed to their rapid iteration despite the author's apparent lack of technical expertise.
Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions
01/13/2025
We discovered a new macOS vulnerability that could allow attackers to bypass Apple's System Integrity Protection (SIP) in macOS by loading third-party kernel extensions. In this blog post, we detail the connection between entitlements and SIP and explain how CVE-2024-44243 could be used to bypass SIP security measures.
Reconnaissance is an important phase in bug bounty and in pentesting in general. In this article, we will be covering 7 overlooked reconnaissance techniques that you can apply to gather more useful data and find more security vulnerabilities.
Analyzing iOS Kernel Panic Logs
01/13/2025
In this blog, we will be talking about analyzing iOS Kernel panic logs. By carefully extracting and analyzing these logs, you can gain valuable insights into the root cause of the Kernel panic. Patterns in crashes and backtraces may help uncover subtle issues that could lead to security exploits or performance bottlenecks.
Due to the improper neutralization of user-controllable input before it is passed for execution, an unauthenticated attacker can send a payload that is executed on the Aviatrix Network Controller.
In this article, we're going to walk through exploitation of CVE-2025-0282, an unauthenticated Remote Code Execution vulnerability in Ivanti's Connect Secure (VPN) appliance.
I will share with you a new TCC bypass vulnerability in the XPC service: CVE-2024-54527. I'm also going to dive into AppleMobileFileIntegrity.kext to correct some misconceptions in the minds of many and talk about the improvements Apple has made to it.
In this post, we'll explore some common vulnerabilities found in REST APIs, real-world examples, and how to mitigate these threats effectively.
Linux Live Analysis - Part 1: An Overview
01/05/2025
This article provides an overview of the key forensics data for a live analysis of a compromised Linux system.
Osquery isn't just a tool. It's the Swiss Army knife of endpoint monitoring, designed to find those sneaky signs of malicious activity, and secure the system.
System profiling is the introduction to investigation. It's the step where you learn everything you can about the system: its users, software, hardware, and current state. In this post, I'll walk you through essential profiling commands that will make you feel like the Linux equivalent of a CSI investigator.
From a forensics point of view, finding out what processes are running on the suspected host and narrowing down the odd-looking ones is crucial. This step helps understand what's happening in the system.
After exploiting and gaining initial access, attackers often focus on maintaining a hidden and continuous foothold to extend their control. This post delves into techniques used by attackers to achieve persistence on Linux systems and provides guidance on how to detect these activities effectively.
In this article, we will combine file system analysis with metadata and checksums to reconstruct an attack timeline and identify the root cause of an intrusion.
In the process of analyzing a compromised Linux system, a critical step involves examining users, groups, directories, and files. This analysis can reveal evidence of lateral movement, privilege escalation, or persistence mechanisms used by an attacker to maintain unauthorized access.
In analyzing compromised Linux systems, focusing on binaries, executables, and rootkits is crucial. Attackers often create or manipulate these elements to maintain access, escalate privileges, or exploit permission misconfigurations. In this article, we delve into key techniques for identifying and analyzing these artifacts.
Intune Attack Paths - Part 1
01/15/2025
This blog post hopefully sets some foundational knowledge to understand Intune attack paths, which are also compelling for the attack paths that emerge connecting Entra/Azure to on-premises Active Directory and vice versa.
In this blog, we will explain how we used QEMU to emulate the relevant system components of Planet Technology Corp's WGS-804HPT Industrial switch, and how it was used to uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device. The vulnerabilities include separate buffer and integer overflow vulnerabilities and an OS command injection flaw.
Memory-related CVEs Exploited in kernelCTF
01/12/2025
There are two vulnerabilities exploited in kernelCTF whose root causes lie in the internal memory subsystem implementation: a race condition vulnerability between remapping and memory advising, and a UAF during stack expansion.
Still Recent
This is a two-part journey to understanding DynamicMethods, and how to leverage them to hide code. In this first part, we will learn how .NET methods are built and executed, and how to create a simple DynamicMethod.
In this second post of the series, we'll explore common problems when dealing with metadata tokens, and how to overcome them and "convert" any method into a DynamicMethod.
Oldies but Goodies
In this article, we detail a Call-Gate issue in ARM architecture: an SMM Supervisor vulnerability that allows privilege escalation to Ring0.
In this blog post, we will analyze CVE-2024-45409, a critical vulnerability impacting Ruby-SAML, OmniAuth-SAML libraries, which effectively affects GitLab. This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled.
In this article, we'll dive into a comprehensive explanation of Spring View Manipulation attacks, dissecting their nature and detailing how we successfully bypassed the defense mechanism in the latest version of Thymeleaf within Spring Boot integrations.
A passkey is a simple and secure way to sign in without having to enter a username or password. It also adds an extra layer of security to protect your account. In this article, you will learn how to configure passkeys in Microsoft Entra ID with Microsoft Authenticator.
In this post, we take a look at Microsoft Dev Tunnels, how they're abused by threat actors, and how you can detect their usage.