Ever failed. No matter. Try again. Fail again. Fail better.
Starred Articles
This short article details the Unicode overflow technique used to bypass application security filters.
World's First MIDI Shellcode
01/05/2025
I gained remote code execution via MIDI messages to trick my synth into playing Bad Apple on its LCD. This blog post is about my journey with this reverse engineering project.
Fun with Timing Attacks
03/09/2024
In this article, we explain how timing attacks work, using a function that checks if a user input matches a secret as an example. We will demonstrate how an attacker can guess a secret by timing multiple calls to the function and analyzing the results.
Flickr's API Signature Forgery Vulnerability
09/14/2009
We describe a vulnerability in Flickr's signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send arbitrary valid requests on behalf of any application using Flickr's API.
New Articles
Microsoft OneDrive is the most widely used cloud storage service, thanks to its default integration in Windows and its enterprise adoption via Microsoft 365. Understanding OneDrive forensic artifacts is crucial for investigations involving data exfiltration, insider threats, or deleted cloud files.
Microsoft OneDrive for Business is a powerful enterprise cloud storage solution, distinct from the personal OneDrive available by default on Windows. With Microsoft 365 integration, extensive logging, and advanced security controls, it provides rich forensic opportunities for investigators.
In this fourth part of the series, we will use YARA to hunt for malware indicators. We will write basic rules, execute targeted searches and come to understand that hunting is not done by randomly clicking around but is a well-thought-out, deliberate process.
In this article we will see how to integrate YARA with frameworks like the Cuckoo Sandbox or Python's PE module to make your YARA rules far more capable.
In this article, we will look at yarGen and its role in creating precise YARA rules tailored to specific threats.
By leveraging tools like Sysmon and YARA, cybersecurity analysts can effectively detect and respond to malicious activities, even when attackers use advanced techniques like obfuscation or sandbox evasion.
In this article, we explain hidden text salting, a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include characters in the HTML source of an email that are not visually recognizable.
This blog delves into how attackers can use overprovisioned permissions like User.DeleteRestore.All. By strategically deleting and restoring user accounts, attackers can disrupt operations, evade detection, and establish long-term persistence.
Exploring WinRM plugins for lateral movement
01/20/2025
In this blog, we explore how to leverage WinRM plugins to perform lateral movement to other systems. We also take a look at how the CIM_LogicFile WMI class can be used to bypass some tricky detections by Microsoft Defender.
In this blog, we will explore which functions generate the hardware-breakpoint-abuse ETW events, examine them with a kernel debugger, and present an alternative method to set up hardware breakpoints for hooking functionality without creating the same ETW TI events.
This blog post provides an overview of the supply chain attack, detailing the targeted phishing attacks and the malicious code added to the compromised extensions. Additionally, it shares insights into the adversary's infrastructure, as well as recommendations for remediation and Indicators of Compromise (IoCs).
ESXi ransomware attacks target virtualized infrastructures using SSH tunneling to remain undetected. In this article, we will detail the techniques, forensic insights, and actionable defense strategies to protect your ESXi appliances from evolving threats.
In this article, I write about the series of vulnerabilities that I found in Git-related projects, leading to credential leaks. As we will see, text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue.
Get FortiRekt, I Am The Super_Admin Now
01/27/2025
A vulnerability resides in the FortiOS jsconsole functionality, a GUI feature for executing CLI commands inside the management interface. Specifically, the weakness in this functionality allowed attackers to add a new administrative account.
Debugging An Undebuggable App
01/20/2025
It's not uncommon for iOS apps to include additional protections to keep prying eyes away, like jailbreak detection or code obfuscation. Let's take a look at each of these protections one by one, and figure out how to circumvent them.
We have been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a "magic packet", sent by the attacker in TCP traffic. In this article, we provide technical details of these packets.
CVE-2024-26230: Windows Telephony Service
01/24/2025
CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. In this blog post, we will take an in-depth look at how this vulnerability works, how it can be exploited, and the mitigation strategies that can help defend against it.
SUSCTL: CVE-2024-54507
01/23/2025
We detail CVE-2024-54507, a memory leak vulnerability in the macOS kernel, caused by an integer type confusion in the XNU kernel at sysctl load.
In this article, we present a technique for performing Kerberos relaying over HTTP by abusing local name resolution poisoning. We then propose a concrete implementation using the Responder and krbrelayx tools.
Process Hollowing on Windows 11 24H2
01/27/2025
Process Hollowing (a.k.a. RunPE) is probably the oldest and most popular process impersonation technique. On Windows 11 24H2, loading of the PE now gets interrupted. In this short blog I describe my findings, in the hope that they will help other people who have experienced the same issue.
SparkRAT malware provides a modular design, a web-based user interface, and cross-platform support for Windows, macOS, and Linux systems. In this post, we will share techniques for detecting SparkRAT servers in the wild, and examine an extension of a suspected DPRK campaign targeting macOS users.
Exploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generators
01/27/2025
In this article, we will dive deep into the implications of processing unsanitized user-controllable input in PDF generators, how we can exploit these features and escalate our initial findings for more impact.
Best practices for key derivation
01/28/2025
This post covers best practices for using Key Derivation Functions (KDFs), including specialized scenarios that require careful treatment of key derivation to achieve the desired security properties.
Xloader is a malware family with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. This first part of the series will cover the malware's latest obfuscation techniques to evade detection and hinder analysis.
This blog post covers a recently identified security vulnerability in the Wind River VxWorks operating system. The vulnerability lies in the use of a weak password hashing algorithm that is prone to collisions.
CVE-2024-49138 covers 2 heap overflow vulnerabilities in Windows clfs.sys. In this first article we will detail and write a PoC for a vulnerability located in the LoadContainerQ() function.
In this second article, we will focus on another heap overflow vulnerability covered by CVE-2024-49138, located in the WriteMetadataBlock() function of Windows clfs.sys. We will also detail the steps to write a functioning PoC.
Yeti is a Forensic Intelligence platform and pipeline for DFIR teams. In this blog post, I will detail 2 security flaws that, if used in conjunction, could lead to unauthenticated remote code execution on the application server. These vulnerabilities are an SSTI (CVE-2024-46507) and the use of a static, insecure secret (CVE-2024-46508).
In this article we provide a detailed walkthrough of modifying the PKINIT implementation in Certipy to evade Microsoft Defender for Identity (MDI) detections by changing the encryption types advertised in the AS-REQ messages.
The RDP bitmap cache can provide valuable context to an investigation. Reconstructed screen fragments can uncover concrete actions that are not logged or directly evident from the analysis of other sources (e.g., Windows event logs).
In this blog post we will explore the possibility of abusing Docker's API to achieve a 1-click RCE chain.
The Content-Security-Policy is used to protect applications against content injections such as XSS and HTML injections. This post will demonstrate that content injections can still be exploited even with a Content-Security-Policy in place.
DOMPurify 3.2.3 Bypass (Non-Default Config)
01/29/2025
I found a bypass in DOMPurify which allows sanitized HTML to cause XSS. It relies on a trick that makes it possible to have both comments and HTML elements in the <style> tag in which the anchor tag is mutated.
Monitor For New Actions In Sentinel And MDE
01/30/2025
This blog will explain and share a solution to get weekly reports on all the newly logged actions in Sentinel and Defender For Endpoint that are found in your tenant. This proactive approach helps to understand your data and enables organizations to identify patterns, anomalies, and potential indicators of compromise.
The NetAlertX web component is developed in a combination of PHP and Python and can be deployed in a Docker container. In this blog post, I will be discussing 2 vulnerabilities: an unauthenticated command injection (CVE-2024-46506) and an unauthenticated file read (CVE-2024-48766).
This blog post gives a short overview of how custom queries can be used to get the most out of BloodHound. We will specifically focus on finding particular configurations such as inactive objects, cross-domain group memberships, local admin rights, protected users and paths to untagged Tier Zero.
In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks.
Still Recent
In this article, we first detail the WebAssembly types, then investigate and provide PoC for some vulnerabilities (CVE-2024-2887, CVE-2024-6100, CVE-2024-8194) exploiting WebAssembly type confusion in JavaScript engines.
In this article, I will provide a brief overview of the Windows Package Manager - WinGet. Following that, I will demonstrate how to use WinGet as a transit station to execute living off the land PowerShell scripts.
We detail CVE-2024-54887, a MIPS buffer overflow exploited with ROP in the TP-Link TL-WR940N router.
Make Bloodhound Cool Again: Migrating Custom Queries from Legacy BloodHound to BloodHound CE
01/05/2025
Migrating custom queries from the legacy BloodHound to the new BloodHound Community Edition (CE) can seem daunting, but with the right steps, it can be a smooth process. In this post, we'll walk through the steps to download, transform, and upload your custom queries to BloodHound CE.
By exploring concepts like chunk metadata manipulation, wraparound calculations, and malloc hook exploitation, we highlight the foundational principles of heap exploitation. Although techniques like the House of Force are no longer effective in many modern systems, they serve as a stepping stone for understanding more advanced and creative exploitation methods.
This article is all about the importance of testing and examining JavaScript files for bug bounty hunters. We will guide you on what exactly to look for and provide examples of the most common vulnerabilities (and patterns that lead to vulnerabilities) in JavaScript files.
Abusing AD-DACL: AddSelf
01/08/2025
In this post, we will explore the exploitation of Discretionary Access Control Lists (DACLs) using the AddSelf permission in Active Directory environments. By exploiting this misconfiguration, attackers can escalate privileges by adding themselves to privileged groups like Domain Admins or Backup Operators.
Oldies but Goodies
We introduce Brainstorm, a web fuzzing tool that combines local LLM models and ffuf to optimize directory and file discovery. It combines traditional web fuzzing techniques (as implemented in ffuf) with AI-powered path generation to discover hidden endpoints, files, and directories in web applications.
We detail a vulnerability in Apigee, a Google API management platform. The vulnerability lies in how Apigee manages custom code execution across different policies, as it creates an unexpected path to bypass sandbox restrictions. Exploitation of the vulnerability can lead to system compromise or data exfiltration.
The goal of this first of two blog posts is to provide a general technical overview of Bluetooth Auracast. As we are mainly interested in the security of the protocol, the post will be from a security researcher's perspective.