Security Review #245

This article details a heap overflow we found in Llama and how we exploited it into a remote code execution.

In this article we identify and exploit a vulnerability in SuiteCRM that allows to bypass application security filter and exploit several SQL injection vulnerabilities (CVE-2024-36408, CVE-2024-36409, CVE-2024-36410, CVE-2024-36411, CVE-2024-36412).

This article details an advanced software supply chain attack we found by targeting a subsidiary of a major company. By leveraging poorly secured Docker images and extracting sensitive tokens, we managed to infiltrate the subsidiary's systems and demonstrated the ability to compromise developers, CI/CD pipelines, and production servers.

Delayed Tool Invocation means that the attacker "pollutes" the chat context with instructions and a trigger action. It is a bit of a social engineering/phishing attack but nevertheless shows that an attacker can trick Gemini to store false information into a user's long-term memories simply by having them interact with a malicious document.

In this blog post, we'll have a glimpse at how PsExec.exe works, we'll write a python script that allows us to act as a legitimate PsExec.exe client and finally, we'll see why zero trust is a core requirement of cybersecurity.

We identified a pattern in the way multiple software projects were retrieving Amazon Machine IDs (AMIs) to create EC2 instances, and discovered how attackers could exploit it. The vulnerable pattern allows anyone that publishes an AMI with a specially crafted name to gain code execution within the vulnerable AWS account.

In this series, we will look for common patterns for the 20+ heap-based buffer overflows vulnerabilities found in Windows Telephony Services. This first part will focus on understanding TAPI and its underlying architecture.

This blog post is about Jooki, an intuitive, screen-free audio player. We will be peeling back the layers of its firmware, finding hidden exploits, a backdoor and unlocking code execution.

In this tutorial we're going back to Stack Overflow. However, this time we'll be encountering an exploit mitigation known as stack cookies or canaries and see how it can be bypassed.

is a well-known Remote Access Trojan (RAT) used by threat actors for espionage, data theft, and system control. In this post, I will perform static and dynamic analysis of a sample, and explore its behavior, obfuscation techniques, and deobfuscation process.

Box is one of the most forensic-friendly cloud storage applications, offering extensive logging, locally cached files, and SQLite databases that track user activity and file metadata. This makes it a goldmine for forensic investigators looking to analyze user interactions, deleted files, and cloud-stored documents.

Metadata is a goldmine of information in digital forensics, offering insights that go far beyond surface-level data. In this article, we will see how tools like Exiftool make it easy to extract and analyze metadata, empowering investigators to solve cases ranging from intellectual property theft to cyberattacks.

We exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution (CVE-2023-6080). An attacker with low-privilege access to a system running the vulnerable version of SysTrack could escalate privileges locally.

In this blog post, we will describe how we leverage capa behavior-detection capabilities and state-of-art Gemini summarization to detect capabilities observed in Android malware. we will showcase a malware sample analysis, explain how capa rules identify and highlighted malicious behaviors and present how Gemini summarizes the highlighted code for security reviews.

LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader that has been operating in the shadows. In this post, we'll break down everything we've uncovered so far (including: list of IoCs, phishing url, IDAPython script etc.).

CVE-2025-23369 is a SAML verification bypass issue in libxml2 which allows a SAML authenticated user to bypass authentication for other accounts.

In this blog, we'll explore what PHP type juggling is, and how attackers can exploit to bypass authentication, manipulate data, and gain unauthorized access. We will work on real-world exploitation scenarios, and provide best practices to prevent it.

We discuss a vulnerability within the HackSysExtremeVulnerableDriver (HEVD) related to a Time-of-Check Time-of-Use (TOCTOU) race condition. We will demonstrate how to trigger the TOCTOU race condition using multiple threads to call DeviceIoControl and switch the buffer size, and provide a full working PoC.

Specific configurations of DOMPurify can lead to a downgrade in sanitization protection, resulting in a full bypass. The goal of this article is to describe the approach to fix the issue and its limitations.

We have discovered a malicious typosquat package in the Go ecosystem, impersonating the widely used BoltDB database module. The malicious package contains a backdoor that enables remote code execution, allowing a threat actor to control infected systems via a command and control (C2) server.

In this guide, I'll walk you through my experience with Ludus and demonstrate how to build a red team lab using this tool - the simplest and most efficient method I've discovered so far. The lab will feature an Active Directory environment (using GOAD) integrated with an XDR/SIEM solution (Wazuh).

In this post, we'll be dissecting CVE-2022-22706 and CVE-2021-39793, two vulnerabilities that affect Mali GPUs, commonly found in many Android devices, and allow unprivileged apps to gain root access.

I discovered an interesting logic vulnerability in the PackageKit framework on macOS that allows for escalating privileges to root, circumventing the Transparency Consent and Control (TCC), and bypassing the System Integrity Protection (SIP).

CVE-2022-35202 is a security issue in Sitevision that allows a remote attacker, in certain (non-default) scenarios, to gain access to the private keys used for signing SAML Authn requests. The underlying issue is a Java keystore that may become accessible and downloadable via WebDAV. This keystore is protected with a low-complexity, auto-generated password.

We discovered two username enumeration vulnerabilities in the AWS Web Console. The findings we'll detail here, result from bugs in Amazon's credential verification software and put all console-enabled IAM users at risk of username enumeration.

When talking about glitches and fault injection, a theoretical hardware is often hypothesized that, due to its speed and precision, would allow to perform a glitch that affects a single bit, but this model is considered an unattainable unicorn. In this article we will start "looking for such unicorn", and check if this type of attack is feasible in pratice.

By chaining XSS with a malicious Service Worker, an attacker can achieve persistent request interception & data exfiltration. Since Service Workers remain active even after the XSS is removed, this technique can be difficult to detect and mitigate.

This is the story of how we discovered a zero-day auth bypass in the PAN-OS management interface (CVE-2025-0108). We will explore a suspicious (and quite common) architecture where authentication is enforced at a proxy later, but then the request is passed through a second layer with different behavior.

In this article, we detail several vulnerabilities in libarchive, used by Windows 11 to support additional compression formats. These include a heap buffer overflow vulnerability in the RAR decompression and arbitrary file write and delete vulnerabilities due to insufficient checks of libarchive's output on Windows.

In this article, we will cover several ways to identify security vulnerabilities in WordPress targets: enumerating outdated instances, exposed configuration files, misconfigured security settings, weak credentials, and exploiting vulnerable WordPress plugins and themes.

We investigate I2PRAT, a multi-stage RAT (Remote Access Trojan). We cover the various techniques identified during its reverse engineering. These techniques range from defense evasion, to privilege escalation, and include dynamic API resolution. We also analyze how it employs the I2P network to anonymise its final Command and Control (C2).

In this blog post we are going to explore how to manually exploit an AD CS ESC15 vulnerable instance when a Domain User has enrolment right for the web server template.

This post covers a novel approach for recovering application source code, leveraging AI language models to transform pseudo-disassembly into high-level source code. This method is able to handle complex abstractions introduced in high-level languages SwiftUI or Dart and generates output in popular programming languages like Swift, C#, Kotlin, Java, Python or even Bash.

In this article, we explore explores the discovery of a vulnerability in the "Network Configuration Operators" group in Active Directory. This group has excessive permissions, including the ability to create subkeys in sensitive registry keys. By exploiting these permissions and leveraging Performance Counters an attacker could run code with elevated privileges.

COM hijacking presents an opportunity to load a malicious DLL into the process. This attack vector allows us to exploit the security product's inherent trust in its own processes. In this post, we will delve into how we exploited this trust in AVG Internet Security (CVE-2024-6510) to gain elevated privileges.

In this post, we detail the first real-world vulnerability discovered by the Big Sleep agent: an exploitable stack buffer underflow in SQLite.

This is a guide to performing white box penetration testing on a JavaScript web application running within a Docker container. In testing a web application vulnerable to prototype pollution, we will demonstrate how to debug JavaScript inside Visual Studio Code in order to track our payloads throughout the code process and learn how security filters can hide vulnerabilities from view.

There are different ways of building your own anti-DDoS rules for iptables. We will be discussing the most effective iptables DDoS protection methods in this comprehensive tutorial.