Security Review #257

May 09, 2025

Common programmer thought pattern: there are only three numbers: 0, 1, and n.

— Joel Spolsky

Starred Articles

Drag and Pwnd: Leverage ASCII characters to exploit VS Code

In this post, I'll dive into the forgotten mechanics of ASCII's transport control characters, how they shaped early computing, and how they're now being abused in real-world vulnerabilities affecting modern applications.

MCP: May Cause Pwnage

I penetration tested the model context protocol (MCP) and had some fun breaking it. We ended up hacking a range of things, from cloud infrastructure to crypto.

MCP: Untrusted Servers and Confused Clients, Plus a Sneaky Exploit

We delve into security threats related to the Model Context Protocol (MCP), which allows AI agents to interact with external tools dynamically, and see how MCP servers can control AI client behavior through prompt injection, leading to potential exploits.

A Guide to Using Longitudinal Data Analysis for Improved Identity Threat Detection

Rather than examining only the current state of an entity, such as a user’s level of privilege, Longitudinal Data Analysis (LDA) employs a variety of methods to combine past state with current state to identify anomalous activity or configurations. In this blog, we will focus on how LDA can be leveraged to detect anomalous privilege changes.

New Articles

Heavy USB Forensics

In this blog post, we will delve into USB forensics, covering approximately 95% of the essential knowledge and techniques that a digital forensics examiner would require when investigating USB-related cases.

Application Layer Encryption with Web Crypto API

Application layer encryption can be useful. In such cases, the browser's built-in Web Crypto API provides several efficient encryption and secure random number generation features to JavaScript code.

Creating a Timeline for Linux Triage with fls, mactime, and Plaso (Log2Timeline)

Building a timeline during forensic investigations is super important - it helps you see what happened and when. In this post, I'll walk you through two simple but powerful ways to create timelines: using fls + mactime, and using Plaso / Log2Timeline (psteal, log2timeline, psort).

Cloak and Firewall: Exposing Netsh's Hidden Command Tricks

In this blog, we'll explore how the Windows utility Netsh.exe processes command-line arguments in a way that can lead to unexpected behavior - specifically, how users can execute firewall commands without fully typing out parameters. This Netsh behavior can be abused to evade traditional Netsh process command-line monitoring.

The Ultimate Guide to 403 Forbidden Bypass

In this article we'll break down how 403 errors work, why they occur and share real-world techniques to bypass them, helping you access restricted resources during your bug hunting process.

How I made $64k from deleted files

I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed API keys, tokens, and credentials.

Timestomping in Linux: Techniques, Detection, and Forensic Insights

Timestomping is a technique attackers use to manipulate file timestamps in order to hide their activities. Basically, they change the "last modified", "last accessed", or even "created" dates of files. In this article, we'll see how timestomping works on Linux systems and what you can do to uncover such activity.

The Ultimate Guide to Email Input Field Vulnerability Testing

Email input fields are a critical attack surface in web applications. Attackers often target these fields to exploit vulnerabilities ranging from XSS and SSRF to header injection and business logic flaws. This article provides a detailed methodology for testing email input fields including both foundational and advanced techniques with practical payloads for each scenario.

Windows is and always will be a Potatoland

This blog post will dive into the world of some of the recently published potato techniques that can lead to more serious risks than "just" local Privilege Escalation.

Exploring PLeak: An Algorithmic Method for System Prompt Leakage

What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data.

Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape

We uncovered a vulnerability in macOS (CVE-2025-31191) that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. With the ability to run code unrestricted on the affected device, attackers could perform further malicious actions like elevating privileges, exfiltrating data, and deploying additional payloads.

ShimCache and AmCache Forensic Analysis

ShimCache and AmCache have lots to offer investigators. These artifacts collect metadata on PE files of interest (executed, viewed by user, etc.) and installed applications. As a result, the locations where Windows stores this metadata became key forensic artifacts.

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

We investigate a campaign leveraging an enhanced version of the More_eggs backdoor. We'll provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for remediation, and activity detection rules to counter this threat. 

DLL injection fundamental - Part1

In this first part, we will briefly explain what DLL injections are, how they work, and we will simulate a simple DLL injection with mavinject, a legitimate tool from Microsoft Application Virtualization (App-V), to inject a DLL into a running process (Notepad) using PowerShell.

SysOwned, Your Friendly Support Ticket

We discovered multiple pre-authenticated XML External Entity (XXE) injection vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 and CVE-2025-2778) in SysAid On-Premise, that allow attackers to extract sensitive files, interact with internal services, and potentially escalate privileges.

A Basic Guide to Fuzzing with AFL++ Unicorn Mode

Fuzzing is an essential technique in finding vulnerabilities in software by providing invalid, unexpected data inputs to the targeted application. In this blog post, we will demonstrate how to fuzz a function from a Raspberry Pi Pico-W FreeRTOS firmware using AFL++ Unicorn mode.

The Ultimate Guide to JWT Vulnerabilities and Attacks (with Exploitation Examples)

Throughout this guide, we'll cover the most common - and most dangerous - JWT implementation flaws, how they are exploited, and how to detect or defend against them. We will learn how to exploit and defend against real-world JWT vulnerabilities like algorithm confusion, weak secrets, and kid injection.

Pwning the Ladybird browser

I found a use-after-free (UAF) bug leading to an arbitrary read/write in Ladybird, a relatively new browser engine. This vulnerability provides us with complete control over the renderer and allows us to mess with internal values, craft a fake vtable to gain control flow after a stack pivot, and overwrite stack return pointers to construct a ROP chain.

Unexpected behavior in Snowflake's Cortex AI

In this post, we'll examine how Snowflake’s CORTEX Search Service, a cutting-edge AI-driven search and retrieval tool, could end up exposing sensitive data within your Snowflake user base, even in a secure environment with tightly configured access and masking policies.

CVE-2024-11477 - 7-Zip ZSTD Buffer Overflow Vulnerability

We detail CVE-2024-11477, a heap buffer overflow in the ZStandard (ZSTD) implementation of 7-Zip. The vulnerability is an out-of-bounds read, which, when controlled, leads to an uncontrolled heap buffer overflow.

CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS

An out-of-bounds write vulnerability has been reported in macOS (CVE-2024-44236). A remote attacker could exploit this vulnerability by enticing a victim to open a crafted file. A successful attack may result in code execution on the victim's machine in the context of the running process.

Leaking oAuth Token via Referrer Leakage

We discuss a security vulnerability that allows attackers to steal OAuth tokens via referrer policy overrides in Google Chrome. The attack scenario involves manipulating an OAuth authentication flow, redirecting users to a location with limited HTML injection capabilities, and leveraging Chrome's handling of the Link header to override the referrer policy.

Evidence Collection in Linux Forensics (Disk + Memory Acquisition)

We're going to dive into a super important topic when it comes to Linux forensics - evidence collection. We'll cover the classic tools like dd, dcfldd, and dc3dd, and also talk about modern memory acquisition methods and a very cool script called UAC.

SonicBoom, From Stolen Tokens to Remote Shells

In this post, we're going to be analyzing and reproducing two vulnerabilities that can be chained to execute remote command injection on SonicWall devices. First, CVE-2024-38475, a pre-authentication arbitrary file read in Apache HTTP, and its SonicWall twist. Second, CVE-2023-44221, a post-authentication remote command injection.

Still Recent

Getting Started with AI Hacking: Part 1

This blog post introduces the concept of AI hacking by discussing common attacks for various machine learning systems. The purpose is to help understand that machine learning is not perfect and some of the ways that threat actors might exploit those imperfections.

Kerberos Relay

We discuss Kerberos relay attacks, a method to gain unauthorized access within Active Directory environments. We review the theory behind the attack as well as its limitations. Additionally, we explore some practical scenarios including DNS poisoning, coerced authentication, and multicast poisoning.

Tracing malloc calls with PCode

This post focuses on interacting with PCode from a Ghidra script. In this example, I will explain how to implement a script for flagging suspicious malloc calls based on the use of arithmetic to calculate an allocation size. This coding pattern can commonly lead to a heap buffer overflow.

Smarter Detections - Part 1: Seamless Sigma Integration with Velociraptor

In this post, we'll explore Velociraptor, an endpoint monitoring and digital forensic tool that has native Sigma support. You'll learn how to integrate Sigma seamlessly, schedule automated scans, exclude noisy detections, and push alerts to Copilot (or any other incident management platform).

TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign

We will not only detail how the TROX Stealer installation process works technically, but also reveal the development patterns that demonstrate how this malware was packaged for large-scale deployment. Additionally, we'll examine the distribution mechanisms, including how the attackers leverage urgent messaging to deliver their payload.

Oldies but Goodies

Ollama server is vulnerable to OOM DoS attacks

We discovered a vulnerability in the ollama client that can be triggered when a malicious API server responds to a request with gzip bomb HTTP response. This vulnerability can lead to an Out-Of-Memory (OOM) attack, causing the ollama server to crash.

Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs)

This blog post gives a brief introduction to LLMs and some of their vulnerabilities. We go from start to finish with setting up Microsoft’s PyRIT and using it to attack a Crucible challenge. The purpose is to get you up and running without too much hassle of digging through code or searching the web for how to put the pieces together.

Unearthed Arcana

An Introduction into Sleep Obfuscation

Sleep obfuscation is a really cool technique that has been around for a bit now. The goal of this post is to break down this technique, specifically, the Ekko sleep obfuscation implementation by C5pider, and modify it to bypass the tool Hunt Sleeping Beacons.