Your code will eventually have its assumptions challenged and stop working.
Starred Articles
XSSing TypeErrors in Safari
05/30/2025 In this article, we leverage some Safari-specific behaviour to combine a TypeError XSS with eval() in an error handler to execute arbitrary code in the targeted browser.
The built-in "MareBackup" scheduled task is susceptible to a trivial executable search order hijacking, which can be abused by a low-privileged user to gain SYSTEM privileges whenever a vulnerable folder is prepended to the system's PATH environment variable (instead of being appended).
In this paper I will reveal the discovery of wide-spread cases of request tunnelling in applications powered by popular servers including IIS, Azure Front Door and AWS' application load balancer, including the creation of a novel detection technique that combines the recently popularized "Single-Packet Attack" with our ever-trusty HTTP desync techniques.
Understanding & Mitigating BadSuccessor
05/27/2025 Understanding the impact of the BadSuccessor AD attack primitive and mitigating the abuse via targeted Deny ACEs on Organizational Units.
We uncovered a subtle yet critical logging evasion vulnerability within AWS environments - mainly the differing size limitations of individual AWS CloudTrail logs versus the actual content being logged. By exploiting whitespace and other syntactic quirks, an attacker can create valid IAM policies that effectively bypass CloudTrail logging.
New Articles
SSD Advisory
05/20/2025 Multiple Foscam X5 vulnerabilities have been discovered; they allow a remote attacker to trigger code execution in the product.
In this post I provide an overview of the BadSuccessor vulnerability; how I stood up a Windows Server 2025 DC in my existing GOAD domain lab; my .NET-based proof-of-concept development; the Kerberos ticketing challenges I encountered and how I resolved them; and finally detection and mitigation strategies that defenders can adopt to guard against BadSuccessor.
In this blog post, we will explore integer overflows in Windows kernel drivers and cover how arithmetic operations can lead to security vulnerabilities. We will analyze real-world cases, build a custom vulnerable driver, and demonstrate how these flaws can impact memory allocations and system stability.
In this post, I'll walk through the full process of how I found an SSRF and an Account Takeover vulnerability in Grafana (CVE-2025-4123).
tachy0n
05/24/2025 We discuss the tachy0n exploit, a notable 0-day jailbreak for iOS 13.0 through 13.5. Starting from the origin of the exploit, we will dive into technical details and develop our exploitation strategy.
We break down different certificate acquisition methods attackers use, their pros and cons, and how defenders can identify suspicious HTTPS traffic. Key detection techniques include analyzing certificate transparency logs, hunting for anomalies in certificate fields, and using certificate repositories to track domain and IP history.
LDAP enumeration in 2025
05/28/2025 We examine the viability of LDAP enumeration in 2025, considering modern detection mechanisms like Microsoft Defender for Identity (MDI) and Microsoft Defender for Endpoint (MDE), and review various techniques, including obfuscated PowerShell queries, Cobalt Strike's ldapsearch Beacon Object File (BOF), and using Microsoft Excel's OleDB provider for stealthy LDAP queries.
In this post I'll show you how I used OpenAI's o3 model to find CVE-2025-37899, a use-after-free in the handler for the SMB 'logoff' command in the Linux kernel. I found the vulnerability with nothing more complicated than the o3 API - no scaffolding, no agentic frameworks, no tool use.
This is a step-by-step guide on how to unmask suspicious processes.
The DarkForge Labs Blog
05/22/2025 CefSharp is widely embedded in .NET-based Thick-Clients, often without proper hardening or awareness of its security implications. For researchers and red teamers, this creates opportunities for stealthy exploitation, persistence, and even RCE if misconfigurations are identified. In this post, we explore common misconfigurations and attack vectors encountered during testing.
In this post we detail how attackers can abuse the dMSA migration mechanism to impersonate any user in Active Directory, even Domain Admins, because the migration process allows a dMSA to inherit permissions and SPNs from older service accounts.
We investigate Impacket, a tool that enables users to craft custom packets and perform operations at the protocol level, which makes it incredibly useful for tasks like remote command execution, credential harvesting, relay attacks, and Kerberos ticket manipulation.
Android Analysis
05/23/2025 Dive deep into the Android OS and learn how to examine it from a forensics point of view.
In this post, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e., those that allow an attacker to overwrite data within an active hive mapping in memory.
Bypassing MTE with CVE-2025-0072
05/23/2025 In this post, I'll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
In this article, I'll walk you through manual and automated techniques to extract valuable data from GitHub. We'll use filters, dorks and tools: everything you need to perform impactful recon using only open-source intelligence (OSINT).
ViciousTrap
05/22/2025 We analyze ViciousTrap, a newly identified threat that is turning edge devices into honeypots, leveraging mass exploitation of CVE-2023-20118, a vulnerability which affects several Cisco SOHO routers.
We explore how attackers ghost past EDR defenses. We start with a brief overview of major evasion categories (perfect for a quick read by IT managers), then dive deep into the technical rabbit hole of each evasion technique. Along the way, we’ll mention real-world tools, malware, and threat actor tactics.
Finding SSRFs in Azure DevOps - Part 2
05/30/2025 We have found another SSRF vulnerability in Azure DevOps. We then bypassed Microsoft's fix of the vulnerability using DNS rebinding. This blog post outlines how these new SSRFs were identified by analyzing the Azure DevOps source code.
De-obfuscating ALCATRAZ
05/23/2025 The objective of this post is to walk through various obfuscation techniques employed by ALCATRAZ, while highlighting methods to combat these techniques as malware analysts. These techniques include control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks and entrypoint obfuscation.
A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses. In this blog post, we break down how the attack works - from prompt injection to HTML injection - and walk through a real-world end-to-end exploit scenario.
We explore critical security flaws in Volkswagen's My Volkswagen app that could allow unauthorized access to user data and vehicle controls.
Initialization vectors: Extraction, Processing, & Querying Apple Unified Logs from an iOS Device
05/19/2025 The guide explains methods for extracting Apple Unified Logs, including using macOS terminal commands or third-party tools like UFADE and iOS Logs Acquisition Tool.
Entra Connect Sync
05/29/2025 I will describe a handful of actions that should be taken to protect Entra Connect Sync, a neuralgic point of hybrid Microsoft infrastructures, and give some audit and monitoring options.
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass.
This post explores how Volatility 3 works, what Symbol Tables are, and how you can go about creating them.
Threat of TCC Bypasses on macOS
05/26/2025 This article discusses Apple's Transparency, Consent, and Control (TCC) framework on macOS. We detail why TCC isn't just an annoying prompt, but the last line of defense between malware and your private data.
This post walks through how attackers exploit trusted wireless networks using rogue APs, wireless pivots, and legacy protocols to turn secure EAP-TLS deployments into invisible attack surfaces.
An overview of BadUSB, a method that exploits flaws in the design of USB devices, allowing USB devices to be turned into attack tools targeting computers with USB ports.
We explore CVE-2025-20188, a hard-coded JWT vulnerability in Cisco IOS XE WLC that enables unauthenticated file upload and potential RCE, and how to mitigate it.
This blog walks through a practical threat hunting scenario aimed at identifying hidden Command and Control (C2) malware on a Windows Server 2016 system using Elastic SIEM, aligned with MITRE ATT&CK techniques.
Device codes were originally designed to be used to authenticate on TV’s, printers or IoT devices. In this article, we will create a YARA-L detection rule for device code phishing, an attack that involves threat actors abusing the device code authentication flow to trick users and gain unauthorized access.
We discuss how real-world tactics, techniques, and procedures (TTPs) apply to computer-use systems. Specifically, we'll look at ClickFix attacks that have Claude launch a malicious script.
In this blog post, I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate.
Analyzing transmission control protocol (TCP) SYN segments can reveal patterns and anomalies in network traffic, providing insights into potential threats. By focusing on packet headers we explore trends and demonstrate how even limited packet data can yield actionable intelligence without delving into payloads or complex attack patterns.
In this blog post, we take a closer look at a pre-auth Remote Code Execution (RCE) vulnerability affecting vBulletin. The bug stems from the misuse of PHP’s Reflection API within vBulletin's API controller logic. We'll walk through how this API design flaw enables attackers to directly call internal methods that were never meant to be exposed.
Multiple out-of-bounds read and null dereference bugs were identified in Microsoft Defender by using Snapshot Fuzzing with WTF and kAFL/NYX. The bugs can be used to crash the main Defender process as soon as the file is scanned. Most are unpatched, but none appear exploitable for code execution.
Revisiting COM Hijacking
05/28/2025 I’m going to walk through Component Object Model (COM) hijacking. It’s a method that strikes a good balance between stealth and reliability and, as a bonus, you can use it for more than just persistence. I’ll show how I identify opportunities for this technique, as well as how you can use it to load a callback into a process of interest such as Chrome or Edge.
The Ultimate Double-Clickjacking PoC
05/23/2025 Combining a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to beat your Flappy Bird high score.
Master Wireshark tool Like a Pro:
05/26/2025 This article is all about getting comfortable with Wireshark’s GUI and some key features that make your job easier and your analysis sharper.
In this post, we walk through the differences between Amazon Elastic Compute Cloud (Amazon EC2) and EKS clusters on EC2 when responding to security events. By understanding the differences between the two AWS resource types, you can enhance your existing EC2 incident response (IR) automation to include EKS.
We often find information in SharePoint that can be useful for us in later attacks. As part of this we regularly want to download copies of the files, or parts of their contents. In this blog post we will discuss how the Restricted View privilege on SharePoint hampers our goals, and cover some methods at our disposal to circumvent these controls.
Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
05/21/2025 Lumma Stealer (also known as LummaC2) is a malware as a service (MaaS) offering that is capable of stealing data from various browsers and applications such as cryptocurrency wallets and installing other malware. In this post we will perform a technical analysis of the stealer and review its delivery techniques.
"defendnot" bypasses Windows Defender using undocumented APIs. In this article, we review detection strategies and set up robust defenses against this sophisticated evasion technique.
Forensic Analysis of SQLite Databases
05/24/2025 Forensic analysts often encounter SQLite databases during investigations, making it essential to understand their structure and the tools available for analyzing them.
Still Recent
When blackbox testing web apps and APIs, you're often met with the frustrating 401 or 403. However, in a recent analysis of Ivanti EPMM's CVE-2025-4427 and CVE-2025-4428, this very flow of execution inadvertently paved the way to an unauthenticated Remote Code Execution vulnerability in Ivanti EPMM/MobileIron.
In this article, you'll learn how to detect and exploit path traversal in APIs, bypass sanitisation filters using encoding tricks, and escalate to internal path traversal by abusing server-side request forgery (SSRF) vulnerabilities or misconfigured proxies.
Alt Syscalls for Windows 11
05/17/2025 Learn how to implement and reverse-engineer Windows 11's undocumented Alternate Syscalls mechanism in the kernel using Rust. Step-by-step guide covers thunk generation, PspServiceDescriptorGroupTable patching, generic vs. fast paths, and HyperGuard considerations.
We discovered vulnerabilities in Microsoft Bookings that arise from a lack of proper validation, filtering, and sanitization of user-supplied input in the meeting creation and update APIs. This blog post outlines our technical analysis of the vulnerabilities, including proof-of-concept details.
While WSL was designed to empower developers by bringing Linux to Windows, it also opens up new avenues for attackers - and often, these pathways remain undetected by traditional security tools. In this article, I highlight key WSL artifacts that are essential for forensic analysts when investigating such hybrid environments.
In this blog, we examine a denial-of-service (DoS) vulnerability pattern in UDP-based remote services, using Windows Deployment Service (WDS) as a case study. We will demonstrate a remote DoS in WDS with which an attacker can crash your WDS network without authentication or user interaction (0-click).
FriendlyFire BOF: Selective Process Freezing
04/14/2025 We want to find a way to suppress Microsoft Teams' ability to display new messages. The approach taken involved analyzing the process tree, identifying dependencies, and selectively suspending non-essential threads. This document outlines the methodology used, the technical findings, and the final implementation of a proof-of-concept tool that achieves this functionality.
Recently, there have been cases of threat actors utilizing the anonymity and censorship resistance of blockchain technology. This post will examine Etherhide, a technique that uses smart contracts as C&C infrastructures, and introduce cases of its abuse.
Bypassing kASLR via Cache Timing
05/17/2025 I explain a method for bypassing Kernel Address Space Layout Randomization (kASLR) using a cache timing side-channel attack. The article covers the Prefetch Side-Channel technique, which takes advantage of speculative execution and processor cache behaviors.
Digging Tunnels
05/17/2025 This article explores how adversaries use Cloudflared, a legitimate tunneling tool, to maintain unauthorized access in compromised environments, and how these tunnels can be utilized as a strong indicator of compromise when examined at-scale.
This article details the Stealth Syscall Execution technique used to bypass ETW, Sysmon, and EDR detection. This technique relies on call stack spoofing, API hooking, and execution in an isolated kernel thread that is hidden from debuggers.
I'm shedding light on a small yet critical piece of the hacking puzzle: the potential and limitations of USB-based attacks. This article uncovers the truth behind these techniques, exploring whether a normal USB can become a hacking weapon and how it fits into the broader landscape of cybersecurity.
We analyze Remcos RAT, a well-known remote access trojan recognized for its persistence and stealth. It provides attackers with full control over compromised systems, making it a preferred go-to tool for cyber espionage and data theft. In a recent campaign, threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents.
Fast-Flux takes advantage of the operation of the existing domain-based infrastructure to make it difficult to detect threat actors' C2 infrastructure. This post will examine the operation of Fast-Flux technology and how threat actors configure it, along with actual cases of its exploitation.
Oldies but Goodies
This part of the series is about hooking a specific function of the Direct3D library with the goal to cause Counter Strike: Global Offensive to draw additional things on the screen.
WMI Research and Lateral Movement
09/11/2024 In this article, we will go over the WMI technology, the potential attack vectors it opens, some detection pitfalls (from an attacker's perspective), and how we can enumerate the technology for useful capabilities. We will close up with an example of escalating a remote registry write primitive into remote execution.
Among Us is based on the Unity engine. I thought it would be a great idea to identify the impostors right away and without having to guess. We will see how this can be done by injecting code in the engine.
In this post, I'll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I'll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
The idTech3 game engine is most known for being used in games like Quake III Arena, Wolfenstein: ET and Star Wars: Jedi Knight - Jedi Academy. This post teaches you how to create hacks for games that are based on this game engine.
Finding SSRFs in Azure DevOps - Part 1
01/17/2025 We found three SSRF vulnerabilities in Azure DevOps. This blog post outlines the way we identified these vulnerabilities, and demonstrates exploitation techniques using DNS rebinding and CRLF injection.
In this post, we'll explore how minor code modifications can significantly boost evasion and help Sliver bypass EDR, highlighting both the benefits and pitfalls of standing on open source shoulders versus forging your own.
In this article I'll write about implementing several cool cheat features for your favorite game, CS:GO.
From Reverse Engineering to Cheat Development - Part 1: External Game Hacks with AssaultCube
03/01/2025 In this guide, we'll walk step-by-step through the process of building a functional external cheat (ESP/"WallHack" and Aimbot) for the game AssaultCube. We will explore memory structures, overlay rendering, and external aimbot logic.
This second part describes the process and results of the EDR driver security analysis of Palo Alto Cortex using manual analysis and Sophos Intercept X using snapshot fuzzing.
This post describes a DoS vulnerability affecting most Windows EDR agents. The vulnerability is an issue in the handling of already existing objects in the Object Manager's namespace.
This article gives an overview of the attack surface of EDR software and describes the process to search for attack surface on EDR drivers from a low-privileged user.
From Reverse Engineering to Cheat Development - Part 2: Internal Game Hacks with AssaultCube
03/01/2025 In this guide, we'll walk step-by-step through building a fully functional internal cheat for AssaultCube with features like ESP (WallHack), Aimbot, No Recoil, Noclip, Silent Aim, Instant Kill, and more. We will leverage internal DLL injection, function hooking, and in-engine logic control.
In this blog, we detail how Secure Boot and GRUB2 function, explain how the GRUB2 vulnerabilities could have been exploited, and provide information on the vulnerabilities found in other open-source bootloaders.
When it comes to patching certain functions of a binary on ASM level, it’s often performed by modifying the binary itself. This post shows a different approach to accomplish the same thing: Removing game cheat protections using runtime function patching.
Game Hacking - Part 2: Coding A CS:GO Hack
12/31/2023 This post covers creating a hack for the game Counter Strike: Global Offensive. The hack I've developed works in combination with the Linux version of the game; coding a Windows-based hack can however be done with the same methodology and tools.
Unearthed Arcana
In this post, we demonstrate for the first time how defenders can replace their DPAPI backup key, to better defend their organization during or following an Active Directory compromise event. Replacing this key enables defenders to eliminate the ability of threat actors to indefinitely exploit a compromised key, and decrypt users' secrets.
This article will go in depth on how Stand Alone DPAPI works: only local Windows accounts (so no Active Directory nor Microsoft Live) and no TPM. This article will exclusively focus on local User and System DPAPI encryption and provides some in depth cryptographical insights.