What one programmer can do in one month, two programmers can do in two months.
Starred Articles
XSS-Leak: Leaking Cross-Origin Redirects
09/18/2025 In this post, I will introduce XSS-Leak ("Cross-Site-Subdomain Leak"), a technique for Chromium-based browsers that leaks cross-origin redirects, fetch() destinations, and more.
One Token to rule them all
09/17/2025 CVE-2025-55241 is an Entra ID vulnerability that allows compromising every Entra ID tenant. The vulnerability consists of two components: undocumented impersonation tokens used for backend service-to-service (S2S) communication, and a vulnerability in the Azure AD Graph API that did not properly validate the originating tenant, allowing these tokens to be used for cross-tenant access.
On modern versions of Windows, LSASS is protected by PPL: you cannot interact with the memory area of this process unless you have kernel privileges or are also a process protected by PPL. In this article, I will exploit a tool from an older version of Windows, WerFaultSecure.exe, to steal the memory area of the LSA process on the latest version of Windows 11.
Predictable hostnames can be exploited with malicious ADIDNS records to take control of hosts added to the domain at a later date. This is made possible by the default permissions every domain user has over the creation of arbitrary DNS records and the way these records translate to dnsNode objects.
COMouflage
09/06/2025 We introduce an injection technique that leverages the Component Object Model (COM) and DLL Surrogate processes for stealthy code execution. This technique exploits the surrogate hosting capabilities to achieve process injection with several operational advantages, including parent process masquerading and reduced detection footprint.
New Articles
Detecting Kerberos and other AD attacks
09/12/2025 We look at a couple of examples of Active Directory attacks, starting with Kerberoasting. For each attack, we'll explain what the attack is, provide an example of attacker tools and commands you can use to replicate the attack, and then show how Deception can provide early and high-fidelity detection of these attacks.
I detail how I managed to exploit an SQL injection on an application protected by a Cloudflare WAF. Instead of fighting the WAF head-on, I decided to go around it. My goal was to find the origin IP, bypass the WAF completely, confirm the vulnerability, and retrieve sensitive data for proof of concept.
CVE-2025-21692 nday writeup
09/14/2025 In this post, I'll go over the process I went through turning an out-of-bounds read vulnerability in the Linux kernel (CVE-2025-21692) into a valuable write primitive, then turning that into RCE.
We discovered HybridPetya, a copycat of the infamous Petya/NotPetya malware that adds the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
Stupid Simple: Windows Data Exfiltration
09/08/2025 In this blog, I'm going to show you a few overlooked native tools that an attacker can use to exfiltrate data out of your network.
By intercepting and relaying WSUS authentication flows, it's possible to capture NTLM hashes from both user and machine accounts, turning routine update traffic into an opportunity for credential theft and relay attacks. In this post, I'll show how to identify WSUS traffic, and demonstrate how HTTP/S WSUS endpoints can be abused.
AWSDoor: Persistence on AWS
09/11/2025 In this article, we'll explore the concept of access persistence in AWS, dissecting the techniques adversaries can use to hide themselves within a cloud environment.
This second part focuses on registry-based Windows persistence with AppInit DLLs, LSASS packages, Winlogon hijacks, and Office keys. These methods survive reboots.
The bitpixie vulnerability in Windows Boot Manager is caused by a flaw in the PXE soft reboot feature, whereby the BitLocker key is not erased from memory. This enables attackers to bypass BitLocker encryption, which could grant them administrative access. We also show that privilege escalation is possible if a BitLocker PIN is set and the attacker knows the PIN.
Dirty Pagetable is a powerful exploitation technique that targets heap vulnerabilities in the Linux kernel. The idea is to overlap a freed object with a page table entry (PTE), letting the attacker directly manipulate the page table. This provides strong control over physical memory and allows bypassing critical security mechanisms such as KASLR, SMAP, and SMEP.
Supabase Security Best Practices
09/09/2025 A cheatsheet to harden Supabase with clear steps for RLS, schemas, Edge Functions, Storage, CORS and tokens.
Extraction of Synology encrypted archives
09/16/2025 This article features the reverse engineering of Synology encrypted archives extraction libraries and the release of a script able to decrypt these archives.
Get Me All That Info With the Tap!
09/10/2025 I will share the technique I use with Wireshark to gain access to the information that is contained within the packets generated by secure network protocols including HTTPS, TCP, TLSv1.2, TLSv1.3 and other secure protocols.
The .NET MAUI apps on macOS do not enforce library validation for managed assemblies in the MonoBundle directory. This behavior effectively bypasses the Hardened Runtime protection mechanism. Consequently, these applications are vulnerable to code injection through DLL modification, even when signed with the Hardened Runtime flag.
We provide a technical analysis of tools deployed by a threat actor: Rust Loader and PureHVNC RAT. Additionally, we delve into the ecosystem built by the malicious actor PureCoder.
Unknown Malware Using Azure Functions as C2
09/07/2025 We provide a technical analysis of malware targeting a Palo Alto executable, leveraging DLL side-loading, payload obfuscation and Azure serverless functions as a command-and-control channel.
ToneShell is a lightweight backdoor typically delivered via DLL sideloading inside compressed archives with legitimate signed executables and often spread through cloud-hosted lures. This blog is a technical analysis of a variant of the backdoor implementing new anti-analysis techniques.
In this article, I detail how JavaScript makes it possible to get rid of parentheses and semicolons, and how payloads can be built that way to evade detection from Web Application Firewalls.
Several recent high-impact campaigns have combined credential phishing and malware delivery. In this article, we review four possible methods of delivering both credential phishing and malware.
From Spotlight to Apple Intelligence
09/15/2025 Spotlight plugins provide the means to extract file metadata and contents to facilitate indexing and searching on macOS. In this article, we present a 0-day that leverages a bug that can be exploited from a Spotlight plugin, even on macOS Tahoe, to access TCC-protected files, including sensitive databases that log user and system behaviors that can power Apple's AI features.
I detail my journey in chaining 2 vulnerabilities in ksmdb to obtain a Remote Command Execution on Linux.
An analysis of the Gentlemen ransomware, which employs advanced, adaptive tactics, techniques, and procedures. It is distinguished by its use of custom-built tools for defense evasion, its ability to study and adapt to deployed security software, and its methodical abuse of both legitimate and vulnerable system components to subvert layered enterprise defenses.
Technical Analysis of kkRAT
09/10/2025 We provide a technical analysis of kkRAT, a RAT that provides remote access, disables antivirus and EDRs, and proxies network traffic.
Yurei the New Ransomware Group on the Scene
09/12/2025 A technical analysis of the Yurei ransomware, derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go.
Dissecting DCOM - Part 1
09/15/2025 This article aims to give an introduction to the base principles of the COM and DCOM protocols as well as a detailed network analysis of DCOM.
Weaponizing macOS auditd
09/11/2025 I detail how to use the macOS auditd persistence technique as the starting point of an execution chain that would result in the execution of a reflective loader.
Playing with HTTP/2 CONNECT
09/15/2025 HTTP/2's CONNECT method transforms a single connection into a conduit for multiple, independent tunnels. This offers a highly efficient way to multiplex connections, enabling applications like port scanning or, because this traffic is encapsulated within a standard HTTP/2 stream, bypassing network inspection tools.
A technical walkthrough of discovery, exploitation, and remediation of CVE-2025-9961, a stack-based buffer overflow in the CWMP binary of TP-Link routers. By brute-forcing and performing ret2libc attacks, we achieve code execution despite ASLR protections.
CastleBot: YARA Rule for Core Backdoor
09/09/2025 We explain how we built a YARA rule to detect CastleBot, focusing on the core backdoor stage.
A Cloudy Day for Security - Part 2
09/08/2025 In this series we look at securely integrating GitHub Actions with Azure using OIDC. This second post is focused purely on the integration with Azure.
Recently, I came across an app protected by RASP. Every time I attached Frida at runtime, the app would immediately crash. That pushed me to focus more on static analysis with Ghidra and symbolic execution with angr to decrypt some strings used in one of the native libraries. In this post, I’ll focus on a simpler case where we statically decrypt strings using angr and Ghidra.
The browser-service on WebOS TV opens port 18888 when a USB storage device is connected to the TV, allowing peer devices to download files from the /tmp/usb or /tmp/home.office.documentviewer directories via the /getFile?path=… API. However, the application does not validate the path parameter, which allows arbitrary file downloads from the device without authentication.
APT28 Operation Phantom Net Voxel
09/16/2025 An in-depth analysis of Phantom Net Voxel: infection chain, weaponized Office lures, COM-hijack DLL, PNG stego to Covenant Grunt via Koofr, BeardShell on icedrive.
More Fun With WMI
09/18/2025 Win32_Process has been the go-to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability.
Still Recent
Usermode ELF injection on the PlayStation 5
09/03/2025 ELF injection is crucial for developing complex homebrew applications. However, there are a few protections and permission restrictions that prevent simple tasks, such as requesting executable memory pages in user mode. In this post, we'll dive into the available methods to bypass this limitation, how an injection would work, and how to instrument the target process to do everything for us.
In this article we will cover several configuration-based persistence strategies on Windows, ranging from user and registry manipulation to more advanced abuses of Image File Execution Options (IFEO), Global Flags with SilentProcessExit, and WMI event subscriptions.
MeetC2 a.k.a Meeting C2
09/04/2025 We introduce MeetC2, a.k.a. MeetingC2, a cross-platform (macOS/Linux) application that demonstrates how legitimate cloud services can be abused for adversarial operations. By using Google Calendar APIs, the framework creates a hidden communication channel that blends in with normal business traffic.
Vtenext 25.02: A three-way path to RCE
08/12/2025 Multiple vulnerabilities in vtenext allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
Code auditing 101
08/02/2025 This post explores the evolution from manual code review to automated security testing, covering how SAST tools work, taint analysis and data flow tracking, sink-to-source vs source-to-sink methodologies, mitigation strategies, dealing with false positives, implementing SAST tools at scale, and the complementary relationship between manual and automated testing.
Reversing for dummies
09/01/2025 This straight-to-the-point article only contains the essential stuff that you encounter the most when reversing, albeit missing crucial details for the sake of brevity, and comes up with examples/ideas/projects to practice on. The goal is to hopefully guide an aspiring reverse engineer and arouse motivation towards learning more about this seemingly elusive passion.
Early Exception Handling
08/17/2025 In this post, I explain how to implement an early exception handler for hooking and threadless process injection without relying on VEH or SEH. I provide two simple, and obvious, examples of how we can implement this to achieve common offensive functionalities.
Oldies but Goodies
In this article, we detail how to update a table of a PostgreSQL database directly by altering the underlying filenode.
PostgreSQL SQL injection: SELECT only RCE
11/20/2023 In this article I detail the technique I used to get a Remote Command Execution on a PostgreSQL database without the need for stacked commands and only relying on SELECT statements.
Keeping Secrets Out of Logs
08/02/2024 This post is about how to keep secrets out of logs. Although there is no silver bullet, I will detail 10 techniques that can still give us a really good chance at succeeding. My hope is that by the end, you'll have a slightly better framework for how to reason about this problem and some new ideas to add to your kit.
Unearthed Arcana
The Art of Self-Mutating Malware
04/11/2022 In this post we talk about writing self-mutating malware, how to build your own polymorphic engine, and a bit on metamorphic code too. Self-mutation in malware represents one of the most elegant solutions to the detection problem. Instead of hiding what you are, you become something different each time you reproduce. It's digital evolution in its purest form.
Vulnerability discovery in Java applications
10/21/2021 In this post, we will analyze the WebGoat application, which is written in Java, to discover some vulnerabilities in the source code and then write an exploit using Python.
Direct Syscalls in Beacon Object Files
12/26/2020 In this post we will explore the use of direct system calls within Cobalt Strike Beacon Object Files (BOF). We will explain how direct system calls can be used in Cobalt Strike BOF to circumvent typical AV and EDR detections, and provide Proof-of-Concept BOF code which can be used to enable WDigest credential caching and circumvent Credential Guard by patching LSASS process memory.