Date Content Media
2023-01-14 18:50:48
Counting the transistors in the 8086 processor: it's harder than you might think...Continue reading at Ken Shirriff's blog
2023-01-14 16:50:59
santa-linux: a proof of concept binary authorization system for linux, based on Google's Santa
santa for linux proof-of-concept. This is a proof-of-concept clone of Google's Santa, a binary authorization system for macOS. Kernel: the kernel module hooks calls to the kernel function finalize_exec() using a kprobe pre-handler. Kernel-Daemon Communication (Generic Netlink): the kernel module and daemon components communicate over a Netlink socket using a custom generic netlink protocol. The kernel module registers a new Netlink family and associated handlers for the different commands the protocol understands. The mode is currently hardcoded into the daemon binary and changing the mode requires recompiling the binary....Continue reading at (from /r/netsec)
2023-01-14 13:50:48
Restoring Dyld Memory Loading
Up until recently, we've enjoyed in-memory loading of Mach-O bundles courtesy of dyld and its NSCreateObjectFileImageFromMemory/NSLinkModule API methods. And while these methods still exist today, there is a key difference: memory modules are now persisted to disk. So in this post we'll take a look at just what was changed in dyld, and see what we can do to restore this functionality... hopefully keeping our warez in memory for a little longer....Continue reading at XPN InfoSec Blog
2023-01-13 22:20:59
A Public Git repository & misconfiguration detection tool
...Continue reading at (from /r/netsec)
2023-01-13 17:51:00
Crassus: Windows privilege escalation discovery tool
...but with a twist, as Crassus is utilizing the SysInternals Process Monitor and is parsing raw PML log files. Typical usage is to generate a boot log using Process Monitor and then parse it with Crassus. Examples: parse the Process Monitor boot log saved in boot.PML. If it is installed to a location outside of C:\Program Files, Crassus will uncover several possibilities for privilege escalation. Or simply place the file and investigate the behavior with a new Process Monitor boot log, if you prefer the easier brute force path....Continue reading at (from /r/netsec)
2023-01-13 16:20:59
Clear communication is crucial: why writing effective vulnerability reports matters
Why it is necessary to write a clear report: it is necessary to write a clear report because clear communication is essential for ensuring that the vulnerability is understood and that appropriate action can be taken. A clear report also provides detailed information on how to mitigate the vulnerability, which is crucial for addressing the issue and preventing future attacks. Now that we have established the advantages of a clear report, let’s discuss some things to keep in mind while writing one. So, what are the key components of a clear vulnerability report? I have uploaded a YouTube video regarding the topic of writing a clear report....Continue reading at (from /r/netsec)
2023-01-13 15:20:48
Announcing a stable release of sigstore-python
By William Woodruff. Read the official announcement on the Sigstore blog as well! Trail of Bits is thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! This work has been graciously funded by Google’s Open Source Security Team (GOSST), who we’ve also […]...Continue reading at Trail of Bits Blog
2023-01-13 10:21:00
Bad things come in large packages: .pkg signature verification bypass on macOS
Code signing of applications is an essential element of macOS security. For example, appending more data to a xar file will always keep the TOC hash and signature valid. The vulnerability: for signed packages, the TOC hash needs to be used for two different checks. The computed TOC hash needs to be equal to the TOC hash stored on the heap. Place the new TOC hash at heap offset 4294967296, leaving the original TOC hash at heap offset 0. These also use .pkg files and verify the TOC hash, however, they compare it to the computed TOC hash....Continue reading at (from /r/netsec)
2023-01-12 21:20:59
GraphQL exploitation – All you need to know – Cybervelia
The Structure of GraphQL: to better understand how it works, let’s get started with a simple GraphQL query. Finally, the GraphQL query is included in JSON format, more particularly in the field “query”. GraphQL Enumeration: GraphQL exposes its schema and its structures to a query commonly called GraphQL Introspection. Manually Crafting a Mutation Query: recall the introspection results:
... "name": "updateUsers", "description": null, "args": [ { "name": "userInput", "description": null, "type": { "kind": "LIST", "name": null, "ofType": { "kind": "INPUT_OBJECT", "name": "InputUserData", "ofType": null } }, "defaultValue": null } ], "type": { "kind": "LIST", "name": null, "ofType": { "kind": "NON_NULL", "name": null, "ofType": { "kind": "OBJECT", "name": "User", "ofType": null } } }, ...
Try to limit the results: { "variables": { "pagination": { "l...Continue reading at (from /r/netsec)
2023-01-12 19:50:48
DER Entitlements: The (Brief) Return of the Psychic Paper...Continue reading at Project Zero
2023-01-12 18:20:49
Reverse-engineering an airspeed/Mach indicator from 1977...Continue reading at Ken Shirriff's blog
2023-01-12 16:20:59
Avoiding API Key Exposures: The Importance of Strong Fundamentals and the Limitations of AI
Exposing API keys publicly online is a serious security issue because it allows anyone who has access to those keys to potentially use them to access sensitive data or resources. Furthermore, exposing API keys publicly online can also potentially lead to financial loss for the organization or individuals involved. In short, exposing API keys publicly online is a major security risk that can have serious consequences for organizations and individuals. As a security researcher, I have discovered a number of API keys and secrets that are publicly available online. It is important to ensure that sensitive information, including API keys, is kept secure to prevent unauthorized access....Continue reading at (from /r/netsec)
2023-01-12 15:20:49
Announcing Pwn2Own Vancouver for 2023
Last year, we celebrated the 15th anniversary of Pwn2Own with a spectacular contest. We awarded more than $1,000,000 USD for the amazing research demonstrated. That makes us even more excited to return to Vancouver for the 2023 edition of Pwn2Own. Similar to last year, we’ll be holding a hybrid conference with most of us in person at the Sheraton Wall Center in Vancouver for the CanSecWest conference on March 22-24, 2023. The other part of the hybrid event means that we also allow remote participation. If you have either travel restrictions or travel safety concerns, you can opt to compete remotely. We’re also excited to have return as a partner. They always innovate, and we’ve...Continue reading at Zero Day Initiative - Blog
2023-01-12 13:50:50
SCCM Site Takeover via Automatic Client Push Installation...Continue reading at Posts By SpecterOps Team Members - Medium
2023-01-12 13:20:48
Keeping the wolves out of wolfSSL
By Max Ammann. Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). These vulnerabilities have been discovered automatically using the novel protocol fuzzer tlspuffin. This blog post […]...Continue reading at Trail of Bits Blog
2023-01-12 11:20:49
NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO
In the name of Russia's war in Ukraine, NoName057(16) abuses GitHub and Telegram in an ongoing campaign to disrupt NATO's critical infrastructure....Continue reading at SentinelLabs - We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.
2023-01-11 21:20:59
T95 Allwinner T616 Malware Analysis - "Pre-owned" Android TV Device
T95 Allwinner T616 Malware Analysis · Cleanup. Does your T95 Android TV Box contain a folder named /data/system/Corejava ...and a file named /data/system/shared_prefs/open_preference.xml? Your T95 is infected with malware pre-installed, ready to do whatever the C2 servers decide. If they insist on selling these devices they really should add an "Includes Malware" category in the Android TV section. A few months ago I purchased a T95 Android TV box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful....Continue reading at (from /r/netsec)
2023-01-11 17:50:59
Legitify supports scanning GitLab for security misconfigurations and best practices
...Continue reading at (from /r/netsec)
2023-01-11 14:50:49
LABScon Replay | Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
WMI-based attacks impact all versions of Windows and can severely impact EDRs. Claudiu Teodorescu explores how they work and how they can be detected....Continue reading at SentinelLabs - We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.
2023-01-11 11:50:59
SANS Christmas Challenge 2022 - Write-up
The candy cane, when dropped on Glamtariel: "Mmmmm, I love Kringlish Delight!" The ice cube, when dropped on Glamtariel: "No worries, it doesn't get nearly as cold here as it did in Melgarexa." The igloo, when dropped on Glamtariel: "It's understandable to wonder about home when one is adventuring." The sailing ship, when dropped on Glamtariel: "These ice boat things would have been helpful back in the day. Silver rings, silver rings ...." The red ring, when dropped on Glamtariel: "Ah, the fiery red ring!...Continue reading at (from /r/netsec)
2023-01-11 04:51:00
How to find a Google account with a phone number
In the two Sector035 blogs you can read how you can find out the unique ID of the account using a Gmail account. In addition, it is also described how you can find out via the Gmail account which services this account is linked to. Consider, for example, services such as YouTube and Google Maps, but also a service such as MSN. The website has a handy tool that uses the Google IDs (note: this is a third party website!). In this blog we use the ID for another reason: to be able to link a phone number to an email address (and vice versa)....Continue reading at (from /r/netsec)
2023-01-10 23:51:00
Taking over a Dead IoT Company
Now, 5 years after the company collapsed, I acquired one of their signs to investigate why the company failed. One trick I use is that multiplying the BOM cost by 4 will often get you the retail price. There are 2 primary custom components running on the Pi: the Python server (LED Server) and the NodeJS server (Config Server). LED Server: the LED Server written in Python is responsible for drawing to the LED Matrix and getting train data from the company’s API. The product had some ideas around serving ads but an LED sign isn’t really a “get big fast” kind of company. Too Many Ads: the NYCTrainSign company at one point had a Chief Marketing Officer as well as a Social Media Manager and a Social Media Assistant....Continue reading at (from /r/netsec)
2023-01-10 21:50:59
Antivirus Evasion: Tearing AMSI down with 3 bytes only
This post aims at showcasing one of the many possible techniques for bypassing antivirus solutions through in-memory patching of AMSI instructions. This poses a necessity for offensive security and red team professionals to be proficient in evading and circumventing such defenses. Understanding AMSI: the following is an overview of an AMSI implementation, using PowerShell and Microsoft Defender as an example. The amsi.dll library will be loaded into every PowerShell and ISE process, providing exported functions for the processes to make use of. HRESULT AmsiOpenSession([in] HAMSICONTEXT amsiContext, [out] HAMSISESSION *amsiSession); If this function succeeds, it returns S_OK....Continue reading at (from /r/netsec)
2023-01-10 18:50:55
The 8086 processor's microcode pipeline from die analysis...Continue reading at Ken Shirriff's blog
2023-01-10 13:50:48
Another prolific year of open-source contributions
By Samuel Moelius. This time last year, we wrote about the more than 190 Trail of Bits-authored pull requests that were merged into non-Trail of Bits repositories in 2021. In 2022, we continued that trend by having more than 400 pull requests merged into non-Trail of Bits repositories! Why is this significant? While we take […]...Continue reading at Trail of Bits Blog
2023-01-10 12:20:59
An electromagnetic-wave side-channel issue on ARMv8 AES instructions
16b}, [x3], #16
aesd v12.16b
aesd v13.16b
aesd v14.16b
aesd v12.16b
aesd v13....Continue reading at (from /r/netsec)
2023-01-10 11:51:00
ImageMagick Security Policy Evaluator
During our audits we occasionally stumble across ImageMagick security policy configuration files (policy.xml), useful for limiting the default behavior and the resources consumed by the library. Allowlist vs Denylist approach: a number of seemingly secure policies can be found online, specifying a list of insecure coders similar to: ... ... A more secure policy would specify: ... ... Case sensitivity: consider the following directive: ... ... With this, conversions will still be allowed, since policy patterns are case sensitive. Policy fragmentation: once a policy is defined, it’s important to make sure that the policy file is taking effect. A starter, restrictive policy: starting from the most restrictive policy described in the official documentation, we designed a res...Continue reading at (from /r/netsec)
2023-01-09 17:50:59
Releasing hermes-dec, an open-source disassembler and decompiler for the React Native Hermes bytecode
The Hermes bytecode is a binary-form, intermediary representation of JavaScript which is used as a means of optimizing the execution speed of React Native mobile applications. Announced by Facebook in July 2019, and ultimately used by default in new React Native projects since September 2022, we have seen the Hermes bytecode format used in many popular React Native applications, whilst React Native itself is an increasingly popular mobile software development platform, and a major cross-platform mobile development framework. When enabled, the Hermes bytecode compiler is used to produce a binary-form output into the “assets/” file present in the file tree of the Android .APK file (...Continue reading at (from /r/netsec)
2023-01-09 13:20:59
Unwrapping Ursnif's Gifts
The Ursnif malware family (also commonly referred to as Gozi or ISFB) is one of the oldest banking trojans still active today. Case Summary: in this intrusion, a malicious ISO file was delivered to a user which contained Ursnif malware. The threat actor first ran some initial discovery on the host using built-in Windows utilities like ipconfig, systeminfo, net, and ping. Shortly afterwards, the threat actor injected into various processes and then proceeded to access lsass memory on the host to extract credentials. Initial Access: in this case, the Ursnif malware was delivered using a very familiar technique of being contained within an ISO file....Continue reading at (from /r/netsec)
2023-01-09 12:20:59
Practical Example Of Client Side Path Manipulation...Continue reading at (from /r/netsec)
2023-01-09 11:50:59
Reverse Engineering TikTok's VM Obfuscation (Part 2)
One day, I stumbled across an interesting blog post penned by someone called Veritas, where they laid out the first steps towards reverse-engineering the code that is deployed on TikTok's website. After running some simple Babel transforms on webmssdk.js from TikTok's website, I was left with a file that looked like this:
!(function (_0x5c2c98, _0x2cd9f0) { })(this, function (_0x2a8ff7) { "use strict"; function _0x14c284(_0x108694) { } function _0x14e389(_0xec17cf, _0x3ecc59) { } function _0x2d7234(_0x2ec4c3, _0x160011, _0x5f50ca, _0x2907ae) { } function _0x45536a(_0x445bf1, _0x53ea83) { } function _0x2ed536(_0x2cb834, _0x3fe249) { } // ... hundreds more of these Object .function _0x4c03ae(_0x3892f1, _0x1f3ab1, _0x456cff) { // string...Continue reading at (from /r/netsec)
2023-01-09 10:51:06
Unleashed Firmware Flipper
Today we're going to unleash the power of the Flipper Zero by installing some custom firmware. Updating Flipper Zero: after downloading the Flipper Zero desktop software, open it from the icon on your computer. Installing Flipper Zero Custom Firmware: to install the custom unleashed firmware of Flipper Zero, go to the settings page in the Flipper Desktop application. For now, you can try them out on your Flipper Zero device and see how they enhance your experience. After the Flipper desktop application reaches 100%, you will need to follow the instructions on your Flipper Zero device to complete the installation....Continue reading at (from /r/netsec)
2023-01-09 10:50:48
Protected: UK gov website being used to phish porn site creds
There is no excerpt because this is a protected post. The post Protected: UK gov website being used to phish porn site creds first appeared on Pen Test Partners....Continue reading at Security Blog | Pen Test Partners
2023-01-09 10:20:59
Cool Recon techniques every hacker misses!
White hat hackers are ethical hackers who use their skills to improve security, while black hat hackers are malicious hackers who use their skills to gain unauthorized access or steal information. Gray hat hackers are somewhere in between, often disclosing vulnerabilities to organizations but sometimes also exploiting them for personal gain. This article is about some cool recon techniques every hacker misses! Technique 1: Active subdomain enumeration. A very common technique, but a lot of researchers rely on passive subdomain enumeration rather than active subdomain enumeration. There are many techniques that can be used for reconnaissance, including passive techniques like footprinting and active techniques like scanning and network mapping....Continue reading at (from /r/netsec)
2023-01-09 02:50:59
How To Attack Admin Panels Successfully Part 2
Not Attacking Web Apps Admin Panels The Right Way? You should start here: Part_1. Tools: Msfvenom, Metasploit, PHP, Kali Linux. Intro...Continue reading at (from /r/netsec)
2023-01-08 15:51:08
Strategies for effective CSRF mitigation
However, a new attack variant, Client-Side CSRF (CSCSRF), is possible on sites that use client-side scripting without appropriate input validation. Bonus classic CSRF example: logging out. Another example of a CSRF attack is terminating users’ sessions. Client-Side CSRF: a concrete example. Client-Side CSRF has similar consequences to classic CSRF but is carried out in a different way (through insecure input validation) that renders most defences against classic CSRF ineffective. Protection against Client-Side CSRF: unlike classic CSRF, client-side CSRF can be more challenging to protect against because rather than checking for the correctness of certain predetermined values, one needs to check for the well-formedness and correctness of application-dependent data. Some useful guidelines against client-side CSRF can be: When possible, av...Continue reading at (from /r/netsec)
2023-01-08 15:50:59
Analyzing CVE-2022-46630 (DLL Hijacking in Squirrel.Windows)
About The Project: in December of 2022, a DLL Hijacking vulnerability with a CVSS score of 7.8 was reported in the Squirrel.Windows auto-install/update utility. DLL Hijacking is nothing new, and I have blogged about it before, but it continues to plague Windows environments. As a quick recap of this technique, DLL Hijacking occurs when an attacker can plant a DLL which is then loaded into a given target process. Recreating The Issue: monitoring the launch of an application leveraging a vulnerable version of Squirrel.Windows via procmon, the DLL hijacking vulnerability is visible in the image below. Numerous Sigma rules exist for DLL hijacking and could be adapted to Squirrel.Windows if this software is used in your environment....Continue reading at (from /r/netsec)
2023-01-08 00:50:59
GUARDARA 0.9.9 Available with Web Service Testing
If you wish to install GUARDARA using Terraform, you can find an example Terraform configuration on the GUARDARA Community GitLab. Available downloads (Asset / Type / Description):
- Installer Bundle / Product / Installer bundle to deploy GUARDARA.
- Installer Bundle (AWS) / Product / Installer bundle to deploy GUARDARA using the Terraform configuration example.
- GDB Monitor / Extension, Monitor / Extension to monitor remote process status via the GNU Debugger (GDB) server.
- Log Monitor / Extension, Monitor / Remote-syslog and local file log monitor.
...Continue reading at (from /r/netsec)
2023-01-07 20:20:59
VSCode Supply Chain Attacks: Protect Your IDE from Malicious Extensions
As a VSCode user, have you ever asked yourself if a VSCode extension is trustworthy? When searching the web for malicious VSCode extensions, there are few results, and those that do return queries are about vulnerabilities in VSCode or its extensions. Malicious VSCode Extensions in the Marketplace: during our research we found several suspicious VSCode extensions residing in the Marketplace, although it is still unclear if these extensions were actually created by attackers and uploaded to the VSCode Marketplace, or they were created with some poor coding choices leading to vulnerable code. It's also important to note that VSCode extensions are written in Node, and the packages are downloaded from NPM. In addition to VSCode extensions, the Marketplace also offers extensions for Visual Studio and Azur...Continue reading at (from /r/netsec)
2023-01-07 16:22:01
Escaping from bhyve
Environment: as I don't have FreeBSD installed on my machine, I'm running the bhyve hypervisor inside a QEMU/KVM virtual machine with nested virtualization enabled. The related data structure (e1000_data_desc) holds a pointer to the physical address of the data buffer.
e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, uint16_t dsize, uint16_t *rhead, int *tdwb) { /* ... */ /* Simple non-TSO case. ...
Nonetheless, the hdr pointer can still be corrupted. The hdr pointer is used in the segmentation loop as follows:
pv = 1; pvoff = 0; for (seg = 0, left = paylen; left > 0; seg++, left -= now) { now = MIN(left, mss); /* Construct IOVs for the segment. ...
As shown in the previous section, by corrupting the hdr pointer one can force the host to leak part of the bhyve process's stack....Continue reading at
2023-01-07 02:19:25
I made an Open Source Browser extension to aid in Threat Investigations!
SOC Multi-tool: a free and open source tool to aid in investigations! What is SOC Multi-tool?
- Lookup IP Info using Tor relay checker & WHOIS
- Lookup Hash Reputation using VirusTotal
- Lookup File Extension Info using fileinfo.com
- Lookup Filename info using File.net
- Lookup MAC Address manufacturer using maclookup.com
- Parse a UserAgent using user-agents.net
- Lookup Microsoft Error codes using Microsoft's DB
- Lookup Event IDs (Windows, Sharepoint, SQL Server, Exchange, and Sysmon) using ultimatewindowssecurity.com
How to install the extension? Navigate in the SOC Multi-tool to the type of data highlighted and click your selection....Continue reading at (from /r/netsec)
2023-01-06 21:19:28
Hybrid fuzzing: Sharpening the spikes of Echidna
By Tom Malcolm, University of Queensland, Australia. Smart contract fuzzing is an effective bug-finding technique that is largely used at Trail Of Bits during audits. During my internship at Trail of Bits, I contributed to expand our fuzzing capabilities by working on Hybrid Echidna, a “hybrid fuzzer” that couples our smart contract fuzzer, Echidna, with […]...Continue reading at Trail of Bits Blog
2023-01-06 21:19:22
Exploiting CVE-2022-42703 - Bringing back the stack attack...Continue reading at Project Zero
2023-01-06 20:50:46
I scanned every package on PyPi and found 57 live AWS keys
After inadvertently finding that InfoSys leaked an AWS key on PyPi, I wanted to know how many other live AWS keys may be present on the Python Package Index. Detecting AWS keys is actually fairly simple. One example comes from a package version published by Terradata. Most test keys are used with S3, but there was one specific test from BigJob2 that appears to launch an EC2 instance 😱. I think there’s a conflux of different reasons that have led to the large number of keys published to PyPi:...Continue reading at (from /r/netsec)
2023-01-06 20:50:32
Compromised Cloud Compute Credentials: Case Studies From the Wild
A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies. The post Compromised Cloud Compute Credentials: Case Studies From the Wild appeared first on Unit 42....Continue reading at Unit 42
2023-01-06 20:50:28
How to train your Ghidra
Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years....Continue reading at Securelist
2023-01-06 20:50:22
Pwn2Own Toronto 2022 - Day Four Results and Master of Pwn
Welcome back to the final day of Pwn2Own Toronto for 2022! Yesterday, we awarded another $253,500 USD, which brings our three-day total to $934,750. While that alone would make it an amazing event, we’ve got another full day of exploitation ahead of us. Stay tuned as we update this blog with results as we get them and total the points to crown the Master of Pwn.
- Quarkslab was unable to get their exploit of the NETGEAR WAN interface working within the time allotted.
- Peter Geissler was unable to get his exploit of the Lexmark MC3224i printer working within the time allotted.
- The NCC Group was able to execute their code execution attack against the WAN interface of the Canon printer. However, the exploit they used was previously in the contest. They still earn $5,000 and 1 Master of...Continue reading at Zero Day Initiative - Blog
2023-01-06 20:50:16
Precious Gemstones: The New Generation of Kerberos Attacks
Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. The post Precious Gemstones: The New Generation of Kerberos Attacks appeared first on Unit 42....Continue reading at Unit 42
2023-01-06 20:50:09
What’s My Name Again? Reolink camera command injection
TL;DR: Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. […] The post What’s My Name Again? Reolink camera command injection first appeared on Pen Test Partners....Continue reading at Security Blog | Pen Test Partners
2023-01-06 20:50:05
Online Machine Learning: how to integrate user feedback
When designing and implementing a machine learning model, ensuring it is continually updated is a challenge that all engineers encounter. In this article, I explore the online machine learning technique that I used during a project and present how it was implemented for effective results. Choosing a machine learning method: machine learning solutions can be […]...Continue reading at JUMPSEC LABS
2023-01-06 20:49:51
Is Europe Just Not Good at Innovating?
This article is part of a series on (European) innovation and capabilities. Feedback is very welcome on I’d also like to thank the many proofreaders, but all mistakes remain mine! In the world of (high) technology, Europe is exceptionally weak at innovating. There are many ways to explain how this came to be, and a lot of the discussion focuses on unfair business conditions and regulation. In this post however I want to talk about important cultural and social reasons that are at least part of the reason, and present some possible solutions....Continue reading at Bert Hubert's writings
2023-01-06 20:49:47
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
Threat actors are abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses....Continue reading at SentinelLabs - We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.
2023-01-06 20:49:39
Reassessing cyberwarfare. Lessons learned in 2022
In this report, we propose to go over the various activities that were observed in cyberspace in relation to the conflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the cybersecurity field as a whole....Continue reading at Securelist
2023-01-06 20:49:35
How I gave ManticoreUI a makeover
By Calvin Fong. During my internship at Trail of Bits, I explored the effectiveness of symbolic execution for finding vulnerabilities in native applications ranging from CTF challenges to popular open source libraries like image parsers, focusing on finding ways to enhance ManticoreUI. It is a powerful tool that improves accessibility to symbolic execution and vulnerability […]...Continue reading at Trail of Bits Blog
2023-01-06 20:49:31
Digging Inside Azure Functions: HyperV Is the Last Line of Defense
We investigated Azure's serverless architecture and found that a HyperV VM was the remaining defense after a container breakout. The post Digging Inside Azure Functions: HyperV Is the Last Line of Defense appeared first on Unit 42....Continue reading at Unit 42
2023-01-06 20:20:30
Advisory CVE-2022-37832 – Mutiny Network Monitoring Appliance hardcoded credentials
Software: Mutiny Network Monitoring Appliance
Affected versions: <= 7.2.0-10855
Vendor page:
CVE Reference: CVE-2022-37832
Published: 16/12/2022
CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Credit: Ryan Saridar
Summary: An attacker can log in as root remotely to the appliance via SSH.
Mitigation: Upgrade to version 7.2.0-10855 onwards to remediate the problem.
Technical details: Before […]...Continue reading at JUMPSEC LABS
2023-01-06 20:20:26
Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal
Hey there, I am going to disclose two bug classes I found a while ago in CheckPoint R77.30: Two buffer overflows in the username (no shit) and HTTP method of a request to the administrative UI pre-auth and some interesting injections into the TCL web interface. Let’s start with the TCL part. The web interface […]...Continue reading at
2023-01-06 20:20:18
DEFCON 30 - Hunting Bugs In The Tropics
I gave a talk at DEF CON 30 this year, titled Hunting Bugs In The Tropics. It covered a few years of my security research on Aruba Networks products, including the software in use on several of their popular products, as well as architectural details, and a whole lot of vulnerabilities....Continue reading at
2023-01-06 20:19:54
Australian Privacy Act 2022 Updates
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022....Continue reading at Varonis Blog
2023-01-06 20:19:41
What child is this? A Primer on Process Reparenting in Windows
By Yarden Shafir. Process reparenting is a technique used in Microsoft Windows to create a child process under a different parent process than the one making the call to CreateProcess. Malicious actors can use this technique to evade security products or break process ancestry ties, making detection more […]...Continue reading at Trail of Bits Blog
2023-01-06 20:19:38
And the world keeps changing...Continue reading at Vincent Zimmer's blog
2023-01-06 20:19:34
Meddler-in-the-Middle Phishing Attacks Explained
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice....Continue reading at Unit 42
2023-01-06 20:19:30
11 Problems ChatGPT Can Solve For Reverse Engineers and Malware Analysts
ChatGPT has captured the imagination of many across infosec. Here's how it can superpower the efforts of reversers and malware analysts....Continue reading at SentinelLabs - We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.
2023-01-06 20:19:27
Passwordless Persistence and Privilege Escalation in Azure...Continue reading at Posts By SpecterOps Team Members - Medium
2023-01-06 19:50:25
Fast and accurate syntax searching for C and C++
By Mate Kukri. The naive approach to searching for patterns in source code is to use regular expressions; a better way is to parse the code with a custom parser, but both of these approaches have limitations. During my internship, I prototyped an internal tool called Syntex that does searching on Clang ASTs to avoid […]...Continue reading at Trail of Bits Blog
2023-01-06 19:50:18
Printer Spooler Bug Research
In this blog, we dive into and show how attackers could combine the 0day CVE-2020-0986 with the 0day in IE browser to achieve privilege escalation and then execute code remotely. Now, Maddie Stone, a security researcher on Google's Project Zero team, found that an attacker can still trigger CVE-2020-0986 and elevate kernel privileges by sending an offset instead of a pointer....Continue reading at Security Research – VerSprite
2023-01-06 19:50:14
How to share what you’ve learned from our audits
By Nick Selby. Trail of Bits recently completed a security review of cURL, which is an amazing and ubiquitous tool for transferring data. We were really thrilled to see cURL founder and lead developer Daniel Stenberg write a blog post about the engagement and the report, and wanted to highlight some important things he pointed […]...Continue reading at Trail of Bits Blog
2023-01-06 19:50:07
Replace forgotten outrage over privacy violations with substantive analysis...Continue reading at Bert Hubert's writings
2023-01-06 19:50:03
Always use feenableexcept() when doing floating point math
This is a refreshed & expanded copy of a very old page I hosted outside of this blog. I recently ran into “silent NaNs” again, and thought it might be a good idea to republish this advice here. A small post that documents something that almost no one appears to know. And if you do anything with floating point, you do need to know. Exceptions: In C or C++, try this:...Continue reading at Bert Hubert's writings
2023-01-06 19:49:56
BlueNoroff introduces new methods bypassing MoTW
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal....Continue reading at Securelist
2023-01-06 19:49:52
Navigating the Vast Ocean of Sandbox Evasions
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more....Continue reading at Unit 42
2023-01-06 19:49:47
Technical Analysis of CVE-2022-33679 and CVE-2022-33647 Kerberos Vulnerabilities
Written by Yoav Iellin and Dor Segal, Researchers at Silverfort. Microsoft’s September 2022 Patch Tuesday included two high-risk elevation of privilege vulnerabilities in Kerberos that were discovered by Google Project Zero. The two vulnerabilities take advantage of the ability to force Kerberos to downgrade its encoding from the default AES encryption to the outdated MD4-RC4....Continue reading at Silverfort
2023-01-06 19:49:31
Revolutionizing Work at Silverfort with ChatGPT
At Silverfort, we’re always looking for ways to improve our work and make it more efficient. Recently, we started using ChatGPT internally and have already seen significant changes in how we do things. For those who aren’t familiar, ChatGPT is a natural language processing (NLP) AI that can generate human-like text. It’s been used in...Continue reading at Silverfort
2023-01-06 19:49:24
Valuable or vain: assessing cybersecurity solutions
A while back, I had a nice chat with a venture capitalist about the cybersecurity industry. She was picking my brain about trends I had observed when she asked me a great question: “When you hear about a new cybersecurity solution, how do you predict whether or not a new solution will be truly successful?” My ...Continue reading at Mike Salvatore's Blog
2023-01-06 19:28:32
Bot is going back to life. In the next few hours / days all the articles since it died will be sent, and then it will be back working as in the old days :)
2023-01-06 19:21:01
How the Lastpass Breach affects Lastpass SSO
Every week, almost without fail, I come across one thing that confuses, entertains, or most commonly infuriates me. Most folks at this point are familiar with the recent Lastpass Breach where attackers are known to have exfiltrated Lastpass encrypted user vaults. While Lastpass is known for their consumer product, many may not realize that Lastpass actually supports a number of SSO technologies. The Solution. How it Works. In this case I’m going to discuss Lastpass’ Okta SSO integration because I’m most familiar with it. Any employee who uses Lastpass within an org has trivial access to this value (as it’s in the Okta Access Token)....Continue reading at (from /r/netsec)
2023-01-06 19:20:50
Variant analysis of CVE-2022-3515 affecting libksba, which resulted in CVE-2022-47629
*/
gpg_error_t
_ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
{
  int c;
  unsigned long tag;

  ti->length = 0;
  ti->ndef = 0;
  ti->nhdr = 0;
  ti->err_string = NULL;
  ti->non_der = 0;

  /* Get the tag */
  c = read_byte (reader);
  if (c == -1)
    return eof_or_error (reader, ti, 0);
  ti->buf[ti->nhdr++] = c;
  ti->class = (c & 0xc0) >> 6;
  ti->is_constructed = !!(c & 0x20);   /* bit 5 of the identifier octet: constructed vs. primitive */
  tag = c & 0x1f;
  if (tag == 0x1f)
    {
      tag = 0;
      do
        {
          /* We silently ignore an overflow in the tag value.
There were three vulnerable points identified: In this writeup, we'll focus on the parsing of CRL data. The Variant Bug (CVE-2022-47629): A variant of the original bug was discovered that also occurs during parsing of CRL data.
length; [...] /* and...Continue reading at (from /r/netsec)
2023-01-06 19:20:22
Chrome Exploitation:
To teach Chrome exploitation to my team, I've selected a previous 0day RCE that I found last year for my company VerSprite: CVE-2021-21224, and I've paired it with a SBX bug found by Tim Becker:...Continue reading at Security Research – VerSprite
2023-01-06 19:20:09
PPS For All: Directly charging lithium-ion batteries with a USB-C PD tester
USB-C with PPS [Programmable Power Supply] technology is here, it's cool, and now it's usable on more than just the newest smartphones - it works on almost any Li-ion battery with the right USB-C tester....Continue reading at Rip It Apart – Jason's electronics blog-thingy
2023-01-06 19:20:03
Inside the 8086 processor's instruction prefetch circuitry...Continue reading at Ken Shirriff's blog
2023-01-06 19:19:56
LABScon Replay | InkySquid: The Missing Arsenal
Paul Rascagneres explores a macOS port of the Windows RokRAT malware and how it bypasses Apple security protections....Continue reading at SentinelLabs
2023-01-06 19:19:53
Non-Destructive Silicon Imaging (and Winner of Name that Ware December 2022)
The ware for December 2022 is an AMD Radeon RX540 chip, part number 216-0905018. Congrats to SAM for guessing the ware; email me for your prize. The image is from Fritzchen Fritz’s Flickr feed; I recommend checking out his photos (or you can follow him on twitter). Even if you aren’t into photos of chips, […]...Continue reading at bunnie's blog
2022-05-16 05:40:48
Reverse Engineering PsExec for fun and knowledge
Summary: PsExec is a tool developed by Mark Russinovich that can be used to execute applications on remote systems. This post’s purpose is to give details about the inner workings of PsExec for research purposes only. This is not an extensive analysis of every argument that PsExec uses, and we only provide details about the general usage of the tool. The idea of Reverse Engineering PsExec was initially proposed in the following tweet: first part presents a situation where PsExec is running on a remote machine specified by a computer name or an IP address....Continue reading at (from /r/netsec)
2022-05-15 08:52:22
The digital ranging system that measured the distance to the Apollo spacecraft...Continue reading at Ken Shirriff's blog
2022-05-15 08:20:46
The Illustrated QUIC Connection
Client Initial Keys Calc
initial_salt = 38762cf7f55934b34d179ae6a4c80cadccbb7f0a
initial_random = (random bytes from client given above)
initial_secret = HKDF-Extract(salt: initial_salt, key: initial_random)
client_secret = HKDF-Expand-Label(key: initial_secret, label: "client in", ctx: "", len: 32)
server_secret = HKDF-Expand-Label(key: initial_secret, label: "server in", ctx: "", len: 32)
client_key = HKDF-Expand-Label(key: client_secret, label: "quic key", ctx: "", len: 16)
server_key = HKDF-Expand-Label(key: server_secret, label: "quic key", ctx: "", len: 16)
client_iv = HKDF-Expand-Label(key: client_secret, label: "quic iv", ctx: "", len: 12)
server_iv = HKDF-Expand-Label(key: server_secret, label: "quic iv", ctx: "", len: 12)
client_hp_key = HKDF-Expand-Label(key: client_secret, label: "quic hp", ctx: "", len: 16)
server_hp_key = HKDF-Expand-Label(key: s...Continue reading at (from /r/netsec)
2022-05-14 05:56:34
CVE-2022-21449: Psychic Signatures in Java
It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures. For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys*) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs. If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes in the April 2022 Critical Patch Update. Guess which check Java forgot? This is a relatively recent bug introduced by a rewrite of the EC code from native C++ code to Java, which happened in the Java 15 release....Continue reading at (from /r/netsec)
2022-05-14 05:36:44
Teaching Burp a new HTTP Transport Encoding
In this blog post we explain how we can teach Burp Suite to handle a custom Transport Encoding that is spoken between an HTTP client and a server by using Burp extensions. For example, the built-in Burp Logger is a tab in the Burp UI showing all requests/responses that flow through Burp. Here's the early decoder:
from burp import IBurpExtender
from burp import IHttpListener
from burp import IProxyListener
from burp import IBurpExtenderCallbacks

NAME = "Pentagrid early decoder"

class BurpExtender(IBurpExtender, IHttpListener, IProxyListener):
    def registerExtenderCallbacks(self, callbacks):
        # keep a reference to our callbacks object
        self.filter_message(toolFlag, messageIsRequest, messageInfo)

    #
    # implement IProxyListener
    #
    def processProxyMessage(self, messageIsRequest, message):
        # Responses are ...Continue reading at (from /r/netsec)
2022-05-08 03:55:23
THCon CTF Writeup - SHA-1 exploitation, PHP LFI and RCE
I participated in THCon 2k22 CTF and amongst the incredible “web” challenges – my favorite was “Local Card Maker” (made by jrjgjk). We pad that to a SHA-1 block (64 bytes including the salt, first byte after data is 0x80 and last 2 bytes are length) and add a 2nd block: aaa + base64("/.././././././././phpinfo"). The result joined_buf which we were able to sign (before URL encoding) is:
64 6d 6c 6c 64 31 39 77 63 6d 39 6d 61 57 78 6c  dmlld19wcm9maWxl
80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 01 38 61 61 61 4c 79 34 75  ........8aaaLy4u
4c 79 34 76 4c 69 38 75 4c 79 34 76 4c 69 38 75  Ly4vLi8uLy4vLi8u
4c 79 34 76 63 47 68 77 61 57 35 6d 62 77 3d 3d  Ly4vcGhwaW5mbw==
The first part (green) is the original Base64-encoded string (containing “view_profile”). Afterwards, the white 0x...Continue reading at (from /r/netsec)
2022-04-22 15:37:20
Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities
A must-read for fuzzing fans, this post gives a detailed look at the advanced techniques used in our recent discovery of multiple bugs in Defender for IoT....Continue reading at SentinelLabs
2022-04-22 08:15:33
Coercing NTLM Authentication from SCCM...Continue reading at Posts By SpecterOps Team Members - Medium
2022-04-22 06:53:56
CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client
This allows OpenVPN configuration directives outside of the AWS VPN Client allowed OpenVPN directives list to be injected into the configuration file prior to the AWS VPN Client service, which runs as SYSTEM, processing the file. This could be exploited by having a user attempt to import a malicious VPN configuration file into the AWS VPN Client. What Is AWS VPN Client: AWS VPN Client is a desktop application that can be used to connect to the AWS Client VPN. From the product website: The client for AWS Client VPN is provided free of charge. You can connect your computer directly to AWS Client VPN for an end-to-end VPN experience....Continue reading at (from /r/netsec)
2022-04-21 16:24:55
NTLMquic
In this post, we'll dig into just how SMB over QUIC works, answer some of the immediate questions around which attacks are feasible, and show how we can repurpose some existing tooling to capture NTLM handshakes....Continue reading at XPN InfoSec Blog
2022-04-20 11:54:18
Russia’s certificate authority for sanctioned organizations
After Russia’s invasion of Ukraine, several countries and blocs have imposed sweeping sanctions on Russian companies, banks, and individuals. This special certificate is the root certificate of Russia’s new national certificate authority. Any website that uses a certificate that is signed by this certificate authority is trusted by Yandex Browser. Russian Trusted Root CA: At the moment, the root_certs field contains a single PEM-encoded RSA root certificate of the Russian Trusted Root CA. Their certificate authority operates more like a normal certificate authority, in the sense that it only issues certificates for DNS names for which the ownership could be verified....Continue reading at (from /r/netsec)
2022-04-20 11:47:28
Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms
We write about VoIP, WebRTC and real-time communications security....Continue reading at (from /r/netsec)
2022-04-20 11:42:35
ImpressCMS: from unauthenticated SQL injection to RCE
The application comes with a built-in security module – Protector – which is designed to improve the overall security of ImpressCMS websites and prevent certain web attacks such as Cross-Site Scripting (XSS) and SQL sensitive data from the “users” database table through boolean-based SQL Injection attacks, without the knowledge of the tables prefix (which is randomly generated during the installation). On the other hand, (by default) ImpressCMS uses PDO as a database driver, which allows for stacked SQL queries separated by a semicolon. They also have a WAF which – according to the official company website – is the cornerstone of their advanced application security portfolio that keeps applications and APIs secure. Well, I was too curious not to try whether their web application firewall ...Continue reading at (from /r/netsec)
2022-04-20 10:55:40
CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability...Continue reading at Project Zero
2022-04-20 10:52:44
CVE-2022-26381: Gone by others! Triggering a UAF in Firefox
Memory corruption vulnerabilities have been well known for a long time and programmers have developed various methods to prevent them. One type of memory corruption that is very hard to prevent is the use-after-free and the reason is that it has too many faces! Since it cannot be associated with any specific pattern in source code, it is not trivial to eliminate this vulnerability class. In this blog, a use-after-free vulnerability in Mozilla Firefox will be explained which has been assigned CVE-2022-26381. The Mozilla bug entry 1756793 is still closed to the public as of this writing, but the Zero...Continue reading at Zero Day Initiative - Blog
2022-04-19 11:28:18
Fuzzing Like A Caveman 6: Binary Only Snapshot Fuzzing Harness
Introduction: It’s been a while since I’ve done one of these, and one of my goals this year is to do more so here we are. A side project of mine is kind of reaching a good stopping point so I’ll have more free-time to do my own research and blog again. Looking forward to sharing more and more this year....Continue reading at The Human Machine Interface
2022-04-19 11:12:49
DoS vulnerability in firmware v3.0.3 of KNXnet/IP Secure router SCN-IP100.03
Proof of Concept for CVE-2021-37740. Introduction: CVE-2021-37740 is a denial of service (DoS) vulnerability that affects firmware v3.0.3 of the KNXnet/IP Secure router SCN-IP100.03 and interface SCN-IP000.03 by MDT. The SESSION_REQUEST is the first frame sent during the handshake of the KNXnet/IP Secure unicast protocol, as specified by ISO 22510:2019. It establishes a TCP connection with the target device and attempts to start the KNXnet/IP Secure unicast handshake. If a device is vulnerable, subsequent executions of the will not yield a reply, unless the target device is rebooted. Remediation: The vulnerability was fixed in firmware v3.0.4, as documented by the change log for the MDT firmware....Continue reading at (from /r/netsec)
2022-04-19 10:07:57
FORCEDENTRY: Sandbox Escape...Continue reading at Project Zero
2022-04-19 09:35:06
Pwning 3CX Phone Management Backends from the Internet
Let’s check Shodan: Well, this seems to be a good candidate. The next two screenshots show my recently set up 3CX Phone Management System with the web interface(s) easily detectable and fingerprinted. Because nginx in default configuration might bring you in trouble with getting your path traversal payloads through the reverse proxy component if using / as URI segment separator. A simple grep for the credentials on the file system reveals the corresponding file with customers table content. So we googled for other “fancy Windows path formats” and found this in the Microsoft .NET documentation....Continue reading at (from /r/netsec)
2022-04-19 09:22:06
Spring4Shell 0-day writeup and guidance
The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. The vulnerability (and proof of concept) isn’t exploitable with out-of-the-box installations of Spring Framework. Vulnerability disambiguation: There has been significant confusion about the zero-day vulnerability we discuss in this blog post because an unrelated vulnerability in another Spring project was published yesterday (March 29, 2022). That vulnerability, CVE-2022-22963, affects Spring Cloud Function, which is not in Spring Framework. Spring Framework Controller Advice: Our friends at Praetorian have suggested a heavy but validated mitigation strategy by using the Spring Framework to disallow certain patterns....Continue reading at (from /r/netsec)