last10

  • CVE-2024-30043: ABUSING URL PARSING CONFUSION TO EXPLOIT XXE ON SHAREPOINT SERVER AND CLOUD
    Original text by Piotr Bazydło. Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE? I have two reasons: It affects …
  • Keylogging in the Windows Kernel with undocumented data structures
    Original text by eversinc33. If you are into rootkits and offensive Windows kernel driver development, you have probably watched the talk Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation, by Valentina Palmiotti (@chompie1337) and Ruben Boonen (@FuzzySec), in which they talk about using rootkits for offensive operations. I do believe that rootkits are the future of post-exploitation and EDR evasion — EDR is getting tougher to evade in userland and Windows drivers are full of vulnerabilities which can be exploited to deploy rootkits. One part of this talk however particularly caught my interest: around the 16 minute mark, …
  • Hunting down the HVCI bug in UEFI
    Original text by Satoshi’s notes. This post was coauthored with Andrea Allievi (@aall86), a Windows Core OS engineer who analyzed and fixed the issue. This post details the story and technical details of the non-secure Hypervisor-Protected Code Integrity (HVCI) configuration vulnerability disclosed and fixed with the January 9th update on Windows. This vulnerability, CVE-2024-21305, allowed arbitrary kernel-mode code execution, effectively bypassing HVCI within the root partition. While analysis of the HVCI bypass bug alone can be interesting enough, Andrea and I found that the process of root causing and fixing it would also be fun to detail and decided to write …
  • 64 bytes and a ROP chain – A journey through nftables
    Original text by Davide Ornaghi. The purpose of this article is to dive into the process of vulnerability research in the Linux kernel through my experience that led to the finding of CVE-2023-0179 and a fully functional Local Privilege Escalation (LPE). By the end of this post, the reader should be more comfortable interacting with the nftables component and approaching the new mitigations encountered while exploiting the kernel stack from the network context. 1. Context. As a fresh X user indefinitely scrolling through my feed, one day I noticed a tweet about a Netfilter Use-after-Free vulnerability. Not being at all familiar with …
  • Nmap Dashboard with Grafana
    Original text by hackertarget. Generate an Nmap Dashboard using Grafana and Docker to get a clear overview of the network and open services. This weekend’s project uses a similar technique to the previous Zeek Dashboard to build an easy to deploy dashboard solution for Nmap results. Building small deployments like this gives the operator a greater understanding of how the tools work, developing skills that can be used to implement custom solutions for your specific use cases. Explore the Nmap Dashboard, and dig deeper into your network analysis. Introduction to Nmap Visualisation. Nmap is a well known port scanner to find open network services. Not only finding open ports, Nmap is able …
  • CVE-2024-4985 (CVSS 10): Critical Authentication Bypass Flaw Found in GitHub Enterprise Server
    GitHub, the world’s leading software development platform, has disclosed a critical security vulnerability (CVE-2024-4985) in its self-hosted GitHub Enterprise Server (GHES) product. The vulnerability, which carries a maximum severity rating of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers to bypass authentication and gain unauthorized access to sensitive code repositories and data. GitHub Enterprise Server is the self-hosted version of GitHub Enterprise, tailored for businesses seeking a secure and customizable environment for source code management. Installed on an organization’s own servers or private cloud, it enables collaborative development while providing robust security and administrative controls. The flaw resides in …
  • Advanced CyberChef Techniques For Malware Analysis — Detailed Walkthrough and Examples
    Original by Matthew. We’re all used to the regular CyberChef operations like "From Base64", "From Decimal" and the occasional magic decode or XOR. But what happens when we need to do something more advanced? CyberChef contains many advanced operations that are often ignored in favour of Python scripting. Few are aware of the more complex operations of which CyberChef is capable. These include things like Flow Control, Registers and various Regular Expression capabilities. In this post, we will break down some of the more advanced CyberChef operations and how these can be applied to develop a configuration extractor for a …
  • CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
    Research by Thomas Rinsma. TL;DR: This post details CVE-2024-4367, a vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based applications that (indirectly) use PDF.js for preview functionality. If you are a developer of a JavaScript/TypeScript-based application that handles PDF files in any way, we recommend checking that you are not (indirectly) using a version a …
  • Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991
    Tags: #VirtualBox #CVE-2023-21991 #CVE-2023-21987 #revers #vm #poc #exploiting
  • CVE-2023-20887 VMWare Aria Operations for Networks (vRealize Network Insight) unauthenticated RCE
    Tags: #PoC #CVE-2023-20887 #RCE