Showing Posts From

Application Security

  • 29 Feb 2024

The Hidden Depths of Mainframe Application Testing: More Than (Green) Screen-Deep

Mainframe application security testing requires looking beyond surface-level "green screen" interfaces. The article explores three key vulnerability areas in mainframe environments: application breakouts that allow unauthorized transaction access, surrogate chaining that can bypass environment segregation controls, and downstream misconfigurations in database and system components. Comprehensive security assessments must take a holistic approach to mainframe application testing.

Detecting OneNote Abuse

OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.

Looting Microsoft Configuration Manager

CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.

  • 8 Sep 2022

Prototype Pollution Primer for Pentesters and Programmers

Prototype pollution is a JavaScript vulnerability where attackers can manipulate object prototypes to inject malicious properties. The attack involves two stages: polluting the prototype and then exploiting functions that process polluted objects. A demonstration using jQuery BBQ and jQuery shows how an attacker can potentially execute arbitrary JavaScript in web applications.

Scheduled Task Tampering

This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.

A bit of a Fixer Upper - Testing FIX-backed applications

This article explores testing and intercepting FIX protocol applications using MitM_Relay and Burp Suite. A custom Python script was developed to maintain message integrity when modifying FIX messages. A Burp extension called "Fixer Upper" was created to simplify FIX message interception and modification.

  • 3 Aug 2021

Playing with PuTTY

This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.

Attack Detection Fundamentals 2021: macOS - Lab #1

This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.

Attack Detection Fundamentals 2021: macOS - Lab #2

This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.

Attack Detection Fundamentals 2021: macOS - Lab #3

This article explores a macOS attack technique that bypasses Apple's Transparency, Consent & Control (TCC) security mechanism. The attack leverages SSH's full disk access to directly modify the TCC database, allowing unauthorized access to protected system resources. Detection methods are demonstrated, focusing on monitoring local SSH connections and direct database modifications.

Attack Detection Fundamentals 2021: Windows - Lab #1

This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #2

This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.

Attack Detection Fundamentals 2021: Windows - Lab #3

This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.

Attack Detection Fundamentals 2021: Windows - Lab #4

This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.

GWTMap - Reverse Engineering Google Web Toolkit Applications

GWTMap is a novel tool for reverse engineering Google Web Toolkit (GWT) applications. The tool extracts and maps service method endpoints from obfuscated client-side code across different GWT versions. It enables cybersecurity professionals to generate example GWT-RPC request payloads and analyze the attack surface of GWT-based web applications.

Operationalising Calendar Alerts: Persistence on macOS

A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.

  • 29 Sep 2020

Application-level Purple Teaming: A case study

An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.

  • 7 Sep 2020

Securing AEM With Dispatcher

This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.

  • 2 Sep 2020

N1QL Injection: Kind of SQL Injection in a NoSQL Database

N1QL injection is a vulnerability in Couchbase NoSQL databases that allows attackers to manipulate database queries. An open-source tool called N1QLMap was developed to automate N1QL injection testing and exploitation. The tool enables data extraction, system information retrieval, and server-side request forgery (SSRF) attacks through specialized query techniques.

  • 27 Aug 2020

Exploiting CVE-2019-17026 - A Firefox JIT Bug

A detailed technical analysis of a critical vulnerability (CVE-2019-17026) in Firefox's SpiderMonkey JIT compiler was presented. The vulnerability involves type confusion and bounds check elimination in the IonMonkey JIT compilation process. The article explores how carefully crafted JavaScript can exploit interactions between multiple compilation chains to bypass JIT compiler safeguards and potentially execute arbitrary code.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #1

This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #2

This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.

Attack Detection Fundamentals: Initial Access - Lab #1

This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.

Attack Detection Fundamentals: Initial Access - Lab #4

This article demonstrates creating a malicious Excel 4.0 Macro with Metasploit shellcode to obtain remote access on a Windows system. The lab walks through generating a Meterpreter payload, setting up a Metasploit listener, and executing the malicious macro. Memory forensics techniques using Volatility are explored to analyze the compromised host and detect stealthy code injection methods.

  • 20 May 2020

Releasing the CAPTCHA Cracken

A tool called CAPTCHA Cracken was developed to bypass text-based CAPTCHAs on an Outlook Web App portal. Advanced image preprocessing techniques and browser automation with Pyppeteer were used to overcome significant CAPTCHA recognition challenges. The project demonstrated the vulnerability of traditional text-based CAPTCHAs to machine learning-based automated attacks.

  • 15 May 2020

Internet Exploiter: Understanding vulnerabilities in Internet Explorer

This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.

  • 1 May 2020

Bypassing Windows Defender Runtime Scanning

This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.

Jamfing for Joy: Attacking macOS in Enterprise

The article details multiple attack vectors against Jamf, a macOS enterprise management platform. Multiple techniques for compromising device management systems are explored, including password spraying, user enumeration, and policy abuse. An open-source Jamf Attack Toolkit was developed to demonstrate and facilitate these cybersecurity vulnerabilities.

Rethinking Credential Theft

Physmem2profit is a novel red team tool for credential theft that bypasses traditional LSASS process monitoring. The tool allows remote extraction of credential material by exposing and analyzing physical memory without directly interacting with the LSASS process. It provides an alternative approach to credential theft by leveraging memory forensics techniques on Windows systems.

Uncommon SQL Database Alert - Informix SQL Injection

An authenticated SQL injection vulnerability was discovered in the Cisco UCM administrative portal using Informix SQL. Custom techniques were developed to enumerate database tables, users, and sensitive information when standard SQLMap tools failed. The research involved creating specialized scripts to exploit the vulnerability by bypassing security restrictions in the database.

  • 15 Nov 2019

Prince of the Honeycomb

A critical heap-buffer overflow vulnerability was discovered in Prince XML, a PDF conversion tool used by the Honeycomb application. The vulnerability was found through fuzzing and binary analysis of TIFF image parsing code. By crafting a malicious TIFF file, an attacker could potentially achieve remote command execution when processing specially crafted image files.

Getting Real with XSS

This article provides a comprehensive guide to practical Cross-Site Scripting (XSS) attacks in modern web applications. It explores technical challenges such as innerHTML limitations, Content Security Policy (CSP) restrictions, and techniques for bypassing browser security controls. The guide demonstrates how to craft meaningful XSS payloads that go beyond simple alert demonstrations.

  • 22 Feb 2019

AutoCAD - Designing a Kill Chain

A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.

  • 23 Jan 2019

What the Fuzz

Fuzzing is an automated software testing technique that generates random inputs to identify potential vulnerabilities in programs. The article explores fuzzing fundamentals, including its architecture, different approaches like dumb and smart fuzzing, and a selection of fuzzing tools and recent research. The goal is to provide an overview of fuzzing techniques and their potential for discovering software bugs.

  • 8 Nov 2018

Intro to Binary Analysis with Z3 and angr

A workshop presentation introduces binary analysis techniques using Z3 and angr for security professionals. The presentation covers SMT solvers and their applications in reverse engineering and vulnerability research. Sample code and labs are provided to help participants understand and apply SMT solving techniques.

  • 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

Apple Safari Pwn2Own 2018 Whitepaper

This whitepaper details two Safari vulnerabilities demonstrated at Desktop PWN2OWN 2018. The vulnerabilities (CVE-2018-4199 and CVE-2018-4196) allowed full compromise of macOS systems running Safari 11.0.3. The exploits could potentially breach user data on the affected systems.

Big Game Fuzzing Pwn2Own Safari T2

A presentation detailed vulnerability research targeting macOS Safari at Pwn2Own. The talk covered specialized fuzzing tools and exploit development techniques for browser security. Specific vulnerabilities were discussed, including a heap underflow in the browser and a sandbox breakout using uninitialized memory.

  • 13 Jun 2018

EQL Injection (not a typo) and Oracle Endeca

EQL injection is a novel attack technique targeting Oracle Endeca search functionality in e-commerce platforms. Attackers can exploit unsecured Endeca search parameters to extract sensitive product information or perform denial of service attacks. The vulnerability stems from improper input validation in Endeca search implementations.

Apple Safari - Wasm Section Exploit

A technical investigation was conducted into a vulnerability in Apple Safari's Web Assembly (Wasm) implementation discovered during Pwn2own 2018. The vulnerability (CVE-2018-4121) was found in the relatively new Wasm component of WebKit, which was likely less thoroughly tested. The paper details technical exploration of the exploit techniques on macOS 10.13.3.

  • 13 Apr 2018

Some Brief Notes on WebKit Heap Hardening

WebKit has implemented substantial heap hardening techniques to improve memory safety in browsers. The changes include Gigacages, which isolate different object types into separate heaps, and IsoHeap, which allocates objects in dedicated memory pages. Additional protections involve pointer poisoning to make type confusion attacks more difficult.

Corrupting Memory In Microsoft Office Protected-View Sandbox

This presentation explores vulnerabilities in Microsoft Office's Protected-View sandbox through fuzzing its Inter-Process Communication (IPC) attack surface. Two critical CVEs were discovered targeting the reduced functionality sandbox environment. The talk details the methodology for generating test cases and analyzing potential security weaknesses in Protected-View.

Biting the Apple that feeds you - macOS Kernel Fuzzing

An automated kernel fuzzing framework was developed for the macOS XNU kernel using an in-memory fuzzer with static and dynamic analysis techniques. The framework targeted core subsystems to identify critical vulnerabilities in macOS. The approach aimed to address the limited existing automated kernel fuzzing solutions for the Apple platform.

Land, Configure Microsoft Office, Persist

This presentation explores native Microsoft Office add-in mechanisms that can be exploited for persistence on compromised workstations. Various techniques for abusing Office add-ins are analyzed from a red teaming perspective. The talk examines deployment complexity, privilege requirements, and effectiveness in different computing environments.

  • 7 Jul 2017

Using Windows File Auditing to Detect Honeyfile Access

Windows file auditing offers a covert method for detecting unauthorized access to sensitive files on network shares. By configuring native Windows audit policies, detailed logs can be generated when interactions occur with specific "honeyfiles". This technique provides a low-noise, high-fidelity approach to monitoring potential security breaches on file systems.

  • 16 May 2017

DLL Tricks with VBA to Improve Offensive Macro Capability

This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.

  • 21 Apr 2017

Add-In Opportunities for Office Persistence

This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.

  • 10 Mar 2017

A Window into Ring0

Sam Brown's presentation explores Windows kernel mode attack surfaces and vulnerabilities in modern systems. The talk covers techniques for finding bugs in kernel mode code and common exploitation methods for gaining system-level access. Brown discusses the increasing trend of attackers targeting kernel mode to bypass user account restrictions and sandboxing.

  • 27 Jan 2017

A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition

A novel technique for leaking kernel bitmap object addresses in Windows post-Anniversary Edition is detailed. The method exploits memory reuse in the kernel's paged pool by leveraging accelerator tables and bitmap object allocation. This approach provides a way to retrieve kernel object addresses after previous information leak protections were implemented.

  • 29 Nov 2016

Hello MS08-067, My Old Friend

A proof-of-concept exploit was developed for the MS08-067 vulnerability targeting 64-bit Windows Server 2003 x64 SP0. The work addressed the lack of publicly available exploits for 64-bit systems vulnerable to this critical remote code execution flaw. The article provides insights into the challenges of 64-bit exploit development without introducing new exploit techniques.

One Template To Rule 'Em All

A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.

Static Analysis for Code and Infrastructure

Static analysis techniques for software development are explored in this presentation by Nick Jones at DevSecCon 2016. The talk covers methods like taint checking and control flow graph analysis for identifying software bugs early in the development cycle. Guidance is provided on integrating static analysis tools effectively into development environments and infrastructure.

  • 18 Oct 2016

Securing the loading of dynamic code

This article explores the security risks associated with dynamic code loading through reflection in programming languages. It discusses methods to secure reflective code loading, including techniques like hashing, code signing, and file permissions to prevent unauthorized code execution and potential privilege escalation vulnerabilities.

Fuzzing the Windows kernel

A presentation by Yong Chuan Koh at HITB GSEC 2016 introduced a Python-based fuzzing framework for testing Windows kernel security. The framework is designed to be scalable and extensible for comprehensive kernel vulnerability detection. Presentation slides are available for download from the original source.

Windows Kernel Fuzzing

A distributed fuzzing technique was developed to target the Windows kernel and identify critical vulnerabilities. The approach focused on generating high-quality test cases to detect potential privilege escalation and sandbox breakout exploits. The fuzzing method scaled across hundreds of CPU cores to systematically assess the kernel's attack surface.

Malicious Outlook Rules

XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.

Platform Agnostic Kernel Fuzzing

Platform agnostic kernel fuzzing research developed a method for systematically testing system and library calls across Windows and POSIX kernels. The approach focused on effectively logging crashes, reproducing vulnerabilities, and scaling fuzzing across multiple virtual machines. The research provided a framework for identifying kernel-level bugs through comprehensive and methodical testing.

Bug hunting with static code analysis

Static code analysis techniques can improve application security by identifying vulnerabilities early in the software development lifecycle. The presentation explores automated methods for detecting security flaws, ranging from simple scripts to sophisticated analysis tools. These techniques can be integrated into continuous integration systems to proactively catch and resolve security issues before product release.

Safer Shellcode Implants

This article discusses techniques for creating safer shellcode implants by implementing runtime security controls. The proposed methods include ensuring single execution through mutex checks, validating the target endpoint using host-specific identifiers, and adding an expiry time to control the implant's lifecycle. Implementation examples are provided in both assembly and C languages to demonstrate these security controls.

  • 19 Apr 2016

Heap tracing with WinDbg and Python

This article demonstrates how to use Python and PyKd to create WinDbg scripts for heap tracing in Windows. The script hooks memory allocation functions like RtlAllocateHeap and RtlFreeHeap to log heap operations. The technique allows visualization of memory allocation patterns and can support exploit development by providing insights into heap behavior.

Masquerading as a Windows System Binary Using Digital Signatures

This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.

  • 5 Apr 2016

Windows Kernel Exploitation 101: Exploiting CVE-2014-4113

This article provides a detailed walkthrough of exploiting CVE-2014-4113, a Windows kernel vulnerability. The guide demonstrates the process of creating an exploit for Windows 7 SP1 32-bit by analyzing an original Anti-Virus vendor report. The goal is to make kernel exploitation more accessible to cybersecurity researchers.

Persistence Architecture Matters

This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.

Abusing PuTTY & Pageant through native functionality

A technique for remotely interacting with SSH keys stored in PuTTY's Pageant SSH agent on Windows is explored. The method leverages native functionality to proxy SSH authentication requests through a compromised workstation without traditional exploitation. An attack tool called PageantJacker enables forwarding authentication requests to a remote Pageant instance, allowing an attacker to use a target's SSH keys from their own machine.

QNX: 99 Problems but a Microkernel ain't one!

This presentation explores security research on the QNX microkernel operating system used in critical systems like automotive and consumer devices. The talk examined QNX's security architecture through reverse engineering and fuzzing techniques. The goal was to provide insights into QNX subsystems and potential attack surfaces for privilege escalation.

QNX: Security Architecture Whitepaper

A whitepaper by Alex Plaskett and Georgi Geshev examines the security architecture of QNX, a microkernel operating system. The document explores key operating system features and potential attack vectors against QNX-based platforms. The research identifies security weaknesses and suggests opportunities for further investigation into the QNX platform's security.

When LanMan history reveals the present and future, but might just be lying to you

Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.

  • 16 Oct 2015

Journey Into Hunting The Attackers

A presentation at BSides Manchester 2015 explored stealthy credential retrieval techniques used by attackers targeting Windows systems. The talk focused on methods for extracting credentials that can bypass Anti-Virus detection. Techniques discussed included using built-in Windows commands and attacker tools designed to remain undetected during system intrusions.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.

Understanding the Protected-View Sandbox

The whitepaper analyzes the Microsoft Office 2013 Protected-View sandbox architecture. It explores the sandbox's initialization, system resource restrictions, and Inter-Process Communication (IPC) mechanism. The technical analysis was originally presented at the REcon 2015 Security Conference.

Why Bother Assessing Popular Software?

A presentation at BSides London 2015 examined software security vulnerabilities through a case study of Adobe Reader. The analysis focused on investigating the attack surface of the software by examining its JavaScript API, PDF Rendering Engine, and Sandbox. High-risk security vulnerabilities were identified during the detailed technical assessment.

How to own any Windows network with group policy hijacking attacks

Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.

  • 27 Mar 2015

Disgusting Code: GeoIP lookups in Excel

A blog post describes an unconventional method for performing GeoIP lookups in Excel using native formulas and Maxmind's GeoIP database. The technique involves complex nested Excel formulas to convert IP addresses to decimal and perform lookups without external dependencies or macros. The approach is designed for use on locked-down corporate machines with limited computational resources.

  • 20 Mar 2015

GitLab User Enumeration

A user enumeration vulnerability was discovered in GitLab versions 5.0.0 to 7.5.0 that allows anonymous discovery of usernames through an unauthenticated internal API. The vulnerability enables attackers to potentially exploit source code repositories by enumerating valid usernames and targeting authentication systems. Metasploit modules were developed to demonstrate and exploit this security issue.

Practically Exploiting MS15-014 and MS15-011

The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.

  • 12 Feb 2015

Popping alert(1) in Flash

This article explores cross-site scripting (XSS) vulnerabilities in Adobe Flash applications. It details how ActionScript can be exploited through unvalidated FlashVars, ExternalInterface calls, and remote content loading techniques. Multiple attack vectors are demonstrated, including manipulating URL parameters, loading malicious XML, and abusing URI schemes in Flash applications.

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

  • 10 Dec 2014

Faster fuzzing with Python

This article explores performance optimization techniques for executing external processes in Python. By investigating process spawning methods like subprocess, fork, and posix_spawn, the performance of small binary executions was analyzed. The investigation revealed that using posix_spawn with vfork can significantly improve execution speed compared to traditional subprocess methods.

Windows Services - All roads lead to SYSTEM

This whitepaper examines security vulnerabilities in Windows services, focusing on configuration-related flaws that can lead to privilege escalation. It explores six key service areas where misconfigurations can provide attackers opportunities to execute arbitrary code with elevated system privileges. The document provides insights into assessing and remediating potential security risks in Windows service configurations.

  • 15 Aug 2014

Windows 8 Kernel Memory Protections Bypass

A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.

  • 20 Jun 2014

Isolated Heap & Friends - Object Allocation Hardening in Web Browsers

Web browsers have implemented object allocation hardening techniques to mitigate use-after-free vulnerabilities. These techniques include Internet Explorer's Isolated Heap, Firefox's Presentation Arena, and Chrome's PartitionAlloc. Each approach aims to constrain memory allocation strategies and make exploitation more difficult by separating object types and controlling memory reuse.

Poor Man's Static Analysis - BSides London 2014

A presentation at BSides London 2014 explored using Clang for developing static analysis tools to assist manual code review. The research demonstrated tracing control flow in Google Chrome's DOM event dispatch mechanisms. The approach focused on creating custom static analysis techniques for examining complex software codebases.

Windows Phone 8 Application Security Slides Syscan 2014

MWR researchers Alex Plaskett and Nick Walker presented slides at Syscan 2014 analyzing Windows Phone 8 application security. The presentation covered novel vulnerabilities in mobile app development. Slides provide programmatic guidance for developers to improve Windows Phone 8 application security.

Windows Phone 8 Application Security Whitepaper Syscan 2014

A whitepaper on Windows Phone 8 application security was presented at Syscan 2014. The research identified common developer mistakes that introduce security vulnerabilities in Windows Phone 8 applications. The whitepaper provides guidance on detecting and mitigating specific application security weaknesses in the platform.

  • 11 Apr 2014

Laravel cookie forgery, decryption, and RCE

A critical vulnerability in Laravel's encryption API allowed attackers to forge session cookies and impersonate users. The flaw enabled potential remote code execution by exploiting weaknesses in MAC verification, IV handling, and PHP object deserialization. Attackers could manipulate cookies to authenticate as any user and potentially inject malicious code through serialized PHP objects.

  • 11 Apr 2014

WordPress auth cookie forgery

A vulnerability in WordPress's authentication cookie validation allows potential cookie forgery through PHP type juggling. The flaw enables attackers to bypass authentication by exploiting non-strict comparison methods in the cookie verification code. Two attack vectors were identified: MAC verification bypass and potential timing attacks to determine expected MAC values.

  • 12 Nov 2013

Run SAP, Run

Metasploit modules for SAP system security assessment were developed to comprehensively test SAP enterprise environments. The modules enable penetration testers to discover SAP services, enumerate clients, perform bruteforce attacks, and execute remote commands across different SAP connectors. Multiple attack techniques were demonstrated, including information gathering, credential extraction, and obtaining interactive shells on both Linux and Windows SAP systems.

  • 6 Sep 2013

MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit

A kernel pool overflow vulnerability in Windows 7's Win32k system was demonstrated at Pwn2Own 2013. The exploit involved manipulating message buffer allocations to corrupt kernel memory structures. By carefully controlling message handling and window object properties, kernel-mode code execution was achieved, enabling a sandbox escape in Google Chrome.

Polishing Chrome for Fun and Profit (NSC)

A presentation at the Nordic Security Conference detailed a full sandbox escape vulnerability in Google Chrome. The vulnerability was successfully exploited at the Pwn2Own 2013 hacking competition. Technical details of compromising Chrome's security mechanisms were demonstrated by MWR's Nils and Jon.

  • 19 Apr 2013

MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit

A detailed technical write-up of a WebKit exploit demonstrated at Pwn2Own 2013 describes a type confusion vulnerability in SVG document handling. The exploit leveraged the ability to cast non-SVG elements to SVG elements, enabling precise memory manipulation and control. By chaining multiple exploit stages, the vulnerability allowed leaking pointers, calculating memory addresses, and ultimately achieving code execution in the browser.

  • 6 Mar 2013

Pwn2Own at CanSecWest 2013

MWR Labs demonstrated a full sandbox bypass exploit against Google Chrome at Pwn2Own 2013. The exploit leveraged vulnerabilities to gain code execution in the renderer process and bypass ASLR and DEP protection mechanisms. Memory address leakage techniques were used to execute arbitrary commands outside the browser sandbox.

  • 14 Feb 2013

2013 Summer Internship Positions

MWR is recruiting paid summer internship positions in Basingstoke for students and security enthusiasts. Interns will work on personal research projects and gain hands-on experience in information security consultancy. The internship offers opportunities to work with a research team and potentially secure a junior position after completion.

SAP Slapping (DeepSec)

Dave Hartley's DeepSec presentation "SAP Slapping" explored vulnerabilities in SAP systems. The talk provided an overview of common misconfigurations and security weaknesses in enterprise software. Metasploit modules were demonstrated to highlight potential security risks in SAP infrastructure.

  • 3 Sep 2012

SAP Parameter Injection

A vulnerability in SAP's Host Control service enables remote unauthenticated command execution on Windows SAP systems using SAP MaxDB. The attack involves manipulating parameters of the dbmcli executable to write and execute attacker-controlled commands. Metasploit modules were developed to demonstrate command injection across different SAP system interfaces.

  • 18 Jul 2012

Incognito v2.0 Released

Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.

SAP Slapping

Dave Hartley presented the "SAP Slapping" talk at CRESTCon and BSides London, exploring common vulnerabilities in SAP systems. The presentation provided an overview of SAP security misconfigurations. Metasploit modules were demonstrated to highlight potential security weaknesses in SAP infrastructure.

  • 2 Mar 2012

Summer Internship Positions

MWR InfoSecurity offers paid summer internships for computer science students interested in cybersecurity research. Internships are approximately 12 weeks long and based in the UK offices. Candidates from second or third year of university with a strong interest in applied computer security are encouraged to apply.

  • 12 Dec 2011

Tell Us Your Incognito Ideas and Win One of 5 Lego Ninjas

Incognito, a tool for exploiting Windows access tokens launched in 2007, seeks community input on potential improvements. The project aims to enhance the tool's effectiveness by gathering feature suggestions from the information security community. As an incentive, five Lego Ninjas will be awarded to the best feature ideas submitted.

Blue Hat v11 Executive Briefings: Win Phone 7 OEM Fail

A presentation at Blue Hat v11 executive briefings examined Windows Phone 7 security research. The briefing covered vulnerability trends and potential platform security improvements. It provided a high-level overview of security research findings for the Windows Phone 7 platform.

Windows Pwn 7 OEM - Owned Every Mobile?

Alex Plaskett presented research on Windows Phone 7 security vulnerabilities at multiple cybersecurity conferences. The presentation explored the Windows Phone 7 security model and potential system weaknesses. Technical findings and exploitation techniques were demonstrated during the talks.

  • 2 Sep 2010

Assessing the Tux Strength: Part 2 - Into the Kernel

This article examines Linux kernel security features across different distributions. It analyzes memory protection mechanisms and randomization techniques using tools like paxtest. The research reveals varying levels of kernel-level security settings, with most distributions showing vulnerabilities to certain exploitation techniques. Gentoo with a PaX kernel demonstrated the most robust security settings.

  • 16 Jul 2010

Just Arrived! - Max Pwnage

MWR Labs released Max Pwnage trading cards highlighting significant computer security vulnerabilities from the past 30 years. The cards are available to clients and conference attendees at multiple cybersecurity events in 2010. Max Pwnage is a fictional character representing the discovery and exploitation of computer system vulnerabilities.

  • 8 Mar 2010

Video: How To Be An RSol: Effective Bug Hunting in Solaris - ShmooCon 2010

A video from ShmooCon 2010 presents a Ruby-based Solaris debugging library. The presentation includes a video and slides discussing the library and its proof-of-concept tools. Materials from the talk are available online for review.

  • 5 Mar 2010

Presentation: ShmooCon 2010 - How To Be An RSol: Effective Bug Hunting in Solaris

Matt Hillman presented a research talk at ShmooCon 2010 about Solaris bug hunting techniques. The presentation demonstrated a Ruby-based debugging interface for Solaris that enables advanced software testing methods. The tool supports fault monitoring, code coverage, run tracing, code profiling, and fault injection.

  • 25 Jan 2010

Aurora and Web Browser Security

A technical analysis of web browser security in 2010 revealed significant Address Space Layout Randomization (ASLR) vulnerabilities across major browsers. The study compared default installations of Internet Explorer, Firefox, Opera, Safari, and Chrome on Windows 7, highlighting inconsistent implementation of security mitigation techniques. Market share and exploit complexity were identified as key factors in browser security risks.

  • 18 Jan 2010

Google Forensics (...beta)

File carving is a forensic technique for recovering deleted files by extracting data based on file header signatures. Unique web artifacts like Google's commemorative logos can provide contextual information about system usage and activity. This method allows forensic investigators to reconstruct system interactions by analyzing temporary internet files and their visual content.

  • 18 Jan 2010

Solaris Debugging and Bug Hunting at ShmooCon 2010

Matt Hillman introduces RSol, a Ruby-based debugging tool for Solaris at ShmooCon 2010. The tool explores the effectiveness of DTrace for bug hunting and reverse engineering compared to traditional debugging techniques. RSol aims to become a comprehensive suite that combines debugging and DTrace-based methods.

  • 14 Jan 2010

Adobe Reader Exploit on Vista and 7

A vulnerability in Adobe Reader affecting Vista and Windows 7 systems was discovered, impacting the "media.newPlayer" issue. The exploit functions reliably across multiple Adobe Reader versions, even with ASLR and DEP protections enabled. Disabling JavaScript and applying patches are recommended mitigation strategies.

  • 7 Sep 2009

Attacking Altiris at DeepSec '09

Luke Jennings will present research on vulnerabilities in Symantec's Altiris Deployment Solution at DeepSec '09 in Vienna. The presentation will focus on security issues in deployment technologies. Cybersecurity professionals interested in deployment solution security are encouraged to attend the conference.

HashCookies - A Simple Recipe

HashCookies is a session security technique that uses random salt and hashing to generate browser-specific session cookies. The method prevents session hijacking by making stolen session IDs unusable without the original salt. Implementation requires support from both web browsers and web servers to generate secure, context-specific session identifiers.

DeepSec 2008 - Behind Enemy Lines: Administrative Web Application Attacks

At DeepSec 2008, Rafael Dominguez Vega presented research on administrative web application attacks. The presentation focused on script injection vulnerabilities in SSID and DHCP systems. Demonstration techniques for exploiting administrative web interfaces were discussed in the talk.

Presentation: DeepSec 2008 - Behind Enemy Lines: Administrative Web Application Attacks

A presentation at DeepSec 2008 by Rafael Dominguez Vega explored administrative web application attacks. The talk focused on script injection vulnerabilities discovered through SSID and DHCP attack vectors. Presentation slides are available for download and review.

  • 15 Sep 2008

Stockholm Sec-T Conference Roundup

The inaugural Sec-T conference in Stockholm featured diverse cybersecurity presentations covering virtualization security, cybercrime, and emerging technological threats. Speakers discussed organized criminal activities, vulnerabilities in operating systems, and enterprise software security challenges. The conference provided insights into cutting-edge security research across multiple domains of information technology.

  • 11 Aug 2008

Defcon 16 Talk Review: Advanced Software Armouring and Polymorphic Kung-Fu

Nick Harbour presented PE-Scrambler, an advanced Windows executable packer that manipulates binary code at the disassembly level to obstruct reverse engineering. The tool uses sophisticated techniques like destroying call trees, relocating code chunks, and creating ambiguous disassembly to make binary analysis challenging. Additionally, Harbour demonstrated FindEvil, a tool that detects packed binaries by comparing disassembly size to binary size.

  • 31 Jul 2008

Behind Enemy Lines: Administrative Application Attacks White Paper released

A white paper by MWR InfoSecurity explores security vulnerabilities in administrative web applications. The research details how alternative network protocols like DHCP and 802.11 can be leveraged to conduct web-based attacks. The paper provides insights into practical exploitation techniques for testing and compromising administrative web applications.

Security Implications of Windows Access Tokens

A whitepaper by Luke Jennings explores the security implications of Windows access tokens in enterprise environments. The document details how access token design can be exploited during penetration testing, highlighting systemic vulnerabilities in corporate security controls. The paper discusses the technical mechanisms of Windows access tokens and provides insights into potential post-exploitation techniques.

FIST 2007 - Inspect a Gadget

A presentation by Rafael Dominguez Vega explores security vulnerabilities in Windows Vista Sidebar Gadgets. The research investigates potential attack vectors targeting these gadgets. Best practice recommendations are provided for mitigating security risks associated with sidebar gadget implementations.

Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista

This white paper analyzes the security implications of Windows Vista's Sidebar Gadgets feature. It explores potential attack vectors and risks associated with the new technology. The document provides recommendations for a secure implementation of Sidebar Gadgets.