The Research Blog

  • 21 Apr 2017

Add-In Opportunities for Office Persistence

This article explores techniques for gaining persistence through Microsoft Office add-ins. The add-in types examined include WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins, which can execute code when Office applications start. Each add-in type offers its own mechanism for code execution, with different technical advantages and limitations.

  • 21 Apr 2017

Logic Bug Hunting in Chrome on Android

A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.

  • 10 Mar 2017

A Window into Ring0

Sam Brown's presentation explores Windows kernel mode attack surfaces and vulnerabilities in modern systems. The talk covers techniques for finding bugs in kernel mode code and common exploitation methods for gaining system-level access. Brown discusses the increasing trend of attackers targeting kernel mode to bypass user account restrictions and sandboxing.

  • 27 Jan 2017

A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition

A novel technique for leaking kernel bitmap object addresses in Windows post-Anniversary Edition is detailed. The method exploits memory reuse in the kernel's paged pool by leveraging accelerator tables and bitmap object allocation. This approach provides a way to retrieve kernel object addresses after previous information leak protections were implemented.

  • 10 Jan 2017

Digital Lockpicking: Why Your Front Door Shouldn't Be On The Internet

A critical vulnerability was discovered in FingerTec/ZKTeco biometric access control devices. The unencrypted UDP protocol allows attackers to create unauthorized admin accounts, extract user data, and potentially unlock doors without authorization. Over 4000 such devices are exposed on the internet, posing significant security risks.

  • 4 Jan 2017

High Interaction Honeypots with Sysdig and Falco

A technical exploration of using sysdig and falco tools to rapidly deploy high-interaction honeypots on Linux systems. The project demonstrated techniques for monitoring and forensically analyzing attacker interactions through detailed system call and log capture. Two case studies revealed successful honeypot deployments that captured real-world attacker behaviors and malware interactions.

Trust? Years to earn, seconds to break

An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.

  • 29 Nov 2016

Hello MS08-067, My Old Friend

A proof-of-concept exploit was developed for the MS08-067 vulnerability targeting Windows Server 2003 x64 SP0. The work addressed the lack of publicly available exploits for 64-bit systems vulnerable to this critical remote code execution flaw. The article provides insights into the challenges of 64-bit exploit development without introducing new exploit techniques.

  • 17 Nov 2016

Working 9 till 5

A summer intern at MWR conducted security research on the Android game "Legion Hunters", uncovering multiple vulnerabilities in the game's login system. The research revealed unencrypted API calls, weak authentication mechanisms, and insecure account management that could allow unauthorized access to user accounts. The intern demonstrated how an attacker could potentially log in as any user by exploiting these security flaws.

One Template To Rule 'Em All

A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.

  • 3 Nov 2016

A Penetration Tester’s Guide to the Azure Cloud

This presentation provides a comprehensive guide to security assessment of Microsoft Azure Cloud services. It explores key security components, controls, and configurations across Azure deployments. The talk introduces Azurite, a tool for collecting and visualizing Azure infrastructure information.

  • 3 Nov 2016

AVRop VM: A ROP based M/o/Vfuscator VM on a Harvard device

A novel virtual machine (VM) based on Return-Oriented Programming (ROP) was developed for an AVR microcontroller. The VM adapts the M/o/Vfuscator concept to a Harvard architecture device, implementing a single ROP chain that can execute different payloads through memory-mapped instruction interpretation. The approach allows varied functionality to be executed using the same ROP chain on an embedded device with limited resources.