The Research Blog

• 20 Mar 2015

GitLab User Enumeration

A user enumeration vulnerability was discovered in GitLab versions 5.0.0 to 7.5.0 that allows anonymous discovery of usernames through an unauthenticated internal API. The vulnerability enables attackers to potentially exploit source code repositories by enumerating valid usernames and targeting authentication systems. Metasploit modules were developed to demonstrate and exploit this security issue.

• 16 Mar 2015

HackFu Challenge 2015

MWR's HackFu Challenge 2015 is an invitation-only hacking event offering 10 free tickets to cybersecurity professionals. The challenge involves a sci-fi themed mission to save the planet from an intergalactic threat by solving complex cybersecurity puzzles. Participants must complete challenges by April 30th, 2015, with the opportunity to attend the event in the UK in June.

• Jahmel Harris
• 6 Mar 2015

Watch You Lookin' At?

A security presentation at Securi-Tay 2015 examined vulnerabilities in Android Wear wearable devices. The research by Jahmel Harris and Owen Evans revealed potential malware risks for extracting sensitive information from these platforms. Security weaknesses in Android Wear's implementation were discussed as part of the investigation.

• Luke Jennings
• 13 Feb 2015

Practically Exploiting MS15-014 and MS15-011

The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.

• 12 Feb 2015

Popping alert(1) in Flash

This article explores cross-site scripting (XSS) vulnerabilities in Adobe Flash applications. It details how ActionScript can be exploited through unvalidated FlashVars, ExternalInterface calls, and remote content loading techniques. Multiple attack vectors are demonstrated, including manipulating URL parameters, loading malicious XML, and abusing URI schemes in Flash applications.

• 8 Jan 2015

CVE-2014-8272: A Case of Weak Session-ID in Dell iDRAC

A vulnerability in Dell iDRAC's IPMI v1.5 implementation allows unauthenticated attackers to predict session IDs. The weak session ID generation mechanism enables attackers to inject arbitrary commands into privileged sessions by exploiting predictable session identification. The vulnerability potentially allows privilege escalation across different IPMI communication channels.

• Ben Campbell Jon Cave
• 16 Dec 2014

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

• 10 Dec 2014

Faster fuzzing with Python

This article explores performance optimization techniques for executing external processes in Python. By investigating process spawning methods like subprocess, fork, and posix_spawn, the performance of small binary executions was analyzed. The investigation revealed that using posix_spawn with vfork can significantly improve execution speed compared to traditional subprocess methods.

• 28 Nov 2014

My NFC Remains Enabled - Reflections on Mobile Pwn2Own 2014

Mobile Pwn2Own 2014 highlighted zero-day vulnerabilities in mobile devices, particularly those involving NFC technologies. The competition demonstrated the ongoing challenges in mobile device security, emphasizing the importance of careful app store selection for users and proactive security design for developers. Despite potential NFC-related risks, most users are more likely to encounter threats through phishing and malware.

• Kostas Lintovois
• 31 Oct 2014

Windows Services - All roads lead to SYSTEM

This whitepaper examines security vulnerabilities in Windows services, focusing on configuration-related flaws that can lead to privilege escalation. It explores six key service areas where misconfigurations can provide attackers opportunities to execute arbitrary code with elevated system privileges. The document provides insights into assessing and remediating potential security risks in Windows service configurations.

• 15 Aug 2014

Windows 8 Kernel Memory Protections Bypass

A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.

• 20 Jun 2014

Isolated Heap & Friends - Object Allocation Hardening in Web Browsers

Web browsers have implemented object allocation hardening techniques to mitigate use-after-free vulnerabilities. These techniques include Internet Explorer's Isolated Heap, Firefox's Presentation Arena, and Chrome's PartitionAlloc. Each approach aims to constrain memory allocation strategies and make exploitation more difficult by separating object types and controlling memory reuse.