The Research Blog

  • 2 Feb 2024

runc working directory breakout (CVE-2024-21626)

A critical vulnerability in runc (CVE-2024-21626) allows attackers to break out of container filesystems by exploiting a file descriptor leak. The flaw enables setting a container's working directory to the host filesystem, potentially granting unauthorized access to host systems in Kubernetes and containerized environments. Attackers can leverage this vulnerability to access host filesystems, execute malicious code, and potentially compromise multi-tenant Kubernetes clusters.

Synthetic Recollections

The article explores prompt injection techniques that can manipulate LLM agents with multi-chain reasoning systems. Two primary attack vectors are presented: thought/observation injection and thought-only injection. These attacks can potentially compromise the integrity of LLM-powered agents by tricking them into performing unintended actions through carefully crafted prompts.

  • 11 Oct 2023

Enumerating Cognito Clients Exposed to the internet

This article details a methodology for discovering and enumerating potential misconfigurations in AWS Cognito at scale. The approach involves finding ways to identify vulnerable Cognito instances using SEO backlink tools, AWS CLI commands, and systematic scanning techniques. The project highlights the challenges of cloud service security and the potential for large-scale vulnerability discovery through programmatic scanning.

  • 13 Sep 2023

Guiding black-box CAN fuzzing with electromagnetic side-channel analysis

An electromagnetic side-channel analysis technique is introduced for guiding black-box CAN fuzzing in automotive Electronic Control Units (ECUs). The method helps identify valid CAN message IDs by analyzing electromagnetic emissions during message processing. This approach improves fuzzing effectiveness when detailed system documentation is unavailable.

Executing Arbitrary Code & Executables in Read-Only FileSystems

This article explores methods of executing arbitrary code in read-only Kubernetes pod file systems. Three techniques are demonstrated for bypassing read-only filesystem restrictions, including using in-memory execution, exploiting /dev/shm, and leveraging dynamic program loaders. The research highlights the complexity of container security and the need for multi-layered defense strategies.

Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks

A security analysis of Megafeis smart padlocks revealed critical vulnerabilities in their mobile application and API. By exploiting authorization flaws, an attacker within Bluetooth range can enumerate account information and transfer lock ownership to their own account. The research demonstrates significant security weaknesses in the smart lock's backend infrastructure and mobile application.

Detecting OneNote Abuse

OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.

Dangers of a Service as a Principal in AWS Resource-Based Policies

A critical AWS security vulnerability involves overly permissive resource-based policies that can allow cross-account access to services like SNS and Lambda. These policies enable attackers to interact with resources without direct account permissions, potentially bypassing network restrictions. The attack can exploit AWS service principals to gain unauthorized access to sensitive resources across different AWS accounts.

Looting Microsoft Configuration Manager

CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.

  • 8 Sep 2022

Prototype Pollution Primer for Pentesters and Programmers

Prototype pollution is a JavaScript vulnerability where attackers can manipulate object prototypes to inject malicious properties. The attack involves two stages: polluting the prototype and then exploiting functions that process polluted objects. A demonstration using jQuery BBQ and jQuery shows how an attacker can potentially execute arbitrary JavaScript in web applications.

Scheduled Task Tampering

This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.

Faking Another Positive COVID Test

A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.