The Research Blog

Executing Arbitrary Code & Executables in Read-Only FileSystems

This article explores methods of executing arbitrary code in read-only Kubernetes pod file systems. Three techniques are demonstrated for bypassing read-only filesystem restrictions: in-memory execution, abuse of the /dev/shm tmpfs mount, and invocation of the dynamic program loader. The research highlights the complexity of container security and the need for multi-layered defense strategies.

Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks

A security analysis of Megafeis smart padlocks revealed critical vulnerabilities in their mobile application and API. By exploiting authorization flaws, an attacker within Bluetooth range can enumerate account information and transfer lock ownership to their own account. The research demonstrates significant security weaknesses in the smart lock's backend infrastructure and mobile application.

Detecting OneNote Abuse

OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.

Dangers of a Service as a Principal in AWS Resource-Based Policies

A critical AWS security vulnerability involves overly permissive resource-based policies that can allow cross-account access to services like SNS and Lambda. These policies enable attackers to interact with resources without direct account permissions, potentially bypassing network restrictions. The attack can exploit AWS service principals to gain unauthorized access to sensitive resources across different AWS accounts.

Looting Microsoft Configuration Manager

CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.

Prototype Pollution Primer for Pentesters and Programmers

Prototype pollution is a JavaScript vulnerability where attackers can manipulate object prototypes to inject malicious properties. The attack involves two stages: polluting the prototype and then exploiting functions that process polluted objects. A demonstration using jQuery BBQ and jQuery shows how an attacker can potentially execute arbitrary JavaScript in web applications.

Scheduled Task Tampering

This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.

Faking Another Positive COVID Test

A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.

Detecting Attacks against Azure DevOps

This article explores detection opportunities for attacks against Azure DevOps, focusing on telemetry sources and logging limitations. It details how malicious actors can exploit Azure AD applications, steal Personal Access Tokens (PAT), and compromise DevOps pipelines. The research emphasizes the importance of multi-source logging and contextual analysis to detect sophisticated DevOps security incidents.

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.

Faking A Positive COVID Test

A vulnerability was discovered in the Ellume COVID-19 Home Test that allows falsifying test results. By manipulating Bluetooth traffic, it was possible to change a negative test to a positive result. The attack involved modifying specific byte values in the device's communication protocol and recalculating checksums, ultimately obtaining a verified COVID test certificate from Azova.

Printing Shellz

Multiple zero-day vulnerabilities were discovered affecting over 150 HP multi-function printers. The vulnerabilities enable network infrastructure compromise through malicious printing and web-based exploits. New tooling was developed to demonstrate how printers can serve as entry points for network attacks.