Showing Posts About

2017

  • 17 Dec 2017

Finding the Low-Hanging Route

A critical vulnerability was discovered in Cisco's APIC-EM SDN controller that allows unauthorized access to internal network services. By adding a static route and exploiting IP routing configurations, an attacker can bypass network isolation and directly access sensitive internal services without authentication. The vulnerability enables potential compromise of system credentials and unauthorized access to critical infrastructure components like Apache Cassandra and RabbitMQ.

Corrupting Memory In Microsoft Office Protected-View Sandbox

This presentation explores vulnerabilities in Microsoft Office's Protected-View sandbox through fuzzing its Inter-Process Communication (IPC) attack surface. Two critical CVEs were discovered targeting the reduced functionality sandbox environment. The talk details the methodology for generating test cases and analyzing potential security weaknesses in Protected-View.

  • 3 Oct 2017

WebUSB - How a website could steal data off your phone

WebUSB is a JavaScript API in Chrome that allows websites to access USB devices with user permission. The API enables potential data theft from connected devices like Android phones by establishing unauthorized connections. Security considerations highlight risks such as file system access, installing APKs, and potential device compromise through a single user interaction.

Biting the Apple that feeds you - macOS Kernel Fuzzing

An automated kernel fuzzing framework was developed for the macOS XNU kernel using an in-memory fuzzer with static and dynamic analysis techniques. The framework targeted core subsystems to identify critical vulnerabilities in macOS. The approach aimed to address the limited existing automated kernel fuzzing solutions for the Apple platform.

  • 22 Sep 2017

“Tasking” Office 365 for Cobalt Strike C2

A novel Command and Control (C2) technique for Cobalt Strike was demonstrated using Office 365's Exchange Web Services. The technique leverages Outlook tasks as a communication channel to transmit malicious traffic through a legitimate service. The proof-of-concept shows how attackers can use the External C2 interface to create covert communication paths through enterprise collaboration tools.

Kernel Driver mmap Handler Exploitation

This whitepaper explores exploitation techniques for Linux kernel driver memory mapping vulnerabilities. The research addresses the lack of public documentation on identifying and exploiting security flaws in kernel driver development. The goal is to provide guidance for developers to understand and mitigate memory mapping issues in kernel drivers.

Land, Configure Microsoft Office, Persist

This presentation explores native Microsoft Office add-in mechanisms that can be exploited for persistence on compromised workstations. Various techniques for abusing Office add-ins are analyzed from a red teaming perspective. The talk examines deployment complexity, privilege requirements, and effectiveness in different computing environments.

  • 1 Aug 2017

Alexa, are you listening?

A physical attack on early Amazon Echo models allows root access by exploiting exposed debug pads and an SD card boot configuration. By gaining root shell access, an attacker can install a malware implant that turns the device into a remote wiretap. The attack requires physical access to the device and can potentially stream live microphone audio to remote services without disrupting the Echo's normal functionality.

  • 7 Jul 2017

Using Windows File Auditing to Detect Honeyfile Access

Windows file auditing offers a covert method for detecting unauthorized access to sensitive files on network shares. By configuring native Windows audit policies, detailed logs can be generated when interactions occur with specific "honeyfiles". This technique provides a low-noise, high-fidelity approach to monitoring potential security breaches on file systems.

  • 29 Jun 2017

Offensive ICS Exploitation: A Description of an ICS CTF

A cybersecurity team demonstrated multiple attack vectors against industrial control systems (ICS) water treatment testbeds during a Capture the Flag competition. The attacks included establishing external command and control channels, overwriting historian database values, manipulating human-machine interfaces, and modifying programmable logic controller logic. Multiple techniques were used to compromise network systems and tamper with sensor data, exposing critical infrastructure vulnerabilities.

  • 16 May 2017

DLL Tricks with VBA to Improve Offensive Macro Capability

This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.

  • 21 Apr 2017

Add-In Opportunities for Office Persistence

This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.

  • 21 Apr 2017

Logic Bug Hunting in Chrome on Android

A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.

  • 10 Mar 2017

A Window into Ring0

Sam Brown's presentation explores Windows kernel mode attack surfaces and vulnerabilities in modern systems. The talk covers techniques for finding bugs in kernel mode code and common exploitation methods for gaining system-level access. Brown discusses the increasing trend of attackers targeting kernel mode to bypass user account restrictions and sandboxing.

  • 27 Jan 2017

A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition

A novel technique for leaking kernel bitmap object addresses in Windows post-Anniversary Edition is detailed. The method exploits memory reuse in the kernel's paged pool by leveraging accelerator tables and bitmap object allocation. This approach provides a way to retrieve kernel object addresses after previous information leak protections were implemented.

  • 10 Jan 2017

Digital Lockpicking: Why Your Front Door Shouldn't Be On The Internet

A critical vulnerability was discovered in FingerTec/ZKTeco biometric access control devices. The unencrypted UDP protocol allows attackers to create unauthorized admin accounts, extract user data, and potentially unlock doors without authorization. Over 4000 such devices are exposed on the internet, posing significant security risks.

  • 4 Jan 2017

High Interaction Honeypots with Sysdig and Falco

A technical exploration of using sysdig and falco tools to rapidly deploy high-interaction honeypots on Linux systems. The project demonstrated techniques for monitoring and forensically analyzing attacker interactions through detailed system call and log capture. Two case studies revealed successful honeypot deployments that captured real-world attacker behaviors and malware interactions.

Trust? Years to earn, seconds to break

An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.