2018

  • 21 Dec 2018

Twinkly Twinkly Little Star

Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.

  • 8 Nov 2018

Intro to Binary Analysis with Z3 and angr

A workshop presentation introduces binary analysis techniques using Z3 and angr for security professionals. The presentation covers SMT solvers and their applications in reverse engineering and vulnerability research. Sample code and labs are provided to help participants understand and apply SMT solving techniques.

  • 2 Nov 2018

HP NonStop Basics

HP NonStop is a fault-tolerant computing platform used in critical transaction systems since 1976. The system features a unique architecture with Guardian and Open System Services environments, and uses specialized security components like Safeguard for user management and access control. The platform employs a distinctive approach to user and file management, with unique identifiers, access control lists, and specific security configurations that differ significantly from standard Unix or Windows systems.

  • 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

Apple Safari Pwn2Own 2018 Whitepaper

This whitepaper details two Safari vulnerabilities demonstrated at Desktop Pwn2Own 2018. The vulnerabilities (CVE-2018-4199 and CVE-2018-4196) allowed full compromise of macOS systems running Safari 11.0.3. The exploits could potentially breach user data on the affected systems.

Big Game Fuzzing Pwn2Own Safari T2

A presentation detailed vulnerability research targeting macOS Safari at Pwn2Own. The talk covered specialized fuzzing tools and exploit development techniques for browser security. Specific vulnerabilities were discussed, including a heap underflow in the browser and a sandbox breakout using uninitialized memory.

The Mate Escape - Huawei Pwn2Owning

A presentation at Hacktivity 2018 explored vulnerability discovery techniques targeting the Huawei Mate 9 Pro by focusing on logic bugs in Android platforms. The talk highlighted the expanding attack surface of logic vulnerabilities as memory corruption exploitation becomes increasingly challenging. Techniques for rapidly identifying potential remote compromise vulnerabilities across mobile handsets were discussed.

Debugging Released Xamarin Android Applications

A technical investigation revealed debugging techniques for released Xamarin Android applications. By manipulating system properties like 'debug.mono.runtime_args', method tracing can be performed on release builds. Code execution is possible through the Mono log profiler by creating a payload in the '.__override__' directory, allowing analysis of Xamarin applications without modifying the original APK.

  • 23 Aug 2018

DNS Rebinding Headless Browsers

A DNS rebinding attack technique targeting headless browsers running on AWS was demonstrated. The attack can exploit the AWS metadata endpoint by manipulating DNS and causing browsers to hang, potentially allowing exfiltration of sensitive AWS credentials. The method bypasses same-origin policy restrictions by dynamically changing domain IP addresses during browser interactions.

  • 23 Jul 2018

A Guide to Repacking iOS Applications

This technical guide details the process of repacking iOS applications for security research purposes. The methodology covers decrypting application binaries, patching with Frida, generating provisioning profiles, and resigning applications across different scenarios. Key techniques are demonstrated for repacking various types of iOS applications, including those with frameworks, app extensions, and watchOS companion apps.

  • 18 Jul 2018

Bypassing Memory Scanners with Cobalt Strike and Gargoyle

A novel technique for bypassing memory scanners using the Gargoyle method with Cobalt Strike is demonstrated. The approach involves periodically staging and removing a beacon payload from memory to evade detection by endpoint security solutions. By moving in and out of executable memory at timed intervals, the technique aims to avoid traditional memory scanning.

EC2 Policies: security, freedom, and both

This article explores how to balance security and flexibility when configuring AWS EC2 permissions. It demonstrates how carefully crafted IAM policies can enable precise infrastructure management while maintaining granular access controls. The solution involves using AWS policy conditions and resource tags to create specific permission boundaries for EC2 instance management.

  • 11 Jul 2018

Passing-the-Hash to NTLM Authenticated Web Applications

This article details a Pass-the-Hash (PtH) attack technique against web applications using Windows NTLM authentication. The attack allows impersonation of domain users by injecting a user's NT hash to authenticate to web applications without knowing the actual password. A practical demonstration is provided using an Exchange 2013 server and Mimikatz to execute the attack.

Chainspotting: Building Exploit Chains with Logic Bugs

A presentation explores the development of an exploit chain involving 11 logic bugs across 6 Android applications. The study demonstrates how logic vulnerabilities can be chained together to achieve malicious actions like silent APK installation. Techniques for discovering and exploiting logic bugs in Android systems are discussed, highlighting the challenges of complex vulnerability chaining.

  • 13 Jun 2018

EQL Injection (not a typo) and Oracle Endeca

EQL injection is a novel attack technique targeting Oracle Endeca search functionality in e-commerce platforms. Attackers can exploit unsecured Endeca search parameters to extract sensitive product information or perform denial of service attacks. The vulnerability stems from improper input validation in Endeca search implementations.

Huawei Mate 9 Pro Mobile Pwn2Own 2017

A whitepaper details vulnerabilities discovered in the Huawei Mate 9 Pro during Mobile Pwn2Own 2017. The document focuses on security issues found in the Huawei Reader and HIApp applications. Technical details of the vulnerabilities and exploitation methods are presented in the document.

Apple Safari - Wasm Section Exploit

A technical investigation was conducted into a vulnerability in Apple Safari's WebAssembly (Wasm) implementation discovered during Pwn2Own 2018. The vulnerability (CVE-2018-4121) was found in the relatively new Wasm component of WebKit, which was likely less thoroughly tested. The paper details technical exploration of the exploit techniques on macOS 10.13.3.

  • 13 Apr 2018

Some Brief Notes on WebKit Heap Hardening

WebKit has implemented substantial heap hardening techniques to improve memory safety in browsers. The changes include Gigacages, which isolate different object types into separate heaps, and IsoHeap, which allocates objects in dedicated memory pages. Additional protections involve pointer poisoning to make type confusion attacks more difficult.

Investigating RF Controls with RTL-SDR

A presentation at BSidesNYC 2018 explored Software Defined Radio (SDR) techniques using RTL-SDR to investigate insecure wireless signals. The talk demonstrated how affordable SDR tools can capture and decode simple RF controls like remote switches and car fobs. It highlighted the ongoing vulnerabilities in wireless communication protocols and encouraged exploration of RF security.

Enumerating remote access policies through GPO

This article details techniques for enumerating remote access policies in Windows environments through Group Policy Objects. It explores how User Account Control (UAC) and User Rights Assignment (URA) settings impact remote authentication and lateral movement opportunities. PowerView extensions were introduced to help map computer objects with specific remote authentication configurations.