Showing Posts About

Blog post

  • 10 Apr 2024

Abusing search permissions on Docker directories for privilege escalation

A privilege escalation vulnerability was discovered in Docker environments where the /var/lib/docker directory has search permissions for other users. Low-privileged attackers can access container filesystems by exploiting these permissions. By modifying container startup scripts and leveraging host reboot capabilities, attackers can potentially gain root access on the host system.

  • 29 Feb 2024

Binary Exploitation for SPECIAL Occasions: Privilege Escalation in z/OS

This article explores a privilege escalation technique in z/OS mainframe systems by manipulating the Accessor Environment Element (ACEE). The technique involves creating an APF-authorized assembly program that modifies user flags in memory to gain SPECIAL privileges. The exploit demonstrates how low-level memory structures and system internals can be leveraged to escalate system access.

  • 29 Feb 2024

The Hidden Depths of Mainframe Application Testing: More Than (Green) Screen-Deep

Mainframe application security testing requires looking beyond surface-level "green screen" interfaces. The article explores three key vulnerability areas in mainframe environments: application breakouts that allow unauthorized transaction access, surrogate chaining that can bypass environment segregation controls, and downstream misconfigurations in database and system components. Comprehensive security assessments must take a holistic approach to mainframe application testing.

eLinkSmart - Unlocking Bluetooth LE padlocks with polite requests

A critical security analysis of eLinkSmart Bluetooth padlocks revealed multiple severe vulnerabilities. The locks have hardcoded encryption keys, an insecure web API with SQL injection flaws, and weak authentication controls. These vulnerabilities allow attackers to unlock any lock within Bluetooth range and access sensitive user information.

Synthetic Recollections

The article explores prompt injection techniques that can manipulate LLM agents with multi-chain reasoning systems. Two primary attack vectors are presented: thought/observation injection and thought-only injection. These attacks can potentially compromise the integrity of LLM-powered agents by tricking them into performing unintended actions through carefully crafted prompts.

  • 13 Sep 2023

Guiding black-box CAN fuzzing with electromagnetic side-channel analysis

An electromagnetic side-channel analysis technique is introduced for guiding black-box CAN fuzzing in automotive Electronic Control Units (ECUs). The method helps identify valid CAN message IDs by analyzing electromagnetic emissions during message processing. This approach improves fuzzing effectiveness when detailed system documentation is unavailable.

Executing Arbitrary Code & Executables in Read-Only FileSystems

This article explores methods of executing arbitrary code in read-only Kubernetes pod file systems. Three techniques are demonstrated for bypassing read-only filesystem restrictions, including using in-memory execution, exploiting /dev/shm, and leveraging dynamic program loaders. The research highlights the complexity of container security and the need for multi-layered defense strategies.

Detecting OneNote Abuse

OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.

Dangers of a Service as a Principal in AWS Resource-Based Policies

A critical AWS security vulnerability involves overly permissive resource-based policies that can allow cross-account access to services like SNS and Lambda. These policies enable attackers to interact with resources without direct account permissions, potentially bypassing network restrictions. The attack can exploit AWS service principals to gain unauthorized access to sensitive resources across different AWS accounts.

Looting Microsoft Configuration Manager

CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.

  • 8 Sep 2022

Prototype Pollution Primer for Pentesters and Programmers

Prototype pollution is a JavaScript vulnerability where attackers can manipulate object prototypes to inject malicious properties. The attack involves two stages: polluting the prototype and then exploiting functions that process polluted objects. A demonstration using jQuery BBQ and jQuery shows how an attacker can potentially execute arbitrary JavaScript in web applications.

Scheduled Task Tampering

This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.

Faking Another Positive COVID Test

A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.

Detecting Attacks against Azure DevOps

This article explores detection opportunities for attacks against Azure DevOps, focusing on telemetry sources and logging limitations. It details how malicious actors can exploit Azure AD applications, steal Personal Access Tokens (PAT), and compromise DevOps pipelines. The research emphasizes the importance of multi-source logging and contextual analysis to detect sophisticated DevOps security incidents.

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.

Faking A Positive COVID Test

A vulnerability was discovered in the Ellume COVID-19 Home Test that allows falsifying test results. By manipulating Bluetooth traffic, it was possible to change a negative test to a positive result. The attack involved modifying specific byte values in the device's communication protocol and recalculating checksums, ultimately obtaining a verified COVID test certificate from Azova.

A bit of a Fixer Upper - Testing FIX-backed applications

This article explores testing and intercepting FIX protocol applications using MitM_Relay and Burp Suite. A custom Python script was developed to maintain message integrity when modifying FIX messages. A Burp extension called "Fixer Upper" was created to simplify FIX message interception and modification.

  • 3 Aug 2021

Playing with PuTTY

This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #1

This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #2

An Azure security lab demonstrated privilege escalation by exploiting insecure Logic App workflow configurations. By leveraging a service principal with Reader permissions, sensitive credentials embedded in clear text were discovered. The attack allowed escalation from Reader to Contributor-level access in the Azure resource group.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #3

This article demonstrates a stealthy method of data collection from an Azure VM by creating a snapshot of a target VM's disk and mounting it to an attack VM. The technique allows accessing sensitive information without directly interacting with the original VM, minimizing detection risks. The lab concludes by highlighting the importance of monitoring Azure activity logs for detecting such lateral movement techniques.

Heavy Metal Debugging

This article provides a detailed walkthrough of reverse engineering and debugging techniques on IBM zOS using the TSO TEST debugger. A vulnerable C program with a buffer overflow vulnerability is analyzed through low-level assembly language examination. The guide covers compiling, running, and debugging a sample program on the zOS mainframe environment, demonstrating techniques for finding passwords and exploiting buffer overflow vulnerabilities.

Attack Detection Fundamentals 2021: AWS - Lab #1

This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.

Attack Detection Fundamentals 2021: AWS - Lab #2

This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.

Attack Detection Fundamentals 2021: AWS - Lab #3

This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.

Attack Detection Fundamentals 2021: macOS - Lab #1

This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.

Attack Detection Fundamentals 2021: macOS - Lab #2

This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.

Attack Detection Fundamentals 2021: macOS - Lab #3

This article explores a macOS attack technique that bypasses Apple's Transparency, Consent & Control (TCC) security mechanism. The attack leverages SSH's full disk access to directly modify the TCC database, allowing unauthorized access to protected system resources. Detection methods are demonstrated, focusing on monitoring local SSH connections and direct database modifications.

Detecting Exposed Cobalt Strike DNS Redirectors

A technique was developed to detect exposed Cobalt Strike DNS redirectors by identifying DNS servers that consistently return the same IP address for all domain queries. The method involves scanning DNS servers and analyzing their response patterns to identify potential Cobalt Strike infrastructure. An internet-wide survey was conducted to validate the detection approach, revealing multiple potential Cobalt Strike DNS servers.

Attack Detection Fundamentals 2021: Windows - Lab #1

This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #2

This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.

Attack Detection Fundamentals 2021: Windows - Lab #3

This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.

Attack Detection Fundamentals 2021: Windows - Lab #4

This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.

  • 30 Mar 2021

Click here for free TV! - Chaining bugs to takeover Wind Vision accounts

A critical vulnerability was discovered in the Wind Vision mobile app that enables account takeover through chained security flaws. The attack exploits insecure URL schemes, weak device identification, and authentication mechanisms to intercept OAuth tokens. By crafting a malicious app, an attacker can potentially stream content or remove user devices from the Wind Vision account.

Sniff, there leaks my BitLocker key

A low-cost method was demonstrated to extract BitLocker encryption keys by sniffing the SPI bus of a Trusted Platform Module (TPM). The attack requires brief physical access to a target machine and can be performed using publicly available tools. By capturing TPM communication, the Volume Master Key can be retrieved and used to decrypt a BitLocker-protected drive.

Detecting Cobalt Strike Default Modules via Named Pipe Analysis

A technical analysis of Cobalt Strike's default modules reveals distinctive named and anonymous pipe communication patterns. The article explores how Cobalt Strike uses pipes for inter-process communication during post-exploitation activities like keylogging and screenshot capture. Detection techniques are proposed, including Yara rules and Splunk searches to identify these unique pipe characteristics.

Using and detecting C2 printer pivoting

A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.

Samsung S20 - RCE via Samsung Galaxy Store App

A remote code execution vulnerability was discovered in the Samsung Galaxy Store app for S20 devices. The vulnerability allowed attackers to install applications without user consent by exploiting a WebView JavaScript interface. An attack could be conducted via a man-in-the-middle attack using NFC or WiFi.

GWTMap - Reverse Engineering Google Web Toolkit Applications

GWTMap is a novel tool for reverse engineering Google Web Toolkit (GWT) applications. The tool extracts and maps service method endpoints from obfuscated client-side code across different GWT versions. It enables cybersecurity professionals to generate example GWT-RPC request payloads and analyze the attack surface of GWT-based web applications.

Operationalising Calendar Alerts: Persistence on macOS

A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.

Introducing LDAP C2 for C3

A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.

  • 29 Sep 2020

Application-level Purple Teaming: A case study

An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.

  • 7 Sep 2020

Securing AEM With Dispatcher

This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.

  • 2 Sep 2020

N1QL Injection: Kind of SQL Injection in a NoSQL Database

N1QL injection is a vulnerability in Couchbase NoSQL databases that allows attackers to manipulate database queries. An open-source tool called N1QLMap was developed to automate N1QL injection testing and exploitation. The tool enables data extraction, system information retrieval, and server-side request forgery (SSRF) attacks through specialized query techniques.

  • 27 Aug 2020

Exploiting CVE-2019-17026 - A Firefox JIT Bug

A detailed technical analysis of a critical vulnerability (CVE-2019-17026) in Firefox's SpiderMonkey JIT compiler was presented. The vulnerability involves type confusion and bounds check elimination in the IonMonkey JIT compilation process. The article explores how carefully crafted JavaScript can exploit interactions between multiple compilation chains to bypass JIT compiler safeguards and potentially execute arbitrary code.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #1

This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #2

This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #3

This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1

This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #2

This article explores techniques for detecting file share enumeration and lateral movement in Windows environments. The lab demonstrates how to use Event Tracing for Windows (ETW) and Windows Event Logs to identify suspicious LDAP queries and file share access patterns. Specific focus is placed on using SharpShares to discover exposed file shares and detect potential security risks, including analysis of Group Policy Preference files.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3

This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #4

This article explores lateral movement techniques using PsExec in Windows environments. It details detection strategies for identifying suspicious remote execution activities through Windows event logs and Sysmon telemetry. Key detection opportunities include monitoring service creation events, process creation logs, and named pipe interactions during remote command execution.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5

This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #1

This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #2

This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.

  • 3 Jul 2020

Helping root out of the container

A container breakout technique exploits AF_LOCAL sockets to smuggle file descriptors into a container. By passing a file descriptor for the root directory, a root user within the container can modify files outside its mount namespace. This attack demonstrates how root access in a container can compromise intended security isolation boundaries.

Attack Detection Fundamentals: Initial Access - Lab #1

This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.

Attack Detection Fundamentals: Initial Access - Lab #2

This article explores attack detection techniques for initial access using the Koadic post-exploitation framework deployed via an HTA file. The lab focuses on identifying suspicious process and network connection relationships using Sysmon event logs. Key objectives include detecting anomalous binaries and network connections as potential indicators of compromise.

Attack Detection Fundamentals: Initial Access - Lab #3

This article details a multi-stage initial access attack technique used by the Cobalt Kitty group involving a malicious Word macro. The attack creates a scheduled task to execute an obfuscated PowerShell payload that ultimately injects a Cobalt Strike beacon into memory. The walkthrough explores detailed steps of crafting a beacon delivery mechanism while highlighting potential detection strategies.

Attack Detection Fundamentals: Initial Access - Lab #4

This article demonstrates creating a malicious Excel 4.0 Macro with Metasploit shellcode to obtain remote access on a Windows system. The lab walks through generating a Meterpreter payload, setting up a Metasploit listener, and executing the malicious macro. Memory forensics techniques using Volatility are explored to analyze the compromised host and detect stealthy code injection methods.

  • 11 Jun 2020

Abusing access to mount namespaces through /proc/pid/root

Linux namespaces can be abused for privilege escalation in containerized environments. Two key attack vectors are demonstrated: creating block devices in Docker containers to bypass access controls and exploiting symlink vulnerabilities through mount and user namespaces. The research highlights potential security risks in container configurations and namespace implementations.

  • 20 May 2020

Releasing the CAPTCHA Cracken

A tool called CAPTCHA Cracken was developed to bypass text-based CAPTCHAs on an Outlook Web App portal. Advanced image preprocessing techniques and browser automation with Pyppeteer were used to overcome significant CAPTCHA recognition challenges. The project demonstrated the vulnerability of traditional text-based CAPTCHAs to machine learning-based automated attacks.

  • 15 May 2020

Internet Exploiter: Understanding vulnerabilities in Internet Explorer

This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.

  • 1 May 2020

Bypassing Windows Defender Runtime Scanning

This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.

Jamfing for Joy: Attacking macOS in Enterprise

The article details multiple attack vectors against Jamf, a macOS enterprise management platform. Multiple techniques for compromising device management systems are explored, including password spraying, user enumeration, and policy abuse. An open-source Jamf Attack Toolkit was developed to demonstrate and facilitate these cybersecurity vulnerabilities.

How are we doing with Android's overlay attacks in 2020?

Android's Accessibility Services (AAS) can be exploited by malicious apps to perform dangerous actions on a user's device. These actions include keylogging, auto-granting permissions, reading screen content, and performing automated interactions with other apps. The article demonstrates how a malicious app can leverage AAS to potentially steal sensitive information and perform unauthorized actions without user detection.

  • 10 Mar 2020

Making Donuts Explode – Updates to the C3 Framework

The C3 framework's "Exploding Donut" release introduces significant updates to cybersecurity operations. Key improvements include integration with the Covenant C2 framework and Donut for compressed shellcode generation. The ChannelLinter project was added to simplify channel development for cybersecurity professionals.

Rethinking Credential Theft

Physmem2profit is a novel red team tool for credential theft that bypasses traditional LSASS process monitoring. The tool allows remote extraction of credential material by exposing and analyzing physical memory without directly interacting with the LSASS process. It provides an alternative approach to credential theft by leveraging memory forensics techniques on Windows systems.

TamaGo

TamaGo is a Go-based framework for developing secure embedded system firmware without C dependencies or complex operating systems. It provides a minimal runtime with direct hardware drivers for specific System-on-Chip platforms, enabling Go applications to run directly on bare metal hardware. The framework aims to reduce firmware attack surfaces by eliminating traditional low-level code complexities.

  • 17 Jan 2020

Misadventures in AWS

This article details manual techniques for AWS security assessment and privilege escalation during penetration testing. The approach involves generating temporary access keys for multiple AWS roles and systematically collecting data across different accounts using AWS CLI tools. The methodology demonstrates how an attacker with limited initial access can enumerate AWS resources, analyze IAM policies, and potentially escalate privileges within an AWS environment.

  • 24 Dec 2019

Hackin' around the Christmas tree

A vulnerability was discovered in the Abis HD6000+ SMART Android projector that allows remote code execution on the local network. The vulnerability stems from an unauthenticated HTTP endpoint on port 9909 that enables command execution. An attacker can potentially escalate the attack to a wide-area network remote code execution scenario using WebRTC techniques.

  • 20 Dec 2019

Opening Up the Samsung Q60 series smart TV

A technical analysis was conducted on the Samsung Q60 series smart TV, exploring its hardware, firmware, and network services through detailed reverse engineering techniques. The investigation involved board-level analysis, extracting and examining the eMMC flash memory, and investigating the proprietary VDFS filesystem. Multiple approaches were used to understand the TV's internal architecture, including examining debug ports, firmware upgrade processes, and network services.

Digital lockpicking - stealing keys to the kingdom

A security analysis of the KeyWe Smart Lock revealed critical vulnerabilities in its Bluetooth Low Energy communication protocol. The lock's in-house key exchange mechanism allows attackers to easily intercept and decrypt device communications by exploiting a predictable common key generation process. By analyzing the mobile application and BLE traffic, the vulnerability in the lock's cryptographic design was exposed.

AWS: Such auspices are very hard to read

awspx is a proof-of-concept tool designed to visualize and analyze complex AWS access management relationships. The tool helps identify potential attack paths by mapping out resource interactions and effective access within AWS cloud infrastructure. It addresses the challenge of understanding intricate AWS policy interactions by creating a graph-based representation of resource and action relationships.

Uncommon SQL Database Alert - Informix SQL Injection

An authenticated SQL injection vulnerability was discovered in the Cisco UCM administrative portal using Informix SQL. Custom techniques were developed to enumerate database tables, users, and sensitive information when standard SQLMap tools failed. The research involved creating specialized scripts to exploit the vulnerability by bypassing security restrictions in the database.

  • 15 Nov 2019

Prince of the Honeycomb

A critical heap-buffer overflow vulnerability was discovered in Prince XML, a PDF conversion tool used by the Honeycomb application. The vulnerability was found through fuzzing and binary analysis of TIFF image parsing code. By crafting a malicious TIFF file, an attacker could potentially achieve remote command execution when processing specially crafted image files.

  • 6 Nov 2019

OU having a laugh?

A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.

  • 1 Nov 2019

Automating Pwn2Own with Jandroid

Jandroid is an automated tool designed to help identify potential logic bugs in Android applications. The tool uses configurable templates to analyze APK files, searching for specific patterns in Android manifests and code. By reducing manual analysis effort, Jandroid enables semi-automatic detection of exploitable vulnerabilities in mobile applications.

How Secure is your Android Keystore Authentication?

This article explores vulnerabilities in Android Keystore authentication mechanisms for local device security. Multiple security weaknesses were identified in how developers implement biometric and keystore authentication in Android applications. Frida scripts were developed to help security professionals audit and test the robustness of Android application authentication implementations.

Getting Real with XSS

This article provides a comprehensive guide to practical Cross-Site Scripting (XSS) attacks in modern web applications. It explores technical challenges such as innerHTML limitations, Content Security Policy (CSP) restrictions, and techniques for bypassing browser security controls. The guide demonstrates how to craft meaningful XSS payloads that go beyond simple alert demonstrations.

  • 22 Feb 2019

AutoCAD - Designing a Kill Chain

A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.

  • 15 Feb 2019

Ventures into Hyper-V - Fuzzing hypercalls

A technical investigation explored fuzzing Hyper-V hypercalls using a custom kernel driver called Virdian Fuzzer (VIFU). The research systematically tested both documented and undocumented hypercalls in Microsoft's virtualization platform. The project involved complex technical analysis of hypercall mechanisms, address translation, and potential vulnerabilities in the Hyper-V architecture.

  • 23 Jan 2019

What the Fuzz

Fuzzing is an automated software testing technique that generates random inputs to identify potential vulnerabilities in programs. The article explores fuzzing fundamentals, including its architecture, different approaches like dumb and smart fuzzing, and a selection of fuzzing tools and recent research. The goal is to provide an overview of fuzzing techniques and their potential for discovering software bugs.

  • 17 Jan 2019

CAPTCHA-22: Breaking Text-Based CAPTCHAs with Machine Learning

A machine learning technique was developed to break text-based CAPTCHAs using an Attention-based OCR model. By manually labeling training data from a large dataset of CAPTCHA images, near-perfect accuracy was achieved in solving various CAPTCHA implementations. The study demonstrated how machine learning can effectively bypass traditional text-based CAPTCHA systems with minimal computational resources.

  • 11 Jan 2019

Attacking Kubernetes through Kubelet

A method of attacking Kubernetes clusters by exploiting the default kubelet configuration is detailed in this article. The vulnerability allows anonymous authentication to the kubelet API, enabling attackers to list pods, execute commands in containers, and potentially obtain service account tokens. These tokens can be used to access the kube-apiserver and gain deeper access to the Kubernetes cluster.

  • 21 Dec 2018

Twinkly Twinkly Little Star

Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.

  • 2 Nov 2018

HP NonStop Basics

HP NonStop is a fault-tolerant computing platform used in critical transaction systems since 1976. The system features a unique architecture with Guardian and Open System Services environments, and uses specialized security components like Safeguard for user management and access control. The platform employs a distinctive approach to user and file management, with unique identifiers, access control lists, and specific security configurations that differ significantly from standard Unix or Windows systems.

  • 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

Debugging Released Xamarin Android Applications

A technical investigation revealed debugging techniques for released Xamarin Android applications. By manipulating system properties like 'debug.mono.runtime_args', method tracing can be performed on release builds. Code execution is possible through the Mono log profiler by creating a payload in the '.__override__' directory, allowing analysis of Xamarin applications without modifying the original APK.

  • 23 Aug 2018

DNS Rebinding Headless Browsers

A DNS rebinding attack technique targeting headless browsers running on AWS was demonstrated. The attack can exploit the AWS metadata endpoint by manipulating DNS and causing browsers to hang, potentially allowing exfiltration of sensitive AWS credentials. The method bypasses same-origin policy restrictions by dynamically changing domain IP addresses during browser interactions.

  • 23 Jul 2018

A Guide to Repacking iOS Applications

This technical guide details the process of repacking iOS applications for security research purposes. The methodology covers decrypting application binaries, patching with Frida, generating provisioning profiles, and resigning applications across different scenarios. Key techniques are demonstrated for repacking various types of iOS applications, including those with frameworks, app extensions, and WatchOS companion apps.

  • 18 Jul 2018

Bypassing Memory Scanners with Cobalt Strike and Gargoyle

A novel technique for bypassing memory scanners using the Gargoyle method with Cobalt Strike is demonstrated. The approach involves periodically staging and removing a beacon payload from memory to evade detection by endpoint security solutions. By moving in and out of executable memory at timed intervals, the technique aims to avoid traditional memory scanning techniques.

EC2 Policies: security, freedom, and both

This article explores how to balance security and flexibility when configuring AWS EC2 permissions. It demonstrates how carefully crafted IAM policies can enable precise infrastructure management while maintaining granular access controls. The solution involves using AWS policy conditions and resource tags to create specific permission boundaries for EC2 instance management.

  • 11 Jul 2018

Passing-the-Hash to NTLM Authenticated Web Applications

This article details a Pass-the-Hash (PtH) attack technique against web applications using Windows NTLM authentication. The attack allows impersonation of domain users by injecting a user's NT hash to authenticate to web applications without knowing the actual password. A practical demonstration is provided using an Exchange 2013 server and Mimikatz to execute the attack.

  • 13 Jun 2018

EQL Injection (not a typo) and Oracle Endeca

EQL injection is a novel attack technique targeting Oracle Endeca search functionality in e-commerce platforms. Attackers can exploit unsecured Endeca search parameters to extract sensitive product information or perform denial of service attacks. The vulnerability stems from improper input validation in Endeca search implementations.

  • 13 Apr 2018

Some Brief Notes on WebKit Heap Hardening

WebKit has implemented substantial heap hardening techniques to improve memory safety in browsers. The changes include Gigacages, which isolate different object types into separate heaps, and IsoHeap, which allocates objects in dedicated memory pages. Additional protections involve pointer poisoning to make type confusion attacks more difficult.

Enumerating remote access policies through GPO

This article details techniques for enumerating remote access policies in Windows environments through Group Policy Objects. It explores how User Account Control (UAC) and User Rights Assignment (URA) settings impact remote authentication and lateral movement opportunities. PowerView extensions were introduced to help map computer objects with specific remote authentication configurations.

  • 17 Dec 2017

Finding the Low-Hanging Route

A critical vulnerability was discovered in Cisco's APIC-EM SDN controller that allows unauthorized access to internal network services. By adding a static route and exploiting IP routing configurations, an attacker can bypass network isolation and directly access sensitive internal services without authentication. The vulnerability enables potential compromise of system credentials and unauthorized access to critical infrastructure components like Apache Cassandra and RabbitMQ.

  • 3 Oct 2017

WebUSB - How a website could steal data off your phone

WebUSB is a JavaScript API in Chrome that allows websites to access USB devices with user permission. The API enables potential data theft from connected devices like Android phones by establishing unauthorized connections. Security considerations highlight risks such as file system access, installing APKs, and potential device compromise through a single user interaction.

  • 22 Sep 2017

“Tasking” Office 365 for Cobalt Strike C2

A novel Command and Control (C2) technique for Cobalt Strike was demonstrated using Office 365's Exchange Web Services. The technique leverages Outlook tasks as a communication channel to transmit malicious traffic through a legitimate service. The proof-of-concept shows how attackers can use the External C2 interface to create covert communication paths through enterprise collaboration tools.

  • 1 Aug 2017

Alexa, are you listening?

A physical attack on early Amazon Echo models allows root access by exploiting exposed debug pads and an SD card boot configuration. By gaining root shell access, an attacker can install a malware implant that turns the device into a remote wiretap. The attack requires physical access to the device and can potentially stream live microphone audio to remote services without disrupting the Echo's normal functionality.

  • 7 Jul 2017

Using Windows File Auditing to Detect Honeyfile Access

Windows file auditing offers a covert method for detecting unauthorized access to sensitive files on network shares. By configuring native Windows audit policies, detailed logs can be generated when interactions occur with specific "honeyfiles". This technique provides a low-noise, high-fidelity approach to monitoring potential security breaches on file systems.

  • 16 May 2017

DLL Tricks with VBA to Improve Offensive Macro Capability

This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.

  • 21 Apr 2017

Add-In Opportunities for Office Persistence

This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.

  • 27 Jan 2017

A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition

A novel technique for leaking kernel bitmap object addresses in Windows post-Anniversary Edition is detailed. The method exploits memory reuse in the kernel's paged pool by leveraging accelerator tables and bitmap object allocation. This approach provides a way to retrieve kernel object addresses after previous information leak protections were implemented.

  • 10 Jan 2017

Digital Lockpicking: Why Your Front Door Shouldn't Be On The Internet

A critical vulnerability was discovered in FingerTec/ZKTeco biometric access control devices. The unencrypted UDP protocol allows attackers to create unauthorized admin accounts, extract user data, and potentially unlock doors without authorization. Over 4000 such devices are exposed on the internet, posing significant security risks.

  • 4 Jan 2017

High Interaction Honeypots with Sysdig and Falco

A technical exploration of using sysdig and falco tools to rapidly deploy high-interaction honeypots on Linux systems. The project demonstrated techniques for monitoring and forensically analyzing attacker interactions through detailed system call and log capture. Two case studies revealed successful honeypot deployments that captured real-world attacker behaviors and malware interactions.

Trust? Years to earn, seconds to break

An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.

  • 17 Nov 2016

Working 9 till 5

A summer intern at MWR conducted security research on the Android game "Legion Hunters", uncovering multiple vulnerabilities in the game's login system. The research revealed unencrypted API calls, weak authentication mechanisms, and insecure account management that could allow unauthorized access to user accounts. The intern demonstrated how an attacker could potentially log in as any user by exploiting these security flaws.

  • 3 Nov 2016

AVRop VM: A ROP based M/o/Vfuscator VM on a Harvard device

A novel virtual machine (VM) based on Return-Oriented Programming (ROP) was developed for an AVR microcontroller. The VM adapts the Movfuscator concept to a Harvard architecture device, implementing a single ROP chain that can execute different payloads through memory-mapped instruction interpretation. The approach allows for executing varied functionality using the same ROP chain on an embedded device with limited resources.

  • 21 Oct 2016

A Hybrid Approach to ICS Intrusion Detection

SENAMI introduces a hybrid intrusion detection approach for Industrial Control Systems that combines passive network monitoring with selective active monitoring of critical Siemens S7 PLC variables. The method focuses on detecting value tampering attacks by monitoring three key memory locations with minimal performance impact. The approach achieves a 93% detection rate of active threats while avoiding overloading legacy PLC systems.

  • 18 Oct 2016

Securing the loading of dynamic code

This article explores the security risks associated with dynamic code loading through reflection in programming languages. It discusses methods to secure reflective code loading, including techniques like hashing, code signing, and file permissions to prevent unauthorized code execution and potential privilege escalation vulnerabilities.

Accessing Internal Fileshares through Exchange ActiveSync

Exchange ActiveSync (EAS) can be exploited to access internal Windows file shares using only user mailbox credentials. The vulnerability was confirmed in Exchange 2013 and 2016 with near-default configurations. Attackers can list file share contents and download files by using specific EAS commands, potentially bypassing traditional access controls.

Popping my DoS Cherry at DerbyCon

DerbyCon 6 was a cybersecurity conference featuring notable offensive security talks and tool releases. Key presentations covered topics like privilege escalation, threat emulation, and Exchange/Outlook security. Several new offensive security tools were introduced, including Rotten Potato, Lucky Strike, MailSniper, and OWA-Toolkit.

  • 16 Sep 2016

H-field electromagnetic sniffing

An electromagnetic side-channel attack technique using a custom H-field sensor is demonstrated to sniff secret information from electronic devices. The method involves capturing electromagnetic emissions during data transmission using off-the-shelf components like a shielded-loop antenna, low-noise amplifier, and software-defined radio. By processing the captured signals through cross-correlation and statistical analysis, hidden serial communication data can be successfully extracted.

Malicious Outlook Rules

XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.

  • 11 Aug 2016

The hack that changed the blockchain perspective

The 2016 DAO hack on Ethereum exposed a critical recursive call vulnerability in a smart contract. An attacker exploited this flaw to drain 3.6 million ETH, triggering a controversial hard fork that challenged fundamental principles of decentralized blockchain technology. The incident highlighted significant security risks in early blockchain smart contract implementations.

  • 24 Jun 2016

Alice, Bob, and Eve: How quantum technology can secure against adversaries.

Quantum key distribution (QKD) offers a provably secure communication method that protects against potential quantum computer attacks on classical encryption. The technique uses quantum mechanics principles, specifically the Heisenberg uncertainty principle, to ensure uninterceptable communication between parties. QKD provides a robust alternative to traditional encryption methods that could be compromised by quantum computing technologies.

  • 24 Jun 2016

Don't Try This at Home: Decapping ICs With Boiling Acid.

A technical blog post details the process of decapping integrated circuits using boiling nitric and sulphuric acids. The technique involves dissolving the epoxy packaging to expose the silicon chip inside. Decapping can be used for identifying counterfeit chips, resetting lock bits, and performing hardware reverse engineering.

  • 20 Jun 2016

The current state of quantum cryptography, QKD, and the future of information security.

Quantum key distribution (QKD) offers a provably secure communication method based on quantum physics principles. The technology leverages the Heisenberg uncertainty principle to create encryption keys that cannot be intercepted without detection. Commercial QKD systems are being developed to extend communication ranges and integrate with existing security infrastructure.

  • 14 Jun 2016

D-Wave, why all the controversy?

D-Wave's quantum computer uses quantum annealing architecture, specialized for solving optimization problems. Unlike universal quantum computers, it offers significant speed advantages for certain computational tasks but has limitations in quantum scaling and programmability. The computer can solve some optimization problems much faster than classical computers, though its applicability remains restricted to specific problem types.

  • 7 Jun 2016

Quantum paradoxes: Popping the bubble with Shor's algorithm.

Quantum computers pose a significant threat to current cryptographic systems through Shor's algorithm, which can efficiently factor large prime numbers used in encryption. The algorithm leverages quantum mechanical principles and Fourier transforms to break RSA encryption by finding prime factors much faster than classical computers. Increasing investments in quantum technologies suggest that cryptographic systems may become vulnerable in the future as quantum computing capabilities advance.

Visualising Organisational Charts from Active Directory

This article demonstrates techniques for extracting and visualizing organizational hierarchies from Active Directory using tools like Metasploit, SQLite, and Neo4j. The methods enable mapping of reporting structures and relationships within an organization by converting Active Directory data into a graph database. Complex queries about organizational relationships can be performed dynamically, revealing management chains and reporting structures.

Safer Shellcode Implants

This article discusses techniques for creating safer shellcode implants by implementing runtime security controls. The proposed methods include ensuring single execution through mutex checks, validating the target endpoint using host-specific identifiers, and adding an expiry time to control the implant's lifecycle. Implementation examples are provided in both assembly and C languages to demonstrate these security controls.

  • 19 Apr 2016

Heap tracing with WinDbg and Python

This article demonstrates how to use Python and PyKd to create WinDbg scripts for heap tracing in Windows. The script hooks memory allocation functions like RtlAllocateHeap and RtlFreeHeap to log heap operations. The technique allows visualization of memory allocation patterns and can support exploit development by providing insights into heap behavior.

Masquerading as a Windows System Binary Using Digital Signatures

This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.

Offline SQL Querying of Active Directory

ADOffline is a tool that converts Active Directory LDAP data into a SQLite database for offline analysis. It enables cybersecurity professionals to perform detailed reconnaissance by querying domain users, groups, and computers without maintaining a live connection to the domain controller. The tool supports complex SQL queries and provides intuitive views to explore Active Directory information.

Egress Checking

The EgressCheck Framework is a tool designed to help penetration testers and system administrators identify network egress opportunities. It generates traffic across multiple ports and protocols, capturing connection attempts using tcpdump. The framework supports both TCP and UDP scanning, and can generate one-liner scripts for Python and PowerShell.

Persistence Architecture Matters

This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.

Abusing PuTTY & Pageant through native functionality

A technique for remotely interacting with SSH keys stored in PuTTY's Pageant SSH agent on Windows is explored. The method leverages native functionality to proxy SSH authentication requests through a compromised workstation without traditional exploitation. An attack tool called PageantJacker enables forwarding authentication requests to a remote Pageant instance, allowing an attacker to use a target's SSH keys from their own machine.

When LanMan history reveals the present and future, but might just be lying to you

Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.

EMV Protocol Fuzzer

An EMV protocol fuzzer was developed to evaluate the security of point-of-sale devices and smartcard systems. The fuzzer enables real-time monitoring and modification of EMV communication streams to identify potential vulnerabilities. The tool includes Python interfaces and robotic automation to facilitate comprehensive security testing of financial transaction technologies.

Active Directory: Users in Nested Groups Reconnaissance

The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.

Mass HTTP Enumeration with Metasploit

A Metasploit module enables mass HTTP enumeration of web servers during penetration testing. The module efficiently extracts server headers, HTTP status codes, and page titles across large networks. It allows quick identification of interesting or anomalous hosts using Metasploit's database and multithreading capabilities.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.

  • 25 Sep 2015

A Practical Guide to Cracking Password Hashes

This article provides a comprehensive guide to password hash cracking techniques using Hashcat. It demonstrates how rule-based attacks can efficiently generate password variations from wordlists, significantly improving password guessing success rates. By empirically testing and developing targeted rulesets, password crackers can dramatically increase the number of cracked hashes.

  • 25 Jun 2015

Set Fire to the Phone

Two security researchers from MWRLabs discovered multiple vulnerabilities in the Amazon Fire Phone's AppStore ecosystem. By chaining three distinct vulnerabilities, they achieved remote code execution without using native or memory-based attacks. The exploit allowed installation of malware, extraction of device data, and demonstrated significant application security risks in the Fire Phone's software.

Android Wear Security Analysis

A security analysis of Android Wear reveals robust security controls in WearableListenerService and WearableService. The research examined how Android Wear applications communicate and found strict checks preventing unauthorized message delivery between applications. Security mechanisms effectively block low-privileged malware from interfering with inter-application communication on wearable devices.

How to own any Windows network with group policy hijacking attacks

Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.

  • 27 Mar 2015

Disgusting Code: GeoIP lookups in Excel

A blog post describes an unconventional method for performing GeoIP lookups in Excel using native formulas and Maxmind's GeoIP database. The technique involves complex nested Excel formulas to convert IP addresses to decimal and perform lookups without external dependencies or macros. The approach is designed for use on locked-down corporate machines with limited computational resources.

  • 20 Mar 2015

GitLab User Enumeration

A user enumeration vulnerability was discovered in GitLab versions 5.0.0 to 7.5.0 that allows anonymous discovery of usernames through an unauthenticated internal API. The vulnerability enables attackers to potentially exploit source code repositories by enumerating valid usernames and targeting authentication systems. Metasploit modules were developed to demonstrate and exploit this security issue.

  • 16 Mar 2015

HackFu Challenge 2015

MWR's HackFu Challenge 2015 is an invitation-only hacking event offering 10 free tickets to cybersecurity professionals. The challenge involves a sci-fi themed mission to save the planet from an intergalactic threat by solving complex cybersecurity puzzles. Participants must complete challenges by April 30th, 2015, with the opportunity to attend the event in the UK in June.

Practically Exploiting MS15-014 and MS15-011

The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.

  • 12 Feb 2015

Popping alert(1) in Flash

This article explores cross-site scripting (XSS) vulnerabilities in Adobe Flash applications. It details how ActionScript can be exploited through unvalidated FlashVars, ExternalInterface calls, and remote content loading techniques. Multiple attack vectors are demonstrated, including manipulating URL parameters, loading malicious XML, and abusing URI schemes in Flash applications.

  • 8 Jan 2015

CVE-2014-8272: A Case of Weak Session-ID in Dell iDRAC

A vulnerability in Dell iDRAC's IPMI v1.5 implementation allows unauthenticated attackers to predict session IDs. The weak session ID generation mechanism enables attackers to inject arbitrary commands into privileged sessions by exploiting predictable session identification. The vulnerability potentially allows privilege escalation across different IPMI communication channels.

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

  • 10 Dec 2014

Faster fuzzing with Python

This article explores performance optimization techniques for executing external processes in Python. By investigating process spawning methods like subprocess, fork, and posix_spawn, the performance of small binary executions was analyzed. The investigation revealed that using posix_spawn with vfork can significantly improve execution speed compared to traditional subprocess methods.

  • 28 Nov 2014

My NFC Remains Enabled - Reflections on Mobile Pwn2Own 2014

Mobile Pwn2Own 2014 highlighted zero-day vulnerabilities in mobile devices, particularly those involving NFC technologies. The competition demonstrated the ongoing challenges in mobile device security, emphasizing the importance of careful app store selection for users and proactive security design for developers. Despite potential NFC-related risks, most users are more likely to encounter threats through phishing and malware.

  • 15 Aug 2014

Windows 8 Kernel Memory Protections Bypass

A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.

  • 20 Jun 2014

Isolated Heap & Friends - Object Allocation Hardening in Web Browsers

Web browsers have implemented object allocation hardening techniques to mitigate use-after-free vulnerabilities. These techniques include Internet Explorer's Isolated Heap, Firefox's Presentation Arena, and Chrome's PartitionAlloc. Each approach aims to constrain memory allocation strategies and make exploitation more difficult by separating object types and controlling memory reuse.

  • 18 Jun 2014

BeagleBone Black, GNU Radio, and HackRF One

This guide details setting up a BeagleBone Black with Ångström Linux to compile GNU Radio and HackRF drivers. The tutorial provides step-by-step instructions for configuring an embedded Linux system to work with a HackRF One software-defined radio. Configuration involves installing dependencies, setting up system settings, and building software components for software-defined radio applications.

  • 12 Jun 2014

Putting JavaScript Bridges into (Android) Context

This article explores techniques for obtaining Android Context in WebView JavaScript-to-Java bridge vulnerabilities. Multiple methods for retrieving Context are investigated using reflection and Java Native Interface (JNI) techniques. The research demonstrates approaches to accessing system resources and package information during post-exploitation scenarios in Android applications.

  • 5 Jun 2014

Continued Adventures with iOS UIWebViews

This article explores security vulnerabilities in iOS UIWebViews, specifically focusing on custom NSURLProtocol implementations. The research demonstrates how attackers can bypass naive security checks by manipulating HTTP headers and using techniques like XMLHttpRequest to access restricted resources. A proof-of-concept JavaScript payload is presented to illustrate potential exploitation methods for file access and data exfiltration.

  • 2 Jun 2014

HackFu Venue 2014 - Clue Four

A puzzle image from the HackFu Venue 2014 event is presented. The image appears to be part of a challenge or game series. The puzzle was shared by the WithSecure Threat Intelligence Team.

  • 27 May 2014

HackFu Venue 2014 - Clue Three

The blog post presents the third puzzle clue for HackFu 2014, featuring two cryptic images. The images appear to be part of a challenge or puzzle for participants to solve. Minimal context is provided, leaving the puzzle's details intentionally mysterious.

  • 20 May 2014

HackFu Venue 2014 - Clue Two

HackFu 2014's second clue reveals a Western-themed hacking event set in the fictional town of Hacksville. A cryptic image is provided as part of the location discovery challenge. Participants are invited to solve puzzles in a cowboy-inspired adventure.

  • 13 May 2014

HackFu Venue 2014 - Clue One

HackFu 2014 launched an interactive puzzle challenge to reveal its secret event venue location. Participants must solve weekly Only Connect-style puzzles that progressively disclose clues about the event's location. The first person to correctly identify the venue will win a prize.

  • 12 May 2014

HackLab 2014 - Builders are better Breakers

A hardware design project at HackLab 2014 explored electronics and embedded programming to enhance security testing skills. Team members experimented with various electronic components, protocols, and design challenges through hands-on learning. The project aimed to provide practical experience in understanding system design from a builder's perspective.

  • 12 May 2014

HackLab 2014 - Hard disk drives? Squishy disk drives!

A technical investigation examined the security of hardware-encrypted hard drives by exploring potential vulnerabilities in ATA disk protection passwords and microcontroller access. The study focused on self-encrypting drives from Samsung, Intel, and Seagate, analyzing firmware update utilities and potential attack vectors for accessing drive encryption keys. Multiple approaches were pursued to understand the practical security limitations of hardware-encrypted storage devices.

  • 12 May 2014

HackLab 2014 - The JaegerBomber

An experimental project called the JagerBomber attempted to create a quadcopter controlled by an Android phone using OTG functionality and an Arduino. The team aimed to develop a drone capable of navigating and potentially delivering alcohol, but technical challenges prevented a successful launch. The project explored Android's capabilities for serial communication and drone control, demonstrating complex technical integration challenges.

  • 12 May 2014

HackLab 2014

HackLab 2014 was an internal hacking event featuring three technical projects. Projects included building a quadcopter, developing a mysterious hardware project, and exploring hard drive firmware hacking. Participants collaborated in the Basingstoke offices, fueled by pizza and caffeine to tackle innovative technical challenges.

  • 11 Apr 2014

Laravel cookie forgery, decryption, and RCE

A critical vulnerability in Laravel's encryption API allowed attackers to forge session cookies and impersonate users. The flaw enabled potential remote code execution by exploiting weaknesses in MAC verification, IV handling, and PHP object deserialization. Attackers could manipulate cookies to authenticate as any user and potentially inject malicious code through serialized PHP objects.

  • 11 Apr 2014

WordPress auth cookie forgery

A vulnerability in WordPress's authentication cookie validation allows potential cookie forgery through PHP type juggling. The flaw enables attackers to bypass authentication by exploiting non-strict comparison methods in the cookie verification code. Two attack vectors were identified: MAC verification bypass and potential timing attacks to determine expected MAC values.

  • 8 Apr 2014

HackFu Challenge 2014

HackFu 2014 is a prestigious hacking event offering 10 invitations to cybersecurity professionals. The challenge involves solving puzzles and tracking down an enemy agent named Ilichy. Participants can win entry to a multi-day hacking competition in the UK, with potential prizes including event admission, accommodation, and travel support.

  • 20 Dec 2013

Google AdMob Ad Library - Arbitrary Intent Activity Invocation

A vulnerability was discovered in the Google AdMob SDK for Android that allows attackers to manipulate Intent Activities by injecting JavaScript into a WebView. The vulnerability enables arbitrary activity invocation by controlling multiple parameters passed to the 'startActivity' method. Potential remote exploitation can occur by targeting exposed activities in other Android applications.

  • 20 Dec 2013

HackFu 2013: The Movie

A teaser video for HackFu 2013 was released, presenting a puzzle for viewers to solve without hacking or brute force methods. The video hints at the upcoming HackFu 2014 event scheduled for June 26-28, 2014. Participants are challenged to solve the puzzle while allowing others the opportunity to do so independently.

  • 20 Dec 2013

PontiFlex Ad Library - Remote JavaScript Command Execution

A critical vulnerability was discovered in the PontiFlex ad library for Android that enables remote JavaScript command execution. The flaw allows attackers to download and execute arbitrary code, perform directory traversal, and potentially steal files from mobile applications through manipulated WebView JavaScript interfaces. The vulnerability impacts Android apps using the PontiFlex ad library, potentially exposing millions of users to remote code execution risks.

  • 29 Nov 2013

Advanced Persistent Timelords

A thought experiment explores cybersecurity challenges if attackers could manipulate time. The analysis examines potential vulnerabilities in physical access, document security, personnel management, and digital systems under a hypothetical temporal manipulation scenario. The exploration demonstrates how traditional security controls would break down if an attacker could jump to different points in time or pause time itself.

  • 29 Nov 2013

Debug All the Android Things

This blog post describes a technique for enabling debugging on Android applications using Cydia Substrate. The method involves hooking the Android process startup method to force debugging flags, allowing developers to use jdb to interact with and manipulate running Android applications, even for apps not marked as debuggable in their manifest.

  • 27 Nov 2013

Millenial Media Ad Library

A critical vulnerability was discovered in the Millenial Media SDK across mobile platforms. The SDK's WebView implementation allows attackers to perform dangerous actions like file manipulation, clipboard access, audio recording, and cross-application exploitation through malicious JavaScript injection. These security flaws could enable comprehensive mobile device compromise and unauthorized access to sensitive user information.

  • 20 Nov 2013

AppLovin Ad Library SDK: Remote Command Execution via Update Mechanism

A critical vulnerability was discovered in the AppLovin Ad Library SDK for Android that enables remote command execution through an insecure update mechanism. The vulnerability allows attackers to inject malicious code into applications by exploiting the SDK's dynamic class loading process during updates. An attacker can craft a malicious SDK update that gets automatically downloaded and executed when an application starts.

  • 12 Nov 2013

Run SAP, Run

Metasploit modules for SAP system security assessment were developed to comprehensively test SAP enterprise environments. The modules enable penetration testers to discover SAP services, enumerate clients, perform bruteforce attacks, and execute remote commands across different SAP connectors. Multiple attack techniques were demonstrated, including information gathering, credential extraction, and obtaining interactive shells on both Linux and Windows SAP systems.

  • 25 Oct 2013

HackFu - The Final Wrap Up

HackFu 2013 was an immersive cybersecurity event hosted by MWR at the RAF Air Defence Radar Museum. The event featured a Crystal Maze-themed competition with four themed zones: Aztec, Industrial, Medieval, and Futuristic. Teams competed across multiple technical challenges testing skills in networking, forensics, hacking, and problem-solving.

  • 24 Sep 2013

WebView addJavascriptInterface Remote Code Execution

A critical remote code execution vulnerability was discovered in Android WebViews using JavaScript interfaces. The vulnerability allows attackers to execute arbitrary system commands by injecting malicious JavaScript into applications using advertising network SDKs. Analysis revealed that a significant number of Android applications could potentially be compromised through this security flaw.

  • 6 Sep 2013

MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit

A kernel pool overflow vulnerability in Windows 7's Win32k system was demonstrated at Pwn2Own 2013. The exploit involved manipulating message buffer allocations to corrupt kernel memory structures. By carefully controlling message handling and window object properties, kernel-mode code execution was achieved, enabling a sandbox escape in Google Chrome.

  • 5 Sep 2013

Conference Review: Nordic Sec Conf (NSC2013)

The Nordic Security Conference (NSC2013) was held in Reykjavik, Iceland, featuring notable cybersecurity talks on bug bounties, defensive strategies, and cyber conflicts. The conference included high-quality technical presentations, a competitive CTF event, and networking opportunities. Attendees enjoyed the conference's unique venue and the stunning Icelandic landscape.

  • 1 Sep 2013

Introducing drozer

Drozer is an open-source mobile security tool for Android exploit development. It enables advanced payload deployment and post-exploitation through multiple "weasel" techniques for gaining device access. The tool allows security researchers to build exploits, create reverse TCP shells, and escalate privileges on target Android devices.

  • 4 Jul 2013

BSides Challenge Walkthrough

The BSides London 2013 challenge involved analyzing the 'Evil Planner' Android application for security vulnerabilities. Multiple critical security flaws were discovered, including directory traversal in content providers, weak PIN encryption using device ID, and SQL injection in database content providers. These vulnerabilities could allow an attacker to access sensitive user data stored within the application.

  • 5 Jun 2013

Mercury v2.2.1

Mercury, an Android security testing tool, released its final version 2.2.1 with significant updates. The release included a new BSD license, improved PATH functionality, and a new Windows installer. The project will transition to its successor drozer at BlackHat Arsenal.

  • 16 May 2013

HackFu Venue - Clue 7

The 7th clue in a puzzle references a person named Juliet working in Hartley during the 1980s. The clue appears to be part of a cryptic challenge or puzzle context. Specific details about the purpose or full meaning of the clue remain unclear.

  • 16 May 2013

MWR HackLab - Getting Frequency with SDR

A Software Defined Radio (SDR) workshop explored wireless signal interception and replay techniques using tools like USRP E100 and GNU/Radio. The project focused on analyzing low-cost wireless devices, such as 433MHz doorbells, demonstrating vulnerabilities in basic wireless technologies through signal capture and replay attacks.

  • 16 May 2013

MWR HackLab - MWRcade

MWR HackLab developed a custom arcade machine capable of running multiple console emulators across different platforms. The project aimed to create a unified gaming interface using Linux, SDL, and Python for settling office disputes between employees. The machine supports multiple gaming consoles and was designed to enable remote multiplayer gaming between different office locations.

  • 10 May 2013

HackFu Venue - Clue 6

The 6th clue for a HackFu event provides a betting-related instruction. The clue specifies betting on 6 doubles, 4 trebles, and a fourfold accumulator. The context appears to be part of a game or challenge involving betting strategies.

  • 2 May 2013

HackFu Venue - Clue 5

The fifth clue for the HackFu venue location is presented as a mathematical puzzle involving exponents and arithmetic operations. The puzzle requires solving an equation to determine the event's location. This clue is part of a series of puzzles leading to the final venue reveal.

  • 30 Apr 2013

MWR Challenge 2013

MWR InfoSecurity launched its 2013 cybersecurity challenge called "The Hunt for Ilichy". The competition invited participants to solve counter-intelligence puzzles with the opportunity to win tickets to HackFu, their annual hacking event. Ten winners would receive event entry, accommodation, and potentially travel prizes for exceptional submissions.

  • 25 Apr 2013

HackFu Venue - Clue 4

A HackFu event puzzle presents a riddle about a ballet dancer's post-university experience. The clue challenges participants to fill in a two-word blank describing the dancer's situation after graduating. The puzzle is presented as a Blankety Blank-style challenge with an accompanying image.

  • 25 Apr 2013

MWR HackLab - Chubby Data

A team analyzed a massive 9TB internet scan dataset using cloud and NoSQL technologies. Multiple approaches were explored to make the data searchable, including Amazon CloudSearch for FTP banners, SQL databases for NBTStat scan results, and NoSQL databases like CouchDB and ElasticSearch for HTTP headers. The project focused on developing efficient parsing and search techniques for large-scale internet infrastructure data.

  • 25 Apr 2013

MWR HackLab - Root/Beer Fridge

A cybersecurity team created an innovative beer fridge that unlocks through hacking challenges. The system uses a Raspberry Pi and Arduino with solenoid locks to create an interactive reward mechanism for solving technical puzzles. The project aimed to gamify hacking achievements by providing beer as a reward for completing security challenges.

  • 22 Apr 2013

MWR HackLab

MWR Labs hosted an internal hackathon where team members collaborated on diverse technology projects. Participants worked on innovative ideas across areas like data analysis, hardware hacking, and electronic systems. The event fostered creativity and team engagement through hands-on exploration of technical challenges.

  • 19 Apr 2013

MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit

A detailed technical write-up of a WebKit exploit demonstrated at Pwn2Own 2013 describes a type confusion vulnerability in SVG document handling. The exploit leveraged the ability to cast non-SVG elements to SVG elements, enabling precise memory manipulation and control. By chaining multiple exploit stages, the vulnerability allowed leaking pointers, calculating memory addresses, and ultimately achieving code execution in the browser.

  • 18 Apr 2013

HackFu Venue - Clue 3

The third clue for the HackFu venue location is revealed as a mathematical puzzle. The cryptic clue "I squared plus two" presents a mathematical challenge to participants seeking the event's location. The clue is accompanied by an image, adding to the mysterious nature of the venue reveal.

  • 12 Apr 2013

HackFu Venue - Clue 2

The blog post reveals the second cryptic clue for the HackFu event venue location. The clue is a poetic line: "Of thy tongue's uttering, yet I know the sound." The specific meaning of the clue remains enigmatic, suggesting a puzzle or riddle about the event's destination.

  • 3 Apr 2013

HackFu Venue - Clue 1

The first clue for HackFu's venue location references the famous "Remember, remember" line, specifically mentioning "the Vth". This cryptic hint is part of a series of clues designed to guide participants in discovering the event's location. The first clue was released as part of a multi-week puzzle to reveal the HackFu venue.

  • 28 Mar 2013

Announcing Mercury v2.2

Mercury v2.2, an Android Security Assessment Framework, introduces enhanced auto-completion features for command suggestions. The update maintains separate command histories for different contexts and improves ContentProvider interaction stability. A vulnerable Android app called Sieve is released to help security practitioners practice using the framework.

  • 11 Mar 2013

BSides Challenge

MWR Labs hosted a cybersecurity challenge focused on analyzing the "Evil Planner" Android application. The challenge invited participants to find vulnerabilities that would allow BigCorp to extract encrypted data from a potentially malicious employee's device. Multiple prizes were offered for discovering and exploiting application security weaknesses.

  • 6 Mar 2013

Pwn2Own at CanSecWest 2013

MWR Labs demonstrated a full sandbox bypass exploit against Google Chrome at Pwn2Own 2013. The exploit leveraged vulnerabilities to gain code execution in the renderer process and bypass ASLR and DEP protection mechanisms. Memory address leakage techniques were used to execute arbitrary commands outside the browser sandbox.

  • 14 Feb 2013

2013 Summer Internship Positions

MWR is recruiting paid summer internship positions in Basingstoke for students and security enthusiasts. Interns will work on personal research projects and gain hands-on experience in information security consultancy. The internship offers opportunities to work with a research team and potentially secure a junior position after completion.

  • 7 Feb 2013

Announcing Mercury v2.1

Mercury v2.1, an Android security assessment framework, introduces three key improvements. Modules can now be installed directly from an online repository. Connections between the Mercury console and device can be secured with SSL and optional password protection. Performance optimizations have been made to the Mercury Agent to improve efficiency and resource management.

  • 14 Dec 2012

What's New in Mercury v2?

Mercury v2.0 introduces a completely rewritten architecture with modular reflection-based functionality. Infrastructure Mode enables remote device connectivity across firewalls and NAT. The user interface has been streamlined to provide faster, more direct access to Mercury's capabilities.

  • 19 Sep 2012

Mobile Pwn2Own at EuSecWest 2012

MWR Labs demonstrated a critical Android vulnerability at EuSecWest 2012 targeting a Samsung Galaxy S3 running Android 4.0.4. The exploit used NFC to upload a malicious file, enabling code execution and privilege escalation. Through multiple vulnerabilities, the team could exfiltrate user data and compromise the device's security by bypassing Android's exploit mitigation features.

  • 13 Sep 2012

SAP Smashing (Internet Windows)

SAProuter is a SAP network proxy that can route TCP connections through firewalls. A proof-of-concept technique was developed to establish native connections through SAProuter. The method allows routing network connections and was demonstrated by integrating with Metasploit to access systems behind the proxy.

  • 7 Sep 2012

Mercury v1.1 is Released

Mercury v1.1 is an Android security testing framework with enhanced compatibility for newer Android versions. The release introduces a Reflection Interface for dynamic feature addition and includes new modules for comprehensive security scanning of Android devices and applications. Key improvements enable security professionals to more efficiently analyze potential vulnerabilities in Android systems.

  • 3 Sep 2012

SAP Parameter Injection

A vulnerability in SAP's Host Control service enables remote unauthenticated command execution on Windows SAP systems using SAP MaxDB. The attack involves manipulating parameters of the dbmcli executable to write and execute attacker-controlled commands. Metasploit modules were developed to demonstrate command injection across different SAP system interfaces.

  • 1 Sep 2012

A Look at the BlackBerry OS as a Secure Platform for Third Party Applications

This article examines critical security vulnerabilities in the BlackBerry OS for third-party applications running in the BlackBerry Internet Service environment. Key security issues include unprotected data storage, insecure data transmission, and weak application sandboxing that could allow malicious apps to compromise device security. The study reveals multiple attack vectors such as database manipulation, input simulation, and unauthorized screenshots.

  • 23 Aug 2012

Mercury Reflection

Mercury developed a dynamic reflection interface for Android security assessment that enables runtime code execution and plugin creation. The interface allows developers to load Java code dynamically on the server side without modifying the core application. This approach provides flexible functionality for examining and interacting with Android applications through a simple set of reflection methods.

  • 20 Jul 2012

Hacking Embedded Devices: UART Consoles

Hardware hacking techniques can provide root-level access to embedded devices through UART console interfaces. By physically inspecting circuit boards and identifying specific pins, access to hidden device consoles can be obtained. The methodology involves using tools like oscilloscopes and logic analyzers to locate and interact with serial interfaces on devices such as routers and modems.

  • 18 Jul 2012

Incognito v2.0 Released

Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.

  • 11 Jun 2012

HackFu 2012

HackFu 2012, a cybersecurity event, is scheduled for June 28th. Multiple Twitter accounts will provide live updates during the event. Participants can follow the action on designated Twitter handles like @umd9, @_cyberdyne_, @r3dl4nd, and @neweurope_.

  • 6 Jun 2012

veripy is Released

MWR Labs released veripy, an open-source testing tool for IPv6 network transition. The tool aims to build confidence in hardware and software products supporting IPv6 networking. veripy is designed to help organizations navigate the complex shift from IPv4 to IPv6 infrastructure.

  • 30 Apr 2012

Building Android Java/JavaScript Bridges

This article explores security vulnerabilities in Android WebView implementations, focusing on Java/JavaScript bridges. It examines methods like addJavascriptInterface and method overriding that allow native code exposure to web content. The research highlights potential attack vectors in cross-platform mobile application development frameworks, particularly in PhoneGap.

  • 20 Apr 2012

HackFu Challenge 2012

HackFu 2012 is a cybersecurity challenge event sponsored by MWR in the UK targeting recent graduates and students. The competition offers 10 participants a chance to solve technical challenges in a futuristic "EarthDate: 2139" themed event. Participants will compete in teams at a secret location in the UK, solving various security-related challenges.

  • 18 Apr 2012

HackFu 2012

HackFu 2012 is a cybersecurity event scheduled for June 28-30, set in a futuristic scenario of the year 2139. A select group of invited participants will compete in team challenges. The specific location and challenge details remain a closely guarded secret.

  • 2 Mar 2012

Summer Internship Positions

MWR InfoSecurity offers paid summer internships for computer science students interested in cybersecurity research. Internships are approximately 12 weeks long and based in the UK offices. Candidates from second or third year of university with a strong interest in applied computer security are encouraged to apply.

  • 14 Dec 2011

veripy: New Project to Support the Migration to IPv6

MWR InfoSecurity launched a new open-source project called veripy to support IPv6 migration. The project aims to develop a tool for testing equipment readiness according to the RIPE 501 specification. The first version of the tool is planned for release in March 2012, with the goal of providing confidence in IPv6 networking hardware and software.

  • 12 Dec 2011

Tell Us Your Incognito Ideas and Win One of 5 Lego Ninjas

Incognito, a tool for exploiting Windows access tokens launched in 2007, seeks community input on potential improvements. The project aims to enhance the tool's effectiveness by gathering feature suggestions from the information security community. As an incentive, five Lego Ninjas will be awarded to the best feature ideas submitted.

  • 2 Dec 2011

How to find Android 0day in no time

WebContentResolver is an Android assessment tool that exposes Content Providers through a web interface. The tool allows security testing of Android Content Providers by enabling queries and revealing potential vulnerabilities like SQL injection. It provides a simple method to explore and test Content Providers using web application testing techniques.

  • 4 Nov 2011

A taste of Finland - T2 2011

T2 2011 was an intimate Finnish cybersecurity conference featuring technical talks from industry experts. The event covered diverse topics including cyber terrorism, botnet disruption, and emerging security research. Speakers presented innovative technical insights across areas like mobile security, firmware extraction, and cyber threat analysis.

  • 14 Jul 2011

USB Fuzzing for the Masses

This article explores USB fuzzing techniques for discovering vulnerabilities in device drivers across different platforms. Multiple approaches to USB fuzzing are discussed, including virtualized fuzzing using Qemu and hardware-based fuzzing methods. The research highlights potential security risks in USB device driver implementations, demonstrating techniques for crash debugging and vulnerability exploitation.

  • 7 Jul 2011

Debuggable Apps in Android Market

A security analysis of Android applications revealed that approximately 5% of popular free apps are shipped with debugging enabled. Debuggable applications can be exploited by malicious apps to establish a JDWP connection and gain full access to the Java process. Developers are advised to disable debugging before shipping applications to prevent potential security risks.

  • 30 Jun 2011

To the victor goes the gold, to the loser ...

HackFu is a cybersecurity challenge involving two complex technical puzzles set on a fictional "Hacker Island". The challenges require solving network forensics and signal interception problems to uncover hidden information. Participants were tasked with investigating a virtual treasure chest theft and decoding enemy communications using provided network captures.

  • 18 May 2011

The Google Android Update Dilemma

The Android update process involves multiple parties including Google, device vendors, and carriers, creating a complex and fragmented security update mechanism. This multi-stage update chain introduces significant delays and vulnerabilities, as patches must pass through numerous intermediaries before reaching end-users. Google's recent update initiative fails to comprehensively address the fundamental security challenges in Android's update ecosystem.

  • 20 Apr 2011

HackFu 2011 - The Countdown Continues

MWR's annual HackFu cybersecurity event is scheduled for early June with the theme "The Secret of Hacker Island". The event will feature a mysterious location and challenging competition, following the previous year's Cold War-themed event in a nuclear bunker. Special guest invitations have been sent out, with event details remaining confidential.

  • 24 Dec 2010

Forensic Readiness: A Primer

Forensic readiness is a critical component of cybersecurity incident management. The article outlines six key strategies for organizations to prepare for potential security incidents, including accepting that incidents will occur, educating staff, maintaining flexible response plans, enabling communication, implementing robust logging, and dedicating appropriate budget and resources.

  • 17 Nov 2010

A Postcard From Finland!

The article recounts the T2'10 security conference held in Helsinki, featuring technical presentations by MWR InfoSecurity researchers. Talks focused on mobile platform and smart card vulnerabilities, including live demonstrations of attacks on Google Android and Palm WebOS devices. The conference emphasized knowledge sharing and technical research in cybersecurity.

  • 14 Sep 2010

A Reason to Visit Stockholm in September?

The SEC-T security conference in Stockholm showcased high-quality cybersecurity talks by MWR InfoSecurity. Presentations covered deployment solution risks, physical security penetration testing, and social engineering methodologies. The conference offered innovative and engaging presentations that provided deep insights into security testing techniques.

  • 14 Sep 2010

Career Opportunities at MWR

MWR InfoSecurity is recruiting technical consultants for its Technical Consultancy Team. The company seeks professionals with strong information security skills to work on client projects and MWR Labs initiatives. Interested candidates are invited to submit their CV and covering letter to the recruitment email address.

  • 16 Aug 2010

Recent Palm webOS Vulnerabilities - MWR InfoSecurity Clarification

MWR InfoSecurity identified two vulnerabilities in Palm WebOS in May 2010. One local service vulnerability was fixed in version 1.4.5, while a vCard parsing vulnerability remained unaddressed. The company aimed to highlight smartphone security risks through responsible disclosure.

  • 16 Jul 2010

Just Arrived! - Max Pwnage

MWR Labs released Max Pwnage trading cards highlighting significant computer security vulnerabilities from the past 30 years. The cards are available to clients and conference attendees at multiple cybersecurity events in 2010. Max Pwnage is a fictional character representing the discovery and exploitation of computer system vulnerabilities.

  • 7 Jul 2010

Palm webOS 1.4.5 fixes security issue found by MWR InfoSecurity

Palm released webOS version 1.4.5 to address a security vulnerability discovered by MWR InfoSecurity. A detailed advisory will be published after most devices have been updated. The update is being distributed by mobile carriers.

  • 30 Mar 2010

CanSecWest 2010

CanSecWest 2010 was a cybersecurity conference featuring notable security research presentations and the Pwn2Own hacking contest. Presentations covered diverse topics including collaborative reverse engineering, fuzzing techniques, kernel vulnerabilities, and wireless device security. The Pwn2Own contest demonstrated successful exploits across multiple web browsers and mobile platforms.

  • 8 Mar 2010

Video: How To Be An RSol: Effective Bug Hunting in Solaris - ShmooCon 2010

A video from ShmooCon 2010 presents a Ruby-based Solaris debugging library. The presentation includes a video and slides discussing the library and its proof-of-concept tools. Materials from the talk are available online for review.

  • 25 Jan 2010

Aurora and Web Browser Security

A technical analysis of web browser security in 2010 revealed significant Address Space Layout Randomization (ASLR) vulnerabilities across major browsers. The study compared default installations of Internet Explorer, Firefox, Opera, Safari, and Chrome on Windows 7, highlighting inconsistent implementation of security mitigation techniques. Market share and exploit complexity were identified as key factors in browser security risks.

  • 18 Jan 2010

Google Forensics (...beta)

File carving is a forensic technique for recovering deleted files by extracting data based on file header signatures. Unique web artifacts like Google's commemorative logos can provide contextual information about system usage and activity. This method allows forensic investigators to reconstruct system interactions by analyzing temporary internet files and their visual content.

  • 18 Jan 2010

Solaris Debugging and Bug Hunting at ShmooCon 2010

Matt Hillman introduces RSol, a Ruby-based debugging tool for Solaris at ShmooCon 2010. The tool explores the effectiveness of DTrace for bug hunting and reverse engineering compared to traditional debugging techniques. RSol aims to become a comprehensive suite that combines debugging and DTrace-based methods.

  • 14 Jan 2010

Adobe Reader Exploit on Vista and 7

A vulnerability in Adobe Reader affecting Vista and Windows 7 systems was discovered, impacting the "media.newPlayer" issue. The exploit functions reliably across multiple Adobe Reader versions, even with ASLR and DEP protections enabled. Disabling JavaScript and applying patches are recommended mitigation strategies.

  • 3 Dec 2009

DeepSec 2009

DeepSec 2009 was a security conference in Vienna featuring diverse cybersecurity presentations. Talks covered topics including wireless keyboard sniffing, GSM encryption vulnerabilities, virtual machine rootkit detection, and browser attack surfaces. The conference provided insights into emerging security research and potential system vulnerabilities across various technological domains.

  • 17 Nov 2009

Singing the Mainframe Security Blues?

This article explores the security challenges of legacy network protocols, particularly Systems Network Architecture (SNA), in enterprise environments. It emphasizes the critical importance of understanding network technologies beyond IP to effectively assess and mitigate security risks. The key message is that comprehensive network security requires deep knowledge of all protocols in use, not just modern IP-based technologies.

  • 7 Sep 2009

Attacking Altiris at DeepSec '09

Luke Jennings will present research on vulnerabilities in Symantec's Altiris Deployment Solution at DeepSec '09 in Vienna. The presentation will focus on security issues in deployment technologies. Cybersecurity professionals interested in deployment solution security are encouraged to attend the conference.

  • 1 Sep 2009

USB Research to be Presented at t2'09

A USB security research presentation will be given at T2 in Finland, focusing on attack methods and vulnerabilities in USB drivers. The talk will explore potential security risks associated with malicious USB devices and techniques for identifying and exploiting driver vulnerabilities. The presentation follows previous research presented at Defcon 17.

  • 7 Aug 2009

Defcon 17

DefCon 17 featured technical talks covering diverse cybersecurity topics including wireless sensor exploitation, USB security vulnerabilities, and router hacking. Presentations explored critical security issues such as extracting encryption keys, inline hooking techniques, and vulnerability disclosure strategies. The conference highlighted emerging research on hardware and software vulnerabilities across technological domains.

  • 4 Jun 2009

EuSecWest 2009 Run Down

EuSecWest 2009 featured technical presentations on cybersecurity vulnerabilities and attack techniques across multiple domains. Talks covered Microsoft exploit mitigations, PCI bus attacks, Trusted Computing vulnerabilities, iPhone security exploits, and Firefox extension risks. The conference provided insights into emerging cybersecurity research and potential system vulnerabilities.

  • 13 Mar 2009

Have you got bad timing?

Timing attacks exploit variations in system response times to extract sensitive information. A specific example involving Citrix Access Gateway revealed that authentication attempts with valid Active Directory usernames took slightly longer to return failed login messages. This timing difference could potentially allow attackers to identify valid usernames and assist in password guessing attempts.

  • 15 Sep 2008

Stockholm Sec-T Conference Roundup

The inaugural Sec-T conference in Stockholm featured diverse cybersecurity presentations covering virtualization security, cybercrime, and emerging technological threats. Speakers discussed organized criminal activities, vulnerabilities in operating systems, and enterprise software security challenges. The conference provided insights into cutting-edge security research across multiple domains of information technology.

  • 11 Aug 2008

Defcon 16 Talk Review: Advanced Software Armouring and Polymorphic Kung-Fu

Nick Harbour presented PE-Scrambler, an advanced Windows executable packer that manipulates binary code at the disassembly level to obstruct reverse engineering. The tool uses sophisticated techniques like destroying call trees, relocating code chunks, and creating ambiguous disassembly to make binary analysis challenging. Additionally, Harbour demonstrated FindEvil, a tool that detects packed binaries by comparing disassembly size to binary size.

  • 11 Aug 2008

Defcon 16 Talk Review: The Pentest is Dead, Long Live the Pentest

The article reviews a Defcon 16 talk about the evolution of penetration testing from an underground practice to a professional service. It highlights the shift from ad-hoc, tool-driven approaches to a more strategic, methodology-focused discipline. Key recommendations include developing creative testing methods, producing context-rich reports, and maintaining ongoing client partnerships.

  • 11 Aug 2008

Defcon 16 Talk Review: Time-Based Blind SQL Injection Using Heavy Queries and the Marathon Tool

This blog post compiles recent cybersecurity publications from WithSecure Threat Intelligence Team. The page highlights research on topics including AI security, privilege escalation, cyber threats to the Olympics, and mass exploitation of enterprise infrastructure. Multiple publications and advisories are listed, covering various cybersecurity research and vulnerability discoveries.