Showing Posts About
Email security
- 21 Apr 2017
Logic Bug Hunting in Chrome on Android
A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.
-
David Chismon - 7 Oct 2016
Accessing Internal Fileshares through Exchange ActiveSync
Exchange ActiveSync (EAS) can be exploited to access internal Windows file shares using only user mailbox credentials. The vulnerability was confirmed in Exchange 2013 and 2016 with near-default configurations. Attackers can list file share contents and download files by using specific EAS commands, potentially bypassing traditional access controls.
- Dave Hartley
- 2 Sep 2016
Malicious Outlook Rules
XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.