Showing Posts About

• 10 Apr 2024

Abusing search permissions on Docker directories for privilege escalation

A privilege escalation vulnerability was discovered in Docker environments where the /var/lib/docker directory has search permissions for other users. Low-privileged attackers can access container filesystems by exploiting these permissions. By modifying container startup scripts and leveraging host reboot capabilities, attackers can potentially gain root access on the host system.

• 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #1

This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.

• 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #2

This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.

• 11 Jun 2020

Abusing access to mount namespaces through /proc/pid/root

Linux namespaces can be abused for privilege escalation in containerized environments. Two key attack vectors are demonstrated: creating block devices in Docker containers to bypass access controls and exploiting symlink vulnerabilities through mount and user namespaces. The research highlights potential security risks in container configurations and namespace implementations.

• 11 Jan 2019

Attacking Kubernetes through Kubelet

A method of attacking Kubernetes clusters by exploiting the default kubelet configuration is detailed in this article. The vulnerability allows anonymous authentication to the kubelet API, enabling attackers to list pods, execute commands in containers, and potentially obtain service account tokens. These tokens can be used to access the kube-apiserver and gain deeper access to the Kubernetes cluster.

• Mateusz Fruba
• 19 Sep 2017

Kernel Driver mmap Handler Exploitation

This whitepaper explores exploitation techniques for Linux kernel driver memory mapping vulnerabilities. The research addresses the lack of public documentation on identifying and exploiting security flaws in kernel driver development. The goal is to provide guidance for developers to understand and mitigate memory mapping issues in kernel drivers.

• 1 Aug 2017

Alexa, are you listening?

A physical attack on early Amazon Echo models allows root access by exploiting exposed debug pads and an SD card boot configuration. By gaining root shell access, an attacker can install a malware implant that turns the device into a remote wiretap. The attack requires physical access to the device and can potentially stream live microphone audio to remote services without disrupting the Echo's normal functionality.

• 18 Jun 2014

BeagleBone Black, GNU Radio, and HackRF One

This guide details setting up a BeagleBone Black with Ångström Linux to compile GNU Radio and HackRF drivers. The tutorial provides step-by-step instructions for configuring an embedded Linux system to work with a HackRF One software-defined radio. Configuration involves installing dependencies, setting up system settings, and building software components for software-defined radio applications.