Showing Posts About

• 15 May 2020

Internet Exploiter: Understanding vulnerabilities in Internet Explorer

This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.

• 6 Nov 2019

OU having a laugh?

A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.

• 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

• Yong Chuan Koh
• 12 Oct 2016

Fuzzing the Windows kernel

A presentation by Yong Chuan Koh at HITB GSEC 2016 introduced a Python-based fuzzing framework for testing Windows kernel security. The framework is designed to be scalable and extensible for comprehensive kernel vulnerability detection. Presentation slides are available for download from the original source.

• Ben Campbell Jon Cave
• 16 Dec 2014

Digging into MS14-068, Exploitation and Defence

MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.

• 15 Aug 2014

Windows 8 Kernel Memory Protections Bypass

A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.