Regex_ReDoS.pdf (449.7 KB)
#Research
"Counting in Regexes Considered Harmful: Exposing ReDoS Vulnerability of Nonbacktracking Matchers", 2022.
]-> Tool to perform static analysis on regexes to determine whether they are vulnerable to ReDoS:
https://github.com/NicolaasWeideman/RegexStaticAnalysis
#exploit
1. Workaround for CVE-2022-41923: Privilege Management Vulnerability
https://github.com/grails/GSSC-CVE-2022-41923
2. CVE-2022-32060:
Snipe-IT v.6.0.2 - arbitrary file upload
https://github.com/bypazs/CVE-2022-32060
3. CVE-2022-45472:
DOM Based XSS
https://github.com/nicbrinkley/CVE-2022-45472
OpenDoc.pdf (1.1 MB)
#Threat_Research
"Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures", 2022.
#Offensive_security
1. Linux Password Mining
https://medium.com/@tinopreter/linux-password-mining-58e341635f1c
2. Bypassing Intel DCM’s Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-cve-2022-33942
#tools
#Blue_Team_Techniques
1. PassFiltEx - Active Directory Password Filter
https://github.com/ryanries/PassFiltEx
2. Administrative tools and logon types
https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
#exploit
JavaScript Engine Exploitation Primitives
https://www.madstacks.dev/posts/V8-Exploitation-Series-Part-6/#writing-an-exploit
]-> V8 Exploitation Series:
https://www.madstacks.dev/categories/v8-series
SARA.pdf (1.1 MB)
#Research
"SARA: Secure Android Remote Authorization", 2022.
]-> Repo: https://github.com/purseclab/SARA-Secure-Android-Remote-Authorization
#Threat_Research
1. Android SharkBot Droppers on Google Play
https://www.bitdefender.com/blog/labs/android-sharkbot-droppers-on-google-play-underlines-platforms-security-needs
2. Cryptonite Ransomware
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware
mas_6-1.pdf (3.9 MB)
#Malware_analysis
Malware Analysis Series (MAS) - Article 6, November/24/2022, rev: A.1.
#Offensive_security
1. Fetch data (open ports, CVEs, CPEs, ...) from shodan internetDB API
https://github.com/s4hm4d/shodanidb
2. Find MS Exchange instance for a given domain and identify the exact version
https://github.com/mhaskar/ExchangeFinder
#Red_Team_Tactics
1. Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs
https://feed.bugs.xdavidhu.me/bugs/0017
2. UAC Bypass On Windows Defender For Endpoint With HighBorn
https://assume-breach.medium.com/home-grown-red-team-uac-bypass-on-windows-defender-for-endpoint-with-highborn-e9ea16546029
Defending_nginx (1).pdf (8.9 MB)
#hardening
"Defending against automatization using NGINX", 2022.
]-> Nginx Bad Bot and User-Agent Blocker, Spam Referrer Blocker, Anti DDOS, Bad IP Blocker, Wordpress Theme Detector Blocker:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
#OpSec
JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses
https://github.com/sinfulz/JustEvadeBro
Nessie.pdf (747.9 KB)
#Research
"Nessie: Automatically Testing JavaScript APIs with Asynchronous Callbacks", 2022.
]-> https://zenodo.org/record/5874851#.Y4Gx7aSOFSA
#exploit
1. CVE-2022-32898:
ANE_ProgramCreate() multiple kernel memory corruption
https://0x36.github.io/CVE-2022-32898
2. CVE-2022-43781:
Command injection vulnerability using environment variables in Bitbucket Server/Data Center
https://petrusviet.medium.com/cve-2022-43781-32bc29de8960
3. CVE-2022-38374:
XSS in Fortinet FortiADC 7.0.0 - 7.0.2, 6.2.0 - 6.2.4
https://github.com/azhurtanov/CVE-2022-38374
Nimjector.pdf (4.9 MB)
#Offensive_security
"Understanding and Re-creating Process Injection Techniques through Nimjector", 2022.
]-> https://github.com/cybernomad1/NimJection
💥Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well. While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes.
🔥🔥🔥PoC of the removed registered LdrDllNotification for your enjoyment.
🔥🔥🔥PoC for utilizing RtlQueueWorkItem to load libraries
🔥Vulnerabilities in BMC Firmware Affect OT/IoT Device Security(part1)
By abusing these vulnerabilities, an unauthenticated attacker may achieve RCE with root privileges on the BMC, completely compromising it and gaining control of the managed host. During our research, we uncovered other vulnerabilities whose patching is still in progress and thus cannot be disclosed as of yet; those will be covered in a follow-up blog post.
Our discussion starts with an introduction to BMCs and an illustration of the vulnerabilities discovered. We will then provide an example of how an attacker can abuse these issues to ultimately compromise the device, and conclude with remediations that asset owners can implement.