RedTeam feed
RedTeam blogposts and articles collection
Behind the Shield: Unmasking Scudo's Defenses
#synacktiv

via Synacktiv Blog (author: Kevin Denis)
MacOS "DirtyNIB" Vulnerability
#xpn

While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.

via XPN InfoSec Blog
EVM unravelled: recovering ABI from bytecode
#synacktiv

via Synacktiv Blog (author: Adrien Peter)
Out of Band Update: Cobalt Strike 4.9.1
#cobaltstrike

Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]

via Cobalt Strike Blog (author: Greg Darwin)
Phishing for Primary Refresh Tokens and Windows Hello keys
#dirkjanm

In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.

via Dirk-jan Blog (author: Dirk-jan Mollema)
Finding a POP chain on a common Symfony bundle: part 2
#synacktiv

via Synacktiv Blog (author: Rémi Matasse)
A Deep Dive into TPM-based BitLocker Drive Encryption
#itm4n

When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key from the Recovery Environment (WinRE). The o...

via Itm4n Blog (author: itm4n)
The single-packet attack: making remote race-conditions 'local'
#portswigger

The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an

via PortSwigger Research
Uncovering RPC Servers through Windows API Analysis
#specterops

via SpecterOps Team Medium (author: Kai Huang)
Listing remote named pipes
#outflank

On Windows, named pipes are a form of interprocess communication (IPC) that allows processes to communicate with one another, both locally and across the network. Named pipes serve as a mechanism to transfer data between Windows components as well as third-party applications and services, both locally and on a domain. From an offensive perspective, named pipes may leak some information that could be useful for reconnaissance purposes. Since named pipes can also be used (depending on configuration) to access services remotely, they could allow remote exploits (MS08-067).

In this post we will explore how named pipes can be listed remotely in offensive operations, for example via an implant running on a compromised Windows system.

via Outflank Blog (author: Cedric Van Bockhaven)
Forwarded from Offensive Xwitter
😈 [ Almond OffSec @AlmondOffSec ]

Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.

🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html

Reflecting on a Year with Fortra and Next Steps for Outflank
#outflank

When we debuted OST back in 2021, we wrote a blog detailing both the product features and the rationale for investing time into this toolset. In 2022, we joined forces with Fortra and we can hardly believe it’s been over a year already. It was a big decision to go from being a small team of red teamers to becoming part of a large company, but we’re very pleased with the switch. In this reflection on the past 12 months, we want to provide an update on our mission, detail our continued dedication to OST, discuss the process of growing the Outflank community, and touch on where we’re headed next.

A Product Oriented Focus

One of our biggest challenges when we joined Fortra was the decision to put most of our energy into Outflank Security Tooling (OST).

via Outflank Blog (author: Marc Smeets)
systemd hardening made easy with SHH
#synacktiv

via Synacktiv Blog (author: Maxime Desbrus)