Волосатый бублик
All credits to authors.
[ Splitting the email atom: exploiting parsers to bypass access controls ]

Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an email will be routed to should be simple, but is actually ludicrously difficult - even for 'valid', RFC-compliant addresses.

In this paper I'm going to show you how to turn email parsing discrepancies into access control bypasses and even RCE.

New research from Portswigger (Gareth Heyes):
https://portswigger.net/research/splitting-the-email-atom

Repo:
https://github.com/portswigger/splitting-the-email-atom

CTF:
https://portswigger.net/web-security/logic-flaws/examples#email-address-parser-discrepancies
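The defensive counterpart to the research above, as an added example that is mine and not code from the paper or its repo: if an application is going to infer an organisation from the domain of an address, it should only do so after the address has been accepted by one strict, unambiguous grammar, rather than splitting a lenient input on '@'. The function names and the constructed sample addresses are assumptions.

```python
import re
from typing import Dict, Optional

# Conservative allowlist grammar: a dot-atom local part and a hostname-style domain
# with at least two labels. RFC 5322 features that parsers disagree on (quoted local
# parts, comments, address literals, non-ASCII) are rejected on purpose, so the domain
# extracted below is the only domain a mail system could reasonably route to.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_STRICT = re.compile(rf"(?P<local>{_LOCAL})@(?P<domain>{_DOMAIN})")


def strict_domain(address: str) -> Optional[str]:
    """Return the lowercased domain only if the whole address fits the strict grammar."""
    if len(address) > 254 or not address.isascii():
        return None
    m = _STRICT.fullmatch(address)
    if m is None:
        return None
    return m.group("domain").lower()


def naive_domain(address: str) -> str:
    """The pattern the paper warns about: take whatever follows the last '@'."""
    return address.rsplit("@", 1)[-1].lower()


def org_for(address: str, allowed: Dict[str, str]) -> Optional[str]:
    """Map an address to an organisation, but only via the strictly parsed domain."""
    domain = strict_domain(address)
    return allowed.get(domain) if domain else None


# Constructed sample addresses (assumption, not from the paper). The first is plain;
# the others use RFC features whose routing depends on which parser reads them.
SAMPLES = [
    "alice@corp.example",
    "alice(note)@corp.example",
    '"alice"@corp.example',
    "alice@x@corp.example",
]

if __name__ == "__main__":
    orgs = {"corp.example": "Corp"}
    for addr in SAMPLES:
        print(f"{addr!r:32} naive={naive_domain(addr)!r:16} "
              f"strict={strict_domain(addr)!r:16} org={org_for(addr, orgs)!r}")
```

The naive extraction returns `corp.example` for every sample, so an allowlist keyed on it would grant all four the same organisation; the strict parser accepts only the first. That asymmetry, not the specific regex, is the design choice: reject what you cannot route unambiguously, and derive the domain from the same string you validated.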
#aws

[ Project Apeman ]

Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths.

The first in a series of blog posts on how Apeman identifies IAM attack paths in AWS: https://posts.specterops.io/an-aws-administrator-identity-crisis-part-1-919e6171ec0a

By Daniel Heinsen (SpecterOps)

https://github.com/hotnops/apeman
[ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server ]

Highlights include:
Escaping from DocumentRoot to System Root
Bypassing built-in ACL/Auth with just a '?'
Turning XSS into RCE with legacy code from 1996

By... Orange Tsai!

https://blog.orange.tw/2024/08/confusion-attacks-en.html
#windows #rce

CVE-2024-38077 WINDOWS Remote Desktop Licensing Service. 0-click RCE

https://github.com/CloudCrowSec001/CVE-2024-38077-POC

P.S. The PoC is toothless; you need to read the article and bring it into working order yourself.
Ghost in the PPL Part 1: BYOVDLL
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
Bypassing LSA Protection in userland
[ New attack for Android and iOS — Not patched ]

mapAccountHijack is a tool designed to carry out a MAP Account hijack attack, which exploits the Message Access Profile (MAP) in Bluetooth Classic devices. This attack enables the theft of Multi-factor Authentication (MFA) codes and One-Time Passwords (OTPs), leading to the successful hijacking of victim accounts on services that rely on SMS-based OTPs during login or recovery processes. The tool is highly valuable for red teaming, penetration testing, bug bounty hunting, and security research, and the attack works on the latest versions of both Android and iOS devices (Samsung, Google Pixel, iPhone).

Additionally, the tool exposes the victim's phone number, either by accessing metadata from previously received SMS messages or by making the victim's smartphone send an SMS to a phone number controlled by the attacker. It serves as a Proof of Concept for Bluetooth Classic attacks or as a component in account hijacking schemes and helps with intercepting, stealing, and relaying SMS messages and phone numbers.

TLDR:
1-click account takeover attack on iOS (Not Patched, not going to be fixed)
2-click account takeover attack on Android (Not Patched, is going to be fixed)

Some services that one can hijack:
* Meta
* Paypal
* Coinbase
* Google Account

Presentation at DEF CON: Exploiting Bluetooth: from your car to the bank account$$

https://github.com/sgxgsx/mapAccountHijack
If you're looking for something interesting to watch during this weekend

The talk demonstrating how, with minor tweaks, you can really frustrate command-line-based detections across Windows, Linux and macOS is now live.

https://www.youtube.com/watch?v=52tAmVLg1KM

By Wietze
#jenkins

Jenkins security advisory 2024-08-07
Arbitrary file read vulnerability through agent connections can lead to RCE

https://www.jenkins.io/security/advisory/2024-08-07/
#office #lpe

[ ShimMe ]

Manipulating Shim and Office for Code Injection, by David Shandalov & Ron Ben Yizhak

DEF CON post

Invokes an RPC method in the OfficeClickToRun service that injects a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the Task Scheduler service, thus achieving privilege escalation from administrator to SYSTEM.

https://github.com/deepinstinct/ShimMe
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063


Curiouser and curiouser (c) L.C.
Now live on Hack The Box:

Lantern, by a member of the "Волосатый Бублик" chat and the author of the Bagel machine.

Good luck to everyone who sits down to solve it!

P.S. That amazing feeling when you have the privilege of knowing, being friends with and growing together with people like this ;)
Forwarded from APT
🔐 FreeIPA Roasting (CVE-2024-3183)

A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.

🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC

#freeipa #kerberos #hashcat #cve

———
Adding Misha's talk to the Offzone wishlist 🚶‍♂️
W.T.F. Is a Kubernete and How Do I Attack It? with Graham Helton (currently live, recording will be available, same link)

Attendees will gain a high level understanding of what Kubernetes is (without any pre-existing Kubernetes knowledge) and learn how to effectively hack into a real Kubernetes cluster (uh... with permission of course).

https://www.youtube.com/watch?v=gc2NExPp20Y
New blog from Josh (X-Force Red) on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection.

Blog: https://securityintelligence.com/x-force/using-veh-for-defense-evasion-process-injection

Code: https://github.com/xforcered/VectoredExceptionHandling

«This is research that I did back in 2022, but since some similar research has come out it seemed like time to release it. I developed this threadless process injection technique before that was a thing, but now there are a few examples of threadless injection out there»

«In short, by reimplementing the RtlAddVectoredExceptionHandler API, we can insert our own handlers into the list to circumvent EDR handlers. This also works cross-process since all info for VEH is in userland, which enables the threadless injection technique»
When "pls sir 50$ clickjacking" pentester was assigned to an internal network assessment...
Forwarded from Offensive Twitter
😈 [ Charlie Bromberg « Shutdown » @_nwodtuhs ]

🎉 After >1y of hard work, @AzeTIIx and I are thrilled to release v2 of The Hacker Recipes!

We moved away from GitBook and now have control over both engine & hosting 🥹
1st addition for contributors: your work is being highlighted across the site! 🫡

🔗 https://thehacker.recipes/

🐥 [ tweet ]