Bypassing Symantec Endpoint Protection for Fun & Profit!
๐ฃinput0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
๐คR-EDDIT
๐@malwr
๐ฃinput0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
๐คR-EDDIT
๐@malwr
Was a USB drive inserted into my Windows computer? - Boncaldoโs Forensics Blog
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
Boncaldo's Forensics Blog
DFS# 03: Was a USB drive inserted into my Windows computer?
Can you tell if a USB storage drive was plugged into a specific computer? Data exfiltration โand introductionโ through USB storage devices can be a plausible concern in an overabundanceโฆ
checkra1n, USB Restrictions and Breaking Into Locked iPhones - Elcomsoft Blog
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
ElcomSoft blog
checkra1n, USB Restrictions and Breaking Into Locked iPhones
The checkra1n jailbreak is fantastic. Not only does it work with the latest versions of iOS the other jailbreaks aren't even available for, but it also allows performing partial data extraction from disabled and locked iPhones even if the passcode is notโฆ
House of Io โ Bypassing Safe-Linking and attacking Glibc's tcache
๐ฃeyalitki
Very interesting! I remember noticing the same thing about the first chunk but didnโt think much about. Good work getting a new exploit type out of the mitigationโs.
๐คmdulin2
In a classic "Thank you /r/netsec" /u/awarau888 and I were able to develop their initial attack variant that was posted here a few days ago, into a working bypass.
๐คeyalitki
๐@malwr
๐ฃeyalitki
Very interesting! I remember noticing the same thing about the first chunk but didnโt think much about. Good work getting a new exploit type out of the mitigationโs.
๐คmdulin2
In a classic "Thank you /r/netsec" /u/awarau888 and I were able to develop their initial attack variant that was posted here a few days ago, into a working bypass.
๐คeyalitki
๐@malwr
awarau
House of Io โ Remastered
A few days ago, I (Awarau) published a blog post (link) with my analysis of the new heap mitigation, Safe-Linking, that will be introduced in GLibc 2.32. The blog post describes the mechanism, alonโฆ
Abusing Java Remote Protocols in IBM WebSphere: Details on two bugs - one RCE and one Info Disclosure - in the WebSphere application server
๐ฃRedmondSecGnome
๐@malwr
๐ฃRedmondSecGnome
๐@malwr
Zero Day Initiative
Zero Day Initiative โ Abusing Java Remote Protocols in IBM WebSphere
Back in April of this year, a researcher named tint0 submitted two bugs in IBM WebSphere to the ZDI program. One was an information disclosure vulnerability while the other could lead to remote code execution (RCE). This blog covers ZDI-20-689 /CVE-2020โฆ
Sophos XG - A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day
๐ฃ0xniph
๐@malwr
๐ฃ0xniph
๐@malwr
Blogspot
CODE WHITE | Blog: Sophos XG - A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day
On April 25, 2020, Sophos published a knowledge base article (KBA) 135412 which warned about a pre-authenticated SQL injection (SQLi) vulne...