"All Your Macs are belong to us" by @objective_see - how and why an unsigned, unnotarized, script-based proof of concept application could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements) … even on a fully patched M1 macOS system, reverting protection from running malicious code to a pre-2007 era.
Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions
https://objective-see.com/blog/blog_0x64.html
Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions
https://objective-see.com/blog/blog_0x64.html
Objective-See
All Your Macs Are Belong To Us
bypassing macOS's file quarantine, gatekeeper, and notarization requirements
Cisco fixed an Unauth DoS in Adaptive Security Appliance and Firepower Threat Defense found by our researcher Nikita Abramov.
Assigned CVEs: CVE-2021-1445, CVE-2021-1504
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
Assigned CVEs: CVE-2021-1445, CVE-2021-1504
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
"Detecting and annoying Burp users" by @dustriorg
Some fun and innovative ways to keep pesky Burp users at bay.
Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder
https://www.dustri.org/b/detecting-and-annoying-burp-users.html
Some fun and innovative ways to keep pesky Burp users at bay.
Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder
https://www.dustri.org/b/detecting-and-annoying-burp-users.html
www.dustri.org
Detecting and annoying Burp users
Personal blog of Julien (jvoisin) Voisin
Cisco fixed two Unauth RCEs and an Arbitrary File Upload in HyperFlex HX Data Platform found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
CVE-2021-1497
CVE-2021-1498
CVE-2021-1499
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
CVE-2021-1497
CVE-2021-1498
CVE-2021-1499
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR
VMware fixed an Unauth RCE in vRealize Business for Cloud (CVE-2021-21984) found by our researcher Egor Dimitrenko.
Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0007.html
Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0007.html
New article "How we bypassed bytenode and decompiled Node.js (V8) bytecode in Ghidra" by our researcher Sergey Fedonin.
https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
ExifTool CVE-2021-22204 - Arbitrary Code Execution discovered by @vakzz.
The story of finding an ImageTragick-esque vulnerability, originally in gitlab. Go down the rabbit hole of image parsing with perl!
Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
The story of finding an ImageTragick-esque vulnerability, originally in gitlab. Go down the rabbit hole of image parsing with perl!
Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
devcraft.io
ExifTool CVE-2021-22204 - Arbitrary Code Execution
Background
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket by Paul Gerste
RCE on Rocket.Chat servers via MongoDB noSQLi. Valid account required.
Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
RCE on Rocket.Chat servers via MongoDB noSQLi. Valid account required.
Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
Sonarsource
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket
We recently discovered vulnerabilities in Rocket.Chat, a popular team communications solution, that could be used to take over Rock.Chat instances.
New article: Decompiling Node.js in Ghidra by our researcher Vladimir Kononovich.
This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).
https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/
This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).
https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/
HTTP Request Smuggling via higher HTTP versions by @emil_lerner as presented at PHDays 2021.
HTTP request smuggling reinvented with multiple novel approaches implemented in a new tool http2smugl.
Contents:
• HTTP Request Smuggling basic concepts
• HTTP Request Smuggling exploitation scenarios
• HTTP/2 body transfer
• content-length conflicts actual length
• no content-length forwarding
• content-length conflicting transfer-encoding
• HTTP/2 header validation
• new lines in headers
• less strict validation
• Detection ideas
• False positive
• Varnish
• RFC 8441
• Haproxy & nghttp2
• Open problem
• H2O http3 (QUIC)
• Automation
• Further research
Slideshow: https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions
Video Presentation: https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/
HTTP request smuggling reinvented with multiple novel approaches implemented in a new tool http2smugl.
Contents:
• HTTP Request Smuggling basic concepts
• HTTP Request Smuggling exploitation scenarios
• HTTP/2 body transfer
• content-length conflicts actual length
• no content-length forwarding
• content-length conflicting transfer-encoding
• HTTP/2 header validation
• new lines in headers
• less strict validation
• Detection ideas
• False positive
• Varnish
• RFC 8441
• Haproxy & nghttp2
• Open problem
• H2O http3 (QUIC)
• Automation
• Further research
Slideshow: https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions
Video Presentation: https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/
Slideshare
HTTP Request Smuggling via higher HTTP versions
This document summarizes HTTP request smuggling vulnerabilities. It explains how an attacker can craft a single HTTP request that is parsed differently by the frontend and backend servers, allowing the backend to interpret additional hidden requests. Several…
We continue our series of articles dedicated to decompiling Node.js bytecode with a new article by Natalya Tlyapova: Creating a Ghidra processor module in SLEIGH using V8 bytecode as an example.
https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/
https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/
PT SWARM
Creating a Ghidra processor module in SLEIGH using V8 bytecode as an example
Last year our team had to analyze V8 bytecode. Back then, there were no tools in place to decompile such code and facilitate convenient navigation over it. We decided to try writing a processor module for the Ghidra framework. Thanks to the features of the…
"13 Nagios Vulnerabilities, #7 will SHOCK you!" by Samir Ghanem
Gaining access to Nagios XI server results in upstream compromise of management server, i.e. every other customer monitored. Exploitation facilitated with soygun tool.
Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using the ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Step 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List
https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
Gaining access to Nagios XI server results in upstream compromise of management server, i.e. every other customer monitored. Exploitation facilitated with soygun tool.
Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using the ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Step 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List
https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
Skylightcyber
Skylight Cyber | 13 Nagios Vulnerabilities, #7 will SHOCK you!
Ever wondered what synergy looks like? Read how we discovered and combined a few lame(ish) vulnerabilities in Nagios to create an over-the-top attack platform for upstream attacks.
Fortinet fixed a Post-Auth RCE in FortiWeb (CVE-2021-22123) found by our researcher Andrey Medov.
This vulnerability was part of an Unauth RCE chain submitted together with CVE-2020-29015 (Unauth SQL Injection), which was fixed by Fortinet earlier.
Advisory: https://www.fortiguard.com/psirt/FG-IR-20-120
Subscribe to the PT SWARM Twitter to get updates about all of the latest vulnerabilities discovered by us.
This vulnerability was part of an Unauth RCE chain submitted together with CVE-2020-29015 (Unauth SQL Injection), which was fixed by Fortinet earlier.
Advisory: https://www.fortiguard.com/psirt/FG-IR-20-120
Subscribe to the PT SWARM Twitter to get updates about all of the latest vulnerabilities discovered by us.
New Article: "Guide to P-code Injection: Changing the intermediate representation of code on the fly in Ghidra" by Vyacheslav Moskvin.
The final piece of the four part series about creating a Ghidra plugin to decompile Node.js bytecode is now out!
https://swarm.ptsecurity.com/guide-to-p-code-injection/
The final piece of the four part series about creating a Ghidra plugin to decompile Node.js bytecode is now out!
https://swarm.ptsecurity.com/guide-to-p-code-injection/
CVE-2021-31181: MicroSoft SharePoint webpart interpretation conflict RCE vulnerability
To quote @thezdi: "this vulnerability could be used by an authenticated user to execute arbitrary code on the server in the context of the service account of the SharePoint web application. For a successful attack, the attacker must have SPBasePermissions.ManageLists permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permission."
Contents:
• The Vulnerability
• Proof of Concept
• Getting Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability
To quote @thezdi: "this vulnerability could be used by an authenticated user to execute arbitrary code on the server in the context of the service account of the SharePoint web application. For a successful attack, the attacker must have SPBasePermissions.ManageLists permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permission."
Contents:
• The Vulnerability
• Proof of Concept
• Getting Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability
Zero Day Initiative
Zero Day Initiative — CVE-2021-31181: Microsoft SharePoint WebPart Interpretation Conflict Remote Code Execution Vulnerability
In May of 2021, Microsoft released a patch to correct CVE-2021-31181 – a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21…
"Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass" by @_dirkjan.
Detailed description of CVE-2020-0665, a logic flaw, which allowed the bypassing of the SID filtering mechanism, leading to the compromise of hosts in transitively trusted forests.
Contents:
• Some important points
• Forging inter-realm tickets and Wireshark debugging
• Do you need to use inter-realm tickets?
• Which keys do I need for inter-realm tickets
• Debugging Kerberos the easy way
• Trust transitivity
• Trust transitivity - new domain discovery
• Trust transitivity, adding our own SIDs to the trust
• How many domains are there in a domain?
• Do you trust this domain? [Y/n]
• Designing a new forest trust attack
• Executing the forest trust bypass
• Obtaining the local SID
• Becoming a domain
• Executing the chain
• Disclosure and patch notes
https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
Detailed description of CVE-2020-0665, a logic flaw, which allowed the bypassing of the SID filtering mechanism, leading to the compromise of hosts in transitively trusted forests.
Contents:
• Some important points
• Forging inter-realm tickets and Wireshark debugging
• Do you need to use inter-realm tickets?
• Which keys do I need for inter-realm tickets
• Debugging Kerberos the easy way
• Trust transitivity
• Trust transitivity - new domain discovery
• Trust transitivity, adding our own SIDs to the trust
• How many domains are there in a domain?
• Do you trust this domain? [Y/n]
• Designing a new forest trust attack
• Executing the forest trust bypass
• Obtaining the local SID
• Becoming a domain
• Executing the chain
• Disclosure and patch notes
https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
dirkjanm.io
Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass
In my first personal blog post in 2018 I wrote about Active Directory forest trusts and how they work under the hood. Part two of the series was since then promised but never delivered. I researched this topic again in 2019 and ended up finding a logic flaw…
LEXSS: Bypassing Lexical Parsing Security Controls
👤 by Chris Davis of @Bishop Fox
"By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content. The primary goal in exploiting these types of XSS vulnerabilities is to get the sanitizing lexical parser to view the data as text data and not computer instructions (e.g., JavaScript instructions)."
📝 Contents:
• Introduction to Key Concepts
• Cross-site Scripting (XSS) Protections
• Cross-site Scripting (XSS) Protections via Lexical Parsing
• How the Data Flows Through the HTML Parser
• The Concept of the HTML Parser's Context State
• Namespaces – Foreign Content and Leveraging the Unexpected Behavior
• Sanitizing Lexical Parsing Flow
• Test Case 1 = TinyMCE XSS
• Test Case 2 = Froala XSS
• Prevention
• Conclusion
• Resources
Read the article
👤 by Chris Davis of @Bishop Fox
"By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content. The primary goal in exploiting these types of XSS vulnerabilities is to get the sanitizing lexical parser to view the data as text data and not computer instructions (e.g., JavaScript instructions)."
📝 Contents:
• Introduction to Key Concepts
• Cross-site Scripting (XSS) Protections
• Cross-site Scripting (XSS) Protections via Lexical Parsing
• How the Data Flows Through the HTML Parser
• The Concept of the HTML Parser's Context State
• Namespaces – Foreign Content and Leveraging the Unexpected Behavior
• Sanitizing Lexical Parsing Flow
• Test Case 1 = TinyMCE XSS
• Test Case 2 = Froala XSS
• Prevention
• Conclusion
• Resources
Read the article
Bishop Fox
LEXSS: Bypassing Lexical Parsing Security Controls
Technical details of achieving cross-site scripting (XSS) attacks by using HTML parsing logic where lexical parsers are used to nullify dangerous content.
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
👤 by Michael Stepankin aka @artsploit
The story of discovering and exploiting a java deserialization vulnerability leading to RCE in ForgeRock OpenAM.
PoC:
• The Story
• Obtaining Code & Decompiling
• Source code analysis
• Jato
• Testing on bug bounty (and failing)
• Building a custom gadget chain
• Let's get this bread
• The patch
• Key takeaways
https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
👤 by Michael Stepankin aka @artsploit
The story of discovering and exploiting a java deserialization vulnerability leading to RCE in ForgeRock OpenAM.
PoC:
GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=[serialized_object]
📝 Contents:• The Story
• Obtaining Code & Decompiling
• Source code analysis
• Jato
• Testing on bug bounty (and failing)
• Building a custom gadget chain
• Let's get this bread
• The patch
• Key takeaways
https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
RARLAB fixed a MITM (CVE-2021-35052) in WinRAR found by our researcher Igor Sak-Sakovskiy.
This attack could be leveraged to achieve code execution on a user's machine.
Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1
This attack could be leveraged to achieve code execution on a user's machine.
Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1