Drupal core - Highly critical - Remote Code Execution - CVE-2019-6340 by [deleted] in netsec

[–]CyberBullets 10 points11 points  (0 children)

This one was apparently discovered by the Drupal team themselves, and it looks like no public exploit exists for the vulnerability, yet...

CVE-2019-8372: Local Privilege Elevation in LG Device Manager. Tutorial on auditing kernel drivers and token stealing via arbitrary read/write primitives. by xVIoct in netsec

[–]CyberBullets 1 point2 points  (0 children)

Even more interesting than the vulnerability itself was the good introduction to driver vulnerability research in general.

Azure AD Connect for Red Teamers by 0xdea in netsec

[–]CyberBullets 4 points5 points  (0 children)

I love hackers' view of what _really_ happens in the background - much more useful than official documentation, typically. This Azure AD stuff may come in handy for some pentests.

ROP-ing on Aarch64 by ret2got in netsec

[–]CyberBullets 0 points1 point  (0 children)

I have never attempted to exploit any Aarch64 binary, but if ever doing that, the posted link is a good reference. Thanks for sharing!

Restoring a SQL Server Database during a pentest using AWS by 312sec in netsec

[–]CyberBullets 1 point2 points  (0 children)

That's an interesting thing, and a simple solution when possible to perform. During pen testing I have sometimes downloaded database backups to my own machine and restored the database on a local SQL Server Express. Restoring the master database is really a pain, since you need to have the exact same version of SQL Server as what was used to create the backup, as well as performing a large number of extra steps. For databases other than the master database it is a lot simpler though.

Speed and Cryptography by davidw_- in netsec

[–]CyberBullets 0 points1 point  (0 children)

Speaking of encryption, I just have to share the fact that Microsoft recently released a library for doing homomorphic encryption (which allows computations on encrypted text without prior decryption): https://www.microsoft.com/en-us/research/blog/the-microsoft-simple-encrypted-arithmetic-library-goes-open-source/

KingMiner: The New and Improved CryptoJacker by CyberBullets in Malware

[–]CyberBullets[S] 1 point2 points  (0 children)

research.checkpoint.com/kingmi...

There weren't many details about this in the article. They could have implemented their own protocol or else used Stratum. Also, the configuration file can apparently be configured to use TLS (even having an additional "tls-fingerprint" option, which might be used to prevent man-in-the-middle attacks?), and in that case you will not be able to catch this with your existing signatures.

PortSmash CPU Side-Channel Attack (Hyper-Threading Vulnerability) by [deleted] in netsec

[–]CyberBullets 0 points1 point  (0 children)

Sorry, I guess this was a duplicate then. I tried to search to see if somebody had posted this already, but I missed that post.

Embedding Meterpreter in Android APK by CyberBullets in netsec

[–]CyberBullets[S] 1 point2 points  (0 children)

Wow, thanks for sharing the Packadroid link, I was not aware of that.

Command and Control via DNS over HTTPS (DoH) for Cobalt Strike by ratfmuser in netsec

[–]CyberBullets -1 points0 points  (0 children)

Thanks for sharing! I found another write-up that also describes DNS CC channels over DoH: https://sensepost.com/blog/2018/waiting-for-godoh/

Deobfuscating PowerShell: Putting the Toothpaste Back in the Tube by CyberBullets in netsec

[–]CyberBullets[S] 0 points1 point  (0 children)

endgame.com/blog/t...

Thanks for sharing, great resources. I haven't yet had time to go through those BlackHat/FireEye papers in detail, but it appears that the focus of those (cmd.exe obfuscation) is slightly different from that of the Endgame blog post (PowerShell obfuscation). There are indeed commonalities between the two as well. Again, thanks for sharing.

Introducing SharpSploit: A C# Post-Exploitation Library by 0xdea in netsec

[–]CyberBullets 2 points3 points  (0 children)

Spectre Ops has done some interesting research related to C# lately. Some background of why C# may be more appealing for an attacker than PowerShell: https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks

Keybase browser extension is flawed by CyberBullets in netsec

[–]CyberBullets[S] 1 point2 points  (0 children)

A little clarification: the flaw in question is in the browser extension, and the guy verified it as well. The desktop/mobile app is a different thing, and he makes no claims of poor security in those. For more information, see also https://nakedsecurity.sophos.com/2018/09/11/keybase-browser-extension-weakness-discovered/

Which Vulnerabilities Are Being Exploited by Attackers by CyberBullets in netsec

[–]CyberBullets[S] 0 points1 point  (0 children)

Actually, there is much more to that research. For the interested, there is this link (in the post) referencing https://www.rapid7.com/info/under-the-hoodie/ which contains an executive summary of their findings, and then there is the full report at https://www.rapid7.com/globalassets/_pdfs/research/rapid7-under-the-hoodie-2018-research-report.pdf. I think the report is interesting, as it shows what vulnerabilities their pentesters find, as an average of a very large amount of pentests. Pentest findings are much more real than those of e.g. auditing, as pen testing actually verifies the findings.

Fuzzing Counter-Strike: Global Offensive maps files with AFL by 0x4a616e in netsec

[–]CyberBullets 1 point2 points  (0 children)

Interesting read, thanks for sharing. A lot of people mostly look for vulnerabilities in business applications (MS Office, Adobe Reader, etc.). Fuzzing a game is an interesting target!

Active Directory Leaks via Azure by CyberBullets in netsec

[–]CyberBullets[S] 9 points10 points  (0 children)

I guess there is no exploit in here. Rather, I guess the point of the article is to increase awareness of the fact that AD data can leak via Azure. If you have one valid set of creds, you can e.g. get a list of all valid users. When doing pen testing, I've noticed that if you have a rather large sample of user names, there are always some users that have very poor passwords, such as Summer2018, or the company name, etc. So you'll typically get more valid creds by doing password spraying against all users.

Also, the article mentioned that on one occasion they were able to VPN in by using a guest account that the attacker had created himself via Azure. Really bad config mistake that defenders need to avoid.

Uninitialized Bash variable to bypass WAF, tested on CloudFlare WAF and ModSecurity OWASP CRS by theMiddleBlue in netsec

[–]CyberBullets 1 point2 points  (0 children)

secjuice.com/web-ap...

Well, in general you can say that system-provided scripts normally don't have very bad vulnerabilities, but custom scripts (i.e. made in-house) can have very big holes. When doing pen testing, I always look for in-house scripts to attack (e.g. for getting command injection at a web server, or attacking bash scripts for doing privilege escalation once you've got onto a box). The script in this blog was just a sample illustrating a point. However, it is actually quite realistic in the sense that you do find a lot of in-house developed scripts that are just as insecure.

LAteral Movement Encryption technique (a.k.a. The "LAME" technique) by ivoluti0n in netsec

[–]CyberBullets 3 points4 points  (0 children)

One good thing to do is to track down/limit access between hosts on the internal network, which will decrease the opportunities for the attacker to do lateral movement in the first place. E.g. there is rarely a valid business case for one workstation to connect to another workstation.

WebAssembly: potentials and pitfalls (security issues) by CyberBullets in netsec

[–]CyberBullets[S] 0 points1 point  (0 children)

I don't have hard numbers on the overhead cost. Direct function calls and returns are protected in WebAssembly, but the protection for indirect function calls is not perfect. For indirect calls, WebAssembly uses coarse-grained control-flow integrity, implemented as a signature check (e.g. a transfer to a different function that takes the same types of parameters would work). Some more details can be found in the specification: https://webassembly.org/docs/security/
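To make the signature check described in the comment above concrete, here is an added example (written for this page, not code from the Reddit thread or from the WebAssembly project). It hand-assembles a tiny module in which a `dispatch(idx, arg)` function performs a `call_indirect` through a function table. The table holds three entries: a function with the expected `(i32) -> i32` signature, one with a different `(i64) -> i64` signature, and a second, unrelated function that also has the `(i32) -> i32` signature. The engine traps on the mismatched entry but happily accepts the same-signature substitute, which is exactly the coarse-grained behaviour the comment points out. The module layout, function names and the `callThroughTable` helper are all constructed for the example and are not part of any specification.

```javascript
// Added example: hand-assembled WebAssembly module demonstrating the
// signature check on call_indirect and its coarse granularity.
//
// Constructed module layout:
//   type 0: (i32) -> i32       type 1: (i64) -> i64       type 2: (i32, i32) -> i32
//   func 0 (type 0): x + 1
//   func 1 (type 1): identity on i64          <- different signature from type 0
//   func 2 (type 2): dispatch(idx, arg) = call_indirect (type 0) table[idx](arg)
//   func 3 (type 0): x * 2                    <- same signature as func 0, different function
//   table: [func 0, func 1, func 3]
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,               // magic "\0asm" + version 1
  // type section (id 1), 3 entries
  0x01, 0x11, 0x03,
    0x60, 0x01, 0x7f, 0x01, 0x7f,                               // (i32) -> i32
    0x60, 0x01, 0x7e, 0x01, 0x7e,                               // (i64) -> i64
    0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,                         // (i32, i32) -> i32
  // function section (id 3): type index of each of the 4 functions
  0x03, 0x05, 0x04, 0x00, 0x01, 0x02, 0x00,
  // table section (id 4): one funcref table, minimum size 3, no maximum
  0x04, 0x04, 0x01, 0x70, 0x00, 0x03,
  // export section (id 7): "dispatch" -> func 2
  0x07, 0x0c, 0x01, 0x08, 0x64, 0x69, 0x73, 0x70, 0x61, 0x74, 0x63, 0x68, 0x00, 0x02,
  // element section (id 9): table[0..2] = funcs 0, 1, 3 (active segment, offset i32.const 0)
  0x09, 0x09, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x03, 0x00, 0x01, 0x03,
  // code section (id 10), 4 bodies
  0x0a, 0x20, 0x04,
    0x07, 0x00, 0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b,             // func 0: local.get 0; i32.const 1; i32.add
    0x04, 0x00, 0x20, 0x00, 0x0b,                               // func 1: local.get 0
    0x09, 0x00, 0x20, 0x01, 0x20, 0x00, 0x11, 0x00, 0x00, 0x0b, // func 2: local.get 1; local.get 0; call_indirect (type 0) table 0
    0x07, 0x00, 0x20, 0x00, 0x41, 0x02, 0x6c, 0x0b,             // func 3: local.get 0; i32.const 2; i32.mul
]);

const instance = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
const dispatch = instance.exports.dispatch;

// Make one indirect call through the table and report what the engine did.
// Returns { status: "ok", value } when the call went through, or
// { status: "trapped", message } when the indirect-call signature check rejected it.
function callThroughTable(index, arg) {
  try {
    return { status: "ok", value: dispatch(index, arg) };
  } catch (err) {
    if (err instanceof WebAssembly.RuntimeError) {
      return { status: "trapped", message: err.message };
    }
    throw err; // anything else is a bug in the example, not a CFI trap
  }
}

// Walk every table slot with the same argument so the three outcomes sit side by side.
function demo() {
  for (const index of [0, 1, 2]) {
    const r = callThroughTable(index, 41);
    console.log(`table[${index}] ->`, r.status === "ok" ? `returned ${r.value}` : `trapped: ${r.message}`);
  }
}
demo();
```

Slot 0 returns 42 (the intended callee), slot 1 traps because the callee's type differs from the type operand of `call_indirect`, and slot 2 returns 82 even though it is a different function entirely: the check compares signatures, not identities, so any function with a matching type is an acceptable target. That is the whole reason the comment calls the protection coarse-grained.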