While playing around with the vUSBf kernel fuzzer, I found a vulnerability (CVE-2016-2384) in the Linux kernel USB MIDI driver. I reproduced the bug with a Facedancer21 board and wrote an exploit to gain code execution within the kernel. My exploit requires user space cooperation, but the bug is exploitable externally provided one finds the right primitives.
The bug in the USB MIDI driver is a double-free of a kmalloc-512 object, which occurs when a malicious USB device is plugged in. The vulnerability is only present if the USB MIDI module is enabled, but this is the case for many modern distributions. The bug has been fixed in the mainline kernel by Takashi Iwai. CVE-2016-2384: Exploiting a double-free in the Linux kernel USB MIDI driver
Notes
Azure Site Recovery is a suite of tools aimed at providing disaster recovery services for cloud resources. It provides utilities for replication, data recovery, and failover services during outages.
Tenable Research has discovered that this service is vulnerable to a DLL hijacking attack due to incorrect directory permissions. This allows any low-privileged user to escalate to SYSTEM level privileges on hosts where this service is installed.
Microsoft has assigned this issue CVE-2022-33675 and rated it a severity of Important with a CVSSv3 score of 7.8. Tenable’s advisory can be found here. Microsoft’s post regarding this issue can be found here. Additionally, Microsoft is expected to award a $10,000 bug bounty for this finding. Microsoft Azure Site Recovery DLL Hijacking
Back in the late 90’s, early 2000’s, things moved more rapidly, there were a lot of smaller startups, less incumbency, and with few barriers to entry, anyone with a good idea could slap together some code, get a funding proposal, and become the ’next big thing’. Now the tech sector is just another corporate welfare cronyist shell game centralized around a handful of CIA-financed (read In-Q-Tel) oligopolies. The open web is almost dead. Open hardware is dead. Free software is dead (although ‘open source’ is doing just fine). There is literally nothing to be excited about anymore.

Last week, we introduced a new product you may already have heard about: the MNT Pocket Reform! For this 7-inch mini laptop, the best features of MNT Reform were condensed into a smaller, lighter and more affordable device.
An advanced multi-threaded, multi-client Python reverse shell for hacking Linux systems. There’s still more work to do, so feel free to help out with the development. PwnLnx
The purpose of this guide is to view Active Directory from an attacker's perspective. I will try to review different aspects of Active Directory and the terms that every pentester should master in order to understand the attacks that can be performed in an Active Directory network.
In order to understand how to attack Active Directory (and any other technology), I think it is important to know not only the tools, but how the tools work, what protocols/mechanisms they use, and why these mechanisms/protocols exist.
The information presented here comes from open sources and my own experience with Active Directory. However, I cannot be certain that everything stated here is correct, so you are encouraged to perform your own tests, and in case you find any error, please let me know.
Moreover, I know that not everything about Active Directory is covered here, but it is my intention to cover at least the basic knowledge required to understand Active Directory and its attacks, and to expand this source in the future. So, if you feel that I missed something a pentester should know about Active Directory, please let me know. Attacking Active Directory: 0 to 0.9
Android devices have had multiple CVE findings over the past few years which enable an individual to bypass the lock screen and obtain unauthorized access or escalation of privilege. For example, CVE-2015-3860 is a previously identified CVE that uses the emergency dialer and camera processes to stage a buffer overflow-like scenario on the PIN entry of the lock screen. The overflow then crashes one or more processes associated with the lock screen to expose the owner’s home screen. More information on CVE-2015-3860 can be found at this link: CVE-2015-3860. CVE-2022-20006 - Lock Screen Bypass Exploit of Android Devices
TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.
TripleCross is inspired by previous implant designs in this area, notably the works of Jeff Dileo at DEFCON 27, Pat Hogan at DEFCON 29, Guillaume Fournier and Sylvain Afchain also at DEFCON 29, and Kris Nóva’s Boopkit. We reuse and extend some of the techniques pioneered by these previous explorations of the offensive capabilities of eBPF technology. TripleCross
Social media just made it easier to spread and enforce mind viruses. Echo chambers made sure that the infected won’t have a chance to seek a cure.
Today, cyber attacks are more numerous and cause more damage to companies. Nevertheless, many software products exist to detect cyber threats. The S1EM solution is based on the principle of bringing together the best free products in their respective fields and making them quickly interoperable.
S1EM is a SIEM with SIRP, threat intel and full packet capture, all in one. S1EM
An OSINT tool to search fast for accounts by username across 131 sites. Blackbird
The name PngBin comes from the image file extension PNG (Portable Network Graphics) and the word Binary. An image produced by PngBin has every property of a normal PNG image, except that when viewed in an image viewer it appears broken and noisy (which is normal for any PngBin image). Because PNG uses lossless data compression, a PNG image can be made to contain arbitrary binary data (this is why a PngBin image looks noisy) without losing a single bit of information, unlike a JPEG image, whose lossy compression cannot be reversed to recover the original data. PngBin - convert any binary data to a PNG image file and vice versa
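The round trip the PngBin description relies on can be shown with nothing but the standard library. The example below is added here and is not PngBin's own code or file layout: it packs arbitrary bytes into the pixel data of an 8-bit grayscale PNG, writing the IHDR/IDAT/IEND chunks and their CRCs by hand, and reads them back. The 64-pixel row width and the 8-byte big-endian length prefix (needed because the last row is padded) are design choices of this example, as are the function names `bytes_to_png` and `png_to_bytes`.

```python
import struct
import zlib

# Constructed constants for this example; the signature is the real PNG magic.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ROW_WIDTH = 64  # pixels per scanline, chosen arbitrarily here (not PngBin's value)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def bytes_to_png(data: bytes, width: int = ROW_WIDTH) -> bytes:
    """Wrap arbitrary bytes in a valid 8-bit grayscale PNG (one byte per pixel)."""
    payload = struct.pack(">Q", len(data)) + data  # length prefix so padding can be stripped
    height = -(-len(payload) // width)  # ceiling division: enough rows to hold everything
    payload += b"\x00" * (width * height - len(payload))  # pad the final row
    # Each scanline is prefixed with filter type 0 ("None"), so pixel bytes are stored verbatim.
    scanlines = b"".join(
        b"\x00" + payload[r * width:(r + 1) * width] for r in range(height)
    )
    # IHDR: width, height, bit depth 8, colour type 0 (grayscale), compression 0,
    # filter method 0, interlace 0.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (
        PNG_SIGNATURE
        + _chunk(b"IHDR", ihdr)
        + _chunk(b"IDAT", zlib.compress(scanlines, 9))  # lossless, so bytes survive intact
        + _chunk(b"IEND", b"")
    )


def png_to_bytes(png: bytes) -> bytes:
    """Recover the original bytes from a PNG produced by bytes_to_png, verifying chunk CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    width = height = None
    idat = b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IHDR":
            width, height, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
            if depth != 8 or colour != 0 or interlace != 0:
                raise ValueError("only non-interlaced 8-bit grayscale images are supported")
        elif ctype == b"IDAT":
            idat += body  # IDAT data may be split across several chunks; concatenate first
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if width is None or not idat:
        raise ValueError("missing IHDR or IDAT chunk")
    raw = zlib.decompress(idat)
    stride = width + 1  # filter byte + one byte per pixel
    pixels = bytearray()
    for r in range(height):
        if raw[r * stride] != 0:
            raise ValueError("unexpected scanline filter type")
        pixels += raw[r * stride + 1:(r + 1) * stride]
    (n,) = struct.unpack(">Q", pixels[:8])
    return bytes(pixels[8:8 + n])


if __name__ == "__main__":
    # Constructed sample input: every byte value, repeated so it spans several rows.
    sample = bytes(range(256)) * 3
    image = bytes_to_png(sample)
    assert png_to_bytes(image) == sample
    print(f"{len(sample)} bytes -> {len(image)}-byte PNG, round trip OK")
```

Any image viewer will open the result as a noisy grayscale picture; the CRC check on decode is what catches a viewer or transfer step that "helpfully" re-encoded the file, since a re-encoded image no longer carries the original chunk bytes.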
The target must be running the cluster NioReceiver; sending a specially crafted TCP packet to it causes a denial of service. The vulnerability is present whether or not EncryptInterceptor is used.
Condition: the Tomcat cluster function is enabled and NioReceiver is used for communication.
Any version of Tomcat is affected. The only mitigation is to run the cluster on a trusted network. Apache Tomcat DoS (CVE-2022-29885) Exploit
We are witnessing the fall of the USA empire into fascism.
Have you seen the latest Mega nothing-burger? We call it The Security Racket.
I have a feeling that all this “DIS AI BE SENTIENT U PLEB!!!” shit is not about anthropomorphising machines but about dehumanising us.
getimiskon has a very interesting article on how to set up a fully compliant XMPP server from scratch, check it out!
ARM is the acronym for Advanced RISC Machines and, if it is not followed by a noun, it refers to a family of processors (CPUs) designed according to the architecture developed by Arm Ltd., a British company based in Cambridge, England. RISC is another acronym, standing for Reduced Instruction Set Computer, and is the alternative to CISC, Complex Instruction Set Computer, the approach used by Intel processors. You may find their main differences below, but for the purpose of this workshop just keep in mind the reduced instruction set (as the term implies) as well as the larger number of general-purpose registers of RISC-based machines. ARM 64 Assembly Series— Basic definitions and registers
Security by design has long been something of a holy grail for cybersecurity professionals. It’s a simple concept: ensure products are designed to be as secure as possible in order to minimize the chances of compromise further down the line. The concept has been expanded further in recent years to signify an effort to embed security into every part of an organization – from its DevOps pipelines to its employees’ day-to-day working practices. By creating a security-first culture like this, organizations will be both more resilient to cyberthreats and better equipped to minimize their impact if they do suffer a breach.
Technology controls are, of course, an important tool to help create this kind of deeply embedded security culture. But so too is phishing awareness training – which plays a hugely important role in mitigating one of the biggest threats to corporate security today and must be a staple in general cybersecurity awareness training programs. Phishing awareness training: Help your employees avoid the hook
Be afraid, be very afraid! (pdf download)