Security Operations

570 readers
1 user here now

A place for all things Cyber Security, from questions, rants, and stories, to the latest attacks, vulnerabilities, and zero days.

founded 1 year ago
MODERATORS
L3s
51

Windows - Data Protection API - A journey into various DPAPI potential abuses from an offensive security perspective::Information Security Services. Offensive Security, Penetration Testing, Mobile and Application, Purple Team, Red Team

52

Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing (CVE-2023-45866)::Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request. These vulnerabilities affect Android, Linux, macOS, iOS, and Windows operating systems, making them a serious threat to users across different platforms. The vulnerabilities were discovered by Marc Newlin, who also

53

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

54

LogBoost - A tool for parsing and enriching IP addresses in any type of log/file with GEO, DNS, OSINT IOCs and ASN context::Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, Domain, ASN, DNS and Threat Indicator matches. (GitHub: joeavanzato/LogBoost)

55

npm Package Found Delivering RAT Through Signed Microsoft Executable::On January 12, 2024 Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question, oscompatible, contained a few strange binaries, including a single exe file, a single DLL file, and an encrypted dat file. The only JavaScript file present, index.js, simply

56

Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes

57

Hacking into a Toyota/Eicher Motors insurance company by exploiting their premium calculator website::A vulnerable API on Toyota Tsusho Insurance Broker India’s premium calculator website exposed Microsoft corporate cloud credentials.

58

PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack

59

Welcome To 2024, The SSLVPN Chaos Continues - Ivanti CVE-2023-46805 & CVE-2024-21887 (watchTowr Labs)::Did you have a good break? Have you had a chance to breathe? Wake up.

It’s 2024, and the chaos continues - thanks to Volexity (Volexity’s writeup), the industry has been alerted to in-the-wild exploitation of 2 incredibly serious 0days (CVE-2023-46805 and CVE-2024-21887 - two bugs, Command Injection

60

Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings::New vulnerabilities discovered in the Bosch Rexroth NXA015S-36V-B, a popular smart nutrunner used in automotive production lines, may halt production or compromise safety.

61

Unauthenticated RCE in Adobe Coldfusion – CVE-2023-26360::Explore the intricacies of CVE-2023-26360, an unauthenticated Remote Code Execution (RCE) vulnerability in Adobe ColdFusion

62

Using honeytokens to detect (AiTM) phishing attacks on your Microsoft 365 tenant::Phishing attacks are rapidly increasing against Microsoft 365 tenants. Why? Microsoft is used by many companies and users, so targeting it is very attractive. Also, techniques to bypass Multi-Factor Authentication (MFA) during a phishing attack are gaining popularity (AiTM phishing attacks). This allows attackers to compromise even accounts protected by MFA. At Zolder we are…

63
4
submitted 10 months ago by L4s to c/secops

Bypass Cognito Account Enumeration Controls::Leverage a flaw in Cognito's API to enumerate accounts in User Pools.

64

Buffer Overflow in TP-Link Tapo C100 Home Security Camera::Note: This blogpost was written in November 2023, but I was waiting for the TP-Link Security Team to release a fix, so now it’s published (Jan 2024).

Hello world! and happy new year. It’s been a long time since I last posted here. I decided to take on a new challenge, to do something I have wanted to do since I was a 15-year-old(!) enthusiastic kid watching this Black Hat talk: hacking a security camera. 10 years later, I think it’s my turn now hehe

In this blogpost, I’ll share my journey of targeting the TP-Link Tapo C100 Home Security Camera. From extracting the firmware to spotting an n-day and writing a full RCE exploit.

Extracting the firmware

To get an initial foothold on the device, I soldered some cables to the UART pins of the device in the hope that I would get a bash shell.

My plan was to try a known technique used on other models of this camera: insert an SD card into the camera → copy the /dev/mtdblock* files to the card → plug it into my laptop → run binwalk on it.

However, for some reason the camera did not manage to detect the SD card ;_; so what I did was:

1. Dump the whole contents of the /dev/mtdblock* files with xxd (or hexdump)
2. Save all the UART output to a txt file
3. Decode it back from hexdump to raw bytes

Yes, I dumped the whole firmware via UART, and it was so slow :‘) But desperate times call for desperate measures.

Intro to the “dsd” binary

The dsd binary, located at /usr/bin/dsd, is one of the main components of the REST API the camera exposes to the client. Basically, the uhttpd binary uses a local Unix socket to send the user input to the dsd binary, which performs the necessary action (change the camera settings, etc.) and returns a response.

Spotting the bug

The bug exists in the check_user_info request handler.

The request: {

65

(Im)perfectProject(or) - Hacking a small WiFi connected projector for fun and to learn hard lessons.::A perfect project to hack an imperfect projector, including a hardware teardown, potential CLI injection, and some lessons learned.

66

LDAP Watchdog: A real-time LDAP monitoring tool for detecting (or stalking) directory changes::LDAP Watchdog: A real-time Linux-compatible LDAP monitoring tool for detecting directory changes, providing visibility into additions, modifications, and deletions for administrators and security researchers. (GitHub: MegaManSec/LDAP-Monitoring-Watchdog)

67

Intro into CI/CD research that has led to critical vulnerabilities in Google, Meta, Microsoft, Blockchains, and more.::Six months ago, my friend and colleague Adnan Khan started researching a new class of CI/CD attacks. Adnan grasped the significance of these attacks after executing them against GitHub to gain total control of the GitHub Actions runner images. GitHub’s bug bounty program scored this vulnerability as “Critical” and paid a $20,000 reward. Following this…

68

SSH-Snake: Automated Self-Propagating, Self-Replicating, Fileless SSH-Based Network Traversal::SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery. (GitHub: MegaManSec/SSH-Snake)

69

Bitwarden Heist - How to Break into Password Vaults Without Using Passwords::Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …

70
2
submitted 11 months ago by L4s to c/secops

BPF Memory Forensics with Volatility 3::Introduction and Motivation. Have you ever wondered what an eBPF rootkit looks like? Well, here’s one, have a good look: Upon receiving a command and control (C2) request, this specimen can execute arbitrary commands on the infected machine, exfiltrate sensitive files, perform passive and active network discovery scans (like nmap), or provide a privilege escalation backdoor to a local shell. Of course, it’s also trying its best to hide itself from system administrators hunting it with different command line tools such as ps, lsof, tcpdump and others, or even tools like rkhunter or chkrootkit.

71

Active Directory and Internal Pentest Cheatsheets - Internal All The Things::Active Directory and Internal Pentest Cheatsheets

72
11
submitted 11 months ago by L4s to c/secops

Ghidriff: Ghidra Binary Diffing Engine::As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis. Patch diffing is a technique widely used to identify changes across versions of binaries as related to security patches. By diffing two binaries, a security researcher can dig deeper into the latest CVEs and patched vulnerabilities to understand their root cause. This post presents Ghidriff, a new open-source Python package that offers a command-line binary diffing capability leveraging the power of the Ghidra Software Reverse Engineering (SRE) Framework with a fresh take on the standard patch diffing workflow.

73

Terrapin - SSH prefix truncation attack - CVE-2023-48795

74
1
submitted 11 months ago by L4s to c/secops

Understanding The Workings of Russian Hacker “Wazawaka” (25491742.fs1.hubspotusercontent-eu1.net)

75

How Microsoft might have lured unsuspecting end-users into the hands of criminals::We found a serious error in Microsoft’s Attack Simulator program. Without a fix, it would have turned into a real phishing attack platform circumventing all protection mechanisms.
