Pinned post

Qualys does it again! It’s so rewarding when all the pieces of an #exploit come to fit together nicely.

Race condition in snap-confine's must_mkdir_and_open_with_perms() (CVE-2022-3328)

Last week.
Me: "AI is going to replace many aspects of cyber security jobs"
Red Teaming Lamers: "outrageous, impossible, *generic insult*"

This week.
Red Teaming Lamers: "look at this AI, it's doing things better than some of us, super interesting"
Me: "..."


This website was very useful to find exactly when the manifest changed, definitely worth a visit if you do any Microsoft vulnerability research and need to check system binary versions and changes. Thanks @raptor for pointing me towards this earlier today & @Rairii for suggestions -

Show thread

The manifest of this binary was adjusted to run asInvoker so the autoelevate attribute is no longer honored making it useless for UAC, on systems that have the legacy manifest it could already be trivially leveraged via mscfile shell open command registry. I leveraged OneDrive to sideload the DLL so it should only impact desktops, I do not think the server versions are impacted unless they ship with OneDrive. I'll check on 2012 but I doubt it will be exploitable to bypass UAC notification.

Show thread

DLL side-loading vulnerability in Microsoft signed autoelevate CompMgmtLauncher.exe - unfortunately the manifest on this file changed in Windows 10 1703 so it can no longer be used to bypass UAC. The side loading doesn't trigger in 1507-1607, this maybe exploitable in some situations but is being discarded as a dead end. There is one more of these that we've found but have been unable to exploit. This one is only useful to sideload malware in a signed executable and not for UAC.

Is there a website that tracks changes to specific windows files and provides the patch level that the change occurred in? I am trying to locate when a specific component was changed under the Windows %SystemRoot% - trial and error says "sometime between 8 / 10" but I would like to know when something was patched.

As a middle aged #unix #hacker :hecked:​ I really enjoyed reading @timb_machine's #oldschool whitepaper titled "Breaking the links: Exploiting the linker". It contains some fun tidbits of almost-forgotten lore.

TL;DR: "The discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, the author felt this was unfair and responded with a blog post that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback received to that post, the author decided to investigate the issue a little further. This paper is an amalgamation of what was learnt."

Grrr spent the day hacking around and found some new UAC bypasses but they are patched in Windows 11 due to a change in a manifest but still impact Windows 10 and Windows 10 only. Other older versions may be impacted if another Microsoft product is installed but default on Windows 10. Release them or no interest?

If you're into x86-64 #assembly and like riddles and/or poetry, I highly recommend "xchg rax, rax" by xorpd.

If you are concerned about government agencies like CERT or CISA being on the fediverse, then I have some *shocking* news for you. 3-letter agencies and the military industrial complex have long since played a secret hand in the creation of decentralized, federated, social network services and anonymity technology. Those you fear have always been here and blocking instances hosting public relations accounts won't hide you or reduce your risks. Mastodon exposes the infosec/hacker divide on topic.

A little about us:
The Wall of Sheep was founded over 20 years ago as a fun, interactive way to educate people about the risks of unsecured network traffic and sniffing.

Since then, we've grown into the Packet Hacking Village: one of DEF CON's largest and most storied villages.

Every year, we provide training, education, and fun to people of all backgrounds and skill levels.

Welcome to the flock.

#introduction #hacking #cybersecurity #security #defcon #WallOfSheep

Avast says that in recent attacks, the ViperSoftX infostealer operators have switched to using their malware to install an extension for Chromium-based browsers in order to execute a MitM attack when users visit cryptocurrency platforms to steal credentials and swap wallet addresses with one they operate.

It seems #Tiktok has an open redirect being actively abused by attackers.


#openRedirect #phishing #fraud

I should warn you all that my self-help and philosophy content is not posted here. I view Mastodon as a place where I can share hacking and tech content openly without breaking any terms-of-services and have true freedom of speech. My instance is self-hosted out of Iceland along with my peertube and Matrix service, e-mail is handled offshore in Sweden. You should consider this account the hackerfantastic but an after-dark edition...

I moved from gVim to Atom as a cross-platform text editor a few years ago, have just learned that they are "sunsetting" the editor. I am a big fan of VSCode and Visual Studio in general, XCode on MacOS but these are more fully-featured IDE's. What text editors will run on Windows, Linux and MacOS that offered the same flexibility as Atom? Seeking recommendations before I just go back to GTK+Vim and die a little inside. More info on the sunset for Atom 😢

Brokenflow : A simple PoC to invoke an encrypted shellcode by using an hidden call : credits @s4tan (twiiter)

NEW: According to a leaked document, the cybersecurity startup Corellium offered trials to controversial surveillance companies NSO Group and DarkMatter.

Corellium also sold to cellphone cracking firms Cellebrite (Israel) and Elcomsoft (Russia), as well as Pwnzen, a hacking firm with ties to China's government, according to the document.

Corellium declined to answer most of the questions we asked about its customers.

Corellium said NSO and DarkMatter only had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process.

The company told us that it has a careful vetting process, and that it has had “opportunities to profit from these bad actors and have chosen not to."

#Apple #cybersecurity

Show older

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!