- 1. CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
"This blog post is the first in the series and will describe the vulnerability, the initial constraints from an exploit development perspective and finally how WNF can be abused to obtain a number of exploit primitives. The blogs will also cover exploit mitigation challenges encountered along the way, which make writing modern pool exploits more difficult on the most recent versions of Windows."
- 2. Sequoia: A Deep Root In Linux’s Filesystem Layer – Packet Storm
Neat! "Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory." Qualys Post: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 Note: In a separate post, the Qualys research team also disclosed a DoS vulnerability in systemd: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
- 3. CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable – SentinelLabs
Ya wonder how no one has found this before, given: "Several months ago, while configuring a brand new HP printer, our team came across an old printer driver from 2005 called SSPORT.SYS thanks to an alert by Process Hacker once again. This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products."
- 4. SonicWall warns of ‘imminent ransomware campaign’ targeting its EOL equipment – The Record by Recorded Future
Don't want ransomware? Upgrade your devices, and you'll pay: "If customers can’t update, SonicWall is recommending that they disconnect devices immediately and reset their access passwords, and enable account multi-factor authentication, if supported. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” it added." - I mean, or you could just unplug your firewalls and other gear...SMH.
- 5. Microsoft: New Unpatched Bug in Windows Print Spooler
"The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue."
- 6. Backdoor.Win32.IRCBot.gen Remote Command Execution
Is this a bug or a feature? "The malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail."
- 7. Is Microsoft a National Security Threat?
I don't buy it; regardless of the operating system, you are just as vulnerable: "Because of this, organizations relying on Windows will have a hell of a time migrating away from Windows and the rest of the Microsoft ecosystem which means that they’re naturally going to drag their toes in doing so; the bigger they are, the slower any attempt at a migration will go. In turn, this means that there is plenty of time for those that can easily migrate away from the madness and insecurity of the Microsoft ecosystem as a means of sheltering themselves from a barrage of attacks safely in the shadow of Microsoft for the time being." - Apple hides their vulnerabilities as best they can. No one wants to take the time to find and disclose a big enough percentage of Linux vulnerabilities to make a difference (though Qualys is having a go at it).
- 8. “Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones
"Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target's iPhone or Android device, Pegasus immediately trawls through a wealth of the device's resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps." More info: https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones
- 9. Microsoft Cracks Down on Malicious Homoglyph Domains
Brand monitoring tools should catch this, right? If so, then why did Microsoft have to kill 20 attacker-owned domains? - "In one instance, the attackers hijacked legitimate Office 365 e-mail communication to send an impersonation email from a homoglyph domain (that had a single letter changed) and convince the victim that the message came from a known trusted source. They then falsely claimed that the CFO put a hold on the account, asking for a payment to be made as soon as quickly."
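A homoglyph check of the kind a brand-monitoring tool runs, as an added example (this is not code from Microsoft or from this episode): it generates the one-substitution confusable variants of a domain you own and also catches any sender domain within one edit of it, which is what "a single letter changed" means in practice. The CONFUSABLES table, the domain examplecorp.com and the sample From: headers are all constructed for illustration.

```python
# Added example: flag sender domains that are homoglyphs of, or one edit away from,
# a domain you own. The table and the sample data are constructed, not real.

CONFUSABLES = {  # visually similar substitutions in common fonts (assumed, not exhaustive)
    "o": ("0",), "0": ("o",),
    "l": ("1", "i"), "1": ("l",), "i": ("l", "1"),
    "m": ("rn",), "rn": ("m",),
    "w": ("vv",), "vv": ("w",),
    "e": ("3",), "a": ("4",), "s": ("5",),
    "d": ("cl",), "cl": ("d",),
}


def homoglyph_variants(domain):
    """All domains reachable from `domain` by one confusable substitution in the name
    left of the TLD, e.g. examplecorp.com -> exarnplecorp.com, examplec0rp.com."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for src, subs in CONFUSABLES.items():
        pos = label.find(src)
        while pos != -1:
            for sub in subs:
                variants.add(f"{label[:pos]}{sub}{label[pos + len(src):]}.{tld}")
            pos = label.find(src, pos + 1)
    variants.discard(domain.lower())
    return variants


def levenshtein(a, b):
    """Edit distance; catches single-letter changes that are not in the confusables table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_domain(sender, legit_domains):
    """Return the legitimate domain `sender` imitates, or None if it is genuine or unrelated."""
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    for legit in (d.lower() for d in legit_domains):
        if domain == legit:
            return None  # genuine mail from the owned domain
        if domain in homoglyph_variants(legit) or levenshtein(domain, legit) == 1:
            return legit
    return None


# Constructed From: headers (not taken from the Microsoft post).
SAMPLE_FROM_HEADERS = [
    "From: CFO <cfo@exarnplecorp.com>",      # rn for m: two edits, caught by the table
    "From: Accounts <ap@examplecorp.co>",    # one character dropped, caught by edit distance
    "From: Sales <sales@examplecorp.com>",   # genuine
    "From: Bob <bob@unrelated.net>",         # unrelated
    "From: CFO <cfo@examplec0rp.com>",       # zero for o
]


def scan_from_headers(headers, legit_domains):
    """Return (sender, imitated_domain) for every header that impersonates an owned domain."""
    hits = []
    for header in headers:
        sender = header.split("<")[-1].rstrip(">")
        target = impersonated_domain(sender, legit_domains)
        if target:
            hits.append((sender, target))
    return hits


if __name__ == "__main__":
    for sender, target in scan_from_headers(SAMPLE_FROM_HEADERS, ["examplecorp.com"]):
        print(f"{sender} imitates {target}")
```

Both checks are needed: "exarnplecorp.com" is two edits from the real domain and only the confusables table catches it, while "examplecorp.co" is not in the table and only edit distance catches it. Run the same two checks against newly registered domains from a zone-file or certificate-transparency feed to get the "catch it before the first email" coverage the question above is asking for.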
- 10. Bug Bounty Bootcamp – Ch07: Open Redirects
We talked about open redirects on a previous episode; this is a pretty good tutorial to use as a reference.
- 11. Fortinet’s security appliances hit by remote code execution vulnerability
"A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device," the vendor warned customers. "Note that the FGFM service is disabled by default in FortiAnalyzer..."
- 12. How to Test a Plugin’s Performance and Security
For WordPress; mostly stuff people know about already, but it's interesting how you can use Chrome's built-in dev tools to report on unused CSS/JS files. Curious if there are potential attack vectors here...?
- 13. How does TLS work?
- 14. The elegant maths behind the RSA Encryption
- 15. Security implications of misconfigurations
The lost domain that led to: "Talos registered the domain and we immediately noticed a significant majority of the DNS requests were related to internet computers looking for a file called "wpad.dat" on tiburoninc.net's web server...Abusing the proxy settings communicated to these employees could have allowed a potential attacker to establish their own proxy, inspect all data transmitted from the employees' computers, and manipulate the data returned in the response." They also found a typosquat domain that had requests for VPN connections and others that made a typo in the MX server record!