New Section: PoC Week


TL;DR: there’s a new website section here that reviews the week’s most mentioned CVEs with public PoCs.

elon killed the cvetrends star

cvetrends.com was an amazing offsec resource. It gave you a dashboard of all the most relevant vulnerabilities based on what was trending on infosec twitter. I used to have it on as a 3rd screen throughout my workday and it was indispensable. Here’s the UI: Beautiful.…
Read more ⟶

CVE-2023-46604: ActiveMQ Critical RCE


CVE-2023-46604 is a critical vulnerability (CVSS 9.8) in Apache ActiveMQ that gives remote, unauthenticated attackers code execution on the machine, with the same privileges as the MQ server. In this post, we’ll spin up a vulnerable Docker image from Symptoma and use X1r0z’s PoC for the exploitation. The post is based on X1r0z’s README.md, Apache ActiveMQ’s updates, and Rapid7’s technical analysis of the vulnerability.

Summary

ActiveMQ is a message broker, developed in Java, which passes messages between different services.…
Read more ⟶

Virtual WiFi Lab Setup for PEN-210 (OSWP)


I recently earned the OffSec Wireless Professional cert which focuses on attacking WiFi networks (course info here). It was an enjoyable and interesting short course and 4 hour exam which was a welcome change of pace after the sheer madness of OSCP. However, one flaw of the course is that they don’t provide any WiFi labs, instead requiring you to set up vulnerable wireless networks at home with your own physical gear.…
Read more ⟶

Covertly Tampering Digitally Signed Documents


This post is a quick walkthrough of an attack identified by Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk of Ruhr University Bochum in their brilliant paper “Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures”. They analysed 6000+ pages of the Office Open XML File Formats standard and tested Microsoft Office products for their (in)correct implementation of digital signatures. The upshot is that, at the time of writing, if you open a Microsoft Office document with a ‘valid’ digital signature, you can absolutely not trust that signature.…
Read more ⟶

OSCP: PEN-200 Course & Exam Writeup


I recently earned OffSec’s OSCP cert having completed the PEN-200 course and passed the exam. I’ve benefited massively from reading blogs and posts in r/oscp, so I’ll write a few lines outlining my OSCP experience in the hopes that someone will find it useful.

Prep

Courses I studied in preparation for the exam:

- PEN-200 materials from OffSec
- TCM Linux Privilege Escalation
- TCM Windows Privilege Escalation
- TCM Practical Ethical Hacking (Active Directory content only)
- HTB SQLi Fundamentals
- HTB Windows Privilege Escalation (the sections on Privileges)
- The Cyber Plumber’s Handbook (+ lab)

The PEN-200 course was updated right before my exam so I didn’t have time to go through all the new material, but I found the old SQLi and PrivEsc materials were lacking which is why I supplemented them with the courses above.…
Read more ⟶

CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability


This post outlines CVE-2023-23397 affecting Microsoft Outlook for Windows: how to exploit and mitigate it. It’s based on last week’s blog post by MDSec.

What is CVE-2023-23397?

A critical risk vulnerability affecting all supported Microsoft Outlook clients for Windows, leading to NTLM credential theft. Outlook on other platforms such as Mac, mobile etc. is not affected. More info from Microsoft here, and here’s a brilliant post from Huntress.

How does it work?…
Read more ⟶

CVE-2023-22809: Sudo Arbitrary File Write


This post outlines CVE-2023-22809 affecting Sudo: how to detect, exploit and mitigate it. We’ll also run through a more detailed practical example on a vulnerable Ubuntu Docker container where we exploit the vulnerability to elevate privileges.

Summary

The full security advisory from Synacktiv, on which this post is based, can be found here. In Sudo 1.8.0 through 1.9.12p1, if a user has been granted sudoedit privileges on a file, they can inject a malicious editor environment variable (SUDO_EDITOR, VISUAL or EDITOR) to let them edit any file as the configured runas user.…
Read more ⟶

CVE-2022-42889: Text4Shell - Making a Vulnerable Web App


As a quick personal project, I recently created a really basic web app that does one thing only - it’s vulnerable to CVE-2022-42889 aka Text4Shell. You can find more info about the vulnerability here. It allows an attacker to run code remotely if their input is passed directly into a StringSubstitutor within Apache Commons Text. The vulnerable versions are v1.5 to 1.9 (fixed in 1.10.0). The root cause is one of dangerous defaults - url, dns and script lookups are enabled by default on these versions.…
Read more ⟶

Book notes: Ethical Machines


Notes taken while reading Reid Blackman’s book on ethics in AI. I heard the author speaking on the Machine Ethics Podcast and appreciated his communication style - high signal to noise ratio, clear and simple communication. So I picked up his book. The following are personal pro memoria of the main points of each section.

The big three challenges of AI ethics

- privacy violations
- lack of explainability
- bias

Ethics program elements

It’s important to distinguish between two elements of an ethical AI program in an org:…
Read more ⟶

tl;dr: Jwt Best Practise


Some notes on best practice when using JSON Web Tokens (as defined in RFC 7519).

Best Practice

- Allowlist algorithms - a blocklist can be bypassed by malforming unwanted algorithms (eg. ‘NoNe’)
- Signature: use asymmetric signing, ES256 (faster) or RS256 (more widely supported)
- Why use asymmetric signing? It is easier to keep the secret secret, and it proves the token was signed by the real signer
- If you really have to use symmetric, use ephemeral secrets
- Always validate the token (signature and claims) before trusting anything in it
- JWT can be used for access or ID - check the expected usage
- Of course, never include confidential information in the JWT itself

Common Exploits

- CVE-2015-2951: alg:none
- CVE-2016-10555: RSA/HMAC-SHA key confusion (public key accepted as the HMAC secret)
- CVE-2018-0114: key injection
- CVE-2019-20933: blank password
- CVE-2020-28042: null signature

Sources & More Info

- This presentation by Philippe De Ryck
- The OWASP Testing Guide …
Read more ⟶
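The allowlist, expiry and intended-use checks above are easy to state and easy to get subtly wrong, so here is an added example verifier that puts them together. It is my code, not from the original post or any JWT library. It uses HS256 with the standard library only so that it runs offline; the post recommends asymmetric ES256/RS256 in production, and the allowlist, exp and token_use checks are unchanged when the signature step is swapped for a public-key verification. The secret, the `token_use` claim name and every token in it are constructed for the demo, and `mint()`'s non-HS256 path exists only to build the alg:none style inputs the verifier must refuse.

```python
import base64
import hashlib
import hmac
import json
import time

# Exact-match allowlist of accepted algorithms. Because this is a set
# membership test on the literal header string, "none", "NoNe", "HS512" or
# anything else not listed is refused before any cryptography runs.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a token. Any alg other than HS256 produces an *unsigned* token;
    that path is here only to construct attacker-style inputs for verify()."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url_encode(_hs256(secret, f"{h}.{p}")) if alg == "HS256" else ""
    return f"{h}.{p}.{sig}"


def verify(token: str, secret: bytes, expected_use: str, now=None) -> dict:
    """Return the payload if the token is acceptable, otherwise raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:  # wrong part count, bad base64, bad JSON, bad UTF-8
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")

    # 1. Algorithm: read from the header but never trusted; it must be allowlisted.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Signature over the exact bytes received, compared in constant time.
    expected = _hs256(secret, f"{h_b64}.{p_b64}")
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    # 3. Expiry: a missing exp is treated as expired, not as "never expires".
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("expired or missing exp")

    # 4. Intended use: an ID token presented where an access token is expected is refused.
    if payload.get("token_use") != expected_use:
        raise ValueError(f"wrong token_use: {payload.get('token_use')!r}")
    return payload


def is_accepted(token: str, secret: bytes, expected_use: str, now=None) -> bool:
    """Boolean wrapper around verify() for callers that only need accept/reject."""
    try:
        verify(token, secret, expected_use, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values; not real keys.
    secret = b"constructed-demo-secret"
    now = 1_700_000_000
    good = mint({"sub": "alice", "token_use": "access", "exp": now + 600}, secret)
    forged = mint({"sub": "admin", "token_use": "access", "exp": now + 600}, secret, alg="NoNe")
    print("good token accepted:", is_accepted(good, secret, "access", now))
    print("alg=NoNe forgery accepted:", is_accepted(forged, secret, "access", now))
```

The order of the checks matters: the algorithm is validated before the signature is even computed, so a header that names an unexpected algorithm can never steer which verification routine runs, and a missing exp is a rejection rather than an unlimited lifetime.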