Microsoft Outlook Elevation of Privilege Vulnerability: CVE-2023-23397
This post outlines CVE-2023-23397 affecting Microsoft Outlook for Windows: how to exploit and mitigate it. It’s based on last week’s blog post by MDSec.
What is CVE-2023-23397? A critical-severity vulnerability affecting all supported Microsoft Outlook clients for Windows, leading to NTLM credential theft. Outlook on other platforms, such as Mac and mobile, is not affected.
More info from Microsoft here, and here’s a brilliant post from Huntress.
How does it work?…
Sudo Arbitrary File Write: CVE-2023-22809
This post outlines CVE-2023-22809 affecting Sudo: how to detect, exploit and mitigate it.
We’ll also run through a more detailed practical example on a vulnerable Ubuntu Docker container where we exploit the vulnerability to elevate privileges.
Summary The full security advisory from Synacktiv, on which this post is based, can be found here.
In Sudo <=1.9.12p1, if a user has been granted sudoedit privileges on a file, they can inject a malicious environment variable that lets them edit any file as the configured runas user.…
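As an added example (not code from the post or from the Synacktiv advisory it cites), the Python below implements the two checks a detection pass needs before anything else: is the installed upstream version in the affected range, and does the current user actually hold a sudoedit rule for the exploit to build on. The affected range's lower bound, 1.8.0, is taken from the Synacktiv advisory; the page itself states only the upper bound. The `sudo --version` and `sudo -l` outputs embedded here are constructed samples, and all function names are this example's own.

```python
"""Added example: version gate and sudoers check for CVE-2023-22809.

Not code from the post or the Synacktiv advisory; the sample command outputs
below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Upstream range given in the Synacktiv advisory: 1.8.0 through 1.9.12p1.
FIRST_AFFECTED = (1, 8, 0, 0)
LAST_AFFECTED = (1, 9, 12, 1)

# First line of `sudo --version` looks like "Sudo version 1.9.12p1".
_VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)

# A rule line in `sudo -l` output: "(runas) [TAG: ...] sudoedit <files>".
_SUDOEDIT_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*sudoedit\b(?P<files>.*)$")


def parse_sudo_version(version_output: str) -> Tuple[int, int, int, int]:
    """Turn `sudo --version` output into a comparable tuple; 'pN' is the 4th element (0 if absent)."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version_output: str) -> bool:
    """True when the upstream version string falls inside the affected range."""
    return FIRST_AFFECTED <= parse_sudo_version(version_output) <= LAST_AFFECTED


def sudoedit_grants(sudo_l_output: str) -> List[Tuple[str, str]]:
    """(runas, files) for each sudoedit rule the user is granted, per `sudo -l`."""
    grants = []
    for line in sudo_l_output.splitlines():
        m = _SUDOEDIT_RE.match(line)
        if m:
            grants.append((m.group("runas"), m.group("files").strip()))
    return grants


def assess(version_output: str, sudo_l_output: str) -> dict:
    """Combine both checks: exploitation needs an affected build AND a sudoedit rule."""
    return {
        "affected_version": is_affected_version(version_output),
        "sudoedit_grants": sudoedit_grants(sudo_l_output),
    }


# Constructed sample outputs, not captured from a real host.
SAMPLE_VERSION = "Sudo version 1.9.12p1\nSudoers policy plugin version 1.9.12p1\n"
SAMPLE_SUDO_L = (
    "Matching Defaults entries for alice on lab:\n"
    "    env_reset, secure_path=/usr/bin:/bin\n"
    "\n"
    "User alice may run the following commands on lab:\n"
    "    (root) NOPASSWD: sudoedit /etc/motd\n"
    "    (ALL) /usr/bin/systemctl status *\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SUDO_L))
```

Two caveats for anyone using this on real hosts. First, the version gate is a necessary condition only: an affected build with no sudoedit rule gives the user nothing to exploit, which is why `assess` reports both. Second, distribution packages often backport the fix without changing the upstream version string, so a "1.9.9" on Ubuntu or Debian may already be patched; confirm against the package changelog (`apt changelog sudo`) rather than trusting the version line alone.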
CVE-2022-42889: Text4Shell - Making a Vulnerable Web App
As a quick personal project, I recently created a really basic web app that does one thing only - it’s vulnerable to CVE-2022-42889 aka Text4Shell.
You can find more info about the vulnerability here.
It allows an attacker to run code remotely if their input is passed directly into a StringSubstitutor within Apache Commons Text. The vulnerable versions are 1.5 through 1.9.
The root cause is dangerous defaults: the url, dns and script lookups are enabled by default in these versions.…
Book notes: Ethical Machines
Notes taken while reading Reid Blackman’s book on ethics in AI. I heard the author speaking on the Machine Ethics Podcast and appreciated his communication style - high signal to noise ratio, clear and simple communication. So I picked up his book. The following are personal pro memoria of the main points of each section.
The big three challenges of AI ethics: privacy violations, lack of explainability, bias.
Ethics program elements: it's important to distinguish between two elements of an ethical AI program in an org:…
tl;dr: JWT Best Practice
Some notes on best practice when using JSON Web Tokens (as defined in RFC 7519).
Best Practice
- Allowlist algorithms: a blocklist can be bypassed by malforming unwanted algorithm names (e.g. 'NoNe').
- Signature: use asymmetric signing, ES256 (faster) or RS256 (more widely supported).
- Why asymmetric? It is easier to keep the secret secret, and it proves the token was signed by the real signer.
- If you really have to use symmetric signing, use ephemeral secrets.
- Always validate the token.
- A JWT can be an access token or an ID token: check that it is being used as intended.
- Of course, never include confidential information in the JWT itself.
Common Exploits
- CVE-2015-2591: alg:none
- CVE-2016-10555: RSA/HMAC-SHA public key mismatch
- CVE-2018-0114: key injection
- CVE-2019-20933: blank password
- CVE-2020-28042: null signature
Sources & More Info
- This presentation by Philippe De Ryck
- The OWASP Testing Guide …
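As an added example (not code from the post, from the De Ryck talk it cites, or from any real JWT library), the stdlib-only Python below shows the allowlist point in working code. It contains a minimal HS256 issuer and verifier that can be switched between an exact-match blocklist and an allowlist, an attacker-side helper that forges an unsigned token whose header says `NoNe`, and a deliberately lenient algorithm dispatch that lower-cases the name the way some libraries did. The key, claims and every function name here are constructed for the illustration.

```python
"""Added example: why JWT algorithm checks must be an allowlist.

Stdlib-only HS256 verifier.  Everything here (key, claims, helper names) is
constructed for illustration; it is not code from the post or a real library.
"""
import base64
import hashlib
import hmac
import json
import time

BLOCKED_ALGS = {"none"}   # flawed: exact-match blocklist of what you reject
ALLOWED_ALGS = {"HS256"}  # recommended: allowlist of what you actually issue


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a genuine HS256 token."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_unsigned(claims: dict, alg: str = "NoNe") -> str:
    """Attacker side: unsigned token with a case-mangled 'none' algorithm and empty signature."""
    return _encode_part({"alg": alg, "typ": "JWT"}) + "." + _encode_part(claims) + "."


def verify(token: str, key: bytes, *, use_allowlist: bool, now=None) -> dict:
    """Verify the token and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    alg = json.loads(_b64url_decode(h64)).get("alg", "")

    if use_allowlist:
        if alg not in ALLOWED_ALGS:
            raise ValueError(f"algorithm {alg!r} not permitted")
    elif alg in BLOCKED_ALGS:
        raise ValueError("unsigned tokens rejected")  # 'NoNe' != 'none', so it slips past

    # Lenient dispatch, as in libraries that normalised the name before use: a
    # mangled 'none' that survived the blocklist is now treated as unsigned.
    if alg.lower() == "none":
        signature_ok = s64 == ""
    elif alg == "HS256":
        expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        signature_ok = hmac.compare_digest(expected, _b64url_decode(s64))
    else:
        raise ValueError(f"unsupported algorithm {alg!r}")
    if not signature_ok:
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")  # always validate the claims too
    return claims


def demo() -> dict:
    """Run a genuine and a forged token through both modes; inputs are constructed."""
    key = b"constructed-shared-secret-for-the-example"
    far_future = 4102444800  # 2100-01-01
    genuine = sign_hs256({"sub": "alice", "exp": far_future}, key)
    forged = forge_unsigned({"sub": "admin", "exp": far_future})
    results = {"genuine_allowlist": verify(genuine, key, use_allowlist=True)["sub"]}
    for label, mode in (("forged_blocklist", False), ("forged_allowlist", True)):
        try:
            verify(forged, key, use_allowlist=mode)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged `NoNe` token accepted in blocklist mode and rejected in allowlist mode, while the genuine token passes either way. The allowlist works because it names the one algorithm the service issues and nothing else, so no spelling of "none" and no algorithm-confusion variant (the RSA/HMAC mismatch in CVE-2016-10555 is the same class of problem) ever reaches the signature check.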
tl;dr: Deanonymisation Attacks via Leaky Resources and JavaScript Cache Probing
A quick summary of the main ideas (in very broad strokes) explored in this awesome paper by Mojtaba Zaheri, Yossi Oren and Reza Curtmola.
What’s the attack? A deanonymisation attack is when seemingly incidental data is used to infer someone’s identity online.
Attack Scenario Imagine an authoritarian government has a zero day that they want to deploy to a journalist’s computer. They have their state news website all ready to go to deliver this exploit.…
tl;dr: Account Pre-Hijacking
A quick, practical rundown of this research paper by Avinash Sudhodanan and Andrew Paverd on account pre-hijacking attacks, for reference during pentests.
What’s the attack? Stealing user accounts before they’ve even been registered by the victim. After the victim registers them, the attacker has access.
If, during a web app test, you notice that you can register a new account and are let in without having to click an email confirmation link, these attacks will potentially work.…
tl;dr: Hunting Evasive Vulnerabilities
Below are some takeaways from @albinowax’s brilliant presentation at Nullcon Berlin. He explores why some vulnerabilities are evasive and gives some ideas and advice on how to dig them out. You can find the keynote here.
Takeaways Don’t let the appearance of defences deter you from trying the attack anyway. The defences may be misconfigured in a way that nobody understands yet. Seek out old or unfashionable exploit techniques and learn about them from the original research.…
Cloud Pentesting Lab
How To Create a Kali & Parrot Pentesting Lab in AWS Using Docker and Terraform
In this post, I'll quickly run through how to set up an AWS EC2 machine and install pre-configured Kali and Parrot containers, all provisioned automatically with Terraform.
Prerequisites Sign up for a free AWS account. You just need a valid credit card.
Install AWS CLI tool.
Install Terraform CLI tool.
Pull the lab repo from my github that contains everything you need to follow this guide, and cd into it:…
Trojan Source Attacks
I was reading through this week’s Hive Five security newsletter and found the article on Trojan Source Attacks really interesting.
Research by Nicholas Boucher and Ross Anderson shows a new way to hide malicious code in plain sight: the source code that’s rendered doesn’t reflect its true functionality when run!
How? Languages like English and Italian are written and read from left to right. Others like Hebrew and Arabic are the opposite: right to left.…
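The primitive behind the attack is a set of Unicode bidirectional control characters that change how an editor or code review tool displays a line without changing what the compiler sees. As an added example (not code from the Boucher and Anderson paper, and using a constructed sample snippet), the Python below does what a pre-commit hook or CI check for this class of attack needs to do: locate every bidi control in a source file with line and column, report lines where an override or isolate is never closed, and strip the controls so a reviewer can see the logical text. The constant names and sample are this example's own.

```python
"""Added example: flag Unicode bidirectional control characters in source.

Not code from the Trojan Source paper; the sample snippet is constructed.
"""
import re
from typing import List, Tuple

# Explicit bidi formatting characters: the embeddings/overrides LRE, RLE, PDF,
# LRO, RLO (U+202A..U+202E), the isolates LRI, RLI, FSI, PDI (U+2066..U+2069)
# and the directional marks LRM, RLM, ALM (U+200E, U+200F, U+061C).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
_BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")
_OPENERS = {"LRE", "RLE", "LRO", "RLO"}   # closed by PDF
_ISOLATES = {"LRI", "RLI", "FSI"}         # closed by PDI


def find_bidi_controls(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, name) for every bidi control; both indices are 1-based."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _BIDI_RE.finditer(line):
            hits.append((lineno, m.start() + 1, BIDI_CONTROLS[m.group()]))
    return hits


def unbalanced_lines(source: str) -> List[int]:
    """Lines where an embedding/override has no matching PDF or an isolate no PDI."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), 1):
        depth_emb = depth_iso = 0
        for m in _BIDI_RE.finditer(line):
            name = BIDI_CONTROLS[m.group()]
            if name in _OPENERS:
                depth_emb += 1
            elif name == "PDF":
                depth_emb = max(depth_emb - 1, 0)
            elif name in _ISOLATES:
                depth_iso += 1
            elif name == "PDI":
                depth_iso = max(depth_iso - 1, 0)
        if depth_emb or depth_iso:
            bad.append(lineno)
    return bad


def strip_bidi_controls(source: str) -> str:
    """Remove all bidi controls so the logical (compiled) text can be reviewed as-is."""
    return _BIDI_RE.sub("", source)


# Constructed sample: an RLO hidden inside a string literal and closed in the
# trailing comment.  The interpreter compares against "none" + U+202E, not "none".
SAMPLE_SOURCE = (
    'access_level = "user"\n'
    'if access_level != "none\u202e": # check admin\u202c\n'
    '    print("You are an admin.")\n'
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: {name}")
    print("unbalanced:", unbalanced_lines(SAMPLE_SOURCE))
```

Treat a hit as a review flag rather than an automatic reject: comments and string literals in Arabic, Hebrew or Persian use these characters legitimately, so a practical policy is to allow them only in natural-language strings and comments after a human has looked, and to fail the build on any control that appears in code tokens or is left unclosed at end of line.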