A Deep Dive into the GetProcessHandleFromHwnd API
Original text by James Forshaw
The article provides a deep technical analysis of the Windows API GetProcessHandleFromHwnd, examining its historical evolution and the security implications of its implementation. The API is intended to return a handle to the process that owns a specified window handle (HWND), simplifying interactions with GUI processes. The research begins by…
https://core-jmp.org/2026/03/a-deep-dive-into-the-getprocesshandlefromhwnd-api/
Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721)
Original text by Lorin Lehawany
The article analyzes two security vulnerabilities discovered in Broadcom VMware Aria Operations, focusing on how weaknesses in privilege handling and credential management can lead to privilege escalation within virtualized infrastructure environments. The research examines CVE-2025-41245 and CVE-2026-22721, demonstrating how attackers with limited privileges can escalate their access and gain control…
https://core-jmp.org/2026/03/vulnerabilities-in-broadcom-vmware-aria-operations-privilege-escalation-cve-2025-41245-cve-2026-22721/
NT AFD.SYS HTTP Downloader: From First Syscall to bypass the majority of usermode EDR hooks
Text and code by Eleven Red Pandas https://github.com/oxfemale · https://x.com/bytecodevm
The article explores a low-level networking technique on Windows that bypasses the traditional Winsock API layer by communicating directly with the kernel networking driver AFD (Ancillary Function Driver) through Native API calls such as NtCreateFile and NtDeviceIoControlFile. Instead of using standard functions from ws2_32.dll, the…
https://core-jmp.org/2026/03/nt-afd-sys-http-downloader-from-first-syscall-to-bypass-the-majority-of-usermode-edr-hooks/
ODR: Internals of Microsoft’s New Native MCP Registration
Original text by originhq
The article analyzes Microsoft’s new ODR mechanism related to MCP registration and explains how it integrates with the emerging Model Context Protocol (MCP) ecosystem. MCP is an open protocol designed to standardize how AI agents and applications interact with external tools, data sources, and services. Instead of building custom integrations for…
https://core-jmp.org/2026/03/odr-internals-of-microsofts-new-native-mcp-registration/
Well, first of all, it's beautiful!
snap-confine + systemd-tmpfiles = root (CVE-2026-3888)
The hole appears when two fools (snap-confine and systemd-tmpfiles) shake hands. But that's fine, it gets better.
As a compromised local user you have to wait 10 DAYS (on Ubuntu 24.04.x) or 30 DAYS (on Ubuntu 24.10.x) for systemd-tmpfiles to delete the needed subdirectory in /tmp, and then also win a race at the moment the sandbox is rebuilt.
Invisible Execution: Hiding Malware with Unwind Metadata Manipulation
Original text by klezVirus
The article introduces BYOUD (Bring Your Own Unwind Data), a novel stack-evasion technique designed to bypass modern endpoint detection and response (EDR) systems that rely on call-stack inspection to identify malicious execution. Traditional stack-spoofing techniques modify return addresses or construct synthetic stack frames to disguise the origin of a call. However,…
https://core-jmp.org/2026/03/invisible-execution-hiding-malware-with-unwind-metadata-manipulation/
Booting into Trust: Reverse Engineering macOS Secure Boot Internals
Original text by int
The article provides a deep reverse-engineering oriented analysis of the macOS secure boot chain on Apple Silicon, explaining how Apple constructs a hardware-anchored security architecture that protects the system from the moment power is applied until userland starts. The security model begins with the Boot ROM (SecureROM) embedded directly into the SoC.…
https://core-jmp.org/2026/03/booting-into-trust-reverse-engineering-macos-secure-boot-internals/
TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering
Original text by Simone Margaritelli
The article describes a security research project analyzing the firmware of the TP-Link Tapo C200 IP camera, demonstrating how modern AI-assisted reverse engineering can significantly accelerate vulnerability discovery in IoT devices. The author extracts and studies the camera firmware, using tools such as binwalk, Android app decompilation, and AI assistance to…
https://core-jmp.org/2026/03/tp-link-tapo-c200-hardcoded-keys-buffer-overflows-and-privacy-in-the-era-of-ai-assisted-reverse-engineering/
Exploiting a PHP Object Injection in Profile Builder Pro in the era of AI
Original text by Mattia (0xbro) Brollo
The article analyzes a vulnerability in the WordPress plugin Profile Builder Pro that allows unauthenticated PHP Object Injection, demonstrating how modern AI-assisted reverse engineering and code analysis can help identify and exploit complex vulnerabilities faster. The research explains how a vulnerable AJAX endpoint in the plugin processes user-controlled input…
https://core-jmp.org/2026/03/exploiting-a-php-object-injection-in-profile-builder-pro-in-the-era-of-ai/
When Local AI Becomes an Attack Vector: A Deep Dive into LLM Infrastructure Security
Original text by Charles Senges
The article “Deep dive into the deployment of an on-premise low-privileged LLM server” by Synacktiv examines how organizations deploy internal Large Language Model (LLM) servers and analyzes the security implications of running such systems inside corporate infrastructure. The researchers study a real deployment where an open-source LLM is hosted on-premise…
https://core-jmp.org/2026/03/when-local-ai-becomes-an-attack-vector-a-deep-dive-into-llm-infrastructure-security/
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
Original text by watchTowr Labs
The article emphasizes the historical aspect of the bug: the vulnerable code path originates from legacy Telnet implementations and remained unnoticed for over three decades, illustrating how long-standing protocol features and old code can persist in modern software. The researchers walk through the debugging process, protocol analysis, and memory-corruption behavior, showing…
https://core-jmp.org/2026/03/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746-pre-auth-rce/
Column: Take Note
$[email protected] - part 9
Polkit Privilege Escalation
PolicyKit is the fixer that hands out privileges. It's used in systemd, NetworkManager, dbus, all sorts of desktops. I remember there was a hole in it (CVE-2021-4034 PwnKit) that quietly lived there for 13 YEARS. But whatever, who even needs CVEs when there are admins' crooked, sticky paws!
The rules usually live here:
/etc/polkit-1/rules.d/
And here's an example of a bad rule:
polkit.addRule(function(action, subject) {
return polkit.Result.YES;
});
### any user gets root access to the actions
In real-world scenarios, if you have rights to manage services, change the network or mount devices > you can spin up your own service and swap a config, and from there any code as root.
Polkit pkexec + PATH hijacking
pkexec runs commands as root, but 'sometimes' doesn't pin PATH, and then:
### the application calls
pkexec happy_script
### and inside (roughly):
tar -czf backup.tar /home
### And PATH can be controlled
export PATH=/tmp:$PATH
### create a root shell
echo '/bin/bash' > /tmp/tar
chmod +x /tmp/tar
D-Bus abuse via polkit
Polkit often works via D-Bus. You can check the services with
busctl list (methods: restarting services, changing configs, managing the system).
### And if a rule allows
org.freedesktop.systemd1.manage-units
### then you can, without sudo at all, purely through the polkit permission
systemctl start evil.service
Polkit checks the user and the action; what the action SPECIFICALLY does, it doesn't check, why would it ))
UDisks2 → mount → root file write
Also, polkit is often used to allow mounting devices via
org.freedesktop.udisks2
The scheme is:
attach a loop device > mount it with the needed permissions > plant files, e.g. replacing a binary.
NetworkManager abuse
PolicyKit is often handed
org.freedesktop.NetworkManager
Which means you can change DNS, route anywhere, and even set up a VPN for some scoundrel to bypass Roskomnadzor blocks, and then immediately report it to the proper authorities.
Right there you also get
DNS MITM and traffic interception.
Environment injection via pkexec
Through
pkexec you can pass env, and applications love env! And that's a direct path to swapping configs, program behaviour, and
LD_LIBRARY_PATH
As you can see, Polkit is not one bit smarter than its half-brother SUDO; the stupidity runs in the family.
#РубрикаНаЗаметкуХакеру
(CVE-2026-0714) TPM-sniffing LUKS Keys on an Embedded Device
Original text by Per Idenfeldt Okuyama & Sam Eizad
The article describes a vulnerability (CVE-2026-0714) affecting the Moxa UC-1222A Secure Edition embedded industrial computer, where the disk encryption key for a LUKS-encrypted storage volume can be extracted by passively sniffing the communication between the SoC and the discrete TPM 2.0 chip. The device stores the…
https://core-jmp.org/2026/03/cve-2026-0714-tpm-sniffing-luks-keys-on-an-embedded-device/
Can it Resolve DOOM? Game Engine in 2,000 DNS Records
Original text by Adam Rice
The article “DOOM Over DNS” demonstrates an unusual proof-of-concept showing how the classic game DOOM can be stored and executed entirely using DNS infrastructure. The author exploits the fact that DNS TXT records allow arbitrary text data and are rarely validated or monitored in depth. By Base64-encoding binary files, splitting…
https://core-jmp.org/2026/03/can-it-resolve-doom-game-engine-in-2000-dns-records/
What You Need to Know: Windows Admin Center Remote Privilege Escalation (CVE-2026-26119)
Original text by Andrea Pierini
The article explains the security implications of CVE-2026-26119, a high-severity privilege-escalation vulnerability affecting Microsoft Windows Admin Center (WAC). Windows Admin Center is a browser-based management platform widely used by administrators to manage Windows servers, clusters, virtual machines, and other enterprise infrastructure. The vulnerability stems from improper authentication logic, which allows…
https://core-jmp.org/2026/03/what-you-need-to-know-windows-admin-center-remote-privilege-escalation-cve-2026-26119/
By popular demand
Hi! I recently launched DriverShield, a free online platform for analyzing Windows kernel drivers (.sys) for BYOVD vulnerabilities, rootkit behaviour and malicious patterns. 14-stage deep analysis: IOCTL extraction, AI classification of behaviour, MITRE ATT&CK mapping and auto-generation of Sigma rules for SIEM.
200+ drivers already analyzed. No registration required.
drivershield