Exploiting a PHP Object Injection in Profile Builder Pro in the era of AI
Original text by Mattia (0xbro) Brollo
The article analyzes a vulnerability in the WordPress plugin Profile Builder Pro that allows unauthenticated PHP Object Injection, demonstrating how modern AI-assisted reverse engineering and code analysis can help identify and exploit complex vulnerabilities faster. The research explains how a vulnerable AJAX endpoint in the plugin processes user-controlled input…
https://core-jmp.org/2026/03/exploiting-a-php-object-injection-in-profile-builder-pro-in-the-era-of-ai/
When Local AI Becomes an Attack Vector: A Deep Dive into LLM Infrastructure Security
Original text by Charles Senges
The article “Deep dive into the deployment of an on-premise low-privileged LLM server” by Synacktiv examines how organizations deploy internal Large Language Model (LLM) servers and analyzes the security implications of running such systems inside corporate infrastructure. The researchers study a real deployment where an open-source LLM is hosted on-premise…
https://core-jmp.org/2026/03/when-local-ai-becomes-an-attack-vector-a-deep-dive-into-llm-infrastructure-security/
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
Original text by watchTowr Labs
The article emphasizes the historical aspect of the bug: the vulnerable code path originates from legacy Telnet implementations and remained unnoticed for over three decades, illustrating how long-standing protocol features and old code can persist in modern software. The researchers walk through the debugging process, protocol analysis, and memory-corruption behavior, showing…
https://core-jmp.org/2026/03/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746-pre-auth-rce/
Column "Take Note" - part 9
Polkit Privilege Escalation
PolicyKit is the fixer that hands out privileges. It is used in systemd, NetworkManager, dbus and all sorts of desktops. I remember there was a hole in it (CVE-2021-4034 PwnKit) that quietly lived there for 13 YEARS. But never mind that, who needs CVEs at all when you have the crooked, sticky paws of admins!
The rules usually live here:
/etc/polkit-1/rules.d/
And here is an example of a bad rule:
polkit.addRule(function(action, subject) {
    return polkit.Result.YES;
});
### any user gets root access to actions
In real scenarios, if there are rights to manage services, change the network or mount devices > you can roll your own service and swap the config, and from there any code runs as root.
Polkit pkexec + PATH hijacking
pkexec runs commands as root, but 'sometimes' does not pin PATH, and then:
### the application calls
pkexec happy_script
### and inside (roughly):
tar -czf backup.tar /home
### and PATH can be controlled
export PATH=/tmp:$PATH
### create a root shell
echo '/bin/bash' > /tmp/tar
chmod +x /tmp/tar
D-Bus abuse via polkit
Polkit often works via D-Bus. You can check the services with
busctl list
(methods: restarting services, changing configs, managing the system).
### and if a rule allows
org.freedesktop.systemd1.manage-units
### then you can, with no sudo at all, purely through the polkit permission
systemctl start evil.service
Polkit checks the user and the action; what the action SPECIFICALLY does, it does not check, and why would it ))
UDisks2 → mount → root file write
Also, polkit often allows mounting devices via
org.freedesktop.udisks2
The scheme is this:
attach a loop device > mount it with the needed permissions > plant files, for example swapping out a binary.
NetworkManager abuse
PolicyKit is often handed
org.freedesktop.NetworkManager
Which means you can change DNS, route anywhere, even set up a VPN, you scoundrel, to bypass RKN blocks, and then immediately call the proper authorities.
Right there you also get DNS MITM and traffic interception.
Environment injection via pkexec
Through pkexec you can pass env, and applications love env! And that is a direct path to swapping configs and program behaviour, and LD_LIBRARY_PATH.
As you can see, Polkit is not one bit smarter than its half-brother SUDO; the stupidity is hereditary in that family.
#РубрикаНаЗаметкуХакеру
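The permissive rule quoted in the post, evaluated side by side with a least-privilege rewrite, as an added example that is not part of the original post. It is a small stand-in for polkit's JavaScript rule engine written for this page: rules are functions of (action, subject), called in order, and the first defined return value wins. `polkit.addRule`, `polkit.Result`, `action.id`, `subject.isInGroup`, `subject.local` and `subject.active` mirror the real rule API; the group `ops` and the users `alice` and `bob` are constructed sample data, and `org.freedesktop.udisks2.filesystem-mount-system` is a real udisks2 action id used here only as a second action to test against.

```javascript
// Added example, not code from the original post. Minimal stand-in for polkit's
// JavaScript rule engine so the two rules below can be evaluated offline.
// The API shape (addRule, Result, action.id, subject.isInGroup/local/active)
// mirrors real polkit; users, groups and session flags are constructed.

const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  rules: [],
  addRule(fn) {
    this.rules.push(fn);
  },
};

// Evaluate one action/subject pair against the registered rules. Real polkit
// stops at the first rule that returns a value; when none does, the action's
// own .policy defaults apply, represented here by the string "default".
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "default";
}

// Constructed subject, shaped like polkit's Subject object.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return {
    user,
    local,
    active,
    isInGroup: (g) => groups.includes(g),
  };
}

// The rule quoted in the post: every subject gets YES for every action.
const permissiveRule = function (action, subject) {
  return polkit.Result.YES;
};

// Least-privilege rewrite: one action id, one group (constructed: "ops"),
// and only for a local, active session. Anything else returns undefined,
// i.e. "no opinion", so the action's default policy still applies.
const hardenedRule = function (action, subject) {
  if (
    action.id === "org.freedesktop.systemd1.manage-units" &&
    subject.isInGroup("ops") &&
    subject.local &&
    subject.active
  ) {
    return polkit.Result.YES;
  }
};

// Run a fixed set of constructed requests against a single rule.
function decisionsFor(rule) {
  polkit.rules = [rule];
  const ops = makeSubject("alice", ["ops"]);
  const plain = makeSubject("bob", ["users"]);
  const remoteOps = makeSubject("alice", ["ops"], { local: false });
  return {
    opsManageUnits: evaluate("org.freedesktop.systemd1.manage-units", ops),
    plainManageUnits: evaluate("org.freedesktop.systemd1.manage-units", plain),
    opsMountSystem: evaluate("org.freedesktop.udisks2.filesystem-mount-system", ops),
    remoteOpsManageUnits: evaluate("org.freedesktop.systemd1.manage-units", remoteOps),
  };
}

// Static check that also works on the text of a .rules file: a rule that
// returns YES without ever reading action.id grants that YES to every action.
function grantsYesWithoutActionCheck(source) {
  return /polkit\.Result\.YES/.test(source) && !/action\.id/.test(source);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("permissive:", decisionsFor(permissiveRule));
  console.log("hardened:  ", decisionsFor(hardenedRule));
  console.log("flag permissive:", grantsYesWithoutActionCheck(permissiveRule.toString()));
  console.log("flag hardened:  ", grantsYesWithoutActionCheck(hardenedRule.toString()));
}
```

Run with `node`. The permissive rule answers "yes" for every case, including a non-privileged user and a remote session; the hardened rule answers "yes" only for the one action, group and session type it names and leaves everything else to the default policy. `grantsYesWithoutActionCheck` can be pointed at the contents of files under /etc/polkit-1/rules.d/ to flag rules of the first kind during an audit.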
(CVE-2026-0714) TPM-sniffing LUKS Keys on an Embedded Device
Original text by Per Idenfeldt Okuyama & Sam Eizad
The article describes a vulnerability (CVE-2026-0714) affecting the Moxa UC-1222A Secure Edition embedded industrial computer, where the disk encryption key for a LUKS-encrypted storage volume can be extracted by passively sniffing the communication between the SoC and the discrete TPM 2.0 chip. The device stores the…
https://core-jmp.org/2026/03/cve-2026-0714-tpm-sniffing-luks-keys-on-an-embedded-device/
Can it Resolve DOOM? Game Engine in 2,000 DNS Records
Original text by Adam Rice
The article “DOOM Over DNS” demonstrates an unusual proof-of-concept showing how the classic game DOOM can be stored and executed entirely using DNS infrastructure. The author exploits the fact that DNS TXT records allow arbitrary text data and are rarely validated or monitored in depth. By Base64-encoding binary files, splitting…
https://core-jmp.org/2026/03/can-it-resolve-doom-game-engine-in-2000-dns-records/
What You Need to Know: Windows Admin Center Remote Privilege Escalation (CVE-2026-26119)
Original text by Andrea Pierini
The article explains the security implications of CVE-2026-26119, a high-severity privilege-escalation vulnerability affecting Microsoft Windows Admin Center (WAC). Windows Admin Center is a browser-based management platform widely used by administrators to manage Windows servers, clusters, virtual machines, and other enterprise infrastructure. The vulnerability stems from improper authentication logic, which allows…
https://core-jmp.org/2026/03/what-you-need-to-know-windows-admin-center-remote-privilege-escalation-cve-2026-26119/
By popular demand
Hi! I recently launched DriverShield, a free online platform for analysing Windows kernel drivers (.sys) for BYOVD vulnerabilities, rootkit behaviour and malicious patterns. 14-stage deep analysis: IOCTL extraction, AI classification of behaviour, MITRE ATT&CK mapping and auto-generation of Sigma rules for SIEM.
200+ drivers already analysed. No registration.
drivershield
Debugging – WinDBG & WinDBGX Fundamentals
Original text by corelanc0d3r
The article from Corelan Team explains the fundamentals of debugging with WinDbg and WinDbgX, focusing on how security researchers and reverse engineers can analyze Windows applications during runtime. It introduces the debugger architecture, explains the difference between the classic WinDbg and the newer WinDbgX interface, and describes how to attach to…
https://core-jmp.org/2026/03/debugging-windbg-windbgx-fundamentals/
Subscribe to us on the FUCKS messenger
Are you with us? With us? No? Come on
Report: Microsoft quietly blocks Windows 11 25H2, 24H2 performance boost hack for SSDs
Original text by Sayan Sen
The report describes how Microsoft Windows 11 recently blocked a popular performance tweak that allowed users to significantly increase NVMe SSD performance in versions 24H2 and 25H2. Enthusiasts had discovered a registry-based workaround that enabled a hidden native NVMe storage driver originally introduced for Windows Server. By activating several FeatureManagement…
https://core-jmp.org/2026/03/report-microsoft-quietly-blocks-windows-11-25h2-24h2-performance-boost-hack-for-ssds/
Breaking the Shield: Unpacking a VMProtected Windows Kernel Driver
Original text by eversinc33
The article explains a practical workflow for unpacking a Windows kernel driver protected with VMProtect and preparing it for reverse engineering. The author analyzes an anti-cheat driver (KSophon_x64.sys) protected by VMProtect v2–3 and demonstrates how to bypass its protection mechanisms to restore a usable binary for analysis. The main challenge comes…
https://core-jmp.org/2026/03/breaking-the-shield-unpacking-a-vmprotected-windows-kernel-driver/
Ghost in LSASS: Inside the KslKatz Credential Dumping Framework
Original text by S1lkys
The GitHub project KslKatz introduces a credential-dumping tool designed for red-team operations and security research on Windows systems. The project combines techniques from multiple tools—most notably KslDump and GhostKatz—to extract credentials from the lsass.exe process, which stores authentication secrets used by Windows. Instead of relying on common approaches such as direct…
https://core-jmp.org/2026/03/ghost-in-lsass-inside-the-kslkatz-credential-dumping-framework/
From PCAP to Passwords: Automating Kerberos Roast Extraction
Original text by jalvarezz13
Krb5RoastParser is an open-source Python tool created to simplify the extraction of Kerberos authentication hashes from captured network traffic. Instead of manually analyzing packets in Wireshark, the tool processes .pcap files and automatically identifies Kerberos authentication messages such as AS-REQ, AS-REP, and TGS-REP. Using tshark, the script parses these packets and…
https://core-jmp.org/2026/03/from-pcap-to-passwords-automating-kerberos-roast-extraction/
Breaking the Flat Network: How Tiering Models Protect Active Directory
Original text by Aurelien Chalot
The article explains why many enterprise networks remain vulnerable due to flat network architectures, where systems and administrative privileges are poorly segmented. Drawing on years of internal penetration-testing experience, the author shows that even organizations equipped with modern security tools can still be compromised if attackers gain an initial foothold.…
https://core-jmp.org/2026/03/breaking-the-flat-network-how-tiering-models-protect-active-directory/
Out-of-Cancel: A New Linux Kernel Race Condition Bug Class
Original text by v4bel
The article introduces a newly identified Linux kernel vulnerability pattern called “Out-of-Cancel”, which arises from incorrect assumptions about the behavior of workqueue cancellation APIs. The author analyzes how functions such as cancel_work_sync() or cancel_delayed_work_sync() are often used in kernel teardown paths to stop asynchronous work before freeing an object. However, these…
https://core-jmp.org/2026/03/out-of-cancel-a-new-linux-kernel-race-condition-bug-class/