Earlier this year, an intriguing admin-to-kernel technique was published by @floesen_ in the form of a proof-of-concept (PoC) on GitHub. The author mentioned a strong limitation involving LSASS and Server Silos, without providing much details about it. This piqued our interest, so we decided to give it a second look…
Continue reading Exploiting KsecDD through Server SilosCategory: Exploit
Getting code execution on Veeam through CVE-2023-27532
While several blog posts have shown how to retrieve credentials through this vulnerability, we decided to dig deeper and see whether it was possible to execute arbitrary code through this issue.
Continue reading Getting code execution on Veeam through CVE-2023-27532Ghost in the PPL Part 3: LSASS Memory Dump
Following my failed attempt to achieve arbitrary code execution within a protected LSASS process using the BYOVDLL technique and an N-day exploit in the KeyIso service, I took a step back, and reconsidered my life choices opted for a less ambitious solution: a (not so) simple memory dump. After all, when it comes to LSASS, we are mostly interested in extracting credentials stored in memory.
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution.
Continue reading Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASSGhost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary DLL in LSASS, or even dump its memory.
Continue reading Ghost in the PPL Part 1: BYOVDLLApache Solr 8.3.1 RCE from exposed administration interface
Back in 2020, during an external pentest, I stumbled upon a visible Solr administration panel. With nothing else of interest, I focused on this specific application to test what was hidden underneath.
Continue reading Apache Solr 8.3.1 RCE from exposed administration interfaceAttacking Android Antivirus Applications
Although the usefulness of security tools such as Antivirus, VPN and EDR is now indisputable in business circles, these solutions often need a lot of privileges and permissions to work properly, also making them an excellent target for an attacker. The presence of a bug in one of these types of solutions could allow a malware to elevate its privileges and cause more damage to the organization.
Continue reading Attacking Android Antivirus ApplicationsBypassing PPL in Userland (again)
This post is a sequel to Bypassing LSA Protection in Userland and The End of PPLdump. Here, I will discuss how I was able to bypass the latest mitigation implemented by Microsoft and develop a new Userland exploit for injecting arbitrary code in a PPL with the highest signer type.
Continue reading Bypassing PPL in Userland (again)Producing a POC for CVE-2022-42475 (Fortinet RCE)
Late last year a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability.
Continue reading Producing a POC for CVE-2022-42475 (Fortinet RCE)Bypassing LSA Protection in Userland
In 2018, James Forshaw published an article in which he briefly mentioned a trick that could be used to inject arbitrary code into a PPL as an administrator. However, I feel like this post did not get the attention it deserved as it literally described a potential Userland exploit for bypassing PPL (which includes LSA Protection).
Continue reading Bypassing LSA Protection in Userland