CVE-2023-40303: unchecked return values of set*id() family functions in GNU inetutils
Aug 14, 2023
GNU inetutils does not check the return values of set*id() family functions, leading to potential privilege escalations in binaries such as ftpd or rcpd.
On checking set*id() return values
Jul 26, 2023
When the return values of set*id() syscalls are not checked, security issues such as privilege escalation can follow.
CVE-2023-38336: Command injection in netkit-rcp
Jul 18, 2023
Netkit-rcp is vulnerable to a command injection in filenames used as copy arguments.
CVE-2023-36631: Circumventing Windows Firewall controls with... Malwarebytes' Windows Firewall Control
Jun 21, 2023
Malwarebytes' software for firewall management lets unprivileged users perform administrative firewall actions without access controls, allowing local network rules to be bypassed.
OSINT from images' metadata hosted on websites
Apr 13, 2023
TL;DR: Images hosted by websites contain numerous metadata fields depending on their filetype (JPG, PNG…). These fields include information of interest for reconnaissance purposes, such as names, telephone numbers, email addresses or URLs. Often, website editors do not strip the metadata from images hosted on their websites, making information leaks possible.
Introduction Imagine you are part of a red team and your task is to penetrate inside a company’s perimeter. First, you want to gather intelligence.
DMARC Identifier Alignment: relax, don't do it, when you want to go to it
Jan 25, 2023
From subdomain takeover to phishing mails
TL;DR: if you have a subdomain takeover for a given domain, and default DMARC alignment settings, you can create emails that pass SPF and DMARC for phishing purposes. DKIM, however, cannot be passed for the domain, but a trick is possible to make emails look more trustworthy.
This post and more are now part of a book I wrote on email security:
Introduction I like Mozilla’s definition of a subdomain takeover:
Nmap - detecting the network mapper
Jan 03, 2023
Detecting network scans When we speak about detection, you can often hear "let's detect attackers' scans". I believe that sentence is thrown in order to detect intruders at early stages of an attack. However, there are a few issues with this mindset: blindly detecting all types of scans made on a security perimeter will drive the SOC crazy with the amount of false positives and legitimate alerts generated. It will not improve your level of detection either, because you will not be able to treat all the alerts and may miss the ones revealing the presence of intruders.
Divin'n'phishin with executable filetypes on Windows
Oct 26, 2022
In order to find phishing payloads, one needs to understand how executable filetypes are handled on Windows: which ones can be delivered to mail clients, and thus to users, without being caught by the mail defences in between, and which ones execute without requiring multiple validation steps from the user once clicked on.
Other filetypes are also relevant for phishing even if they are not executable per se; they are also mentioned in this article.
Evading command-line detection with doskey
Oct 22, 2022
The doskey command can be used to evade some command-line detection rules by hiding the executable name behind an alias.