Nitesh Surana
niteshsurana.com
@niteshsurana.com
Cloud Security %0d%0a
In 2024, we still have trivially exploitable Ubuntu LPE bugs 🤷‍♂️

But one of the disclosed bugs involves the good old pipe character in Perl "filenames" 🤯

Another great investigation by the Qualys Threat Research Unit 💎
www.qualys.com
December 20, 2024 at 12:20 PM
Reposted by Nitesh Surana
[4/n] My Hexacon 2023 talk about .NET Deserialization. New gadgets, insecure serialization (RCE through serialization) and custom gadgets found in the products codebase.

Talk: www.youtube.com/watch?v=_CJm...

White paper: github.com/thezdi/prese...
HEXACON2023 - Exploiting Hardened .NET Deserialization by Piotr Bazydło
YouTube video by Hexacon
www.youtube.com
December 19, 2024 at 11:39 AM
Reposted by Nitesh Surana
[3/n] I've followed the OffensiveCon talk with a series of 4 blog posts. The most interesting one describes a nice chain of 3 gadgets:
- Arbitrary File Write to drop a DLL.
- Arbitrary File Read to leak the DLL drop location.
- DLL load gadget.

www.zerodayinitiative.com/blog/2024/9/...
Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details. In this...
www.zerodayinitiative.com
December 19, 2024 at 11:37 AM
Reposted by Nitesh Surana
[2/n] My OffensiveCon 2024 talk about Exchange PowerShell Remoting. It includes details concerning PowerShell Remoting deserialization and custom Exchange converters.

Several RCE chains included.

www.youtube.com/watch?v=AxNO...
OffensiveCon24 - Piotr Bazydlo - Half Measures and Full Compromise
YouTube video by OffensiveCon
www.youtube.com
December 19, 2024 at 11:34 AM
Reposted by Nitesh Surana
[1/n] I want to kick off my profile here a little bit, thus I'll post several fun projects that I made last year.

Let's kick off with the SharePoint XXE blog, which could be abused due to URL parsing confusion between SharePoint and .NET components:
www.zerodayinitiative.com/blog/2024/5/...
Zero Day Initiative — CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities ar...
www.zerodayinitiative.com
December 19, 2024 at 11:32 AM
Reposted by Nitesh Surana
I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed achieving LPE on AD machines 🙃
December 12, 2024 at 6:03 PM
Picking old, breaking new.
November 29, 2024 at 12:54 PM