This document provides an overview of Device Guard and techniques to bypass its application whitelisting capabilities. It begins with an introduction to Device Guard and what arbitrary code execution means under application whitelisting. It then discusses various bypass techniques, including using VBA macros, Excel 4.0 macros, ActiveScript hosts, and XSLT transforms to execute arbitrary code without requiring whitelisted applications. It notes that many of these techniques can be used for stealthy execution regardless of Device Guard. The document concludes by stating that the bypasses described could be detected with the right monitoring but that locking down Office and implementing a consistent ActiveScript model could help strengthen the feature.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs- when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Not a Security Boundary: Bypassing User Account Controlenigma0x3
This document summarizes the evolution of techniques for bypassing Windows User Account Control (UAC) without user interaction. It begins with an overview of UAC and integrity levels, then discusses early bypass techniques that abused objects like scheduled tasks and COM interfaces that elevate privileges silently. It traces the progression of bypass methods, from registry modifications and race conditions to more sophisticated approaches like token manipulation. The document emphasizes that mitigating UAC bypasses requires stopping the use of local administrator accounts and practicing least privilege. It directs the audience to additional resources on UAC bypass research.
From 0 to 0xdeadbeef - security mistakes that will haunt your startupDiogo Mónica
Every company has to deal with the topic of security. Depending on the product/service, security might be more or less important, but it doesn’t matter if the product is moving money or sending disappearing pictures, if the company grows, it will have to deal with security sooner or later.
Unfortunately, not all security mistakes are created equal.
This talk will go over some security mistakes are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.
Jonathan Birch from Microsoft discusses how misuse of serialization in .NET can lead to remote code execution (RCE) vulnerabilities. He explains how serialization works and how untrusted data streams containing type information can be exploited to instantiate dangerous classes and execute arbitrary code. He provides advice on how to prevent these vulnerabilities, such as using serialization formats without type information, constraining allowed types, and validating streams have not been modified.
The document discusses preventing file-based botnet persistence and growth through various layers of protection. It covers limiting software and access, script control for Windows Script Host, Microsoft Office macros, and PowerShell. It also discusses application whitelisting using AppLocker to restrict unauthorized executable code from running. The goal is to educate on the threat landscape and layers of defense that can be implemented at the host level.
This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.
This document discusses various techniques for finding and exploiting vulnerabilities during a penetration test when vulnerabilities are marked as "low" or "medium" in severity. It argues that penetration testers and clients should not rely solely on vulnerability scanners and should thoroughly investigate even lower severity issues. Specific techniques mentioned include exploiting default credentials on services like VNC, exploiting exposed admin interfaces found through tools like Metasploit, taking advantage of browsable directories with backups or other sensitive files, exploiting SharePoint misconfigurations, exploiting HTTP PUT or WebDAV configurations, exploiting Apple Filing Protocol, and exploiting trace.axd to view request details in .NET applications. The document emphasizes finding overlooked vulnerabilities and keeping "a human in the mix" rather than full reliance
This document provides an overview of Device Guard and techniques to bypass its application whitelisting capabilities. It begins with an introduction to Device Guard and what arbitrary code execution means under application whitelisting. It then discusses various bypass techniques, including using VBA macros, Excel 4.0 macros, ActiveScript hosts, and XSLT transforms to execute arbitrary code without requiring whitelisted applications. It notes that many of these techniques can be used for stealthy execution regardless of Device Guard. The document concludes by stating that the bypasses described could be detected with the right monitoring but that locking down Office and implementing a consistent ActiveScript model could help strengthen the feature.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs- when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Not a Security Boundary: Bypassing User Account Controlenigma0x3
This document summarizes the evolution of techniques for bypassing Windows User Account Control (UAC) without user interaction. It begins with an overview of UAC and integrity levels, then discusses early bypass techniques that abused objects like scheduled tasks and COM interfaces that elevate privileges silently. It traces the progression of bypass methods, from registry modifications and race conditions to more sophisticated approaches like token manipulation. The document emphasizes that mitigating UAC bypasses requires stopping the use of local administrator accounts and practicing least privilege. It directs the audience to additional resources on UAC bypass research.
From 0 to 0xdeadbeef - security mistakes that will haunt your startupDiogo Mónica
Every company has to deal with the topic of security. Depending on the product/service, security might be more or less important, but it doesn’t matter if the product is moving money or sending disappearing pictures, if the company grows, it will have to deal with security sooner or later.
Unfortunately, not all security mistakes are created equal.
This talk will go over some security mistakes are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.
Jonathan Birch from Microsoft discusses how misuse of serialization in .NET can lead to remote code execution (RCE) vulnerabilities. He explains how serialization works and how untrusted data streams containing type information can be exploited to instantiate dangerous classes and execute arbitrary code. He provides advice on how to prevent these vulnerabilities, such as using serialization formats without type information, constraining allowed types, and validating streams have not been modified.
The document discusses preventing file-based botnet persistence and growth through various layers of protection. It covers limiting software and access, script control for Windows Script Host, Microsoft Office macros, and PowerShell. It also discusses application whitelisting using AppLocker to restrict unauthorized executable code from running. The goal is to educate on the threat landscape and layers of defense that can be implemented at the host level.
This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.
This document discusses various techniques for finding and exploiting vulnerabilities during a penetration test when vulnerabilities are marked as "low" or "medium" in severity. It argues that penetration testers and clients should not rely solely on vulnerability scanners and should thoroughly investigate even lower severity issues. Specific techniques mentioned include exploiting default credentials on services like VNC, exploiting exposed admin interfaces found through tools like Metasploit, taking advantage of browsable directories with backups or other sensitive files, exploiting SharePoint misconfigurations, exploiting HTTP PUT or WebDAV configurations, exploiting Apple Filing Protocol, and exploiting trace.axd to view request details in .NET applications. The document emphasizes finding overlooked vulnerabilities and keeping "a human in the mix" rather than full reliance
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
This document summarizes Matt Nelson's presentation on security boundaries and feature bypasses in Microsoft software. Some key points include:
- Security boundaries are not always clearly defined and what is/isn't a boundary can discourage researchers from reporting issues.
- Attackers don't care about boundaries and will exploit any feature or bypass that raises their chances of success.
- Examples of feature bypasses like Outlook forms, OLE, and UAC show how Microsoft has improved at issuing fixes for non-boundaries in the name of defense in depth.
- Technologies like AMSI, Device Guard, and UAC still have bypasses but increasing costs for attackers through fixes is worthwhile even if not a strict boundary.
- The call
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
This document discusses bridging the gap between penetration testing and red teaming using offensive PowerShell techniques. It describes how standard Windows images often have vulnerabilities, dirty networks with outdated users and services provide easy targets, and domain trusts allow access between organizations. The authors promote the Empire PowerShell agent for post-exploitation, highlighting modules for execution, credential theft, and lateral movement. They provide examples using Empire to inject into processes and extract credentials with Mimikatz.
The document discusses attacking websites using HTML5 features and capabilities. It introduces HTML5 and some of its new tags, attributes, and APIs that can be abused for attacks like cross-site scripting and bypassing input filters. Specific techniques demonstrated include bypassing blacklists using new HTML5 event attributes and tags, setting up reverse web shells using cross-origin requests, and clickjacking via the drag-and-drop API. The talk also covers poisoning the HTML5 application cache and exploiting client-side file includes through cross-origin XMLHttpRequests. Demo attacks are promised to illustrate these HTML5-based vulnerabilities.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
The document discusses security vulnerabilities found in the web interfaces of security gateways. The author details how they used automated scanners, manual testing with Burp, and SSH access to root to find over 35 exploits in various security gateway products since 2011. Common vulnerabilities included input validation issues, predictable URLs and parameters enabling CSRF, excessive privileges, and session management flaws. The author provides examples of compromising ClearOS and Websense gateways, and demonstrates OSRF through Proofpoint's email system. They conclude many techniques are older but there remains a knowledge gap between secure web and UI development.
The document discusses open source software (OSS) security issues and strategies for addressing vulnerabilities. It notes that while open development allows many eyeballs to find bugs, in reality most don't know what to look for and vulnerabilities are still regularly found. It then provides data on vulnerabilities reported over time for several major OSS projects. The document advocates applying a secure development lifecycle and vulnerability management process to address issues early. It also discusses automating scanning of code and binaries for vulnerabilities and integrating these tools into developer workflows.
This document discusses exploiting Android devices through practical physical and remote attacks. It covers bypassing lock screens through USB debugging bugs, removing key files, and abusing application issues. It also discusses exploiting browser vulnerabilities through JavaScript interfaces. Remote attacks include browser and PDF viewer exploits that can lead to privilege escalation and maintaining root access through a custom su binary. Man-in-the-middle exploits through wireless networking are also mentioned.
This document discusses various methods for securing websites against brute force and denial of service attacks. It explores using .htaccess files with HTTP authentication, monitoring traffic for suspicious patterns, using one-time passwords or tokens, and integrating with firewalls or proxies to restrict traffic from suspect IP addresses. While .htaccess provides basic protection, more robust solutions are needed to prevent automated cracking attempts from compromising accounts or overloading server resources.
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
Jenkins, TeamCity, Go, and CruiseControl are popular continuous integration and delivery tools. Each tool allows executing commands or scripts during a build step with varying levels of privilege depending on the user's role. This poses a security risk as it could allow compromising the system or configuration files if malicious commands are run. The document discusses different ways an attacker could abuse build configurations and credentials to escalate privileges or maintain persistence on the CI server.
The document outlines attacks on a virtualization fabric by compromised administrators. It describes 6 attacks by the storage admin "Ned" and fabric admin "Taylor" to gain unauthorized access and privileges. Each attack is followed by mitigation strategies to harden the fabric, such as encrypting storage, using secure boot, enforcing code integrity policies, and implementing an external attestation service to verify host configuration and policies before allowing sensitive VM access. The review lists the layered security measures now in place to protect against insider threats.
Louis Nyffenegger gave a talk about the recent vulnerabilities discovered in Ruby on Rails. Several vulnerabilities allowed remote code execution by injecting malicious YAML payloads that were parsed by Rails. These issues arose due to assumptions that Rails was secure, increased scrutiny as its popularity grew, and its flexible parsing of requests. Upgrades and removing unnecessary parsers can help mitigate risks going forward.
Cookies stored by web browsers can be easily stolen, as most browsers store them in plaintext. Popular browsers like Firefox store cookies in SQLite databases, Internet Explorer in text files, and Opera and Safari in custom binary formats - all of which can be read easily by tools or code. Chromium encrypts cookies on Windows, Mac, and Linux, but cookies can still be decrypted on Linux. Physical access, social engineering, malware, and other attacks can steal browser cookies. Defenses include disk encryption, application firewalls, SELinux, and a master password for cookies.
This document discusses exploiting Android devices through practical physical and remote attacks. It covers bypassing lock screens through USB debugging bugs, removing key files, and abusing application issues. Remote exploits discussed include browser and application memory corruption, JavaScript interface attacks, and maintaining privileged access through "minimal su". The document also mentions man-in-the-middle exploits and privilege escalation techniques.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
This document provides an overview of attacking ColdFusion applications. It begins with an introduction to ColdFusion and discusses how to find sites running it. Common vulnerabilities in ColdFusion like XSS, SQL injection, and exposed admin interfaces are explained. Specific exploits like BlazeDS XML injection and the locale traversal issue are covered in detail. The document also discusses brute forcing admin logins, interacting with CFCs, and abusing long-lived admin cookies. It concludes with a section on post-exploitation activities like scheduling tasks and executing code once administrative access is obtained.
The document discusses the analysis of an attack involving a compromised website containing a PHP webshell. Additional artifacts found included an initial SQL injection, a China Chopper webshell, and a Golang-coded ss.exe backdoor. The attacker used a vulnerability in Sandboxie to evade detection and execute a debugsrv.exe trojan. Yara rules were provided to detect related malware samples. The investigation mapped the attacker's lateral movement and a remediation plan was implemented over 35 days.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
The document discusses integrating security testing into continuous integration pipelines, referred to as "Security DevOps". It proposes a "Security DevOps Maturity Model" with four axes: Static Depth, Dynamic Depth, Intensity, and Consolidation. For the Dynamic Depth axis, it describes different levels of integrating dynamic application security testing tools like ZAP, Arachni, BDD-Security, and Gauntlt to test public, authenticated, and backend application layers within a CI pipeline. Examples are given for configuring the tools to perform targeted scans during commits or nightly builds.
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
This document summarizes Matt Nelson's presentation on security boundaries and feature bypasses in Microsoft software. Some key points include:
- Security boundaries are not always clearly defined and what is/isn't a boundary can discourage researchers from reporting issues.
- Attackers don't care about boundaries and will exploit any feature or bypass that raises their chances of success.
- Examples of feature bypasses like Outlook forms, OLE, and UAC show how Microsoft has improved at issuing fixes for non-boundaries in the name of defense in depth.
- Technologies like AMSI, Device Guard, and UAC still have bypasses but increasing costs for attackers through fixes is worthwhile even if not a strict boundary.
- The call
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
This document discusses bridging the gap between penetration testing and red teaming using offensive PowerShell techniques. It describes how standard Windows images often have vulnerabilities, dirty networks with outdated users and services provide easy targets, and domain trusts allow access between organizations. The authors promote the Empire PowerShell agent for post-exploitation, highlighting modules for execution, credential theft, and lateral movement. They provide examples using Empire to inject into processes and extract credentials with Mimikatz.
The document discusses attacking websites using HTML5 features and capabilities. It introduces HTML5 and some of its new tags, attributes, and APIs that can be abused for attacks like cross-site scripting and bypassing input filters. Specific techniques demonstrated include bypassing blacklists using new HTML5 event attributes and tags, setting up reverse web shells using cross-origin requests, and clickjacking via the drag-and-drop API. The talk also covers poisoning the HTML5 application cache and exploiting client-side file includes through cross-origin XMLHttpRequests. Demo attacks are promised to illustrate these HTML5-based vulnerabilities.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
The document discusses security vulnerabilities found in the web interfaces of security gateways. The author details how they used automated scanners, manual testing with Burp, and SSH access to root to find over 35 exploits in various security gateway products since 2011. Common vulnerabilities included input validation issues, predictable URLs and parameters enabling CSRF, excessive privileges, and session management flaws. The author provides examples of compromising ClearOS and Websense gateways, and demonstrates OSRF through Proofpoint's email system. They conclude many techniques are older but there remains a knowledge gap between secure web and UI development.
The document discusses open source software (OSS) security issues and strategies for addressing vulnerabilities. It notes that while open development allows many eyeballs to find bugs, in reality most don't know what to look for and vulnerabilities are still regularly found. It then provides data on vulnerabilities reported over time for several major OSS projects. The document advocates applying a secure development lifecycle and vulnerability management process to address issues early. It also discusses automating scanning of code and binaries for vulnerabilities and integrating these tools into developer workflows.
This document discusses exploiting Android devices through practical physical and remote attacks. It covers bypassing lock screens through USB debugging bugs, removing key files, and abusing application issues. It also discusses exploiting browser vulnerabilities through JavaScript interfaces. Remote attacks include browser and PDF viewer exploits that can lead to privilege escalation and maintaining root access through a custom su binary. Man-in-the-middle exploits through wireless networking are also mentioned.
This document discusses various methods for securing websites against brute force and denial of service attacks. It explores using .htaccess files with HTTP authentication, monitoring traffic for suspicious patterns, using one-time passwords or tokens, and integrating with firewalls or proxies to restrict traffic from suspect IP addresses. While .htaccess provides basic protection, more robust solutions are needed to prevent automated cracking attempts from compromising accounts or overloading server resources.
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
Jenkins, TeamCity, Go, and CruiseControl are popular continuous integration and delivery tools. Each tool allows executing commands or scripts during a build step with varying levels of privilege depending on the user's role. This poses a security risk as it could allow compromising the system or configuration files if malicious commands are run. The document discusses different ways an attacker could abuse build configurations and credentials to escalate privileges or maintain persistence on the CI server.
The document outlines attacks on a virtualization fabric by compromised administrators. It describes 6 attacks by the storage admin "Ned" and fabric admin "Taylor" to gain unauthorized access and privileges. Each attack is followed by mitigation strategies to harden the fabric, such as encrypting storage, using secure boot, enforcing code integrity policies, and implementing an external attestation service to verify host configuration and policies before allowing sensitive VM access. The review lists the layered security measures now in place to protect against insider threats.
Louis Nyffenegger gave a talk about the recent vulnerabilities discovered in Ruby on Rails. Several vulnerabilities allowed remote code execution by injecting malicious YAML payloads that were parsed by Rails. These issues arose due to assumptions that Rails was secure, increased scrutiny as its popularity grew, and its flexible parsing of requests. Upgrades and removing unnecessary parsers can help mitigate risks going forward.
Cookies stored by web browsers can be easily stolen, as most browsers store them in plaintext. Popular browsers like Firefox store cookies in SQLite databases, Internet Explorer in text files, and Opera and Safari in custom binary formats - all of which can be read easily by tools or code. Chromium encrypts cookies on Windows, Mac, and Linux, but cookies can still be decrypted on Linux. Physical access, social engineering, malware, and other attacks can steal browser cookies. Defenses include disk encryption, application firewalls, SELinux, and a master password for cookies.
This document discusses exploiting Android devices through practical physical and remote attacks. It covers bypassing lock screens through USB debugging bugs, removing key files, and abusing application issues. Remote exploits discussed include browser and application memory corruption, JavaScript interface attacks, and maintaining privileged access through "minimal su". The document also mentions man-in-the-middle exploits and privilege escalation techniques.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
This document provides an overview of attacking ColdFusion applications. It begins with an introduction to ColdFusion and discusses how to find sites running it. Common vulnerabilities in ColdFusion like XSS, SQL injection, and exposed admin interfaces are explained. Specific exploits like BlazeDS XML injection and the locale traversal issue are covered in detail. The document also discusses brute forcing admin logins, interacting with CFCs, and abusing long-lived admin cookies. It concludes with a section on post-exploitation activities like scheduling tasks and executing code once administrative access is obtained.
The document discusses the analysis of an attack involving a compromised website containing a PHP webshell. Additional artifacts found included an initial SQL injection, a China Chopper webshell, and a Golang-coded ss.exe backdoor. The attacker used a vulnerability in Sandboxie to evade detection and execute a debugsrv.exe trojan. Yara rules were provided to detect related malware samples. The investigation mapped the attacker's lateral movement and a remediation plan was implemented over 35 days.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
The document discusses integrating security testing into continuous integration pipelines, referred to as "Security DevOps". It proposes a "Security DevOps Maturity Model" with four axes: Static Depth, Dynamic Depth, Intensity, and Consolidation. For the Dynamic Depth axis, it describes different levels of integrating dynamic application security testing tools like ZAP, Arachni, BDD-Security, and Gauntlt to test public, authenticated, and backend application layers within a CI pipeline. Examples are given for configuring the tools to perform targeted scans during commits or nightly builds.
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
Diese Session zeigt Ihnen, welche Automatisierungsoptionen zur Überwachung bestimmter Sicherheitsaspekte in der agilen Softwareentwicklung bestehen. Ausgehend von dem etablierten DevOps-Konzept, mit dem im Übergang von Entwicklung zu Betrieb Prozesse automatisiert und verzahnt werden, wird mit „Security-DevOps“ dieser Antrieb aufgegriffen und auf die Absicherung von Anwendungen gegen Hackerangriffe übertragen. Durch frühe Rückkopplung sicherheitstechnischer Findings an die Entwicklung im Rahmen der Automatisierung haben Ihre Pentester die Möglichkeit, sich auf die kniffligeren Sicherheitschecks zu konzentrieren – trotz geforderter kurzer Releasezyklen.
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
This document contains biographies of three individuals - Anthony Rose, Jacob Krasnov, and Vincent Rose - who are co-founders of BC Security and researchers focused on security topics like Bluetooth, wireless security, and embedded systems. It then provides an overview of a session about techniques for obfuscating malware to avoid detection by defenses like AMSI and sandboxes. The document outlines goals, expectations, and provides brief explanations of key concepts like AMSI, malware triggering, and Empire tutorials.
Scripting and Automation within the MAX Platform - Mark Petrie MAXfocus
The document discusses scripting and automation capabilities in GFI MAX RemoteManagement. It provides an overview of scripting concepts, how scripts can be used for monitoring checks and automated maintenance tasks, and examples of built-in and custom scripts. The document also covers best practices for writing scripts, including using command line arguments, interacting with the file system, registry, applications, and returning results.
The document discusses bypassing endpoint detection and response (EDR) systems. It begins with an introduction and agenda, then provides background on the evolution of endpoint security technologies. It describes how EDRs and antiviruses work, including userland hooking techniques. The document outlines various 2022 EDR bypass techniques such as direct system calls, unhooking, and .NET evasion. It focuses on researching techniques to bypass AM-PPL (Antimalware Protected Process Light) and describes how to bypass it by abusing a 2018 vulnerability in Object Manager directories.
Blackhat Arsenal 2017 - The Cumulus ToolkitJavier Godinez
There is a lack of tools for testing the security of Cloud deployments; the Cumulus Toolkit is an attack framework for exploiting the Cloud's weak points.
The Cloud enables software projects to speed up development because it allows developers to provision infrastructure and make configuration changes to their networks without much friction. This ease of deployment was but a dream in the age of the traditional datacenter. However, the Cloud also brings new attack surface which needs further exploration. Cloud Identity and Access Management (IAM) services (such as Amazon's) are primary targets for attackers, as these typically control access to hundreds of API calls over many services.
Over the years there have been various discussions around cloud security, e.g., Pivoting in Amazon Clouds (2013), and few tools have been developed to enable testing the security of Cloud deployments. These tools are standalone, have not attained wide adoption, and/or have not made it into widely adopted toolkits. To fill this void, we have developed the Cumulus Toolkit. The Cumulus Toolkit is a Cloud exploitation toolkit based on the Metasploit Framework. We chose Metasploit because of its wide adoption and its wealth of existing features.
The Cumulus toolkit is a set of modules that can be used perform privilege escalation, account takeover, and to launch unauthorized workloads. To illustrate security concerns resulting from lax IAM policies, we present the Create IAM User module which can be used to create a user with administrative privileges. To perform complete account takeover, an attack that we've seen in the wild, we present the User Locker module which is used to lock out all legitimate users out of the account. Finally, we present the Launch Instances module which can be used to launch Cloud hosts on demand.
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation.
This talk was presented by Apostolos Giannakidis at the OWASP London meetup on May 2017.
This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported.
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen.
For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.
The document discusses techniques used by malware authors to evade detection from antivirus and other security tools. It covers obfuscation, crypters, packers, and frameworks that can generate bypass antivirus malware. Specific techniques mentioned include bypassing User Account Control (UAC), AppLocker whitelisting, and using tools like Mimikatz to dump credentials from infected systems. The document emphasizes that endpoint protection alone is not enough, and that security awareness training and layered defenses are needed to protect against evolving malware threats.
The document describes an anatomy of a buffer overflow attack. It begins with disclaimers about the legal and ethical responsibilities when discussing exploits. It then provides an overview of the scenario which involves exploiting a vulnerability in a Windows FTP server to obtain a reverse shell. It defines relevant terminology like buffers, fuzzing, shellcode and bind/reverse shells. It also provides examples of assembly shellcode and encoded shellcode. Finally, it outlines the process of identifying the vulnerability, designing an exploit through fuzzing and overwriting registers, and obtaining a shell through the exploit.
Automated Intrusion Detection and Response on AWSTeri Radichel
This document discusses using AWS services to automate intrusion detection and response. It provides examples of using AWS services like EC2, CloudFormation, and VPC to deploy resources and configure them with security features. Code examples are given to start EC2 instances, deploy templates to AWS, and monitor VPC flow logs to detect threats and take actions like snapshotting or terminating instances in response. The document argues that AWS services can improve security operations when best practices are followed, as AWS provides capabilities like built-in logging, inventory, and tools that facilitate automated detection and response.
1) This document provides 30 tips for using XPages in 60 minutes.
2) The tips cover general programming, debugging, user interface design, using XPages in the Notes client, and working with Dojo.
3) Example tips include using scoped variables to store data, calling Java classes from XPages, turning on debugging to view error messages, using themes for global configuration, and enabling Dojo parseOnLoad to initialize widgets.
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
Security is hard. We all miss things. Attackers find things.
"You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself." -Samuel Levenson
This talk is a fun, fast-moving survey of some of the best recent bug bounty finds against some of the largest and best-known applications in the world. Some of the bugs are really simple, some are super complex, but all are entertaining. As we go through these, we'll take a look at what caused the issue, and how to fix it.
From this talk, you'll walk away with:
* a few minutes of entertainment
* a view of the wide breadth of security issues
* practical ideas on testing and shoring up security in your own applications
* (maybe) a new side gig as a bug bounty hunter!
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
The document discusses techniques for protecting web applications from client-side attacks using JavaScript (Waf.js). It covers the following key points in 3 sentences:
Waf.js provides defenses like CSRF prevention, DOM-based XSS prevention, and detection of unwanted applications. It utilizes parsers like Acorn and DOMPurify to parse and sanitize inputs to prevent injections. The document outlines approaches used by Waf.js to build the AST of an input and search for dangerous code like function calls to prevent attacks while minimizing false positives.
This document provides information on secure coding training. It discusses topics like security misconfiguration, common vulnerabilities, dependency checking, and Apache hardening. It emphasizes the importance of establishing repeatable hardening processes, keeping environments consistently configured, and following guides to secure software components and platforms. References are included for further resources on secure configuration best practices.
The document provides an overview of using the Metasploit framework to conduct penetration testing. It discusses installing required software, updating and opening MSFConsole. It describes different Metasploit interfaces like GUI, console and Armitage. It covers topics like exploits, payloads, encoders, information gathering, vulnerability scanning, exploitation, and Meterpreter. Advanced Meterpreter commands are also summarized like capturing screenshots, migrating processes, dumping password hashes, and maintaining persistence.
Similar to Sneaking Past Device Guard - HITB19AMS (20)
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...kalichargn70th171
Visual testing plays a vital role in ensuring that software products meet the aesthetic requirements specified by clients in functional and non-functional specifications. In today's highly competitive digital landscape, users expect a seamless and visually appealing online experience. Visual testing, also known as automated UI testing or visual regression testing, verifies the accuracy of the visual elements that users interact with.
A neural network is a machine learning program, or model, that makes decisions in a manner similar to the human brain, by using processes that mimic the way biological neurons work together to identify phenomena, weigh options and arrive at conclusions.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
React.js, a JavaScript library developed by Facebook, has gained immense popularity for building user interfaces, especially for single-page applications. Over the years, React has evolved and expanded its capabilities, becoming a preferred choice for mobile app development. This article will explore why React.js is an excellent choice for the Best Mobile App development company in Noida.
Visit Us For Information: https://www.linkedin.com/pulse/what-makes-reactjs-stand-out-mobile-app-development-rajesh-rai-pihvf/
Malibou Pitch Deck For Its €3M Seed Roundsjcobrien
French start-up Malibou raised a €3 million Seed Round to develop its payroll and human resources
management platform for VSEs and SMEs. The financing round was led by investors Breega, Y Combinator, and FCVC.
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...kalichargn70th171
In today's fiercely competitive mobile app market, the role of the QA team is pivotal for continuous improvement and sustained success. Effective testing strategies are essential to navigate the challenges confidently and precisely. Ensuring the perfection of mobile apps before they reach end-users requires thoughtful decisions in the testing plan.
Photoshop Tutorial for Beginners (2024 Edition)alowpalsadig
Photoshop Tutorial for Beginners (2024 Edition)
Explore the evolution of programming and software development and design in 2024. Discover emerging trends shaping the future of coding in our insightful analysis."
Here's an overview:Introduction: The Evolution of Programming and Software DevelopmentThe Rise of Artificial Intelligence and Machine Learning in CodingAdopting Low-Code and No-Code PlatformsQuantum Computing: Entering the Software Development MainstreamIntegration of DevOps with Machine Learning: MLOpsAdvancements in Cybersecurity PracticesThe Growth of Edge ComputingEmerging Programming Languages and FrameworksSoftware Development Ethics and AI RegulationSustainability in Software EngineeringThe Future Workforce: Remote and Distributed TeamsConclusion: Adapting to the Changing Software Development LandscapeIntroduction: The Evolution of Programming and Software Development
Photoshop Tutorial for Beginners (2024 Edition)Explore the evolution of programming and software development and design in 2024. Discover emerging trends shaping the future of coding in our insightful analysis."Here's an overview:Introduction: The Evolution of Programming and Software DevelopmentThe Rise of Artificial Intelligence and Machine Learning in CodingAdopting Low-Code and No-Code PlatformsQuantum Computing: Entering the Software Development MainstreamIntegration of DevOps with Machine Learning: MLOpsAdvancements in Cybersecurity PracticesThe Growth of Edge ComputingEmerging Programming Languages and FrameworksSoftware Development Ethics and AI RegulationSustainability in Software EngineeringThe Future Workforce: Remote and Distributed TeamsConclusion: Adapting to the Changing Software Development LandscapeIntroduction: The Evolution of Programming and Software Development
The importance of developing and designing programming in 2024
Programming design and development represents a vital step in keeping pace with technological advancements and meeting ever-changing market needs. This course is intended for anyone who wants to understand the fundamental importance of software development and design, whether you are a beginner or a professional seeking to update your knowledge.
Course objectives:
1. **Learn about the basics of software development:
- Understanding software development processes and tools.
- Identify the role of programmers and designers in software projects.
2. Understanding the software design process:
- Learn about the principles of good software design.
- Discussing common design patterns such as Object-Oriented Design.
3. The importance of user experience (UX) in modern software:
- Explore how user experience can improve software acceptance and usability.
- Tools and techniques to analyze and improve user experience.
4. Increase efficiency and productivity through modern development tools:
- Access to the latest programming tools and languages used in the industry.
- Study live examples of applications
Orca: Nocode Graphical Editor for Container OrchestrationPedro J. Molina
Tool demo on CEDI/SISTEDES/JISBD2024 at A Coruña, Spain. 2024.06.18
"Orca: Nocode Graphical Editor for Container Orchestration"
by Pedro J. Molina PhD. from Metadev
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
The Comprehensive Guide to Validating Audio-Visual Performances.pdfkalichargn70th171
Ensuring the optimal performance of your audio-visual (AV) equipment is crucial for delivering exceptional experiences. AV performance validation is a critical process that verifies the quality and functionality of your AV setup. Whether you're a content creator, a business conducting webinars, or a homeowner creating a home theater, validating your AV performance is essential.
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...The Third Creative Media
"Navigating Invideo: A Comprehensive Guide" is an essential resource for anyone looking to master Invideo, an AI-powered video creation tool. This guide provides step-by-step instructions, helpful tips, and comparisons with other AI video creators. Whether you're a beginner or an experienced video editor, you'll find valuable insights to enhance your video projects and bring your creative ideas to life.
5. DEVICE GUARD – WHAT AND WHY?
» Application whitelisting feature in Win10
» Only code defined in a policy (by cert/hash/etc.) should
be able to run
» Inhibits an attacker’s ability to run code on a
compromised machine
» Very interesting and permissive threat model:
» Attacker can already execute commands on a machine
6. WHAT DOES ARBITRARY CODE REALLY MEAN?
» The ability to interact with the OS freely (under
privilege constraints)
» Most direct way to achieve this is having full control of
process memory
8. WHAT DOES ARBITRARY CODE REALLY MEAN?
» Without AWL:
»Arbitrary commands == arbitrary
code
»Just run your own process/library
and you’re set
9. WHAT DOES ARBITRARY CODE REALLY MEAN?
» With AWL:
»You have to rely only on allowed
executables/scripts
»Implementing basic offensive
functionality (cred stealing, c&c
etc.) becomes immensely hard
10. LOSING ARBITRARY EXECUTION IS EASY!
Fully
Controlled
Process
Privilege
Escalation
Lateral
Movement
Sandbox
Escape
Persistenc
e
11. DEVICE GUARD – IN PRACTICE
» PE Files
» Only whitelisted files may be executed
» Powershell
» Constrained Language Mode (CLM) allows only very
restricted types in non-whitelisted scripts
» ActiveScript Engines
» COM object filtering on non-whitelisted scripts
13. ADMIN BYPASSES ARE STILL DANGEROUS
» Admin users can disable Device Guard
» Requires a restart
» Throws a nasty event log
» Forces attackers into very conspicuous and detectable behavior
14. ADMIN BYPASSES ARE STILL DANGEROUS
» New admin bypasses may be unnoticed by defenders
» Most common scenario for Lateral Movement
» More unfixed admin bypasses = less reliability to the
feature
16. A WORD ON VBA
» You can’t expect MS to lock every piece of code in
existence
» But Office is MS made, and ubiquitous
» VBA is uninstrumented by Device Guard
» Macros easily allow you to gain full process control:
» Import WINAPI functions and run shellcode
» DotNetToJScript
18. THE NAÏVE APPROACH
» Requires user interaction, and RDPing to a victim is a
bit too much
» Is also really lame
» Could we run macros without user/GUI interactions?
19. THE LATERAL MOVEMENT/DCOM APPROACH
» Macro functionality is exposed via DCOM
» No files, no protected mode!
» Easily available only remotely
» Requires Admin in most configs
21. BUT WE WANT TO DO IT LOCALLY!
AND UNPRIVILEGED!
22. WHEN DOES OFFICE FORSAKE PROTECTED MODE?
» Documents for which macros were enabled once are considered
trusted
» So are documents running from trusted locations
23. TRUSTED LOCATIONS
» Trusted locations are managed in the registry
» All the default ones are only writable by admins
30. EXCEL4.0 MACROS
» Excel actually has another, legacy macro feature,
introduced in ‘92
» Implemented in excel.exe itself
» CALL and REGISTER functions allow execution of arbitrary
dll functions
» May leave a subtle taste of vomit in your mouth after use
31. EXCEL4.0 MACROS
» Can be used to run x86 shellcode via a method discovered
by Stan Hegt and Pieter Ceelen of Outflank
33. RUNNING SHELLCODE VIA DCOM
Fileless version by Stan Hegt available here -
https://github.com/outflanknl/Excel4-DCOM
34. EXCEL4.0 MACROS
» The current technique can’t support x64 shellcode due to
datatype and calling convention constraints
» The fileless lateral movement version is a bit slow, as
it writes the payload byte by byte
» A fast, 64-bit supporting version and an accompanying
blogpost are available here –
https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits
36. RUNNING SHELLCODE VIA TRUSTED FOLDER
» The trusted directory trick works exactly the same, without
VBA
37. BENEFITS OF EXCEL4 MACROS
» Less likely to be killed if DG is introduced to office
» No external library to block
» Excel is installed = Device Guard Forever(?)-Day
39. ACTIVESCRIPT BYPASSES
» ActiveScript is a generic Windows scripting technology
» What’s behind vbscript/jscript
» The target of many recent bypasses (Squibly[A-Za-z]*)
43. ACTIVESCRIPTCONSUMER
» You might know this WMI class from the most common WMI
persistence method
» Implemented as scrcons.exe
» An independent ActiveScript host by itself
» Not instrumented by Device Guard
» Only available as admin :(
46. XSLT TRANSFORMS
» XML Transform stylesheets
» Support embedded scripting
» Implement their own uninstrumented scripting host in
msxml.dll
» Applying an arbitrary xsl transform can result in running
arbitrary code
49. OUTLOOK OBJECT CREATION + XSLT
Modification of a method published here:
https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
50. THIS WAS A LIE BY OMISSION
Engine
Wldp.dll
Host
Engine
Script
new ActiveXObject
(“Wscript.Shell”);
CLSIDFromProgID (“Wscript.Shell”,
&clsid)
Host->IsClassAllowed (clsid, &is_allowed)
WldpIsClassInApprovedList
(classID, hostInformation, isApproved, optionalFlags)
CoCreateInstance (clsid, *otherparams)
52. WHAT DOES THIS MEAN FOR US?
» Mshtml.dll is responsible for
calling IsClassAllowed for the
engine
» Cscript.exe exposes IsClassAllowed
to the engine, which calls it
directly
53. CVE-2018-8417
» Jscript9.dll was not meant to be used by wcscript, and
thus assumes the host will call IsClassAllowed for it
» Can be run under cscript if asked very nicely
» The engine relies on the host to check the whitelist,
while the host relies on the engine
» IsClassAllowed is never called
» Object is created with no checks
55. OK, BUT WHAT ABOUT SCRIPTLETS?!
» Scrobj.dll (the scriptlet host) works exactly the
same
» Scriptlets need a ProgID, not a CLSID
» Just register your own and you’re set
59. UPDATED MACHINE? – BYOV!
» Jimmy Bayne (@bohops) discovered that you could still
abuse two of our recent bypasses, despite them being
patched
» Borrowing a trick from driver signature enforcement
bypasses
» Bad catalog hygiene means that the signature of the
vulnerable library is still valid
61. NOT JUST THE BYPASSES, BUT THE OVERFLOWS AND UAFS TOO!
62. THE SCOPE OF THE PROBLEM
» Stale catalogs are not the exception, but rather the norm
» Your machine is vulnerable to anything that is:
» A DG bypass / Code execution vulnerability
» Vulnerable code is reachable via command line / COM hijacking /
dll hijacking
» Vulnerability was patched after the current major Windows update
(RS#) was released
» Almost all vulnerable versions of files can be found in
the WinSxS folder
» Fixing this requires either better catalog hygiene on
update, or adding every single such vulnerability to the
block list as it is released.
64. ALTERNATIVE EXECUTION METHODS ARE ALWAYS FUN
» Some of the bypasses shown can be used as
stealthy execution techniques regardless of
Device Guard
65. AMSI BYPASSES
» Jscript9.dll isn’t instrumented with AMSI
» Even on an updated machine you are provided
with a free AMSI bypass!
66. AMSI BYPASSES
» Chakra.dll – Yes, there’s another ActiveScript JS
implementation!
» No AMSI, but no ActiveX functionality
» Wscript.CreateObject to the rescue!
67. STICKING TECHNIQUES TOGETHER
» Use Jscript9/Chakra.dll to create the Excel object
» Run shellcode through Excel
» No files, No AMSI, and no injections!
69. YOU ALREADY HAVE THE TOOLS FOR DETECTION
» Each of the bypasses described can be easily detected, if
you know what to look for
» Command lines, registry and maybe a tiny bit of WMI is
all you need
70. HOW I THINK THE FEATURE SHOULD DEVELOP
» Lock down Office, as it is pretty ubiquitous
» Implement a generic solution for the catalog
hygiene issue
» A single consistent implementation for
ActiveScript
» Some kind of way to extend the whitelisting
model to other applications would be nice
71. PEOPLE TO FOLLOW
» James Forshaw - @tiraniddo
» Matt Graeber - @mattifestation
» Casey Smith - @subtee
» Matt Nelson - @enigma0x3
» Jimmy Bayne - @bohops
72. You can also reach me via @PhilipTsukerman
QUESTIONS?