5 min
Windows
Are You Still Running End-of-Life Windows Servers?
Windows Server 2008 and 2008 R2 reached their end of life (EOL) on Jan. 14, 2020, but what does that mean in practice?
4 min
Vulnerability Management
Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350): What You Need to Know
On Tuesday, July 14, 2020, Microsoft released a patch for a 17-year-old remote code execution (RCE) vulnerability in Windows Domain Name System (DNS) servers discovered by Check Point researchers.
2 min
Vulnerability Management
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601): What You Need to Know
In this blog, we discuss everything you need to know about the CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability.
18 min
Windows
Heap Overflow Exploitation on Windows 10 Explained
Heap corruption can be a scary topic. In this post, we go through a basic example of a heap overflow on Windows 10.
3 min
Windows
Microsoft Windows RDP Network Level Authentication Bypass (CVE-2019-9510)
CERT/CC has released an advisory regarding discovered behavior in the Microsoft Windows Remote Desktop Protocol (RDP), which can allow an attacker to bypass the lock screen on some remote sessions.
8 min
Windows
PowerShell: How to Defend Against Malicious PowerShell Attacks
By implementing basic controls, you can keep your data safe from potential PowerShell attacks and better detect malicious behavior trying to circumvent said controls.
4 min
Microsoft
Petya-like Ransomware Explained
TL;DR summary (7:40 PM EDT June 28): A major ransomware attack started in
Ukraine yesterday and has spread around the world. The ransomware, which was
initially thought to be a modified Petya variant, encrypts files on infected
machines and uses multiple mechanisms to both gain entry to target networks and
to spread laterally. Several research teams are reporting that once victims'
disks are encrypted, they cannot be decrypted
[https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware
4 min
Microsoft
Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits
It is fair to say that Microsoft Office and OpenOffice are some of the most
popular applications in the world. We use them for writing papers, making slides
for presentations, analyzing sales or financial data, and more. This software is
so important to businesses that, even in developing countries, workers that are
proficient in an Office suite can make a decent living based on this skill
alone.
Unfortunately, high popularity for software also means more high-value targets
in the eyes of an
1 min
Nexpose
CVE-2017-3823: Remote Code Execution Vulnerability in Cisco WebEx Browser Plugin
On January 21st 2017, Google's Project Zero disclosed a vulnerability in Cisco's
WebEx browser plugin extension that could allow attackers to perform a remote
code execution (RCE) exploit on any Windows host running the plugin.
An initial fix was pushed out by Cisco that warned a user if they were launching
a meeting from a domain other than *.webex.com or *.webex.com.cn, however, the
fix was questioned by April King from Mozilla
[https://bugs.chromium.org/p/project-zero/issues/detail?id=1096#c
7 min
Haxmas
The Twelve Pains of Infosec
One of my favorite Christmas carols is the 12 Days of Christmas
[https://www.youtube.com/watch?v=oyEyMjdD2uk]. Back in the 90's, a satire of the
song came out in the form of the 12 Pains of Christmas
[https://www.youtube.com/watch?v=h4NlR5KQLQ8], which had me rolling on the floor
in laughter, and still does. Now that I am in information security, I decided it
is time for a new satire, maybe this will start a new tradition, and so I am
presenting, the 12 Pains of Infosec.
----------------------
2 min
Windows
Nexpose Remote Registry Activation for Windows
The Windows Registry is a database which stores all settings for a Windows
system, e.g. hardware, software installed, Windows updates installed and
preferences for users and their applications. During normal day to day use a
standard user will inadvertently push changes into this database when they
update the system, add/remove applications and so on.
Remote Registry is a Windows service which allows a non-local user to read or
make changes to the registry on your Windows system when they are
2 min
Windows
Metasploit Framework Open Source Installers
Rapid7 has long supplied universal Metasploit installers for Linux and Windows.
These installers contain both the open source Metasploit Framework as well as
commercial extensions, which include a graphical user interface, metamodules,
wizards, social engineering tools and integration with other Rapid7 tools. While
these features are very useful, we recognized that they are not for everyone.
According to our recent survey of Metasploit Community users, most only used it
for the open source comp
6 min
Metasploit
Flipping Bits in the Windows Kernel
Recently, the MS15-061 bulletin has received some attention. This security
bulletin includes patches for several Windows Kernel vulnerabilities, mainly
related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been
very well covered.
First, the same Udi Yavo published details about the Use After Free on a blog
entry. Later, Dominic Wang [https://twitter.com/d0mzw] wrote a even more
detailed analysis of both the vulnerability and its exploitation on this paper.
Finally, Meysam
20 min
Metasploit
A Debugging Session in the Kernel
Last week, an awesome paper
[https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/]
about the MS15-078 vulnerability and it's exploitation was published by Cedric
Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found
and exploited by Eugene Ching [https://twitter.com/eugeii], already has a
work-in-progress module in Metasploit, which you can follow on github
[https://
5 min
Exploits
Revisiting an Info Leak
Today an interesting tweet
[https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg
Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome
analysis on twitter lately!) came to our attention, concerning the MS15-080
[https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch:
This patch (included in MS15-080) may have been intended stop one of the Window
kernel bugs exploited by Hacking Team. But, after our analysis, it appears that
there is