New article by our researcher Nikita Petrov: "From opcode to code: how AI chatbots can help with decompilation".
Read the blog post: https://swarm.ptsecurity.com/from-opcode-to
PT SWARM
From opcode to code: how AI chatbots can help with decompilation
Sometimes, when searching for vulnerabilities, you come across protected PHP code. Often, it's protected by commercial encoders. These encoders perform a straightforward task: they compile the source code into Zend Engine bytecode and then encode it. The…
Splitting the email atom: exploiting parsers to bypass access controls
by Gareth Heyes
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an email will be routed to should be simple, but is actually ludicrously difficult - even for 'valid', RFC-compliant addresses.
In this paper, the author shows how to turn email-parsing discrepancies into access control bypasses and even RCE.
This paper is accompanied by a free online CTF, so you'll be able to try out your new skill set immediately.
Contents:
- Introduction
- Creating email domain confusion
- Parser discrepancies
- Punycode
- Methodology/Tooling
- Defence
- Materials
- CTF
- Takeaways
- Timeline
- References
https://portswigger.net/research/splitting-the-email-atom
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
by Orange Tsai
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. The content includes, but is not limited to:
- How a single ? can bypass Httpd's built-in access control and authentication.
- How unsafe RewriteRules can escape the Web Root and access the entire filesystem.
- How to leverage a piece of code from 1996 to transform an XSS into RCE.
Contents:
- Before the Story
- How Did the Story Begin?
- Why Apache HTTP Server Smells Bad?
- A Whole New Attack - Confusion Attack
  - Filename Confusion
  - DocumentRoot Confusion
  - Handler Confusion
  - Other Vulnerabilities
- Future Works
- Conclusion
https://blog.orange.tw/2024/08/confusion-attacks-en.html
DEFCON 32 is over, and you can find links to the talks we found most interesting below:
- SQL Injection Isn't Dead. Smuggling Queries at the Protocol Level
- A TWO-PART SAGA: CONTINUING THE JOURNEY OF HACKING MALWARE C2S
- Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021
- Gotta Cache 'em all: Bending the rules of web cache exploitation
- NTLM: the last ride
- HookChain: a new perspective for Bypassing EDR Solutions
- sshamble: Unexpected Exposures in SSH
- MaLDAPtive LDAP Obfuscation Deobfuscation and Detection
- Iconv, set the charset to RCE: exploiting the glibc to hack the PHP engine
- Techniques for Creating Process Injection Attacks with Advanced Return-Oriented Programming
All presentations from DEFCON32: https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/
Check out our new article on Android Jetpack Navigation by our researcher @OxFi5t!
Learn how to exploit implicit deep links and hijack user sessions. A must-read for Android devs and mobile security researchers!
https://swarm.ptsecurity.com/android-jetpack-navigation-go-even-deeper/
PT SWARM
Android Jetpack Navigation: Go Even Deeper
Previous research Some time ago, my colleague discovered an interesting vulnerability in the Jetpack Navigation library, which allows someone to open any screen of the application, bypassing existing restrictions for components that are not exported and therefore…
World of SELECT-only PostgreSQL Injections: (Ab)using the filesystem
by Maksym Vatsyk
In this article, the author escalates the impact of a seemingly very restricted SQL injection to critical by recreating DELETE and UPDATE statements from scratch via direct modification of the DBMS files and data, and develops a novel technique for escalating user permissions.
Excessive server file read/write permissions can be a powerful tool in the wrong hands. There is still much to discover with this attack vector, but the author hopes you've learned something useful.
Contents:
- Introduction
- PostgreSQL storage concepts
- Updating the PostgreSQL data without UPDATE
- SELECT-only RCE
- Conclusions
- References
- Source code
http://phrack.org/issues/71/8.html#article
We've confirmed critical CVE-2024-45519 in Zimbra!
An SMTP-based vulnerability in the postjournal service allows unauthenticated attackers to inject commands as the zimbra user.
Update your software ASAP to avoid exploitation!
We're launching Positive Hack Talks! These are worldwide one-day cybersecurity meetups featuring insights from our speakers and local experts!
Bengaluru, India
Oct 11, 2024
Got something to share or want to join the event? Sign up today!
https://phtalks.ptsecurity.com/
Ptsecurity
Positive Hack Talks in São Paulo
A free, community-driven cybersecurity meetup where real hackers share what they've built, broken, and learned. No marketing, no nonsense. Brutally honest - just the way it should be.
ESET fixed CVE-2024-7400 found by our researcher Dmitriy Zuzlov!
This is an LPE that affects 13 ESET solutions and allows a low-privileged attacker to delete arbitrary files, which can be used to obtain NT AUTHORITY\SYSTEM privileges!
The advisory: https://support.eset.com/en/ca8726-local-privilege-escalation-fixed-for-vulnerability-during-detected-file-removal-in-eset-products-for-windows
ATTACKING UNIX SYSTEMS VIA CUPS, PART I
by Simone Margaritelli
A remote unauthenticated attacker can silently replace existing printers' IPP URLs (or install new ones) with a malicious one, resulting in arbitrary command execution on the computer when a print job is started from that computer.
Entry Points
- WAN / public internet: a remote attacker sends a UDP packet to port 631. No authentication whatsoever.
- LAN: a local attacker can spoof zeroconf / mDNS / DNS-SD advertisements and achieve the same code path leading to RCE.
RCE chain
- Force the target machine to connect back to our malicious IPP server.
- Return an IPP attribute string that will inject controlled PPD directives to the temporary file.
- Wait for a print job to be sent to our fake printer for the PPD directives, and therefore the command, to be executed.
Contents:
- Summary
- Intro
- What is cups-browsed?
- Stack Buffer Overflows and Race Conditions
- Back to found_cups_printer
- Internet Printing Protocol
- PostScript Printer Description
- The problematic child: foomatic-rip
- Remote Command Execution chain
- Personal Considerations
- One More Thing
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)
by Harsh Jaiswal & Rahul Maini
In this blog post, the authors analyze CVE-2024-45409, a critical vulnerability in the Ruby-SAML and OmniAuth-SAML libraries, which in turn affects GitLab.
This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled. The issue arises due to weaknesses in the verification of the digital signature used to protect SAML assertions, allowing attackers to manipulate the SAML response and bypass critical security checks.
Contents:
- Introduction
- SAML Message Verification
  - How SAML Signatures Work?
  - How digest and signature ensure integrity?
- Ruby-SAML Bypass
  - Bypassing Signature Validation
- Conclusion
https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/
Our security researcher Konstantin Polishin presented "Red Team Social Engineering 2024: Initial Access TTP and Project Experience of Our Team" at #ROOTCON18.
Recording: https://youtube.com/watch?v=6nnZJiL0Tgk
Check out our latest publication on DMA attacks via SD cards!
The article was written by our researcher Gesser.
https://swarm.ptsecurity.com/new-dog-old-tr
PT SWARM
New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader
Did I ever tell you what the definition of insanity is? Insanity is doing the exact… same ******* thing… over and over again expecting… **** to change… That. Is. Crazy. (Far Cry 3 intro) The peripheral device industry has once again sacrificed security in the…
The Positive Hack Talks in Vietnam have finished!
Slides from our researcher Arseniy Sharoglazov: https://static.ptsecurity.com/events/exch-vietnam.pdf
Wordlist: https://github.com/mohemiv/dodgypass
Includes a PoC for MyQ unauthenticated RCE (CVE-2024-28059)!
At the Positive Hack Talks in Hanoi, our blue team member naumovax shared valuable insights:
1. Architecture of an automation tool for detecting malware in the network
2. Key features you should add to your tool
3. Our refined Suricata rules
Link: https://static.ptsecurity.com/events/stratocaster-how-we-automated-the-routine-search-for-unknown-malware-in-the-network-traffic.pdf
Link to our Suricata rules: https://rules.ptsecurity.com/
Exploiting SSTI in a Modern Spring Boot Application (3.3.4)
by parzel
The article explores exploiting a Server-Side Template Injection (SSTI) vulnerability in a Spring Boot 3.3.4 application using Thymeleaf, leading to Remote Code Execution (RCE). It highlights the process of injecting malicious input to trigger Java reflection and bypass security defenses in a modern framework.
The post provides a detailed walkthrough of achieving RCE despite the robust safeguards present, emphasizing the complexity of exploiting such vulnerabilities in contemporary applications.
Contents:
- Identifying the Bug
- Facing Problems
- Bypassing the Defenses
- Developing the Exploit
https://modzero.com/en/blog/spring_boot_ssti/
Xbox 360 security in details: the long way to RGH3. Read the exclusive story about the chipless and reliable Xbox 360 modding method by 15432h.
https://swarm.ptsecurity.com/xbox-360-security-in-details-the-long-way-to-rgh3/
Our researcher a1exdandy has uncovered vulnerabilities in GD32 microcontrollers (GigaDevice) that bypass protection mechanisms, allowing memory extraction.
The article: https://swarm.ptsecurity.com/gigavulnerability-readout-protection-bypass-on-gigadevice-gd32-mcus/
The "impossible" XXE in PHP? Not so impossible anymore.
Our researcher Aleksandr Zhurnakov discovered an interesting combination of PHP wrappers and a feature of XML parsing in libxml2 to exploit it.
Read: https://swarm.ptsecurity.com/impossible-xxe-in-php/
Next.js and the corrupt middleware: the authorizing artifact
by Rachid Allam & Yasser Allam
Researchers have discovered a critical vulnerability in Next.js, a popular framework for building web applications. The flaw allows attackers to bypass middleware responsible for request processing, including authentication and path rewrites.
By adding the x-middleware-subrequest header with a specific value, an attacker can completely ignore middleware execution, gaining unauthorized access to protected resources. Additionally, the vulnerability can be exploited for denial-of-service (DoS) attacks by poisoning the cache, leading to service disruption.
Many versions of Next.js are affected, making this a widespread security concern.
Contents:
- The Next.js middleware
- The authorizing artifact: old code, 0ld treasure
  - Execution order and middlewareInfo.name
- The authorizing artifact: nostalgia has its charm, but living in the moment is better
  - /src directory
  - Max recursion depth
- Exploits
  - Authorization/Rewrite bypass
  - CSP bypass
  - DoS via Cache-Poisoning (what?)
  - Clarification
- Security Advisory - CVE-2025-29927
- Disclaimer
- Conclusion
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware