Authored by: Ricardo Narvaja Note: This work was originally done by Cristian Rubio and Ricardo Narvaja of Core Labs on Windows Server 2008 SP1 32 and 64-bit. There are not many differences in other versions of Windows. While the basis of the SIGred bug is quite simple, it’s critical to explore exactly how this vulnerability can exploited.
Read articles from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.
Sep 17, 2020
What You Need to Know About Netlogon and Zerologon On September 11th, 2020, researchers at Secura published information on a critical vulnerability in Microsoft’s Netlogon authentication process which they dubbed “Zerologon." It is a cryptographic flaw that has a clear path to full takeover of an Active Directory domain.
Jun 8, 2020
In part four, we performed an analysis of stacks three and four with exercises on testing bad characters. In this next part, we will complete our analysis of Stack4 using IDA Free. In subsequent parts, we’ll complete ABOS exercises that delve deeper into the use of the different tools.
Mar 9, 2020
In part three, we learned how to analyze the first two exercises (stacks), using the three interactive disassemblers, IDA FREE, RADARE, and GHIDRA. In this next part, we will continue our analysis with stack three and stack four. However, before that we need to introduce the new concept of invalid or bad chars.
Feb 18, 2020
In part two of this series, we learned to solve the exercise stack1 using x64dbg, debugging tool that allows us to analyze a program by running it, tracing it, even allowing us to set breakpoints, etc.
Feb 5, 2020
Core Labs has completed an in-depth analysis of two Microsoft vulnerabilities, CVE-2019-1181 and CVE-2019-1182, which were patched in August 2019. These vulnerabilities are particularly interesting and worth further assessment because they affect OS versions ranging from Windows 7 to Windows 10 1903 (x86, x86-64 and ARM64).
Jan 20, 2020
Zeppelin is the latest member of the VegaLocker ransomware family, which also contains strains like Jamper, Storm, or Buran. Zeppelin is an example of well-organized threat actors, as those behind Zeppelin have been incredibly strategic in carefully targeting these ransomware attacks. First spotted in November 2019, Zeppelin has been targeting primarily large companies in Europe and the United States.
Jan 15, 2020
A Core Impact module was released on January 14, 2020 to exploit an as-yet unpatched patch traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway (formerly known as NetScaler ADC & NetScaler Gateway) identified as CVE-2019-19781.
Jan 7, 2020
In part one of this series, we focused on installing several tools that will be useful for reversing and exploiting security weaknesses on Windows. These tools are free to access, so anyone can use them to learn and try out the useful exercises
Dec 25, 2019
Pen testing is a dynamic process that requires practitioners to exploit an environment to expose security weaknesses. In order to do this safely and efficiently, pen testers enlist the help of different tools. This article series will focus on reversing and exploiting Windows using free and easy to get tools, such as IDA FREE, Radare, Windbg, X64dbg, or Ghidra.
Dec 9, 2019
The latest and greatest in Linux-MTD is UBI and UBIfs. It is important to keep in mind that UBI is not the same as UBIfs. These two are actually two layers in a stack. UBI UBI (unsorted block images) is an abstraction layer that rides
Dec 9, 2019
In the first series of this introduction to Linux and flash, we began with a basic lesson on flash memory. In part two, we can begin to tackle how Linux interacts with it. From this point forward, we’ll focus on NAND flash, with the following assumptions...
Dec 9, 2019
During hardware-oriented engagements, we are sometimes faced with a hardware device's firmware image. This may happen because we downloaded a firmware upgrade image to try to understand a device with a view of finding security flaws...
Oct 27, 2019
Though its origins date back to 2017, Smominru is a dangerous botnet that has been making headlines recently as it continues to spread, attacking targets in every industry. Smominru, which also operates under known variants like including Hexmen and Mykings, has infiltrated hundreds of thousands of machines, primarily attacking Windows servers. Smominru is not only resilient, it also poses a treacherous dual threat, capable of both stealing data and cryptomining.
Oct 8, 2019
There have been many stories in the news about Ryuk, a targeted and powerful piece of ransomware that has been attacking organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that any number of files have been stolen, and some of the data left behind is beyond repair.
Aug 5, 2019
In the Windows NT operating system family, svchost.exe ('Service Host) is a system process that serves or hosts multiple Windows services. It runs on multiple instances, each hosting one or more services.
Mar 6, 2019
In a previous blog post, I described how I bypassed the patch for the first fix for CVE-2018-15422. That bypass was also discovered by other researchers as well.
Nov 26, 2018
As an exploit writer, one of my tasks consists of gathering common vulnerabilities and exposures (CVE) and all of the information related to them in order to design an exploit for Core Impact. As part of this process I stumbled across CVE-2018-15422: A vulnerability in the update service of Cisco WebEx Meetings Desktop App for Windows.
Apr 16, 2018
Core Impact 18.1 release brought a ton of streamlined enhancements and new capabilities to the client-side vector in general, and phishing in particular. To be clear on terms, I consider phishing to be inducing a target to follow a link presented in an email for the purposes of capturing credentials for some system or another. Using an email to get a user to overtly run a compromised attachment or covertly execute an exploit payload falls under the broader client-side umbrella.
Dec 13, 2017
While working on the NVIDIA DxgDdiEscape Handler exploit, it became obvious that The GDI primitives approach discussed the last couple of years would be of no help to reliably exploit this vulnerability. So we came up with another solution: We could map some specially chosen virtual addresses...
Nov 13, 2017
Core Impact 2017 R1 and Metasploit Pro are tools used to create multi-staged, real-world attacks to test enterprise security defenses. Organizations need improved visibility into the the holes in their enterprise network defenses. Pen Testing tools allow an organization to evaluate their ability to detect, prevent, and respond to attacks using multi-staged, real-world attacks.
Jul 12, 2017
As part of my daily work as an Exploit Writer, I decided to take a look at CVE-2017-7308. It is a Linux Kernel vulnerability related to packet sockets. I will not go into details about the bug itself or its exploitation because there is an‚Ä¶
Jun 7, 2017
1. Introduction In this blog post, we will cover the analysis and exploitation of a simple heap buffer overflow found in SAPCAR a few weeks ago. SAP published security note #2441560 classifying the issue as "Potential Denial of Service". This post is our attempt to show
Jan 9, 2017
In November 8, 2016 Microsoft released a security update for Windows Authentication Methods (MS16-137) which included 3 CVEs: Virtual Secure Mode Information Disclosure Vulnerability CVE-2016-7220 Local Security Authority Subsystem Service Denial of Service Vulnerability CVE-2016-7237 Windows NTLM Elevation of Privilege Vulnerability CVE-2016-7238 Talking specifically about CVE-2016-7237, this‚Ä¶
Sep 26, 2016
Here’s the scenario: You’ve compromised a system but it hasn’t been logged into recently by an administrator, so you’re quite disappointed by your Mimikatz results. You’ve got local system credentials but nothing that’s on the domain except the machine account. Your mission: do something with the system that will attract the attention of someone with administrator credentials and make them log into the system WITHOUT setting off enough alarm bells to trigger a full blown incident response.