CoreLabs Articles

Read articles from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.


Jan 9, 2017
In November 8, 2016 Microsoft released a security update for Windows Authentication Methods (MS16-137) which included 3 CVEs: Virtual Secure Mode Information Disclosure Vulnerability CVE-2016-7220 Local Security Authority Subsystem Service Denial of Service Vulnerability CVE-2016-7237 Windows NTLM Elevation of Privilege Vulnerability CVE-2016-7238 Talking specifically about CVE-2016-7237, this…
Sep 26, 2016
Here’s the scenario: You’ve compromised a system but it hasn’t been logged into recently by an administrator, so you’re quite disappointed by your Mimikatz results. You’ve got local system credentials but nothing that’s on the domain except the machine account. Your mission: do something with the system that will attract the attention of someone with administrator credentials and make them log into the system WITHOUT setting off enough alarm bells to trigger a full blown incident response.
Sep 19, 2016
What if I told you that in most networks these days, you don’t have to bother with cracking the passwords? With most networks with Active Directory, you can use the stored hash obtained via Mimikatz or a WPAD attack to authenticate. How, you may ask? It’s because of the wondrous bit of mis-engineering that is the Windows NT Login Challenge and Response. I’m going to dive into this a bit, so that we understand just what it is that we’re exploiting.
Aug 24, 2016
Continuing with my Getting Physical blog posts series (CanSec2016’s presentation), in this third episode I’m going to talk about how Windows Paging is related to the HAL's heap and how it can be abused by kernel exploits. This is probably the simplest way of abusing Windows paging structures, because deep knowledge about how Intel paging works is not necessary to implement the attack.
Aug 22, 2016
Dropped USB flash drives are still effective means for getting into networks. The goal of this post is to give you a bit of a hands on lab and show you some tricks for actually conducting USB drop attacks, including how to prepare the payload using Core Impact. USB drop attacks are a bit of a performance art form. You need to build an enticing story that’ll make the discoverers of the drop, whom I will refer to as ‘The Marks’, curious enough to override common sense and plug in the stick to figure out what’s on it.
Jun 20, 2016
Continuing with the previous Getting Physical blog posts series (CanSec2016's presentation), this time I'm going to talk about what paging implementation has been chosen by Windows and how it works. At the same time and according to Alex Ionescu's blog post, it's interesting to see that Microsoft has...
Jun 16, 2016
Hi, After Enrique Elias Nissim (@kiqueNissim) and I presented "Getting Physical: Extreme abuse of Intel based Paging Systems" at CanSecWest2016 (slides here), I decided to write a series of blog posts explaining in detail what we presented and show what we couldn't in a full time talk (50 minutes of presentation is a lot but not in this case !).
Apr 24, 2016
In October 13, 2015 Microsoft published security bulletin MS15-106, addressing multiple vulnerabilities in Internet Explorer. Zero Day Initiative published advisory ZDI-15-521 for one of those vulnerabilities affecting IE...
Sep 27, 2015
Every once in a while I get to work on something special, something that leaves me with the keys to open new doors. Introduction: Not long ago I came across a certain font related vulnerability, it was a 0day being exploited in the wild...
Sep 16, 2015
On August 11, 2015 Microsoft released 14 security fixes, including an SMB Server fix. In this post I'll explain how I triggered the SMB Server bug. Microsoft Security Bulletin MS15-083: Of all the available patches...
May 17, 2015
Windows has been around a long time. After years of evolving from one version to another, it is rare to find vulnerabilities that allow remote code execution from Windows XP to Windows 8.1 (32 and 64-bit)...
Mar 24, 2015
At the beginning of March we published a blog post analyzing CVE-2015-0311, a Use-After-Free vulnerability in Adobe Flash Player, and we outlined how to exploit it on Windows 7 SP1 machines...
Mar 3, 2015
At the end of January, Adobe published the security bulletin APSA15-01 for Flash Player, which fixes a critical use-after-free vulnerability affecting Adobe Flash Player and earlier versions. This vulnerability, identified as CVE-2015-0311, allows attackers to execute arbitrary code...
Dec 8, 2014
A few weeks ago a critical vulnerability (MS14-068) affecting Windows environments was published by Microsoft (credited to Tom Maddock and team). Specifically, the vulnerability affects Kerberos. [The vulnerability will] allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.
Dec 15, 2010
Oftentimes after using Network Information Gathering, we are still left with a number of devices that may reflect an "Unknown" OS. With the saturation of these devices in the market today, there is a good chance there may be some located on your network. By identifying these devices we can also potentially expand our attack surface and gain other useful information. So, where do we start? We may as well create a new search folder so that only the machines that reflect "unknown" under the OS column can be viewed.
Aug 10, 2009
Alfredo Ortega and Anibal Sacco presented their findings in Absolute Software’s Computrace “persistent agent” as part of their ongoing research on BIOS rootkits at Black Hat USA 2009. Before I dig into some technicalities of the findings of Alfredo and Anibal, let me dispel any doubts about the disclosure process that we followed. The vendor was made aware of the report and upcoming presentation several weeks prior to Black Hat by at least three separate sources.
Dec 27, 2006
In our last installment, I gave you a final hunk of code with several function calls and decided to let you stew for a week before revealing what was going on under the hood. Well, you’ve stewed for a week, so let’s review.
Dec 20, 2006
Last week, we discussed exactly what we’ll be building and got some of the boilerplate done along the way. I’m sure that you dug into the modules that I strongly hinted that you take a look at for inspiration. To review, this module will need to:
Dec 13, 2006
In this installment, we’ll start diving into the anatomy of an Impact module where you'll get the opportunity to absorb some of the features and implications before we dive into building something real and useful. In the course of conducting penetration tests, we often come across password hashes of various types. We can sometimes use these without cracking them, but, it is often useful and necessary to crack those hashes. Why? You may ask.