Breaking

All your parcel are belong to us – Talk at Troopers 2023

At Troopers 2023 we gave a talk on how DHL parcel tracking information can be attacked using OSINT. Since we had previously gone through an exemplary disclosure process with DHL for this attack, Mr. Kiehne (DHL) joined us on stage to provide background information and insights into how they addressed our findings.

Misc

The DRACO Stream Cipher

In symmetric-key cryptography, we typically distinguish two types of encryption schemes: block ciphers and stream ciphers. Block ciphers divide a plaintext into blocks of a fixed size (e.g., 64 or 128 bits) and encrypt each such block as a whole. Stream ciphers, on the other hand, treat the plaintext as a continuous stream of data. A stream cipher maintains an internal state; at each step it outputs one or more keystream bits and then updates that state. The keystream is combined with the plaintext, usually by XOR, and decryption applies the same XOR again. This only works as long as the keystream is unpredictable and never reused: encrypting two messages under the same key and IV lets an attacker XOR the ciphertexts and obtain the XOR of the plaintexts without knowing the key. One advantage of stream ciphers is that in many application scenarios their resource requirements are lower than those of block ciphers. This makes them particularly useful in lightweight cryptography targeting resource-constrained devices such as low-cost RFID tags.
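
To make the state/output/update loop concrete, here is a toy stream cipher added to this summary in Python. It is not DRACO and not code from the post: the 16-bit LFSR with the feedback taps of x^16 + x^14 + x^13 + x^11 + 1, the small nonlinear output filter, the initialization phase that discards the first 64 bits and the key/IV loading by XOR are all illustrative choices of this example, picked to be readable rather than secure. It also demonstrates the keystream-reuse failure mode mentioned above: two ciphertexts produced under the same key and IV XOR to the XOR of their plaintexts.

```python
# Added example for this summary: a toy stream cipher, NOT DRACO and not a
# secure design. It only shows the mechanics described above: an internal
# state, one output bit per step, a state update, and XOR with the plaintext.

LFSR_BITS = 16


def _clock(state: int) -> int:
    """One step of a 16-bit Fibonacci LFSR.

    Taps 16, 14, 13, 11 (feedback polynomial x^16 + x^14 + x^13 + x^11 + 1)
    give the maximal period of 2^16 - 1 for any nonzero state.
    """
    feedback = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (feedback << (LFSR_BITS - 1))


def _bit(state: int, i: int) -> int:
    return (state >> i) & 1


def _filter(state: int) -> int:
    """Nonlinear output filter (illustrative choice).

    A purely linear output function would let Berlekamp-Massey recover the
    whole register from 2 * LFSR_BITS keystream bits; real designs use a
    nonlinear filter and/or a nonlinear feedback register for that reason.
    """
    return _bit(state, 0) ^ (_bit(state, 3) & _bit(state, 7)) ^ (
        _bit(state, 9) & _bit(state, 12) & _bit(state, 14)
    )


class ToyStreamCipher:
    """Keystream generator with a 16-bit key and a 16-bit IV (toy sizes)."""

    INIT_ROUNDS = 64  # clocks whose output is discarded during initialization

    def __init__(self, key: int, iv: int) -> None:
        if not (0 <= key < 1 << LFSR_BITS and 0 <= iv < 1 << LFSR_BITS):
            raise ValueError("key and IV must be 16-bit values in this toy")
        # Loading key XOR IV is an illustrative shortcut; real designs such as
        # Grain load key and IV into separate registers.
        state = key ^ iv
        if state == 0:
            # An all-zero LFSR state never changes and would output zeros forever.
            raise ValueError("key XOR IV must not be zero")
        for _ in range(self.INIT_ROUNDS):
            state = _clock(state)
        self.state = state

    def next_bit(self) -> int:
        """Output one keystream bit, then update the state."""
        out = _filter(self.state)
        self.state = _clock(self.state)
        return out

    def next_byte(self) -> int:
        byte = 0
        for i in range(8):
            byte |= self.next_bit() << i
        return byte

    def keystream(self, n: int) -> bytes:
        return bytes(self.next_byte() for _ in range(n))


def encrypt(key: int, iv: int, data: bytes) -> bytes:
    """XOR the data with the keystream derived from (key, iv)."""
    ks = ToyStreamCipher(key, iv).keystream(len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


# XOR is an involution, so decryption is the same operation as encryption.
decrypt = encrypt


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an attacker learns from two ciphertexts under the same (key, iv):
    the keystream cancels and the result is plaintext1 XOR plaintext2,
    obtained without any knowledge of the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    key, iv = 0xBEEF, 0x1234
    ct = encrypt(key, iv, b"attack at dawn")
    print(ct.hex(), decrypt(key, iv, ct))
    c1 = encrypt(key, iv, b"hello world")
    c2 = encrypt(key, iv, b"kobe, japan")
    # Same key and IV twice: this equals b"hello world" XOR b"kobe, japan".
    print(keystream_reuse_leak(c1, c2).hex())
```

The round trip works because the keystream depends only on (key, IV), which is exactly why the IV must be unique per message: the last two lines recover the XOR of two plaintexts from ciphertexts alone.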

In this blog post, we provide an overview of current developments in this area and introduce our new lightweight stream cipher DRACO, which was developed in cooperation with the Universität Mannheim (Alexander Moch, Matthias Krause) and the Universität Siegen (Vasily Mikhalev) and has recently been presented at FSE 2023 in Kobe, Japan.

Breaking

Jasper Reports Library Code Injection

During the past year we had several projects in which the target application used Jasper Reports in some way. In a few of these cases we found an API that rendered a template, together with some arguments, into a PDF file using the Jasper Reports Java library. Because of the way the library's expression mechanism works (the expressions in a template are Java code that is compiled with the report and executed when it is filled), this endpoint allowed us to inject Java code and gain remote code execution on the target systems.

In this blog post we want to provide an overview of the Jasper Reports Java library from a security perspective, especially with regard to expression injection attacks.

TL;DR: if you come across an API that lets you freely define a Jasper Reports template, you very likely have code execution. Or, put differently: never let Jasper Reports templates be user or attacker controlled.

Misc

AD /Azure Security Track on Troopers 23

Hi!

We’re excited to announce the nearly complete line-up of the Active Directory & Azure Security Track at Troopers 23, with fantastic speakers!

Here we go:

Dumping NTHashes from Azure AD
(Nestori Syynimaa)

Hidden Pathways: Exploring the Anatomy of ACL-Based Active Directory Attacks and Building Strong Defenses
(Jonas Bülow Knudsen, Alexander Schmitt)

Priority for Effective Action – A Practical Model for quantifying the Risk of Active Directory Attacks
(Mars Cheng, Dexter Chen)

(Windows) Hello from the other side
(Dirk-jan Mollema)

The Power of Coercion Techniques in Windows Environments
(Martin Grottenthaler)


Stay tuned for regularly updated information about the Troopers 23 conference.


Cheers,

Friedwart.

Misc

Hack In The Box Security Conference 2023 @ Amsterdam – Summary

In this blog post, we are sharing summaries of talks from the Hack in the Box Conference in Amsterdam (HITBSecConf2023), the final HITB conference in Amsterdam. Before we do that, however, we would like to extend a heartfelt thank you to the organizers of the conference for putting together such an insightful and engaging event.

Misc

Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal

Hey there,

I am going to disclose two bug classes I found a while ago in CheckPoint R77.30: two pre-auth buffer overflows, in the username (no shit) and in the HTTP method of a request to the administrative UI, and some interesting injections into the TCL web interface.

Breaking

Some experiments with Process Hollowing

Process Hollowing is a technique used by various malware families (such as FormBook, TrickBot and Agent Tesla) to hide their malicious code inside a benign-looking process. The typical workflow for setting up such a hollowed process is as follows:

  1. Create a new process (victim) using a benign executable, in suspended state.
  2. Unmap the executable from that process.
  3. Allocate memory for the malicious executable at the address of the previously mapped victim executable.
  4. Write the malicious executable to the new memory area and potentially apply relocations.
  5. Adjust the entry point.
  6. Resume process.

We will refer to this as the “normal” Process Hollowing workflow. There are also variants of this technique, one of which does not unmap the original executable and instead allocates the new memory somewhere else. We will call this one no-unmap. But wait: why does malware not simply overwrite the existing executable in place, rather than creating a new memory area that stands out because of its characteristics (private, executable, not backed by a file)? In this blog post we take a closer look at this overwrite approach as well as the no-unmap method, at their effects on analysis and detection tools, and at some tricks that make detection harder. We are also releasing proof-of-concept implementations of all mentioned tools and plugins (the links are at the end of this post).
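
As an added illustration of why the “normal” and no-unmap variants are easy to spot from the memory layout while an in-place overwrite is not, here is a small detector written in Python for this summary; it is not one of the PoC tools or plugins released with the post. It works on a simplified, hand-constructed model of a process (PEB image base, primary-thread entry point, and a VAD-like list of regions with their protection and backing file); the region lists, addresses and paths are constructed sample data, and the finding names are this example's own.

```python
# Added example, not code from the post: memory-layout heuristics in the spirit
# of malfind/hollowfind-style plugins, run over constructed process snapshots.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str   # Windows page protection name, e.g. "PAGE_EXECUTE_READ"
    kind: str      # "image" (section backed by an executable), "mapped" or "private"
    path: str = "" # backing file for image/mapped regions

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class ProcessSnapshot:
    name: str
    peb_image_base: int  # ImageBaseAddress as recorded in the PEB
    entry_point: int     # where the primary thread starts executing
    regions: list[Region] = field(default_factory=list)


def region_containing(regions: list[Region], addr: int) -> Region | None:
    for r in regions:
        if r.contains(addr):
            return r
    return None


def analyze(snap: ProcessSnapshot) -> list[str]:
    """Flag layout anomalies typical of hollowed processes.

    IMAGE_BASE_UNMAPPED  - the PEB image base points into unmapped memory
    IMAGE_BASE_NOT_IMAGE - the image base is backed by private memory, not an image section
    PRIVATE_EXEC@<addr>  - a private, executable region (injected code)
    ENTRY_OUTSIDE_IMAGE  - the thread entry point lies outside an image mapping
    """
    findings: list[str] = []
    base = region_containing(snap.regions, snap.peb_image_base)
    if base is None:
        findings.append("IMAGE_BASE_UNMAPPED")
    elif base.kind != "image":
        findings.append("IMAGE_BASE_NOT_IMAGE")
    for r in snap.regions:
        if r.kind == "private" and "EXECUTE" in r.protect:
            findings.append(f"PRIVATE_EXEC@{r.base:#x}")
    entry = region_containing(snap.regions, snap.entry_point)
    if entry is None or entry.kind != "image":
        findings.append("ENTRY_OUTSIDE_IMAGE")
    return findings


# Constructed sample data (assumed addresses and paths, not real dumps).
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
NTDLL = "C:\\Windows\\System32\\ntdll.dll"


def _common_regions() -> list[Region]:
    return [
        Region(0x7FF800000000, 0x1F0000, "PAGE_EXECUTE_READ", "image", NTDLL),
        Region(0x600000, 0x100000, "PAGE_READWRITE", "private"),  # heap
    ]


# Clean process: image-backed region at the image base, entry point inside it.
BENIGN = ProcessSnapshot("svchost.exe (clean)", 0x400000, 0x401500,
    [Region(0x400000, 0x20000, "PAGE_EXECUTE_WRITECOPY", "image", SVCHOST)] + _common_regions())

# "Normal" hollowing: image unmapped, private RWX memory allocated at the same base.
CLASSIC = ProcessSnapshot("svchost.exe (unmap + allocate)", 0x400000, 0x401000,
    [Region(0x400000, 0x30000, "PAGE_EXECUTE_READWRITE", "private")] + _common_regions())

# no-unmap: original image stays, payload lives in a private region elsewhere.
NO_UNMAP = ProcessSnapshot("svchost.exe (no-unmap)", 0x400000, 0x7001000,
    [Region(0x400000, 0x20000, "PAGE_EXECUTE_WRITECOPY", "image", SVCHOST),
     Region(0x7000000, 0x30000, "PAGE_EXECUTE_READWRITE", "private")] + _common_regions())

# Overwrite in place: the region is still an image mapping of svchost.exe, so
# these layout checks stay silent; only comparing memory with the file on disk
# (or the section's original pages) would reveal the replaced code.
OVERWRITE = ProcessSnapshot("svchost.exe (overwrite in place)", 0x400000, 0x401000,
    [Region(0x400000, 0x20000, "PAGE_EXECUTE_WRITECOPY", "image", SVCHOST)] + _common_regions())


if __name__ == "__main__":
    for snap in (BENIGN, CLASSIC, NO_UNMAP, OVERWRITE):
        print(f"{snap.name}: {analyze(snap) or 'no findings'}")
```

The point of the fourth snapshot is the one the post raises: as long as the malware keeps the original image mapping and writes over it, VAD-level heuristics see a normal-looking process, which is why detection has to compare memory contents against the backing file instead.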

Misc

Spymax: The android RAT and it works like that….

Spymax is a mobile Remote Administration Tool (RAT) that lets an attacker control victims’ devices through Android malware. Once the malware is installed on a phone, the attacker can carry out a wide range of attacks that severely affect the confidentiality and integrity of the victim’s data, as well as the victim’s privacy. It is powerful, widely available, and does not require root privileges on the victim’s device. In this blog post, I show the capabilities of this RAT and analyze how its Android malware works.

Misc

Whitepaper Endpoint Management & Monitoring Solutions Released

Over the course of the last two years we performed vulnerability research on several Endpoint Management & Monitoring Solutions. Parts of the results have already been published as security advisories on this blog during that time. The advisories can be found here:

We also recently presented the results at Troopers 2022. Now the results have been published in more depth in the form of a technical whitepaper. The whitepaper can be found here.
