I share with you my discoveries around pentesting and security research.

NTLM relay of ADWS (WCF) connections with Impacket


The NTLM relay feature of Impacket’s ntlmrelayx.py used to offer only two servers, HTTP and SMB, to accept incoming NTLM-authenticated connections over those two protocols, which could then be relayed to more protocols: HTTP, SMB, LDAP, SMTP, etc. I had a situation where the incoming NTLM-authenticated connection used ADWS (built upon the WCF NetTcpBinding), so I implemented this new server protocol in Impacket 😉


CVE-2020-7315 McAfee Agent DLL injection


DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee password.


"Twitter likes" Python tool


This small Python 3 project fetches from the Twitter API all the tweets you (or even another account) liked, saves them (for backup) and displays them as a nice HTML page.


"Google Drive uploader" Python tool


This Python 3 script archives a local folder as a ZIP file and uploads it to a Google Drive folder. It makes it easy to back up a folder from a server, for example.


CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 2/2


Second part of the article about CVE-2019-1172, where we deep-dive through reverse engineering to finally understand how it works and discover the cause of the vulnerability. We also review the patch via binary diffing.


CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 1/2


CVE-2019-1172 is the first vulnerability I discovered in Windows. It allows the disclosure of an Azure AD personal account auth token to malicious websites when using the recommended browser extension.
The vulnerability lies in an incorrect check of the origin of a web request: “login.live.com” is the only authorized host, however “login.live.com.example.com” (under the control of “example.com”) is also accepted!

This is a classic and unimpressive issue. But in this post, I will explain how I discovered it and I think the journey is more interesting than the end result here. I will also give details about the vulnerability and share a PoC.
Also, it may look easy once finished and summarized in an article, but note that I discovered almost everything on the fly! So can you 😉


CVE-2020-4311 IBM Tivoli Monitoring weak folder permissions


The default folder permissions of an ITM Windows installation allow non-privileged access, which could enable exploits such as DLL planting.


Server-Side Template Injection (SSTI) in ASP.NET Razor


Server-Side Template Injection (SSTI) vulnerabilities affect web templating engines: attackers can inject code into a template, eventually leading to Remote Code Execution (RCE).

I have discovered that the ASP.NET Razor templating engine can be vulnerable too when improperly used, leading to execution of arbitrary code.


Security pitfalls in authenticating users and protecting secrets with biometry on mobile devices (Apple & Android)


In a previous post we presented Windows Hello, which is the solution to protect secrets and authenticate users using biometry (fingerprint, face recognition, iris…) on modern Microsoft Windows.

Biometry in the consumer world was first introduced on mobile devices, especially the Apple and Android platforms. Therefore, we will see here what they offer, and security pitfalls similar to the one highlighted for Windows Hello.


When Windows Hello fails at securely authenticating users and protecting credentials


In this post I will show you how to bypass Windows Hello-based authentication in some Windows desktop apps.
