Story of how I discovered a DLL planting vulnerability in IBM Tivoli Monitoring, due to dangerous default folder permissions. Including PoC steps.

Server-Side Template Injection (SSTI) are vulnerabilities in web templating engines where attackers can inject code eventually leading to Remote-Code Execution (RCE).

I have discovered that the ASP.NET Razor templating engine can be vulnerable too when improperly used leading to execution of arbitrary code.

In a previous post we presented Windows Hello which is the solution to protect secrets and authenticate users using biometry (fingerprint, face recognition, iris…) on modern Microsoft Windows.

Biometry in the consumer world was first introduced on mobile devices, and especially Apple and Android platforms. Therefore, we will see here what they offer, and security pitfalls similar to the one highlighted in Windows Hello.

In this post I will show you how to bypass Windows Hello based authentication in some Windows desktop apps.

An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user’s account.

If you have compromised a Windows host, and cannot or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logonpasswords, or LSASS dumping), you should check out the credential delegations settings. If enabled, it allows to obtain clear-text passwords without touching the LSASS process or even without having administrator rights (limited to the current user’s password then)!

You have to use @gentilkiwi’s “kekeo” tool and its tsssp module! “mimikatz” is not even required here!

You may have deployed Splunk Universal Forwarders on your systems to forward to your SIEM, but what if they are not properly secured and could be hijacked? Attackers could leverage them to remotely execute code (RCE)!

I share two new tools to demonstrate this technique.

Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs locally an API server available on dsalocal.intel.com which resolves to 127.0.0.1. Intel website requests this API and the CORS mechanism mandates that the Origin header is added to the request so the server can verify it, and allow or deny the request.

Chrome now prompts for the Windows password before disclosing the passwords it manages: is it really more secure? Can it be bypassed?

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. However, a malicious administrator could abuse the LocalCommand instruction to start a sh shell locally after establishing the connection, and therefore obtaining an unrestricted shell.