Found 15 bookmarks
Custom sorting
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
A few months ago, I stumbled upon a 24 years old buffer overflow in the glibc, the base library for linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets lead mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.
·ambionics.io·
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
XZ Utils backdoor
XZ Utils backdoor
This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024. The Git repositories of XZ projects are on git.tukaani.org. xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.
·tukaani.org·
XZ Utils backdoor
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.
·pwning.tech·
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
  • Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published. Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ. Analysis of the actor’s recent Ivanti Connect Secure VPN campaign revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer. * The actor’s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.
·research.checkpoint.com·
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities