Miloš
Miloš boosted:
RedTeam Pentesting (@RedTeamPentesting)
2025-06-12

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:

blog.redteam-pentesting.de/202

2025-01-31

@fonetone hey! I believe the CVE affects both RTF emails and regular documents as well. In my proof-of-concept I provided an RTF document for simplicity's sake, as reproducing the vulnerability via e-mail would require a more complicated setup. Nevertheless, any application that parses RTF files is most likely vulnerable, as they will all use the vulnerable ole32.dll library to extract OLE object data from RTF data.

On a separate note, it is indeed confusing that Microsoft makes an effort to single out the Outlook/email use case; I imagine it is so because it's the only application they ship where the vuln could be triggered without user interaction.

Miloš boosted:
James Forshaw (@tiraniddo@infosec.exchange)
2025-01-30

The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example, every OOP COM server with IDispatch allows you to create a STDFONT object, which isn't really designed to be safely used cross-process. To demo its usefulness I then use the trick to get code injection in a Windows PPL process, from where you could open protected LSASS etc. googleprojectzero.blogspot.com

Miloš boosted:
2025-01-27

In case you wonder what broke on Windows 11 24H2, I have something for you: hshrzd.wordpress.com/2025/01/2

2025-01-27

@jaydinbas thanks! And sorry for a late reply. In theory it should be possible to trigger the vulnerability via OLE 2.0 objects. I haven't yet published the details on how the proof of concept works, but I will hopefully do it soon.

In short - as long as the application calls OleLoad (or a variant) on the object, and the object has a CLSID corresponding to StaticDib or StaticMetafile with the clipboard format in data being set to 2 (CF_BITMAP), you should be able to trigger the vuln.

2025-01-20

PoC for CVE-2025-21298 (Windows OLE RCE, CVSS 9.8): github.com/ynwarcs/CVE-2025-21

I'll publish some details about the PoC later, but the vulnerability is pretty boring, a double-free (UAF more generally) with a narrow window of time between the two operations so you'd need a miracle to exploit it.

2024-10-04

Exploiting Visual Studio via dump files - #CVE-2024-30052: ynwarcs.github.io/exploiting-v

Miloš boosted:
2024-09-05

Windows Wi-Fi Driver RCE Vulnerability - CVE-2024-30078 crowdfense.com/windows-wi-fi-d

Miloš boosted:
Trend Zero Day Initiative (@thezdi@infosec.exchange)
2024-09-04

We've updated our blog on abusing file deletes to escalate privileges. We've also released PoC to demonstrate this. The exploit offers a high degree of reliability and eliminates all race conditions. It has been tested on the latest Windows 11 Enterprise. zerodayinitiative.com/blog/202

2024-08-27

@malwaretech nice, this was pretty much my journey through the investigation too. I added a link to your analysis in the PoC repo, it's much more useful than my recap. I normally would've written a blog post too, but one of my arms is out of service for the next few weeks due to an injury and I didn't have the patience to do it at 20 wpm.

2024-08-24

I released a PoC & some details for CVE-2024-38063, an RCE vuln in tcpip.sys patched by MS last week: github.com/ynwarcs/CVE-2024-38

2024-08-17

I just released pdbconv, a program to convert PDB files between the plain old MSF format and the new MSFZ format that MS hasn't officially released yet.

It's available on github: github.com/ynwarcs/pdbconv

I also made a blog post describing the new format and what led me to write the converter: ynwarcs.github.io/pdbconv-pdb-

Miloš boosted:
2024-08-10

Nice IDA leak LOLOLOL And the server still up? No one working on Saturday morning? OLOLOLOLOLOLOLOL

Miloš boosted:
2024-08-07

CPU bugs reached a level of yikes that speculation side channels can only dream of

ghostwriteattack.com/riscvuzz.

a) Address-handling: RISCVuzz finds different bugs around virtual address handling. The vse128.v instruction on the C910 does not translate the provided virtual address to a physical address but instead interprets it directly as a physical address, giving attackers a physical write primitive (cf. Section VI). Additionally, on the C910, reading from physically-backed virtual address ‘0’ locks the CPU, requiring
Miloš boosted:
2024-07-29

Micropatches for CVE-2023-23388 were written for all affected security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1 - fully updated
Windows 10 v2004 - fully updated
Windows 10 v1909 - fully updated
Windows 10 v1809 - fully updated
Windows 10 v1803 - fully updated

Micropatches for CVE-2023-24871 were written for all affected security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1 - fully updated
Windows 10 v2004 - fully updated

We would like to thank Miloš (@ynwarcs a.k.a. goodbyeselene) for sharing their analysis, POCs, and their prompt assistance with porting POCs to 32-bit systems, which all made it possible for us to create micropatches for these issues.

2024-07-07

Well, looks like native PDB files finally (unofficially) support compression. A few recent versions of msdia140.dll implement a new MSF format that stores PDB streams in compressed "chunks". It was fairly easy to reverse the implementation, though I have some past experience with the PDB format. Takeaways:

- zstd is used for compression, looks like the open source implementation without any tweaks.
- there doesn't seem to be a way to produce the files in this format at the moment, at least it looks like the code was compiled to only provide deserialization of the new format.
- decompression of chunks is done on demand. This means the format is pretty flexible, which allows optimizing for space/speed (e.g. you can compress the entire stream in a single chunk and get the best compression ratio, but that means the entire stream has to be decompressed at runtime).

I'm gonna write up a converter with some simple compression strategies to see how the new format fares in practice, but that's probably going to take a few days. Hopefully MS comes out with something official soon.

Miloš boosted:
2024-07-01

Qualys does it again!

#regreSSHion: #RCE in #OpenSSH's server, on glibc-based #Linux systems
(CVE-2024-6387)

qualys.com/2024/07/01/cve-2024

2024-06-26

@AlesandroOrtiz wow, very similar to the famous path of exile bug: pathofexile.com/forum/view-thr

You could probably track it down via RenderDoc; on first look it looks like garbage UV data being passed to the GPU, but it could be a lot of different things.

2024-06-25

The files are available somewhere on /r/reverseengineering (you don't need to look too hard). There's no source code, but there are unobfuscated static libraries with debug symbols, which is the next best thing obviously.

Security Explorations has done an immense job of researching PlayReady & Warbird in the past (security-explorations.com/micr), so it's no wonder that they were the ones to spot the leak.

2024-06-25

Is there anything worse that could happen to a commercial obfuscator than getting its (almost) source code leaked?

Microsoft leak of PlayReady developer / Warbird libs:
seclists.org/fulldisclosure/20
