Nicolas Zilio (@big5_sec)'s Twitter Profile
Nicolas Zilio

@big5_sec

Another guy trying to bring a little to infosec community. All tweets are my own.

ID: 866900929714556928

Website: https://big5-sec.github.io/
Joined: 23-05-2017 06:17:42

715 Tweets

422 Followers

180 Following

Thomas Rinsma (@thomasrinsma):

Just released the write-up for CVE-2024-4367, a bug I found recently in PDF.js (and hence in Firefox), resulting in arbitrary JavaScript execution when opening a malicious PDF. codeanlabs.com/blog/research/…

Horizon3 Attack Team (@horizon3attack):

Our deep-dive, IOCs, and exploit for CVE-2023-34992, an unauth command injection as root, affecting #Fortinet #FortiSIEM appliances. horizon3.ai/attack-researc…

Nathan Blondel (@slowerzs):

I wrote a blog post on injecting code into a PPL process on Windows 11, without abusing any vulnerable driver. blog.slowerzs.net/posts/pplsyste…

Synacktiv (@synacktiv):

Last week, Microsoft released a patch for CVE-2024-26238, a Windows 10 LPE reported by Guillaume André. You can read the advisory here: synacktiv.com/advisories/win…

ENKI WhiteHat (@enki_official_x):

Our research team wrote an article with a detailed analysis of Safari RCE (CVE-2023-37450). Check it out! medium.com/@enki-techblog…… #safari #rce #cve202337450 #enki #whitehat

Connor McGarr (@33y0re):

Recently I was writing up a blog about Secure Kernel and NT working together to initialize Kernel CFG. I realized there were a lot of concepts in SK I was unfamiliar with. Because of this I wrote a post on one of those topics - Secure Image Objects. Enjoy! connormcgarr.github.io/secure-images/

Mykola Grymalyuk (@khronokernel):

A second blog less than a week after? Well guess so! This time with CVE-2024-27822: macOS PackageKit Privilege Escalation through ZSH env files: khronokernel.com/macos/2024/06/…

James Forshaw (@tiraniddo):

Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder. tiraniddo.dev/2024/06/workin…

Ezrak1e (@ezrak1e):

A funny story about a vulnerability I found last year. It was fixed in February this year, probably CVE-2024-21371. The interesting point is that I discovered it and completed the exploit based on a piece of source code disclosed in the high-quality documentation report of msrc🤣

Artem I. Baranov 🐦 (@artem_i_baranov):

Curious what Windows Internals tricks rootkits have leveraged throughout their history to achieve the necessary goals of concealing malicious activities, I've published a pdf with a breakdown of these tricks. It covers the following rootkit families. artemonsecurity.blogspot.com/2024/06/window…

Horizon3 Attack Team (@horizon3attack):

Our latest post by one of our recent team additions, Luke Harding, revisits CVE-2023-48788 - a SQL injection for #Fortinet #FortiClient EMS. He details exploitation obstacles and payload crafting between the two mainline versions of the software. horizon3.ai/attack-researc…

0patch (@0patch):

As Microsoft is deprecating NTLM, we know many organizations can't just stop using this protocol. We have security patches that block exploitation of known NTLM-related vulnerabilities such as PetitPotam, PrinterBug and DFSCoerce; more are in the works. techcommunity.microsoft.com/t5/windows-ser…

Piotr Bazydło (@chudypb):

My OffensiveCon 2024 talk about Exchange PowerShell Remoting is available. Includes a chain of 3 vulns to RCE (file write + file read + DLL load). youtu.be/AxNO2iA2fAg?si…

fidgeting bits (@fidgetingbits):

Just published some notes about porting a Redis exploit to work on the musl mallocng heap: research.nccgroup.com/2024/06/11/pum…

Ruikai (@retr0reg):

This is a blog about how I exploited Tenda AC8's 0day remote overflow into RCE via mipsel ROPing with multi-regs. It includes experience I learned from 2 weeks of gdb-multiarch-ing, mipsrop-ing, QEMU-ing, IDA-ing, ifconfig-ing from scratch to CVE. 0reg.dev/blog/tenda-ac8…