When BurpSuite Lies

When Burp LIES. On a recent red team I was testing a weird app with some complex routing going on, and I noticed some odd behavior in Burp. The app sat behind a case-sensitive front end (an AWS load balancer or similar), and certain endpoints were routed to case-insensitive back-end apps such as IIS. This matters because I was fuzzing pretty hard and passing ffuf results into Burp with -replay-proxy. After fuzzing for a while, I went back to the Site map tab in Burp to look for interesting requests, and for some reason I couldn’t find the application’s landing page anymore.

Gandalf LLM / Prompt Injection

Gandalf A few months ago someone sent me the “Gandalf” prompt injection challenge and I finally sat down to go through it. Complete with creepy AI-generated “Gandalfs” (??), it’s an accessible CTF that people can even do from their phones… in bed… like me. I found this to be exceptionally fun because the techniques are novel and people arrive at their own, often unique, solutions in a variety of ways. To help get the creative juices flowing I read a few blog posts about prompt injection and went from there.

Asus Download Master - Part 2: Command Injections, BoFs

Download Master, pt 2 Alright, so here are the fun ones: command injections and buffer overflows. Command Injections - CVE-2024-31162 URL path parameters are not sanitized prior to their inclusion in system() calls, so authenticated users can perform command injection attacks. The following action_mode values lead to unsafe system() calls via the listed parameters:
    DM_ED2K_ADD: ED2K_SERVER_IP and ED2K_SERVER_PORT
    DM_ED2K_REM: ED2K_SERVER_IP and ED2K_SERVER_PORT
    DM_ED2K_CON: ED2K_SERVER_IP and ED2K_SERVER_PORT
    DM_LANG
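To make the bug class concrete, here is an added C illustration that is not the vendor's code and not from the original post: a handler that pastes the ED2K_SERVER_IP and ED2K_SERVER_PORT parameters into a system() command line, next to a hardened version that validates both values and exec's a helper directly with an argv array so no shell ever parses them. The helper path ED2K_TOOL and the attacker input are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper binary; the real Download Master tool is not named here. */
#define ED2K_TOOL "/opt/bin/ed2k_ctl"

/* VULNERABLE pattern (illustration only): request parameters are interpolated
 * into a command string that a real handler would hand to system(), so ";",
 * "|", "`" or "$(" inside ED2K_SERVER_IP / ED2K_SERVER_PORT become extra
 * commands for /bin/sh. Returns the string system() would receive. */
const char *build_vulnerable_cmd(const char *ip, const char *port) {
    static char cmd[256];                      /* static: not thread safe, demo only */
    int len = snprintf(cmd, sizeof cmd, ED2K_TOOL " add %s %s", ip, port);
    if (len < 0 || (size_t)len >= sizeof cmd) return NULL;
    return cmd;                                /* real code: system(cmd); */
}

/* Hardened: accept only a dotted-quad IPv4 address. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened: accept only a bare decimal port in 1..65535, nothing trailing. */
int valid_port(const char *s, unsigned *out) {
    char *end;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535) return 0;
    if (out) *out = (unsigned)v;
    return 1;
}

/* Hardened handler: validate, then execv the helper with an argv array.
 * No shell is involved, so metacharacters are just bytes in an argument.
 * Returns -1 without executing anything if validation fails; otherwise the
 * child's exit status, or -1 on fork/exec failure. */
int run_ed2k_add_hardened(const char *ip, const char *port) {
    unsigned p;
    if (!valid_ipv4(ip) || !valid_port(port, &p)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { ED2K_TOOL, "add", (char *)ip, (char *)port, NULL };
        execv(argv[0], argv);
        _exit(127);                            /* execv only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed attacker input: a plausible IP followed by an injected command. */
    const char *evil_ip = "10.0.0.1; reboot";
    printf("vulnerable system() string: %s\n", build_vulnerable_cmd(evil_ip, "4661"));
    printf("hardened handler: %d (rejected, nothing executed)\n",
           run_ed2k_add_hardened(evil_ip, "4661"));
    return 0;
}
```

The validation is the important half: even with execv, a value like "4661 -x" would still reach the helper as an argument, so each parameter is checked against the narrow shape it is supposed to have before anything runs.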

Asus Download Master - Part 1: XSS, Uploads

Asus, the gift that keeps on giving (CVEs) something something a CVE horse in the mouth Remember back in the early 2000s, when download managers were all the rage? Well, it turns out that in 2024 Asus still has a product, aptly named “Download Master”. This “app” installs to a USB device on your router. As it turns out, it’s actually a full-on Linux environment running BusyBox… installed onto your USB stick, lol.

Msbuild'ing Unsafe Tasks - Pt. 2

Unsafe Inline MSBuild Tasks - Part 2 I wrote a post recently about a technique leveraging System.Reflection to pass CLI arguments into csc.exe when compiling MSBuild inline tasks. This isn’t my research, but uses a technique that seems to have been discovered (? idk) by the Social Engineering Toolkit (SET) guys. The goal of this technique is to allow the `unsafe` keyword to be used when building C# inline MSBuild tasks via XML.

Msbuild'ing Unsafe Tasks

MSBuild’ing unsafe inline tasks Recently, while doing a bit of research, I came across a few blockers (classic). The basic problem seemed like it should be fairly simple (also classic), and yet I googled fruitlessly. Reading innumerable Stack Overflow answers assured me the problem was simple! I must be the fool; how could so many accepted answers to what seemed to be my exact issue be mistaken? My question boiled down to this:

DLL Hijacks in Windows Contacts

WAB! Recently, when looking for some bugs to leverage while red teaming, I found that the following Windows binaries load several libraries from the application directory. Note that these files are also digitally signed by Microsoft.
    C:\Program Files\Windows Mail\wabmig.exe
    C:\Program Files\Windows Mail\wab.exe
Attackers can leverage this behavior to perform DLL hijacking / proxying attacks and obtain code execution on a target system, establish persistence and/or distribute malware. Sigcheck output: PS C:\Program Files\Windows Mail> sigcheck .

MS Teams SSRF - $$ Bug Bounty :)

Teams SSRF While on vacation in December, I was digging around MS services for bugs and discovered several SSRFs in MS cloud services. One of them earned me a $5000 USD bounty, presumably because it targeted Teams and disclosed user authentication tokens to external services. Hell yeah! It was a pretty simple bug, and now that it’s patched and sufficient time has passed, MS gave me the green light to publish.

Info Leak / DoS Conditions in Asus Advanced OpenVPN

Asus, back at it again with the format strings - CVE-2023-41349 Last year I came across some weird format string issues in Asus’s “Advanced OpenVPN Configuration” functionality. I sent the bugs to Asus for a fix on 2023/05/15, around the same time I submitted a few other exploitable DoS conditions. I never heard back about the CVE assignment and only remembered today, nearly a year later. Anyway, here are the details. These ones are pretty funny because they not only DoS’d the VPN service, they straight up power cycled the device LOL.

External Recon, Discovery Notes

Had a few questions lately at work about recon: what it looks like, how people do “discovery”, and what that entails. There are some awesome posts like this one and this one which have great resources, so I usually send these over to people along with various tips and tricks. Through the years, though, some of my favorite resources haven’t stood the test of time and now 404 or time out. So, I’ll now add to the information vacuum.