In late September I reported an unauthenticated SSRF I’d found on Office.net to MSRC, only to receive a response that said I had included no reproduction steps, and therefore the report was invalid and would be closed.
Obviously, the report had reproduction steps. So I replied, directing them to the report (which included reproduction steps), and was met with the same response. The report was closed, and I was pretty miffed.
A smart catbox… sorta

Recently, I have been getting into building stuff, and I've had the idea for a while to add some sort of air filter to one of my cats' litter boxes. Why buy a smart box when you can make one? They're both quite large, and one cat is particularly messy, so this was a fun project to help keep them healthy and happy, and cut down on mess and stank.
When Burp LIES.

On a recent red team I was testing a weird app with some complex routing crap happening, and I noticed some odd behavior in Burp. The app was load balanced by a case-sensitive front-end, a la AWS LB etc., and certain endpoints were being routed to case-insensitive apps, a la IIS. This matters as I was fuzzing pretty hard and passing ffuf results to Burp with --replay-proxy. After fuzzing for a while, I went back to my sitemap tab in Burp to look for interesting requests, and for some reason I couldn't find the application's landing page anymore.
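The routing mismatch described above (case-sensitive front end, case-insensitive backend) is easy to miss in a pile of fuzz output. The following is an added example, not code from the original post: it generates case variants of a path to feed back into the fuzzer, then groups results by case-folded path and reports which ones a backend answered identically regardless of case. The sample results are constructed, and the set of variants generated is an assumption (original, lower, upper, swapcase, segment-capitalised).

```python
"""Added example (not code from the original post): sort fuzzing output into
paths that a case-insensitive backend answered regardless of case and paths
that a case-sensitive front end only knows in one spelling. The results below
are constructed, not real traffic."""

from collections import defaultdict


def case_variants(path):
    """Case variants of a path worth feeding back into the fuzzer (assumed set:
    original, lower, upper, swapcase, and each segment capitalised)."""
    segments = path.split("/")
    capitalised = "/".join(seg[:1].upper() + seg[1:] for seg in segments)
    return sorted({path, path.lower(), path.upper(), path.swapcase(), capitalised})


def classify_case_handling(results):
    """Group (path, status, length) rows by case-folded path and judge each group.

    case-insensitive : every spelling got the same status and size
    case-sensitive   : spellings differ (front end routed only one of them)
    inconclusive     : every spelling errored, so identical errors prove nothing
    single-variant   : only one spelling was requested
    """
    groups = defaultdict(dict)
    for path, status, length in results:
        groups[path.lower()][path] = (status, length)

    verdicts = {}
    for key, variants in groups.items():
        responses = set(variants.values())
        if len(variants) < 2:
            verdicts[key] = "single-variant"
        elif all(status >= 400 for status, _ in responses):
            verdicts[key] = "inconclusive"
        elif len(responses) == 1:
            verdicts[key] = "case-insensitive"
        else:
            verdicts[key] = "case-sensitive"
    return verdicts


# Constructed sample in the shape ffuf reports: (path, status, content length).
SAMPLE_RESULTS = [
    ("/", 200, 5120),
    ("/api/users", 200, 2048),
    ("/API/USERS", 404, 120),            # front end only has a lowercase route
    ("/legacy/report.aspx", 200, 9001),
    ("/LEGACY/REPORT.ASPX", 200, 9001),  # passed through to IIS, which ignores case
    ("/Legacy/Report.aspx", 200, 9001),
    ("/admin", 403, 80),
    ("/ADMIN", 403, 80),                 # both blocked: says nothing about the backend
]

if __name__ == "__main__":
    for path, verdict in sorted(classify_case_handling(SAMPLE_RESULTS).items()):
        print(f"{path:<22} {verdict}")
```

Paths that come back "case-insensitive" are the ones the front end hands through to something IIS-like, which is where a second round of fuzzing with the mixed-case variants tends to pay off; identical error responses are deliberately reported as inconclusive, since a WAF or the load balancer may be rejecting both spellings before the backend ever sees them.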
Gandalf

A few months ago someone sent me the "Gandalf" prompt injection challenge and I finally sat down to go through it. Complete with creepy AI-generated "Gandalfs" (??), it's an accessible CTF that people can even do from their phones… in bed… like me.
I found this to be exceptionally fun because they are novel techniques and people come to their own, often unique, solutions in a variety of ways. To help get the creative juices flowing I read a few blog posts about prompt injection and went from there.
Download Master, pt 2

Alright, so here are the fun ones: command injections and buffer overflows.

Command Injections - CVE-2024-31162

URL path parameters are not sanitized prior to their inclusion within system() calls, resulting in the ability for authenticated users to perform command injection attacks.

The following action_mode values lead to unsafe system calls via the listed parameters:

action_mode      parameters
DM_ED2K_ADD      ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_ED2K_REM      ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_ED2K_CON      ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_LANG
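The bug class above (a request parameter formatted into a string that goes to system()) and the fix a firmware developer should have applied are shown side by side in the following added example. This is illustrative C, not the Download Master source: the helper path /opt/ed2k/client, the flag names and the function names are hypothetical. The vulnerable builder only constructs the shell command line rather than calling system(), so the effect of an injected ED2K_SERVER_IP can be inspected without running it; the hardened path validates both parameters against an allow-list and then executes without a shell at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical helper binary standing in for whatever the real firmware invokes. */
#define ED2K_CLIENT "/opt/ed2k/client"

/* VULNERABLE PATTERN: request parameters are pasted into a shell command line.
 * The string this produces is exactly what system() would hand to /bin/sh -c, so
 * an ED2K_SERVER_IP of "1.2.3.4;id" turns into a second command. It deliberately
 * stops short of calling system() so the result can be inspected safely. */
int ed2k_build_shell_cmd(const char *ip, const char *port, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, ED2K_CLIENT " --server %s --port %s", ip, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list validator: exactly four decimal octets, each 0-255, nothing else. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    while (*s) {
        int val = 0, digits = 0;
        if (!isdigit((unsigned char)*s))
            return 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255)
                return 0;
            s++;
        }
        octets++;
        if (*s == '.') {
            if (octets == 4 || !*(s + 1))      /* "1.2.3.4." or "1.2.3." */
                return 0;
            s++;
        } else if (*s) {
            return 0;                          /* ';', '`', '$', space: reject */
        }
    }
    return octets == 4;
}

/* Allow-list validator: one to five decimal digits, value 1..65535. */
int is_valid_port(const char *s)
{
    long v = 0;
    if (!*s || strlen(s) > 5)
        return 0;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        v = v * 10 + (*s - '0');
    }
    return v >= 1 && v <= 65535;
}

/* HARDENED PATTERN: validate first, then build an argv for execv(). No shell is
 * involved, so metacharacters carry no meaning even if validation is later
 * loosened. argv needs room for 6 entries. Returns 0 on success, -1 on reject. */
int ed2k_build_argv(const char *ip, const char *port, const char *argv[], size_t n)
{
    if (n < 6 || !is_valid_ipv4(ip) || !is_valid_port(port))
        return -1;
    argv[0] = ED2K_CLIENT;
    argv[1] = "--server";
    argv[2] = ip;
    argv[3] = "--port";
    argv[4] = port;
    argv[5] = NULL;
    return 0;
}

/* Run a validated argv without a shell; returns the child's exit status or -1. */
int run_argv(const char *argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                            /* exec failed (binary absent here) */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *attack_ip = "1.2.3.4;id";      /* constructed malicious parameter */
    char cmd[256];
    const char *argv[6];

    ed2k_build_shell_cmd(attack_ip, "4662", cmd, sizeof cmd);
    printf("vulnerable path would run: sh -c '%s'\n", cmd);
    printf("hardened path: %s\n",
           ed2k_build_argv(attack_ip, "4662", argv, 6) == 0 ? "accepted" : "rejected");
    if (ed2k_build_argv("1.2.3.4", "4662", argv, 6) == 0)
        printf("valid input accepted; exec status %d\n", run_argv(argv));
    return 0;
}
```

Two design points matter more than the validators themselves: the hardened path never builds a shell string (execv takes an argv, so there is nothing for ';' or backticks to terminate), and rejection happens before any process is spawned. Quoting or escaping the parameters for system() would have been the weaker fix, since every shell has a different set of characters to escape.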
Asus, the gift that keeps on giving (CVEs)

Something something a CVE horse in the mouth.

Remember back in the early 2000s, when download managers were all the rage? Well, it turns out that in 2024 Asus still has a product, aptly named "Download Master". This "app" installs to a USB device on your router. As it turns out, it's actually a full-on Linux environment running BusyBox… that's installed onto your USB stick, lol.
Unsafe Inline MSBuild Tasks - Part 2

I wrote a post recently about a technique leveraging System.Reflection to pass CLI arguments into csc.exe when compiling MSBuild inline tasks. This isn't my research, but uses a technique that seems to have been discovered(? idk) by the Social Engineering Toolkit (SET) guys.
The goal of this technique is to allow the unsafe keyword to be used when building C# inline MSBuild tasks via XML.
MSBuild'ing unsafe inline tasks

Recently, while doing a bit of research, I came across a few blockers (classic). The basic problem seemed like it should be fairly simple (also classic), and yet I googled fruitlessly.
Reading innumerable Stack Overflow answers assured me the problem was simple! For I must be the fool; how could so many accepted answers to what seemed to be my exact issue be mistaken?
My question boiled down to this:
WAB!

Recently, when looking for some bugs to leverage for red teaming, I found that the following Windows binaries load several libraries from the application directory. Note that these files are also digitally signed by Microsoft.

C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files\Windows Mail\wab.exe

Attackers can leverage this behavior to perform DLL hijacking / proxying attacks and obtain code execution on a target system, establish persistence and/or distribute malware.
Sigcheck output:
PS C:\Program Files\Windows Mail> sigcheck .
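A practitioner wanting to confirm the behavior above, or to triage any other signed binary for the same thing, needs to know which imported DLL names would resolve from the application directory and which are protected. The following PowerShell is an added example, not code from the original post or a Microsoft tool: it parses each EXE's static import table, checks the Authenticode status, and classifies every imported DLL as resolving from the app directory (sideload target), missing from both the app directory and System32 (search-order hijack), or listed under KnownDLLs (always mapped from System32, so not hijackable this way). The default directory is the one from the post. Two caveats: delay-load and LoadLibrary()-time imports are invisible to a static parse (Procmon shows those), and since Program Files is writable only by administrators, a hijack here buys persistence and execution behind a signed binary, not privilege escalation.

```powershell
# Added example, not code from the original post. Static DLL search-order triage
# for the EXEs in an application directory. Assumptions: PE32/PE32+ images with a
# normal import directory; api-ms-*/ext-ms-* names are API set forwarders and are
# skipped because they never resolve to a file in the app directory.

function Get-PeImports {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                               # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "Not a PE file: $Path" }
    $numSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize     = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt         = $pe + 24
    $magic       = [BitConverter]::ToUInt16($b, $opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); the import table is entry 1.
    $dd          = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $importRva   = [BitConverter]::ToUInt32($b, $dd + 8)
    if ($importRva -eq 0) { return @() }

    # Section headers follow the optional header; needed to map RVAs to file offsets.
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VirtualSize    = [BitConverter]::ToUInt32($b, $s + 8)
            VirtualAddress = [BitConverter]::ToUInt32($b, $s + 12)
            RawPointer     = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $rvaToOffset = {
        param([uint32]$rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $s.VirtualSize)) {
                return [int]($s.RawPointer + ($rva - $s.VirtualAddress))
            }
        }
        throw ("RVA 0x{0:x} is not inside any section" -f $rva)
    }

    # Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) until the all-zero terminator.
    $names = @()
    $d = & $rvaToOffset $importRva
    while ([BitConverter]::ToUInt32($b, $d + 12) -ne 0) {
        $n   = & $rvaToOffset ([BitConverter]::ToUInt32($b, $d + 12))     # Name RVA
        $end = [Array]::IndexOf($b, [byte]0, $n)
        $names += [System.Text.Encoding]::ASCII.GetString($b, $n, $end - $n)
        $d += 20
    }
    return $names
}

function Find-DllHijackCandidates {
    param([string]$AppDir = "$env:ProgramFiles\Windows Mail")
    $system32 = Join-Path $env:SystemRoot 'System32'
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = (Get-ItemProperty $knownKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value.ToString().ToLowerInvariant() }

    foreach ($exe in Get-ChildItem -Path $AppDir -Filter *.exe -File) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
        foreach ($dll in Get-PeImports -Path $exe.FullName) {
            if ($dll -like 'api-ms-*' -or $dll -like 'ext-ms-*') { continue }
            $verdict =
                if ($known -contains $dll.ToLowerInvariant())        { 'KnownDLL, not hijackable via app dir' }
                elseif (Test-Path (Join-Path $AppDir $dll))          { 'resolves from app dir (sideload target)' }
                elseif (-not (Test-Path (Join-Path $system32 $dll))) { 'missing everywhere (search-order hijack)' }
                else                                                 { 'system DLL' }
            [pscustomobject]@{ Exe = $exe.Name; Signature = $sig; Dll = $dll; Verdict = $verdict }
        }
    }
}

Find-DllHijackCandidates | Where-Object Verdict -ne 'system DLL' | Format-Table -AutoSize
```

Run it from an elevated or normal prompt alike; it only reads files and the registry. Anything reported as a sideload target is a name you would replace with a proxy DLL that forwards the original exports, and anything reported as missing everywhere is a name you would simply drop into the directory, in both cases with the signed EXE doing the loading.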
Teams SSRF

While on vacation in December, I was digging around against MS services for some bugs and discovered several SSRFs in MS cloud services. For one of them I was awarded a $5000 USD bounty, presumably because it targeted Teams and disclosed user authentication tokens to external services.
Hell yeah!
It was a pretty simple bug, and now that it's patched and sufficient time has passed, MS gave me the green light for publishing.