Unauth HTTP SSRF in Nuance Ai Training Platform

I submitted another HTTP SSRF in MS services via MSRC recently, this time within an insecure api.php endpoint I found on train.digital.nuance.com. This was a full HTTP SSRF, capable of interacting with internal services, and could be used for both GET and POST requests, including sending full GET/POST bodies with arbitrary parameter/value pairs to arbitrary resources. Bounty? None. A few weeks after submission, MS responded that they confirmed the bug, were investigating the issue, and asked for any more information I could provide.

Unauthenticated SSRF in Office.net

In late September I reported an unauthenticated SSRF I’d found on Office.net to MSRC, only to receive a response that said I had included no reproduction steps, and therefore the report was invalid and would be closed. Obviously, the report had reproduction steps. So I replied, directing them to the report (which included reproduction steps), and was met with the same response. The report was closed, and I was pretty miffed.

Arduino Catbox

A smart catbox… sorta
Recently, I have been getting into building stuff, and I’ve had the idea for a while to add some sort of air filter to one of my cats’ litter boxes. Why buy a smart box when you can make one? They’re both quite large, and one cat is particularly messy, so this was a fun project to help keep them healthy and happy, and cut down on mess and stank.

When BurpSuite Lies

When Burp LIES.
On a recent red team I was testing a weird app with some complex routing crap happening, and I noticed some odd behavior in Burp. The app was load balanced by a case-sensitive front-end, à la AWS LB etc., and certain endpoints were being routed to case-insensitive apps, à la IIS. This matters as I was fuzzing pretty hard and passing in ffuf results to Burp with --replay-proxy. After fuzzing for a while, I went back to my sitemap tab in Burp to look for interesting requests and for some reason I couldn’t find the application’s landing page anymore.

Gandalf LLM / Prompt Injection

Gandalf
A few months ago someone sent me the “Gandalf” prompt injection challenge and I finally sat down to go through it. Complete with creepy AI generated “Gandalfs” (??), it’s an accessible CTF that people can even do from their phones… in bed… like me. I found this to be exceptionally fun because they are novel techniques and people come to their own, often unique solutions in a variety of ways. To help get the creative juices flowing I read a few blog posts about prompt injection and went from there.

Asus Download Master - Part 2: Command Injections, BoFs

Download Master, pt 2
Alright so here are the fun ones: command injections and buffer overflows.

Command Injections - CVE-2024-31162
URL path parameters are not sanitized prior to their inclusion within system() calls, resulting in the ability for authenticated users to perform command injection attacks. The following action_mode values lead to unsafe system calls via the listed parameters:
DM_ED2K_ADD: ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_ED2K_REM: ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_ED2K_CON: ED2K_SERVER_IP and ED2K_SERVER_PORT
DM_LANG
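As an added illustration of the bug class (this is not the Asus Download Master code and not from the original post; the `ed2k_ctl` command line is a hypothetical stand-in, only the ED2K_SERVER_IP / ED2K_SERVER_PORT parameter names come from the text), here is the pattern to look for in a handler like this, beside a hardened version. The unsafe builder pastes request parameters straight into a shell command line; the checked builder refuses to build anything until the IP is a dotted-quad literal and the port is a bare decimal number, so shell metacharacters never reach system().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* Unsafe pattern: untrusted parameters formatted straight into a command
   string that would then be handed to system(). The command itself is a
   hypothetical stand-in; this example only builds the string and never
   executes it. Returns 1 when the string fit in the buffer. */
int build_cmd_unsafe(char *out, size_t outlen, const char *ip, const char *port) {
    int n = snprintf(out, outlen, "ed2k_ctl add %s %s", ip, port);
    return n > 0 && (size_t)n < outlen;
}

/* Hardened check: accept only an IPv4 dotted-quad literal (inet_pton rejects
   anything with trailing junk such as "10.0.0.5;id"). */
int valid_ipv4(const char *s) {
    struct in_addr a;
    if (s == NULL || strlen(s) > 15) return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened check: accept only 1..65535 written as decimal digits. */
int valid_port(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 5) return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    long v = strtol(s, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Hardened builder: validate first, build only when both values are clean. */
int build_cmd_checked(char *out, size_t outlen, const char *ip, const char *port) {
    if (!valid_ipv4(ip) || !valid_port(port)) return 0;
    return build_cmd_unsafe(out, outlen, ip, port);
}

/* 1 if the command line carries any shell metacharacter. */
int has_shell_meta(const char *cmd) {
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Convenience wrappers so each path can be exercised as a single call. */
int unsafe_build_has_meta(const char *ip, const char *port) {
    char cmd[256];
    if (!build_cmd_unsafe(cmd, sizeof cmd, ip, port)) return -1;
    return has_shell_meta(cmd);
}

int checked_build_ok(const char *ip, const char *port) {
    char cmd[256];
    return build_cmd_checked(cmd, sizeof cmd, ip, port);
}

int main(void) {
    /* Constructed inputs: one benign pair, one carrying an injected command. */
    const char *benign_ip = "10.0.0.5", *bad_ip = "10.0.0.5;id";
    const char *benign_port = "4662", *bad_port = "4662|sh";
    char cmd[256];

    build_cmd_unsafe(cmd, sizeof cmd, bad_ip, benign_port);
    printf("unsafe builder produced: %s  (metachars=%d)\n", cmd, has_shell_meta(cmd));
    printf("checked builder, injected ip:   %d\n", checked_build_ok(bad_ip, benign_port));
    printf("checked builder, injected port: %d\n", checked_build_ok(benign_ip, bad_port));
    printf("checked builder, clean input:   %d\n", checked_build_ok(benign_ip, benign_port));
    return 0;
}
```

Validating before building is the minimum fix; the better design on a busybox-class device is to drop system() entirely and exec the helper with an argv array (fork + execv), so that even a value that slips past the check is never parsed by a shell.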

Asus Download Master - Part 1: XSS, Uploads

Asus, the gift that keeps on giving (cves) something something a cve horse in the mouth
Remember back in the early 2000s, when download managers were all the rage? Well, turns out in 2024 Asus still has a product, aptly named “Download Master”. This “app” installs to a USB device on your router. As it turns out, it’s actually a full on linux environment running busybox… that’s installed onto your USB stick, lol.

Msbuild'ing Unsafe Tasks - Pt. 2

Unsafe Inline MSBuild Tasks - Part 2
I wrote a post recently about a technique leveraging System.Reflection to pass CLI arguments into csc.exe when compiling MSBuild inline tasks. This isn’t my research, but uses a technique that seems to have been discovered(? idk) by the Social Engineering Toolkit (SET) guys. The goal of this technique is to allow the unsafe keyword to be used when building C# inline msbuild tasks via XML.

Msbuild'ing Unsafe Tasks

MSBuild’ing unsafe inline tasks
Recently while doing a bit of research I came across a few blockers (classic)– the basic problem seemed like it should be fairly simple (also classic), and yet I googled fruitlessly. Reading innumerable stack overflow answers assured me, the problem was simple! For I must be the fool; how could so many accepted answers to what seemed to be my exact issue be mistaken? My question boiled down to this:

DLL Hijacks in Windows Contacts

WAB!
Recently when looking for some bugs to leverage red teaming, I found the following Windows binaries load several libraries from the application directory. Note that these files are also digitally signed by Microsoft.
C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files\Windows Mail\wab.exe
Attackers can leverage this behavior to perform DLL hijacking / proxying attacks and obtain code execution on a target system, establish persistence and/or distribute malware.
Sigcheck output:
PS C:\Program Files\Windows Mail> sigcheck .