Microsoft Online Service Acknowledgements April 2020
In April 2020, I was proud to be included on the Microsoft Online Service Acknowledgements page. 🙂 https://msrc.microsoft.com/update-guide/en-us/acknowledgement/online
Blog
TrendMicro – CVE-2021-28646
I was reviewing TrendMicro products as part of an engagement and I found a permissions issue whereby a log file wasn’t configured correct permissions, and additionally I could take control of the permissions of the file. I reported this issue to the Trend team who issued two bulletins for products which are affected. SECURITY BULLETIN:Continue reading TrendMicro – CVE-2021-28646
Zyxel – CVE-2020-27667
Zyxel OneNetwork Utility V2.1.4C0 Towards the end of last year I reported a privilege escalation vulnerability to Zyxel which was found in their OneNetwork Utility which has now been fixed. This issue was easy to find and demonstrates the importance of validating applications for low hanging privilege escalation vectors. On installation, the application has weakContinue reading Zyxel – CVE-2020-27667
Utimaco – CVE-2020-26155
During a pentest last year I found an issue which affected the Windows installation product packages for the following products from Utimaco SecurityServer 3.x, 4.x up to version 4.31.1PaymentServer 3.x, 4.x up to version 4.33.0PaymentServer Hybrid 3.x, 4.x up to version 4.33.0Block-safe 2.0.0, 3.0.0CryptoServer CP5 5.0.0.0, 5.1.0.0, incl. CryptoServer CP5 Supporting CD and CryptoServer CP5Continue reading Utimaco – CVE-2020-26155
Siemens – CVE-2020-25245, CVE-2020-28392
After reviewing some Siemens software, I found a couple of issues which related to Insecure Folder Permissions which I reported to their security team. The Siemens team was very responsive and kept me informed throughout their review process. The issues which I reported were remediated and Siemens released two CVE’s and bulletins for which IContinue reading Siemens – CVE-2020-25245, CVE-2020-28392
VBA and Function Pointers
Having written a few posts and demonstrated some different methods of bypassing AMSI using VBA, here’s another small post demonstrating another technique which I found is possible as a result of some Advanced Googling… I was studying the courses by Sektor7 (all of which I recommend) and one of the topics covered is run timeContinue reading VBA and Function Pointers
Enumerating Process Modules in VBA
I’ve written a few posts which are all about AMSI and VBA recently and have hopefully shown that bypassing it is pretty trivial and can be done in a number of different ways. I just wanted to document one more combination of techniques that can be used to get the address of AMSIScanString and AmsiScanBufferContinue reading Enumerating Process Modules in VBA
AMSI in the HEAP x32
This write up is based upon the work of Matt Graeber @Mattifestation https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9 Tools Used IDAhttps://www.hex-rays.com/products/ida/support/download_freeware/ Windbghttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools If we load up amsi.dll in IDA or equivalent tool and start looking at AmsiScanBuffer we can see that there is a check to see if the value which is pointed to via rbx equals 49534D41h (AMSI). IfContinue reading AMSI in the HEAP x32
Ordinal Numbers and VBA can be fun – who knew!
My previous couple of posts have all been centred around VBA, AMSI and Macros. This isn’t going to be different!. This makes for the easiest AMSI and Windows Defender bypass. Whilst reading through MSDN, which incidentally makes great bedtime reading…., I read that it was possible to use ordinal numbers with VBA when declaring functionsContinue reading Ordinal Numbers and VBA can be fun – who knew!
Are we nearly there yet? Walking Half the PEB with VBA
This is really just a variation on a theme, however I thought I’d write a quick post none the less. As previously stated the traditional way to get to AMSI function addresses was through LoadLibrary and then GetProcAddress. Microsoft blacklisted some function names to make using GetProcAddress unavailable which is why my my colleague andContinue reading Are we nearly there yet? Walking Half the PEB with VBA