[email protected]      0333 939 8080

Jumpsec Labs
Jumpsec Labs

JUMPSEC LABS

The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts!  We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)

by Sunny Chau | Jun 13, 2024 | , , , ,

In Part 1 of the series we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test initially leading to RCE and further on with out-of-band data exfiltration via DNS. Though the exact mechanism of achieving remote-code execution with Python was not discussed, we went in depth in how to return data as a result of the code being executed. Initially, with ascii-to-integer encoding I was able to find the username of the runtime user - sbx_userNNN. In the first blog...

read more

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)

by Sunny Chau | Jun 6, 2024 | , , , ,

This is a war story of an AWS web application test where remote code execution was first obtained on the client's application. Then I needed to write my own DNS tunnelling 'protocol' to get the data out. Following a number of twists and turns I impersonated the application and attempted to laterally move within the AWS tenant. Before storytelling though, let's start with a public service announcement: The Public Service Announcement As the title suggests, I discovered that it was possible to...

read more

Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

by Max Corbridge | Dec 21, 2023 | , , , ,

Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products Affected versions: 8.3 Vendor page: https://www.ibm.com/support/pages/node/7064976 CVE Reference: CVE-2023-43042 Published: 08/12/2023 CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Credit: Max Corbridge Summary JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password...

read more

Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

by Max Corbridge | Jun 21, 2023 | , , , ,

TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as...

read more

Car Hacking – Manual Bypass of Modern Rolling Code Implementations

by 0x5c4r3 | Jul 22, 2021 | ,

Introduction I recently researched modern algorithms used by keyfobs to open cars. Since most of the blogs online talking about the topic are unfortunately quite old and in general and do not precisely describe the exact path followed in detail, nor the code used. I thought that talking about my experience could be interesting and inspiring for other researchers. I won’t go in depth on certain topics and I will assume that the reader has a general background in basic signals theory and is...

read more

Pwning Windows Event Logging with YARA rules

by bats3c | Sep 4, 2020 |

The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation it is limited what we can do to evade event logging, but once privileges have been elevated it is an equal playing field. In the past I have released a method to evade this logging by loading a malicious kernel driver and hooking the NtTraceEvent...

read more

Defending Your Malware

by bats3c | Aug 11, 2020 |

Malware is an important part of an engagement, though as many security solutions are now evolving past rudimentary signature comparisons to using more advanced techniques to detect malicious activity, it is important that we as attackers understand the methods they are using and how we can avoid them. Consider the following code I wrote for example. #include <stdio.h> #include <windows.h> #include <wincrypt.h> #include <tlhelp32.h>...

read more

GitHub

JUMPSECLabs

Follow JumpsecLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

Jumpsec, Unit 3E – 3F, 33 – 34 Westpoint,
Warple Way, Acton
W3 0RG

To learn more about JUMPSEC's services please get in touch:

Give us a call: 0333 939 8080

Send us a message: [email protected]

To learn more about JUMPSEC'S services please get in touch:

Give us a call: 0333 939 8080

Send us a message: [email protected]

Jumpsec, Unit 3E – 3F, 33 – 34 Westpoint,
Warple Way, Acton, W3 0RG

© JUMPSEC 2020 | Privacy Policy
JUMPSEC Ltd. is a company registered in England and Wales. Registered Address: 1 Golden Court, Richmond, Surrey, TW9 1EU. Registration Number: 08327063