Research Archives | JUMPSEC LABS

Weaponize Your Word – Malicious Template Injection

by Max Clarke | Oct 30, 2024 | Detection, Initial Access, Red Teaming, Research, Windows

Weaponize Your Word - Malicious Template Injection Historically, files sent via email have been a common initial access technique employed by threat actors. Personally, I have seen emails containing malware prove effective, and in the case of an IR (Incident Response) involving a malware infection, it would be one of the first places I would look to identify the source of compromise. There are many techniques for bypassing an email solution to deploy malware on an endpoint, however an old...

How to Handle Development Projects in a Pentest Company

by Bjoern Schwabe | Aug 6, 2024 | Jumpsec, Research

If you are a pentester you probably never really think about programming. Instead you are testing what others have developed. However, every now and then a quick python or bash script is needed to exploit some stuff you have found, or automate a certain process you are using. Things become interesting when you are in a penetration testing company that has many strong penetration testers and everyone writes these scripts. Clearly each script solves a particular problem, either for the tester...

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)

by Sunny Chau | Jun 13, 2024 | burpsuite, Exploitation, network, Research, Vulnerability

In Part 1 of the series we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test initially leading to RCE and further on with out-of-band data exfiltration via DNS. Though the exact mechanism of achieving remote-code execution with Python was not discussed, we went in depth in how to return data as a result of the code being executed. Initially, with ascii-to-integer encoding I was able to find the username of the runtime user - sbx_userNNN. In the first blog...

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)

by Sunny Chau | Jun 6, 2024 | burpsuite, Exploitation, network, Research, Vulnerability

This is a war story of an AWS web application test where remote code execution was first obtained on the client's application. Then I needed to write my own DNS tunnelling 'protocol' to get the data out. Following a number of twists and turns I impersonated the application and attempted to laterally move within the AWS tenant. Before storytelling though, let's start with a public service announcement: The Public Service Announcement As the title suggests, I discovered that it was possible to...

Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

by Max Corbridge | Dec 21, 2023 | Exploitation, Jumpsec, Research, Security Bug, Vulnerability

Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products Affected versions: 8.3 Vendor page: https://www.ibm.com/support/pages/node/7064976 CVE Reference: CVE-2023-43042 Published: 08/12/2023 CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Credit: Max Corbridge Summary JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password...

Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

by Max Corbridge | Jun 21, 2023 | Exploitation, Research, Security Bug, Vulnerability, Windows

TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as...

Online Machine Learning: how to integrate user feedback

by Newt Tan | Dec 12, 2022 | Research

When designing and implementing a machine learning model, ensuring it is continually updated is a challenge that all engineers encounter. In this article, I explore the online machine learning technique that I used during a project and present how it was implemented for effective results. Choosing a machine learning method Machine learning solutions can be mainly split into offline and online methods. Online machine learning is a method in which data becomes available in a sequential...

Implementation and Dynamic Generation for Tasks in Apache Airflow

by Newt Tan | Nov 23, 2022 | Detection, Research

I recently worked on a project focused on log anomaly detection using manageable machine learning pipelines. The pipelines mainly include data collection --- feature extraction --- feature engineering --- detection/prediction --- updating (maintenance). It’s important to have a solid UI to manage the pipelines so I can easily review the chain of pipelines. After much research, I found many engineers recommended Airflow. In airflow, the core concept is the Directed Acyclic Graph...

JUMPSEC LABS

Weaponize Your Word – Malicious Template Injection

How to Handle Development Projects in a Pentest Company

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)

Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

Online Machine Learning: how to integrate user feedback

Implementation and Dynamic Generation for Tasks in Apache Airflow

[Latest Posts]

[Categories]

GitHub

Follow JumpsecLabs

Disclaimer