Research Archives | JUMPSEC LABS

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)

by Sunny Chau | Jun 13, 2024 | burpsuite, Exploitation, network, Research, Vulnerability

In Part 1 of the series we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test initially leading to RCE and further on with out-of-band data exfiltration via DNS. Though the exact mechanism of achieving remote-code execution with Python was not discussed, we went in depth in how to return data as a result of the code being executed. Initially, with ascii-to-integer encoding I was able to find the username of the runtime user - sbx_userNNN. In the first blog...

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)

by Sunny Chau | Jun 6, 2024 | burpsuite, Exploitation, network, Research, Vulnerability

This is a war story of an AWS web application test where remote code execution was first obtained on the client's application. Then I needed to write my own DNS tunnelling 'protocol' to get the data out. Following a number of twists and turns I impersonated the application and attempted to laterally move within the AWS tenant. Before storytelling though, let's start with a public service announcement: The Public Service Announcement As the title suggests, I discovered that it was possible to...

Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

by Max Corbridge | Dec 21, 2023 | Exploitation, Jumpsec, Research, Security Bug, Vulnerability

Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products Affected versions: 8.3 Vendor page: https://www.ibm.com/support/pages/node/7064976 CVE Reference: CVE-2023-43042 Published: 08/12/2023 CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Credit: Max Corbridge Summary JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password...

Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

by Max Corbridge | Jun 21, 2023 | Exploitation, Research, Security Bug, Vulnerability, Windows

TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as...

Online Machine Learning: how to integrate user feedback

by Newt Tan | Dec 12, 2022 | Research

When designing and implementing a machine learning model, ensuring it is continually updated is a challenge that all engineers encounter. In this article, I explore the online machine learning technique that I used during a project and present how it was implemented for effective results. Choosing a machine learning method Machine learning solutions can be mainly split into offline and online methods. Online machine learning is a method in which data becomes available in a sequential...

Implementation and Dynamic Generation for Tasks in Apache Airflow

by Newt Tan | Nov 23, 2022 | Detection, Research

I recently worked on a project focused on log anomaly detection using manageable machine learning pipelines. The pipelines mainly include data collection --- feature extraction --- feature engineering --- detection/prediction --- updating (maintenance). It’s important to have a solid UI to manage the pipelines so I can easily review the chain of pipelines. After much research, I found many engineers recommended Airflow. In airflow, the core concept is the Directed Acyclic Graph...

Advisory CVE-2021-41551 Leostream Connection Broker – Authenticated Zip Slip

by lrckt | Jan 26, 2022 | Research, Security Bug, Vulnerability

Software: Leostream Connection BrokerAffected Versions: 9.0.40.17Vendor page: https://leostream.com/CVE Reference: CVE-2021-41551Published: 25/01/2022Attack Vector: path traversal, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi Summary Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link. Mitigation The Leostream has released a patch for this...

Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

by lrckt | Jan 26, 2022 | Research, Security Bug, Vulnerability

Software: Leostream Connection BrokerAffected Versions: 9.0.40.17Vendor page: https://leostream.com/CVE Reference: CVE-2021-41550Published: 25/01/2022Attack Vector: Remote, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi Summary As the Leostream Connection Broker version: 9.0.40.17 allowed an attacker to upload any content through Third Party Content functionality, it was found that the application allowed the listed filenames below the ability to...

JUMPSEC LABS

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 2)

What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)

Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

Online Machine Learning: how to integrate user feedback

Implementation and Dynamic Generation for Tasks in Apache Airflow

Advisory CVE-2021-41551 Leostream Connection Broker – Authenticated Zip Slip

Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

[Latest Posts]

[Categories]

GitHub

Follow JumpsecLabs

Disclaimer