New article by our researcher @snovvcrash: "Python ❤️ SSPI: Teaching #Impacket to Respect Windows SSO".
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO
One handy feature of our private Impacket (by @fortra) fork is that it can leverage native SSPI interaction for authentication purposes when operating from a legit domain context on a Windows machine. As far as the partial implementation of Ntsecapi represents…
👍33
🖥 Yealink fixed a post-auth OS command injection in Yealink Meeting Server found by our researcher.
Read the advisory: https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf
👍14
Atlassian Confluence - Remote Code Execution (CVE-2023-22527)
👤 by Rahul Maini & Harsh Jaiswal
CVE-2023-22527 is a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence Instance, thereby enabling the execution of arbitrary code and system commands.
📝 Contents:
● Technical Details
• Initial Analysis
• Identifying the Unauthenticated Attack Surface
● OGNL Expression Evaluation
● Remote Code Execution via OGNL Injection
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
👍11
📖 New article by our researcher Nikita Sveshnikov: "Bypassing browser tracking protection for CORS misconfiguration abuse."
Read the blog post to learn how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms.
https://swarm.ptsecurity.com/bypassing-browser-tracking-protection-for-cors-misconfiguration-abuse/
Bypassing browser tracking protection for CORS misconfiguration abuse
Cross-Origin Resource Sharing (CORS) is a web protocol that outlines how a web application on one domain can access resources from a server on a different domain. By default, web browsers have a Same-Origin Policy (SOP) that blocks these cross-origin requests…
👍14
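As an added example (not code from the PT SWARM article above), here is the server-side decision that the article's target class of bug comes down to: which Origin header values get an Access-Control-Allow-Origin response with credentials. Two common misconfigurations are shown beside an exact-match allowlist; the allowlist entries and the sample origins are constructed for the demonstration, and the article's tracking-protection bypass itself is not reproduced here.

```python
# Added example, not code from the PT SWARM article: how a server decides
# the Access-Control-Allow-Origin header. Two common misconfigurations are
# shown beside an allowlist check. Origins and the allowlist are constructed.
from urllib.parse import urlsplit

# Constructed allowlist: the only origins allowed to read credentialed responses.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(origin):
    """Misconfiguration 1: echo any Origin and allow credentials.
    Any page can then read the victim's authenticated responses."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_substring(origin):
    """Misconfiguration 2: 'contains our domain' check.
    Passes for https://example.com.attacker.net and https://notexample.com."""
    if origin and "example.com" in origin:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_allowlist(origin):
    """Hardened: exact match of scheme://host[:port] against an allowlist,
    case-insensitive, with the 'null' origin and anything carrying a path,
    query or fragment rejected. Vary: Origin stops shared caches from
    serving one origin's response to another."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://example.com.attacker.net", "null"]:
        print(o, cors_headers_reflecting(o), cors_headers_substring(o), cors_headers_allowlist(o))
```

The allowlist variant deliberately does not normalize default ports or accept subdomain wildcards: a browser never sends a trailing slash, path or default port in Origin, so any such value is either a non-browser client or a bypass attempt and is safer to refuse.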
PortSwigger's Top 10 web hacking techniques of 2023!
Welcome to the Top 10 Web Hacking Techniques of 2023, a community-powered effort to identify the most important and innovative web security research published in the last year.
🥇 Smashing the state machine: the true potential of web race conditions
🥈 Exploiting Hardened .NET Deserialization
🥉 SMTP Smuggling - Spoofing E-Mails Worldwide
4️⃣ PHP filter chains: file read from error-based oracle
5️⃣ Exploiting HTTP Parsers Inconsistencies
6️⃣ HTTP Request Splitting vulnerabilities exploitation
7️⃣ How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
8️⃣ From Akamai to F5 to NTLM... with love
9️⃣ Cookie Crumbles: Breaking and Fixing Web Session Integrity
🔟 can I speak to your manager? hacking root EPP servers to take control of zones
You can find the entire nomination list here: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
👍10
CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)
👤 by Rapid7
In February 2024, Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:
• CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
• CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).
📝 Contents:
● Overview
● Impact
● Remediation
● Analysis
• CVE-2024-27198
• CVE-2024-27199
● Rapid7 customers
● Timeline
https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
👍11
🎁 Source Code Disclosure in IIS 10.0! Almost.
There is a method to reveal the source code of some .NET apps. Here's how it works.
👉 https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
👍37
📱 New article by our researcher Andrey Pesnyak: "Android Jetpack Navigation: Deep Links Handling Exploitation"
Read about a flaw that allows an attacker to launch any fragments in a navigation graph associated with an exported activity.
https://swarm.ptsecurity.com/android-jetpack-navigation-deep-links-handling-exploitation/
Android Jetpack Navigation: Deep Links Handling Exploitation
The androidx.fragment.app.Fragment class available in Android allows creating parts of application UI (so-called fragments). Each fragment has its own layout, lifecycle, and event handlers. Fragments can be built into activities or displayed within other…
👍22
🚀 We're excited to unveil a new tool developed by our researcher @kiber_io: APKd. Now, you can effortlessly download APKs from AppGallery, APKPure, and RuStore directly from the terminal!
Check it out here: https://github.com/kiber-io/apkd
👍37👎3
🏭 We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!
A brief instruction for red teams:
1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!
No back connect required!
🔥 📐📏
👍30
CVE-2024-3400 - Technical Analysis
👤 by Rapid7
Rapid7’s analysis of this vulnerability has identified that the exploit is in fact an exploit chain, consisting of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400.
If device telemetry is disabled, it is still possible to leverage the file creation vulnerability; at time of writing, however, Rapid7 has not identified an alternative way to leverage the file creation vulnerability for successful exploitation.
📝 Contents:
● Overview
● Analysis
• Rooting the Device
• Diffing the Patch
• Arbitrary File Creation
• Command Injection Exploitation
● IOCs
● Remediation
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
👍6
Exploiting CVE-2024-32002: RCE via git clone
👤 by Amal Murali
A new RCE in Git caught the researcher's attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple git clone command fascinated him. Given Git’s ubiquity and the widespread use of the clone command, he was instantly intrigued. Could something as routine as cloning a repository really open the door to remote code execution? His curiosity was piqued, and he had to investigate. Plus, who doesn’t want an excuse to break stuff in the name of research?
What’s the fun in just reading about an RCE? He wanted to see it wreak havoc – maybe launch a rogue application, or worse, wipe out his directories. At least, he wanted it to pop his calculator. In this post, he will walk you through his journey of reversing the Git RCE, from initial discovery to crafting a working exploit.
📝 Contents:
● Basic Reconnaissance
• git under the hood
• Symlinks
● Digging into the source code
• Inspecting builtin/submodule--helper.c
• Inspecting t/t7406-submodule-update.sh
● Piecing everything together
● Getting the RCE
• Weaponizing a GitHub repository
● Working PoC
https://amalmurali.me/posts/git-rce/
👍15
🧧 Our researcher Igor Sak-Sakovskiy has discovered an XXE in Chrome and Safari by ChatGPT!
Bounty: $28,000 💸
Here is the write-up 👉 https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/
👍89
✅ Did you know that XSLT injection can lead to file creation?
Check the tip!
High resolution tip and the .xsl file
👍30
😀 Simple way to bypass a WAF in Command Injections!
Also helps with length restrictions! 🚀
Source code
👍31👎3
🔥 Our researcher Arseniy Sharoglazov has discovered two unauthenticated RCE vulnerabilities in Xerox WorkCentre!
Read more: https://swarm.ptsecurity.com/inside-xerox-workcentre-two-unauthenticated-rces/
Inside Xerox WorkCentre: Two Unauthenticated RCEs
Every organization has printers. In this writeup, I will cover two unauthenticated RCE vulnerabilities that I discovered in Xerox WorkCentre.
👍66👎2
🤖 New article by our researcher Nikita Petrov: "From opcode to code: how AI chatbots can help with decompilation".
Read the blog post: https://swarm.ptsecurity.com/from-opcode-to
From opcode to code: how AI chatbots can help with decompilation
Sometimes, when searching for vulnerabilities, you come across protected PHP code. Often, it’s protected by commercial encoders. These encoders perform a straightforward task: they compile the source code into Zend Engine bytecode and then encode it. The…
👍23👎2
Splitting the email atom: exploiting parsers to bypass access controls
👤 by Gareth Heyes
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an email will be routed to should be simple, but is actually ludicrously difficult - even for 'valid', RFC-compliant addresses.
In this paper, the author shows how to turn email parsing discrepancies into access control bypasses and even RCE.
This paper is accompanied by a free online CTF, so you'll be able to try out your new skill set immediately.
📝 Contents:
● Introduction
● Creating email domain confusion
● Parser discrepancies
● Punycode
● Methodology/Tooling
● Defence
● Materials
● CTF
● Takeaways
● Timeline
● References
https://portswigger.net/research/splitting-the-email-atom
👍10
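As an added example (not code from the PortSwigger paper), here is the pattern the summary above describes, written out: three extractors that each claim to return "the domain" of an address, and constructed RFC 5322-valid addresses on which they disagree. delivery_domain() is a small approximation of addr-spec handling (quoted local parts and comments), not a full parser, and the page does not say which real products use which interpretation; the point is only that an access-control check built on one extractor and a mail transport built on another can be pointed at different domains by the same string.

```python
# Added example, not code from the PortSwigger paper: three ways a backend
# might extract the domain from an e-mail address, and constructed RFC 5322
# addresses on which they disagree. delivery_domain() is a small approximation
# of addr-spec handling (quoted local parts and comments), not a full parser.
import re

TRUSTED_DOMAIN = "example.com"  # constructed: the domain that grants access


def domain_naive_first(address):
    """Quick-and-dirty extractor: the run of domain characters after the
    first '@' anywhere in the string."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else None


def domain_naive_last(address):
    """Same idea, but taking the last '@'."""
    found = re.findall(r"@([A-Za-z0-9.-]+)", address)
    return found[-1].lower() if found else None


def delivery_domain(address):
    """Approximates where the mail system routes the message: the text after
    the '@' that sits outside quoted strings and comments, with comments
    removed from the domain part. Returns None if no such '@' exists."""
    in_quote = False
    depth = 0          # nesting depth of (...) comments
    escaped = False    # previous char was a backslash inside quotes/comments
    for i, ch in enumerate(address):
        if escaped:
            escaped = False
            continue
        if ch == "\\" and (in_quote or depth):
            escaped = True
            continue
        if depth:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            continue
        if in_quote:
            if ch == '"':
                in_quote = False
            continue
        if ch == '"':
            in_quote = True
        elif ch == "(":
            depth = 1
        elif ch == "@":
            rest = re.sub(r"\((?:[^()\\]|\\.)*\)", "", address[i + 1:])
            return rest.strip().lower() or None
    return None


def domain_strict(address):
    """Defensive extractor: accept only an unquoted dot-atom local part, a
    single '@' and a plain dot-atom domain; everything else (quotes, comments,
    angle brackets, non-ASCII) is rejected rather than reinterpreted."""
    if not address.isascii():
        return None
    m = re.fullmatch(
        r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)",
        address,
    )
    return m.group(1).lower() if m else None


def compare(address):
    """Returns what each extractor believes the domain is."""
    return {
        "naive_first": domain_naive_first(address),
        "naive_last": domain_naive_last(address),
        "delivery": delivery_domain(address),
        "strict": domain_strict(address),
    }


if __name__ == "__main__":
    # Constructed addresses: each is RFC 5322-valid and routes to attacker.net,
    # yet one of the naive extractors reports the trusted domain for each.
    for addr in ['"alice@example.com"@attacker.net',
                 'alice(@example.com)@attacker.net',
                 'alice@attacker.net(@example.com)']:
        print(addr, compare(addr))
```

The defensive choice here is the one the paper's "Defence" section argues for in spirit: rather than trying to make the application's parser agree with every mail server's parser, accept only the narrow, unambiguous subset of the syntax and reject the rest, so a quoted local part or a comment never reaches the routing decision at all.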
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
👤 by Orange Tsai
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. The content includes, but is not limited to:
🛑 How a single ? can bypass Httpd’s built-in access control and authentication.
🛑 How unsafe RewriteRules can escape the Web Root and access the entire filesystem.
🛑 How to leverage a piece of code from 1996 to transform an XSS into RCE.
📝 Contents:
● Before the Story
● How Did the Story Begin?
● Why Apache HTTP Server Smells Bad?
● A Whole New Attack — Confusion Attack
• Filename Confusion
• DocumentRoot Confusion
• Handler Confusion
• Other Vulnerabilities
● Future Works
● Conclusion
https://blog.orange.tw/2024/08/confusion-attacks-en.html
👍14