Hakuin: Injecting Brains Into Blind SQL Injection
SQL Injection (SQLI) is a pervasive web attack where malicious input is used to dynamically build SQL queries in a way that tricks the DB engine to perform unintended harmful operations. Among many potential exploitations, the hacker may opt to exfiltrate the application database (DB). The exfiltration process is straightforward when the web application responds […]
COMMSEC LAB: A Practical Approach to Advanced Code Obfuscation with MBA Expressions
One of the foundational blocks of current state-of-the-art code obfuscation are Mixed Boolean-Arithmetic (MBA) expressions: those combining both integer arithmetic and bitwise operators. Such expressions can be leveraged to arbitrarily increase the data-flow complexity of targeted code by iteratively applying rewrite rules and function identities which mess the syntax while preserving its semantic behavior. They […]
How NTLM Relay Ruins Your Exchange Servers
NTLM Relay is a classic attack against Windows systems. Although proposed many years ago, it is still a hot topic among red teams, especially in Active Directory environments. Exchange Server, as the most widely used mail server in the world, has also attracted more and more attention from attackers, many Exchange 0days with great impact […]
Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures
Antivirus software are a black-box that are still used in every company as part of their defense infrastructure. We’ve created a tool to analyze and reverse engineer antivirus signatures. The motivation behind it is to better understand how antivirus software works and how it can be circumvented. By reverse engineering antivirus signatures, we gain valuable insight […]
An Ode to Rabbit Holes: Writing a New Decompiler Just for a Security Audit
When looking for vulnerabilities in products, we sometimes come across software running on seldom used technology without much documentation. We are then left with two choices: moving on, because going down this road will not offer a good return on investment of our time, or… ignore all common sense and dive down the rabbit hole […]
FrankeNAND – Extracting Info From Automotive Internet Units
Almost all modern cars have a connection to the Internet. Usually, Internet access is provided by a separate module that has a built-in eSIM and is connected to the cellular network and the vast majority of these modules are based on SoC from Qualcomm’s MDM series of processors. In this talk we will cover the […]
Lazarus Group’s Undercover Operations: Large-Scale Infection Campaigns 2022 – 2023
The Lazarus Group is one of the major threat actors targeting South Korea. In this talk, we will cover the activities of Lazarus Group’s threat campaigns in South Korea from at least 2022 to the present in 2023. KrCert/CC has detected the Lazarus group’s undercover information gathering activities targeting major companies in Korea. This campaign […]
Timekiller: Leveraging Asynchronous Clock to Escape from QEMU/KVM
Asynchronous clock is used extensively in hypervisors, which is designed to avoid the blocking of the calling thread, thereby improving the responsiveness of the software. There are many devices using asynchronous clock to process their task in QEMU, such as Network,USB,Disk and Crypto device. However, we find that a attacker can leverage asynchronous clock to […]
Rogue CDB: Escaping from VMware Workstation Through The Disk Controller
Disk controllers are an integral part of virtual machines on hypervisors like VMware Workstation. They are the bridge between the CPU and the hard disks or CD/DVDs. For most hypervisors, disk controllers are usually available in many models. There are emulated ones like 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI and LSI53C895A, and paravirtual ones like […]
KeyBleed: Attacking the OneKey Mini
It’s hard to figure out which cryptocurrency wallets are more secure than others. Often good advice is to choose one that utilizes a Secure Element (like Ledger, ColdCard, OneKey, etc) as opposed to ones without that have been widely demonstrated to be easily dumped through fault injection (Trezor, KeepKey, etc). This talk will discuss how […]