ITSEC Newsletter
Posts
ITSEC Newsletter 2023-06-29

ITSEC Newsletter 2023-06-29

Red team is best team

Henrik Falk
June 29, 2023

Exploiting Noisy Oracles with Bayesian Inference

In cryptographic attacks, we often rely on abstracted information sources which we call “oracles”. Classic examples include the RSA parity oracle attack, which depends on an oracle disclosing the l…

research.nccgroup.com/2023/06/23/exploiting-noisy-oracles-with-bayesian-inference

"In practice, however, not all oracles are created equal: an oracle that comes from error messages may well be perfectly reliable, whereas one which relies on (say) timing side channels may have to deal with a non-negligible amount of noise. In this post, we’ll look at how to deal with noisy oracles, and how to mount attacks using them. The specific cases considered will be MAC validation and PKCS7 padding validation, two common cases where non-constant-time code can lead to dramatic attacks. However, the techniques discussed can be adapted to other contexts as well."

What is Tier Zero — Part 1

Tier Zero is a crucial group of assets in Active Directory (AD) and Azure. Its purpose is to protect the most critical components by…

posts.specterops.io/what-is-tier-zero-part-1-e0da9b7cdfca

"We want to make this process of determining Tier Zero easier for organizations. In this blog post series, we will explain how we define Tier Zero and explain what common assets we recommend to be part of Tier Zero."

Obscure Windows File Types

Do you know all of the default Windows file formats? I’ve certainly seen a few in my time, though I can’t say I’ve seen a corpus of all the samples in one place. As Binary Gold Grand Prix 4 (BGGP4) is starting up, I’m considering a Windows based submission and it would be in my best interest to document all of these in the same place.

remyhax.xyz/posts/obscure-win-files

"Enjoy a quick peek into the beauty of Windows computing. From the MZ for the DOS MZ executable and it’s oft used ?xml eXtensible Markup Language companion files, to the rare XEX2 Xbox 360 executable format utilized in the bootstrapping process for streaming media from Windows Media Center."

How-to: Reversing and debugging ISAPI modules

Recently, I had the privilege to write a detailed analysis of CVE-2023-34362, which is series of several vulnerabilities in the MOVEit file transfer application that lead to remote code execution. One of the several vulnerabilities involved an ISAPI module - specifically, the MoveITISAPI.dll ISAPI extension. One of the many vulnerabilities that comprised the MOVEit RCE was a header-injection issue, where the ISAPI application parsed headers differently than the .net application. This point is going to dig into how to analyze and reverse engineer an ISAPI-based service! This wasn’t the first time in the recent past I’d had to work on something written as an ISAPI module, and each time I feel like I have to start over and remember how it’s supposed to work. This time, I thought I’d combine my hastily-scrawled notes with some Googling, and try to write something that I (and others) can use in the future. As such, this will be a quick intro to ISAPI applications from the angle that matters to me - how to reverse engineer and debug them! I want to preface this with: I’m not a Windows developer, and I’ve never run an IIS server on purpose. That means that I am approaching this with brute-force ignorance! I don’t have a lot of background context nor do I know the correct terminology for a lot of this stuff. Instead, I’m going to treat these are typical DLLs from typical applications, and approach them as such.

www.skullsecurity.org/2023/how-to-reversing-and-debugging-isapi-modules

"Recently, I had the privilege to write a detailed analysis of CVE-2023-34362, which is series of several vulnerabilities in the MOVEit file transfer application that lead to remote code execution. One of the several vulnerabilities involved an ISAPI module - specifically, the MoveITISAPI.dll ISAPI extension. One of the many vulnerabilities that comprised the MOVEit RCE was a header-injection issue, where the ISAPI application parsed headers differently than the .net application. This point is going to dig into how to analyze and reverse engineer an ISAPI-based service!"