ITSEC Newsletter 2023-11-09

"Modern web apps are very prevalent these days, and by “modern” we mean web apps which make heavy use of JavaScript in the browser (a.k.a. the client). These apps are challenging for all security tools, including ZAP. Historically ZAP has been a MitM proxy which means it can see all of the communications between the browser and the target app, but it has not been able to see what is going on in the browser. ZAP can explore modern apps pretty effectively using the AJAX Spider and can find DOM XSS vulnerabilities by launching browsers. But we know that we could still do better, and based on our recent What Should We Focus On questionnaire we know it is your top priority too. So we have a brand new Client Side Integration add-on (also called the Client add-on for short) which helps ZAP understand what is going on inside the browser."

"In this post we're going to be taking a look at the state of contemporary kernel heap exploitation and how the new opt-in hardening feature added in the 6.6 Linux kernel, RANDOM_KMALLOC_CACHES, looks to address that. To provide some context to the problems RANDOM_KMALLOC_CACHES tries to address, we'll spend a bit of time covering the current heap exploitation meta. This actually ended up being reasonably in-depth (oops) and touches on general approaches to exploitation as well as current mitigations and techniques such as heap feng shui, cache reuse attacks, FUSE and making use of elastic objects. Armed with that information we'll then explore the new patch in detail, discuss how it addresses heap exploitation and have a bit of fun speculating how the meta might shift as a result of this."

"While reading the amazing Inline-Execute-PE by Octoberfest7, I noticed that to obtain the output from the PE being executed, the author needed to allocate a console, which results in a process being created (conhost.exe). Interestingly, the readme also states that a commercial C2 managed to avoid spawning a conhost.exe process by "fooling Windows into thinking it had a console." After reading this, I thought I might give it a try and attempt to achieve the same. This blogpost is the result of that research project, which took me three weeks of demanding work and led to some interesting results."