ITSEC Newsletter 2025-01-02

The following post will describe some technical attacks that can sometimes be performed against NFS shares. We will talk about security features of the NFS protocol, common configuration mistakes and how to abuse them. We developed some tooling that allows us for a better understanding of the configuration of NFS endpoints discovered on the network as well as to identify and abuse certain misconfigurations. Though we didn’t perform a security audit on the NFS code and all issues identified are related to how NFS is intended to work, we informed respective projects if noteworthy misconfigurations in their default setups have been discovered.

Logging correctly LDAP queries for threats detection is trickier than it seems. Blueteam guys should be careful when setting it up. For redteam guys, here are some tips to lower the chance of detection for your LDAP queries, especially for flagged ones like the one for AS-REP roastable users.

Userland exec replaces the existing process image within the current address space with a new one. It mimics the behavior of the system call execve, but the process structures describing the process image remain unchanged. In other words, the process name reported by system utilities will retain the old process name. This technique can be used to achieve stealth after gaining arbitrary code execution. It can also be used to execute binaries stored in noexec partitions.