ITSEC Newsletter
Posts
ITSEC Newsletter 2025-02-06

ITSEC Newsletter 2025-02-06

Henrik Falk
February 06, 2025

Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update)

Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access bugs in the kernel. The solutions proposed in the blog post were to either map an SMB file on a remote server, or abuse the Cloud Filter API. This blog isn't going to provide new solutions, instead I wanted to highlight a new feature of Windows 11 24H2 that introduces the ability to abuse the SMB file server directly on the local machine, no remote server required. This change also introduces the ability to locally exploit vulnerabilities which are of the so-called "False File Immutability" bug class.

googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-trapping.html

Further Adventures With CMPivot - Client Coercion

After learning about CMPivot’s potential for offensive operations, how much information it can pull from a client host (almost as if you’d be operating within the target itself) and more importantly for this post, how it achieves this, I always itched to go a little further than just using the queries for how they are meant to be used (i.e., data collection). This post will showcase a simple but effective way to use CMPivot to coerce authentication from an SCCM/ConfigMgr client host.

posts.specterops.io/further-adventures-with-cmpivot-client-coercion-38b878b740ac

How to prove false statements? (Part 1)

My interest was recently piqued by a new theoretical result by Khovratovich, Rothblum and Soukhanov entitled “How to Prove False Statements: Practical Attacks on Fiat-Shamir.” This is a doozy of a paper! It touches nearly every sensitive part of my brain: it urges us towards a better understanding of our theoretical models for proving security of protocols. It includes the words “practical” and “attacks” in the title! And most importantly it demonstrates a real (albeit wildly contrived) attack on the kinds of “ZK” (note: not actually ZK, more on that later) “proving systems” that we are now using inside of real systems like blockchains.

blog.cryptographyengineering.com/2025/02/04/how-to-prove-false-statements-part-1