Will Dormann
I play with vulnerabilities and exploits. @wdormann@infosec.exchange
Aug 28, 2023 7 tweets 5 min read
A note about what's going on here.
1) Word will render HTML (including MHT) content regardless of what comes before it. Plain text plays nicest.
2) When MHT content includes a <link rel=Edit-Time-Data> object that points to an undocumented ActiveMime blob, there's your Macro!
Note that the normal MotW-enabled Macro protections remain in place. (Macros on files from the internet aren't allowed these days)
The original MHT document has two obvious obfuscations.
1) The Edit-Time-Data link is URL encoded.
2) Its target is littered with extra spaces.
🤷‍♂️
Edit-Time-Data link from the MHT content: %63%58%59%74%4C%76%6D%66%55%5F%66%69%6C%65%73%2F%69%6D%61%67%65%33%38%32%30%31%31%34%2E%6A%70%67 decodes to cXYtLvmfU_files/image3820114.jpg
cXYtLvmfU_files/image3820114.jpg MIME section, with lots of extra spaces added.
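One way to flag both obfuscations described above when triaging MHT content, as an added example that is not from the thread: the sample MHT is constructed (only the percent-encoded href and its decoded file name are taken from the thread), and the target-part check relies on ActiveMime containers starting with the ASCII marker "ActiveMime".

```python
import re
from email import message_from_string
from urllib.parse import unquote

# Constructed sample (not from the thread): the href and its decoded name are the ones the
# thread shows; the part's Content-Location is padded and its body is a dummy ActiveMime stub.
ENCODED_HREF = ("%63%58%59%74%4C%76%6D%66%55%5F%66%69%6C%65%73%2F"
                "%69%6D%61%67%65%33%38%32%30%31%31%34%2E%6A%70%67")
SAMPLE_MHT = f"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Type: text/html; charset="us-ascii"

<html><head><link rel=Edit-Time-Data href="{ENCODED_HREF}"></head></html>

------=_NextPart_01
Content-Location: cXYtLvmfU_files/   image3820114.jpg
Content-Type: application/octet-stream

ActiveMime
------=_NextPart_01--
"""
LINK_RE = re.compile(r'<link\s[^>]*rel=["\']?Edit-Time-Data["\']?[^>]*href=["\']?([^"\'\s>]+)', re.I)

def edit_time_data_targets(mht_text):
    # (raw href, percent-decoded href) for every Edit-Time-Data link in the HTML parts
    hits = []
    for part in message_from_string(mht_text).walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            hits += [(raw, unquote(raw)) for raw in LINK_RE.findall(html)]
    return hits

def assess(mht_text):
    # Index MIME parts by Content-Location with all whitespace removed, so a target
    # name padded with spaces still matches the decoded href.
    parts = {re.sub(r"\s+", "", p["Content-Location"]): (p["Content-Location"], p.get_payload(decode=True) or b"")
             for p in message_from_string(mht_text).walk() if p["Content-Location"]}
    findings = []
    for raw, decoded in edit_time_data_targets(mht_text):
        if raw != decoded:
            findings.append(f"percent-encoded Edit-Time-Data href -> {decoded}")
        loc, body = parts.get(decoded, ("<missing>", b""))
        if loc != decoded:
            findings.append(f"target Content-Location differs from decoded href: {loc!r}")
        if body.startswith(b"ActiveMime"):
            findings.append("target body is an ActiveMime blob (macro container)")
    return findings
```

Running `assess(SAMPLE_MHT)` reports all three traits; a benign Word-saved MHT with a plain href and an exact Content-Location match produces only the ActiveMime finding if an edit-time blob is present at all.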
Jul 21, 2023 24 tweets 10 min read
This complex CVE-2023-36884 exploit chain that some of us are looking at...
I can't tell if it's a decoy, or is nonsense written by ChatGPT, or triggers a new vulnerability but is otherwise broken, or has an 0day exploit that is not reached, or is the real deal.
Thoughts? 🤔 I've not ruled out "Real", but for the life of me I can't get the exploit chain to work in its entirety.
Between what BlackBerry and Volexity describe, there are both parts missing, a bit of hand-waving, and some parts that simply seem broken.
BUT, let's look at the end parts...
Mar 30, 2023 5 tweets 3 min read
Anybody poking at this 3CX thing, check out news.sophos.com/en-us/2023/03/…

Value-added ffmpeg.dll has code added to DllMain() that causes d3dcompiler_47.dll to be loaded, and decrypted payload is decoded from there.
Wide string "AVMonitorRefreshEvent" is *not* in legit ffmpeg.dll.
Similarly, the malicious ffmpeg.dll will have the wide string "d3dcompiler_47.dll" in it, whereas the legit ffmpeg.dll does not.
Because, why should it? 😀
R:\wildcard\3cx>strings ffmpeg.dll | findstr /c:d3dcompiler_
Mar 29, 2023 5 tweets 3 min read
Speaking of avoiding Outlook...
Has anybody else noticed trouble recently with M365's Oauth2 authentication for SMTP, with Thunderbird at least?
IMAP seems fine, FWIW.
Login to server smtp.office365.com with username <emailaddress> failed.
This may be Thunderbird-specific, as Apple Mail seems to work fine.
Mar 15, 2023 12 tweets 6 min read
Folks poking at CVE-2023-23397 ...
I can't seem to send any kind of calendar invite that's generated by MsgKit.
Microsoft Outlook reports:
Cannot send this meeting request.

You don't need an actual Exchange server to send such an invite do you??
And just to clarify, even just taking the simplest sort of calendar invite MSG from MsgKit and attempting to save it as anything else (.ics, .vcs) w/ Outlook results in the same sort of error message. No SMTP / Exchange transport involved.
/me clicks "No" and waits for a solution
Mar 7, 2023 6 tweets 3 min read
The Microsoft update for CVE-2023-21716 was updated to suggest configuring Outlook to read mail in plain text as opposed to "Rich Text".
But despite calling it "Rich Text", Outlook doesn't use RTF for emails. It's TNEF.
Anyone know why this advice was added?
Spaghetti + Wall?
Ok, yeah, thx to @jduck TNEF does indeed include compressed RTF data in it.
Now about that "Use Microsoft Outlook to reduce the risk of users opening RTF Files" part... 🤔
Jan 15, 2023 48 tweets 39 min read
Hey, Google's gotta make money somehow, yah know?
virustotal.com/gui/file/2de68…
This is probably crazy, but hear me out...
What if, before Google pushes a paid advertisement link at customers, they checked with the Google-owned VirusTotal site to confirm that the site isn't distributing known malware?
You know, to at least pretend that they care...
🤔
Nov 29, 2022 8 tweets 5 min read
This is an EXCELLENT companion to my "Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor" filter.
No need to do any of the work yourself. Let Spartacus do it for you!
vuls.cert.org/confluence/dis…
And now that I think about it, programmatic parsing of PML files and checking of filesystem ACLs can make the whole process of finding privilege escalation vulnerabilities on Windows require fewer brain cells.
This is more powerful than simply looking for not-found FileOpens
🤔
Oct 18, 2022 22 tweets 8 min read
Answer me this, Twitter brain:
Why would the presence of an Authenticode signature that is both inherently invalid, and also definitely for different content, cause Windows to skip SmartScreen or other warning dialogs before executing a .JS file?
MotW is present in both cases. Can we do the same trick with a signed EXE file?
Sure! Why not?
We have a VM without internet connectivity, so we'll see a SmartScreen warning when we know it's being checked.
Signed calcxp.exe - ✅ (Checked w/ SmartScreen)
Modified a byte in sig - ❌ (No SmartScreen check)
😱
Sep 16, 2022 41 tweets 22 min read
The Microsoft recommended driver block rules page states that the driver block list "is applied to" HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe the docs.
docs.microsoft.com/en-us/windows/…
The GUI for "Microsoft Vulnerable Driver Blocklist" isn't present unless you're running the "Dev Channel" Insider Preview for Windows 11.
Yet the documentation for Microsoft recommended driver block rules says that it gets applied to HVCI-enabled Win10.
Aug 11, 2022 6 tweets 4 min read
Re: Cisco
I'd love to see everything go the un-phishable/un-fatigueable FIDO route.
Did you know that (at least with Chrome), you can use a MacBook's Touch ID sensor as a FIDO device?
And you don't need to enable OS-level unlocking, if that weirds you out.
stevemar.net/touch-id-as-a-…
Let's take Microsoft 365, which I'm confident that several people use.
Surely they support FIDO MFA for logging in, right?
Oh...
It seems like we've got a long way to go here, huh?
Jul 5, 2022 8 tweets 3 min read
Even with "clever" vulnerabilities that one may discover, it's probably safe to assume that you're not the only person in the universe that knows about it.
But when you (yet again) accidentally find one that you weren't even looking for...
For what it's worth, I downloaded ~100 recent ZIP samples from VirusTotal that had a positive detection and a LNK in them.
NONE of them used this technique for avoiding the MotW being written.
So I suppose that's good news for defenders that it's seemingly not being used in wild.
Jul 5, 2022 5 tweets 3 min read
What size of a dumpster fire does the ISO + LNK (or other) combo need to reach before something is done about it?
The oldest macOS copy I have handy understands that ISO contents should be treated the same as the ISO itself.
Mojave: EOL'd last year
Win11: Latest Insider Preview
The ISO in question here takes advantage of several default behaviors:
1) MotW doesn't get applied to ISO contents
2) Hidden files aren't displayed
3) .LNK file extensions are always hidden, regardless of the Explorer preference to hide known file extensions.
May 30, 2022 17 tweets 9 min read
OK, now that I have access to a computer, let's take a look at this Office 0day that folks are talking about.
It's very similar to the MSHTML CVE-2021-40444 vul from September:
1) Use of '!' at the end of the retrieved URI
2) Size of retrieved HTML must be 4096 bytes or larger
The important difference is that this variant still works.
Let's look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates.
Apr 26, 2022 6 tweets 4 min read
Yeah, so KrbRelayUp works quite swimmingly.
All an attacker needs is the ability to run code on a domain-joined host, and the result is that you get SYSTEM on that machine.
If "Domain Controller: LDAP server signing requirements" is set to "Require signing", this appears to block the exploit at the stage of relaying kerberos authentication to LDAP.
Apr 7, 2022 6 tweets 3 min read
WatchGuard: "For the sake of not guiding potential threat actors... we are not sharing technical details about these flaws"
FBI: Threat Actors are using this in the wild.
WG 9.5 months after release: CVE-2022-23176
arstechnica.com/information-te… Why is this poor vendor behavior?
When an update is released people can compare the before- and after-patch code to see what has changed, exposing the vulnerability.
If things like CVE/CVSS are skipped, attackers have all that they need and defenders have nothing.
DON'T DO THIS!
Mar 31, 2022 11 tweets 7 min read
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone:
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
Mar 30, 2022 4 tweets 3 min read
OK, where are we with Spring stuff?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
Mar 16, 2022 4 tweets 2 min read
Oh, this is good.
Think you're typing into a pop-up window? Make sure that you try to drag it OUTSIDE OF the content area of the page first.
Surely normal human beings do this. But wait!
We security folks know that the content area of a browser is 100% under control of somebody else. We wouldn't design a system where a user must visually verify something within this space, right?
Let's look at a site that is apparently popular for some reason: Pinterest
Feb 23, 2022 5 tweets 3 min read
If you enabled Extended Protection for Authentication (EPA) for your AD CS server this summer to protect against PetitPotam, good for you.
If you haven't, well, I've got some bad news for you...
Nothing more than a system on the same (V)LAN as a domain-joined host is required. No password knowledge necessary.
By using mitm6 + krbrelayx to relay a kerberos ticket to an AD CS that hasn't been locked down, we get a certificate that can get us to Domain Admin.
Dec 13, 2021 5 tweets 3 min read
I cannot stress how wrong the NVD / Mitre entry is for CVE-2021-44228.
The fact that you're running a current JRE version does NOT protect against RCE with log4j!
How did the CVE entry get to be wrong?
Two days ago, @iamamoose corrected the vulnerability description in CVE: github.com/CVEProject/cve…
12 hours ago, the fix was reverted so that it's incorrect again:
github.com/CVEProject/cve…
Can anybody explain to my simple brain why?