James Forshaw
@tiraniddo
United Kingdom

Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc. nostarch.com/networkprotoco….

4,729 Tweets
361 Following
31,115 Followers

Tweets

James Forshaw Retweeted

Yarden Shafir
@yarden_shafir
2 Feb

Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't.
@aionescu and I wrote about these!
windows-internals.com/dkom-now-with-…

James Forshaw Retweeted

SandboxEscaper
@SandboxBear
31 Jan

I hope my last 3 write-ups have covered the subject of filesystem bugs enough. It talks about discovery using procmon, and also poc writing now. You can just copy paste from the poc on github for a lot of bugs I guess. I hope it helps get at least one person into the field.

James Forshaw
@tiraniddo
1 Feb

You're just jealous you wouldn't be able to take part.

James Forshaw
@tiraniddo
31 Jan

I'm pretty sure the UK government also consider them an espionage threat, but are just more pragmatic. And no doubt we'll do a u-turn when we're begging the US for any sort of trade deal once the Tory scum need to find a way to make it look like Brexit was worth it.

James Forshaw
@tiraniddo
30 Jan

ProcessWow64Information NtQueryInformationProcess info class?

James Forshaw Retweeted

j00ru//vx
@j00ru
30 Jan

Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy! googleprojectzero.blogspot.com/2020/01/part-i…

James Forshaw
@tiraniddo
30 Jan

Pot, meet Kettle...

James Forshaw
@tiraniddo
30 Jan

A quick post on why you shouldn't use SYSTEM Tokens when you sandbox a process. Part 1 of N (where I haven't decided how big N is). tiraniddo.dev/2020/01/dont-u…

James Forshaw Retweeted

nedwill
@NedWilliamson
29 Jan

Excited to start the new year with CVE-2020-3842 :) It's a fun one and unlike the other bugs I reported so far so I'm looking forward to (responsibly) disclosing it. support.apple.com/en-us/HT210918

James Forshaw Retweeted

Bill Pollock -- shmooooocon
@billpollock
28 Jan

Time for a sale! nostarch.com/catalog/securi… @nostarch

James Forshaw
@tiraniddo
28 Jan

But I'm sure someone got promoted, so there's that.

James Forshaw
@tiraniddo
28 Jan

Yup. MS Windows QA (or lack thereof) strikes again.

James Forshaw
@tiraniddo
27 Jan

Whatever you do don't run the PS/NtObjectManager command '[NtApiDotNet.CreateUserProcess]::Fork("IgnoreSectionObject", 0)' on Windows 10 1909. I did and I was very sad, so just don't!

James Forshaw
@tiraniddo
27 Jan

You fitted the plug yourself, quite literally. Or you put a screwdriver into the Earth Pin to lift the protection gate and carefully inserted the bare wire ;-)

James Forshaw
@tiraniddo
26 Jan

There's always something about classes with Security in the name which seem to do the opposite ;-)

James Forshaw
@tiraniddo
26 Jan

In the kernel you have an additional option, you can specify IO_STOP_ON_SYMLINK to IoCreateFileEx to stop the open if it encounters a reparse point. There's also the undocumented OBJ_DONT_REPARSE OBJECT_ATTRIBUTES flag, but that even stops on parsing the drive letter symlink :/

James Forshaw
@tiraniddo
26 Jan

Doing impersonation correctly helps massively ;-) But other techniques to mitigate are post-open checking of the resource location (if it's not what you expected there's probably a symlink involved) or checking the link count on the file (for hardlinks).
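
The two replies above name a kernel-side option (IO_STOP_ON_SYMLINK / OBJ_DONT_REPARSE) and two user-mode mitigations: check where an open actually landed, and check the file's link count. The following is an added example, not code from this page or Forshaw's own; it shows the two user-mode checks in plain PowerShell via P/Invoke to the documented kernel32 calls GetFinalPathNameByHandleW and GetFileInformationByHandle, rather than his NtObjectManager module. It assumes a Windows host; the function name Test-FileOpenedSafely and the sample paths in the comments are my own. The important property is ordering: the file is opened first and every check is made on the resulting handle, so an attacker cannot swap a link in between the check and the use.

```powershell
# Added example: post-open validation of a file handle against symbolic-link and
# hard-link redirection. Not from the original page. Windows only.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct BY_HANDLE_FILE_INFORMATION {
    public uint FileAttributes;
    public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastAccessTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWriteTime;
    public uint VolumeSerialNumber;
    public uint FileSizeHigh;
    public uint FileSizeLow;
    public uint NumberOfLinks;   // how many directory entries name this file
    public uint FileIndexHigh;
    public uint FileIndexLow;
}

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetFileInformationByHandle(
    IntPtr hFile, out BY_HANDLE_FILE_INFORMATION lpFileInformation);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetFinalPathNameByHandleW(
    IntPtr hFile, System.Text.StringBuilder lpszFilePath, uint cchFilePath, uint dwFlags);
'@

function Test-FileOpenedSafely {
    # Hypothetical helper name (assumption, not an API). Opens $Path, then reports
    # whether the handle refers to the path we asked for and whether the file has
    # more than one name on disk.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$AllowHardLinks
    )

    # What the caller expects the open to land on, in canonical form.
    $expected = [System.IO.Path]::GetFullPath($Path)

    # Open FIRST. Everything below inspects the handle, not the path string, so a
    # link planted between "check" and "use" cannot change the answer.
    $fs = [System.IO.File]::Open($expected, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    try {
        $h = $fs.SafeFileHandle.DangerousGetHandle()

        # Check 1: where did the open really land? A symlink, junction or mount point
        # anywhere in the path shows up as a final path that differs from $expected.
        $buf = New-Object System.Text.StringBuilder 32768
        $len = [Win32.Native]::GetFinalPathNameByHandleW($h, $buf, [uint32]$buf.Capacity, 0)
        if ($len -eq 0 -or $len -ge $buf.Capacity) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetFinalPathNameByHandleW failed (Win32 error $err)"
        }
        # dwFlags 0 = FILE_NAME_NORMALIZED | VOLUME_NAME_DOS, which yields a \\?\ prefix;
        # strip it (and \\?\UNC\ back to \\) so it compares like an ordinary path.
        $final = $buf.ToString() -replace '^\\\\\?\\UNC\\', '\\' -replace '^\\\\\?\\', ''

        # Check 2: how many names does this file have? A hard link created by an
        # attacker gives a privileged target a second name under a path we trust.
        $info = New-Object 'Win32.Native+BY_HANDLE_FILE_INFORMATION'
        if (-not [Win32.Native]::GetFileInformationByHandle($h, [ref]$info)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetFileInformationByHandle failed (Win32 error $err)"
        }

        $pathMatches = [string]::Equals($expected, $final, [System.StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Requested   = $expected
            Resolved    = $final
            PathMatches = $pathMatches
            LinkCount   = $info.NumberOfLinks
            Safe        = $pathMatches -and ($AllowHardLinks -or $info.NumberOfLinks -eq 1)
        }
    }
    finally {
        # In real code the handle would be kept and used only if Safe is true;
        # here we only report, so release it.
        $fs.Dispose()
    }
}

# Constructed usage (paths are examples):
#   New-Item -ItemType HardLink     -Path C:\temp\hl.txt   -Target C:\temp\real.txt
#   New-Item -ItemType SymbolicLink -Path C:\temp\link.txt -Target C:\Windows\win.ini
#   Test-FileOpenedSafely C:\temp\link.txt
#   Test-FileOpenedSafely C:\temp\hl.txt
```

With the constructed links above, the symlink case is caught by the first check (Resolved points into C:\Windows, not C:\temp) and the hard link by the second (LinkCount is 2). Two caveats a practitioner should keep in mind: the final-path comparison can legitimately differ from what was requested (subst or mapped drives, volume mount points, DFS), so the expected value should be produced by the same canonicalisation the comparison uses; and neither check replaces Forshaw's first point, impersonation, which removes the privilege gap rather than detecting its abuse. There is no user-mode equivalent of the IO_STOP_ON_SYMLINK option from the kernel tweet: FILE_FLAG_OPEN_REPARSE_POINT only affects the final path component, so intermediate reparse points are still followed.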

James Forshaw Retweeted

Julio Ureña
@JulioUrena
25 Jan

Just finished the writeup for my learning process to replicate the CVE-2019-19470, I also published the source code for exploit and a Masquerade-PEB C#. Hope you enjoy! plaintext.do/CVE-2019-19470… twitter.com/JulioUrena/sta…

James Forshaw
@tiraniddo
26 Jan

Shame, .NET serialization gadgets are meant to be free :-D. Still wouldn't surprise me if @thezdi said to take it down as there are rules on what you're supposed to share, even after the fix. But we can all surmise it's a WCF DataContract to BinFmt gadget ;-)

James Forshaw Retweeted

Bill Pollock -- shmooooocon
@billpollock
24 Jan

Advance copy. Coming soon! @nostarch pic.twitter.com/Ztp3gnEQ6l