Introduction: Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with “Vulnerability Researcher”, presumably a holdover from the early 2000s, when bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However, nowadays, with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, arguably more so than the exploitation process.
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
VanHelsing RaaS: In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Reputable affiliates can […]
Why hack one device, when you can hack all of them? By reverse-engineering and finding vulnerabilities in user-machine association flows for smart weighing machines, I was able to take over millions of internet-connected health devices. Hardware and web security are two halves of modern smart device security, and learning to hack both can yield impressive and scary results.
It’s us again!
Once again, we hear the collective groans - but we're back, and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution.
While we would enjoy a world in which we could be a little merciful - today we'll explore the painful world of blacklist-based security mechanisms. You can treat this post as a natural continuation of our CVE-2024-40711 writeup, which was written by fel
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
# !exploitable Episode Three - Devfile Adventures
18 Mar 2025 - Posted by Francesco Lacerenza
## Introduction
I know, we have written it multiple times now, but in case you are just tuning in, Doyensec had found themselves on a cruise ship touring the Mediterranean for our company retreat. To...
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’.
Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, and so had to get my teeth into things quickly.
Two primary goals were clear:
1. Look at something completely new - I quickly realized that I've never looked at any CMS solution, and so could be a fun good star
STAR Labs Windows Exploitation Challenge Writeup: Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge!
Analyzing the binary: We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode.
Important structures: There are two key structures used in this driver: handle and message entry.

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
Mar 13 2025 @ 11:24 AM
Kri Dontje
This post highlights some new research, tricks and improvements on data smuggling techniques.
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
Introduction: APT-C-36, also known as Blind Eagle, is a threat group that engages in both espionage and cybercrime. It primarily targets organizations in Colombia and other Latin American countries. Active since 2018, this Advanced Persistent Threat (APT) group focuses on government institutions, financial organizations, and critical infrastructure. Blind Eagle is known for employing […]
# Exploiting Neverwinter Nights
Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a...
# Node is a loader
Node.js supports C++ addons (also referred to as native modules). They let you extend a module's functionality with a shared object.
_Addons_ are dynamically-linked shared objects written in C++. The require() function can load addons as ordinary Node.js modules....
### Summary
A logical flaw in the pg_cron extension allows low-privileged users with ownership over pg_cron's job table or ability to change the value of cron.database_name to run arbitrary SQ...
# Case Study: How Hunters International and friends target your hypervisors
Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly...
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Simon Humbert and Guy Lederfein of the Trend Micro Research Team detail a recently patched code execution vulnerability in the Microsoft Windows Key Distribution Center (KDC) Proxy. This bug was originally discov
# !exploitable Episode Two - Enter the Matrix
04 Mar 2025 - Posted by Dennis Goodlett
## Introduction
In case you are just tuning in, Doyensec has found themselves on a
cruise ship touring the Mediterranean. Unwinding, hanging out with colleagues and having
some fun. Part 1 covered our journey...
TL;DR: In this post, I discuss the cost of Go’s panic and recover functions through a programme adapted from Joshua Bloch’s Effective Java book.
Abusing Java exceptions for control flow: Even though my Java days are long gone and Go has been my language of predilection for a while, I still occasionally revisit Effective Java, Joshua Bloch’s seminal and award-winning book, and I never fail to rediscover nuggets of wisdom in it.
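The Effective Java "exception-based loop" that the post adapts, ported to Go as an added example (this is not the post's own programme): the loop is terminated by the runtime's index-out-of-range panic and a deferred recover, beside the ordinary bounds-checked loop. The second pair of functions shows the failure mode a practitioner should care about: recover swallows every panic in the loop body, so an unrelated bug (here, an integer divide by zero in a constructed input) ends the loop early and the caller silently receives a truncated result. The timing helper and the sample slices are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// sumByRange is the ordinary loop: the bounds check is the loop condition.
func sumByRange(xs []int) int {
	total := 0
	for _, x := range xs {
		total += x
	}
	return total
}

// sumByPanic is Bloch's exception-based loop in Go: index past the end until
// the runtime raises an index-out-of-range panic, then recover. The named
// result keeps the value accumulated before the panic.
func sumByPanic(xs []int) (total int) {
	defer func() {
		_ = recover() // the out-of-range runtime.Error is what ends the loop
	}()
	for i := 0; ; i++ {
		total += xs[i]
	}
}

// sumDivByPanic shows the failure mode of the same trick: recover cannot tell
// the "expected" out-of-range panic from a genuine bug. A zero element causes
// an integer divide-by-zero panic, and the caller silently gets a partial sum.
func sumDivByPanic(xs []int) (total int) {
	defer func() {
		_ = recover()
	}()
	for i := 0; ; i++ {
		total += 100 / xs[i]
	}
}

// sumDivByRange is the explicit version: the bad input is reported, not hidden.
func sumDivByRange(xs []int) (int, error) {
	total := 0
	for i, x := range xs {
		if x == 0 {
			return 0, fmt.Errorf("element %d is zero", i)
		}
		total += 100 / x
	}
	return total, nil
}

// compare times iters calls of each strategy on a constructed slice of n ints
// and returns the total wall-clock time spent in each. Panic and recover pay a
// fixed per-call cost (unwinding, running the deferred function) that the loop
// condition never pays, so the second duration is normally far larger.
func compare(n, iters int) (rangeTime, panicTime time.Duration) {
	xs := make([]int, n)
	for i := range xs {
		xs[i] = i
	}
	start := time.Now()
	for k := 0; k < iters; k++ {
		sumByRange(xs)
	}
	rangeTime = time.Since(start)
	start = time.Now()
	for k := 0; k < iters; k++ {
		sumByPanic(xs)
	}
	panicTime = time.Since(start)
	return rangeTime, panicTime
}

func main() {
	xs := []int{1, 2, 3, 4} // constructed sample input
	fmt.Println("range:", sumByRange(xs), "panic:", sumByPanic(xs))
	fmt.Println("masked divide-by-zero:", sumDivByPanic([]int{1, 2, 0, 4}))
	if _, err := sumDivByRange([]int{1, 2, 0, 4}); err != nil {
		fmt.Println("explicit check:", err)
	}
	r, p := compare(1000, 10000)
	fmt.Printf("range loop %v, panic loop %v\n", r, p)
}
```

Both sum functions agree on well-formed input, which is exactly why the trick looks harmless; the divide-by-zero case is where the two diverge, and the ordinary loop is both cheaper and the only one that reports the problem.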
Research by: Itay Cohen (@megabeets_) Over the past few decades, hacktivism has been, in a lot of cases, characterized by minor website defacements and distributed denial-of-service (DDoS) attacks, which, while making headlines, had minimal lasting impact. However, in recent years, we have observed a significant shift in the nature of these activities. Groups that appear to […]
As an industry, we believe that we’ve come to a common consensus after 25 years of circular debates - disclosure is terrible, information is actually dangerous, it’s best that it’s not shared, and the only way to really ensure that no one ever uses information in a way that you don’t like (this part is key) is to make up terms for your way of doing things.
We have actively petitioned vendors to be more transparent, and we’re currently investing a lot of R&D time in the development of the bes
# Modeling Microarchitectural Side Channel Attacks for Fun & Profit
#### Ravichandran, Joseph
## Permalink
https://hdl.handle.net/2142/110288
## Description
Title: Modeling Microarchitectural Side Channel Attacks for Fun & Profit. Author(s): Ravichandran,...
## Discovering Novel Microarchitectural Security Vulnerabilities in Modern Processors
##### Author(s)
Ravichandran, Joseph
Download: Thesis PDF (5.729Mb)
##### Advisor
Yan, Mengjia
##### Abstract
For decades, computer security issues...
# Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav
When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an...
By: Dikla Barda, Roman Zaikin & Oded Vanunu. On February 24, Check Point Blockchain Threat Intel System observed a sophisticated attack on a DeFi protocol, Infini. Infini is a digital banking platform in the crypto space that offers its users savings yields and other financial services. The platform aims to make crypto assets more accessible […]
Introduction: While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. As a result, the attackers often aim to […]
Research by Dikla Barda, Roman Zaikin and Oded Vanunu. On February 21st, Check Point Blockchain Threat Intel System alerted on a critical attack log on the Ethereum blockchain network. The log indicated that the AI engine had identified an anomalous change in this transaction and categorized it as a critical attack in real time. It was indicated that […]
Executive Summary. Why We Care about Sandbox Emulation: As a discipline, information security involves a vast web of entry vectors, mitigations, and counter-mitigations. Among these, one of the most impactful points of conflict between attackers and defenders is what happens when binaries are subjected to sandbox emulation. Purely static analysis has been understood to be […]
Have you ever wondered how many vulnerabilities you've missed by a hair's breadth, due to a single flawed choice? We've just released Shadow Repeater, which enhances your manual testing with AI-powere
# LSA Secrets: revisiting secretsdump
When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous `secretsdump.py` script from the impacket suite...
As you may have already heard, the HIPAA Security Rule is undergoing a much-needed update. We wanted to discuss what Covered Entities and Business Associates - now referred to as “Regulated Entities” - can expect as the new rule moves through the federal register phases of the Notice of Proposed Rul
### Summary
A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary commands on the underlying OS. The commands are run as device administrator.
### Details
Palo A...
### Summary
In this report, we describe multiple vulnerabilities we discovered in Rsync.
The first pair of vulnerabilities are a [Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/cve-202...
I like PowerShell, I like it a lot! I like its versatility, its ease of use, its integration with the Windows operating system, but it also has a few features, such as AMSI, CLM, and other logging capabilities, that slow it down. You know, I’m thinking about the performance gain here. I believe my scripts could run a lot faster without them.
Can GitHub Issues Hijack Your AI? This post explores how ChatGPT Operator can be hijacked through prompt injection exploits on web pages, leading to unauthorized data leakage of personal information.
In the field of cybersecurity, vulnerability disclosure has long been regarded as a crucial step in safeguarding users. However, in practice, this process is fraught with controversy and contradictions. What truly constitutes “responsible disclosure”? When vendors dominate the public release of information and patch deployment, while security researchers invest substantial time and energy in negotiations, can this model still fulfill its intended purpose of protecting user security? In an era of rapidly advancing technology and escalating cyber threats, has the traditional vulnerability disclosure process become outdated?
In the increasingly intense offense and defense confrontation of 2024, security software has always been regarded as an important cornerstone of the corporate security defense line. However, these security softwares themselves may also have vulnerabilities and could be exploited by attackers as a springboard for intrusions to harm users. Over the years, incidents caused by security software have raised a question — can security software really be trusted?
The following is the eighth article of the “DARKNAVY INSIGHT | 2024 Annual Security Report”.
In recent years, the evolution of vulnerabilities and defense techniques has been continuous: from the days when a simple stack overflow could compromise a system, to the present day, where sophisticated techniques are necessary to bypass multiple layers of defense. The “shield” and the “spear” are in dynamic confrontation: whenever new defense measures are introduced, new attack methods emerge in response. The enhancement of defense mechanisms compels attackers to seek out new vulnerabilities, while the innovation of attack techniques propels the development of defense technologies.
Does open source guarantee that there are no backdoors?
At the 1983 Turing Award ceremony, Ken Thompson raised this question. As one of only three legends to win the Turing Award before the age of 40, he demonstrated how to hack Unix systems compiled from harmless source code by implanting backdoors in compilers, remaining a tale frequently cited by hackers to this day.
In 2024, the XZ backdoor incident resurfaced this question. Under the nose of the open-source community, attackers successfully pushed the backdoored xz-utils 5.6.1 package into official repositories of several distributions like Debian and Fedora. Fortunately, engineer Andres Freund discovered and reported the abnormal behavior of xz-utils 5.6.1 in time. Although the community effectively stopped the backdoor’s spread, this heart-stopping crisis made every open-source user rethink the trust model in collaborative development.