Random Adventures Through Infosec

For those breaking into the industry and seasoned veterans alike



The Current State of DDE

29 Jan 2018

The Current State of DDE

Update #1 (1/29/2018): Hours after the release of this post, Matt Nelson unleashed a new technique to bypass the latest mitigation options made available by Microsoft. As a result, attackers can embed an Excel spreadsheet within OneNote in order to completely bypass the corresponding registry key intended to block DDE functionality. Furthermore, OneNote documents downloaded from external sources (e.g., the public Internet) are (still) not sandboxed by Protected View. I’ve added another item to the roadmap for my Office DDE payload generation tool, as I intend to automate this technique as well.

TL;DR: Microsoft pushed an update that disables DDE functionality within Word by default. However, this default setting can be nullified by setting a single registry key value. All other Office applications remain (relatively) vulnerable to DDE abuse attacks, but protection can be opted into by setting specific registry keys for each product.

DDE Attacks: Origin Story. The Dynamic Data Exchange (DDE) protocol exposes functionality that allows data to be transmitted and shared between applications/processes on Windows platforms. Back in 2014, James Kettle and Rohan Durve released a blog post describing the formula injection technique affecting Microsoft Excel, which can be abused in order...
Read more...

CSAW 2017 Quals - 'pilot' Writeup

23 Sep 2017

CSAW 2017 Quals - 'pilot' Writeup

Each year, the cybersecurity students of New York University (NYU) host the Cyber Security Awareness Week (CSAW) capture-the-flag (CTF) competition, the largest student-run cybersecurity event in the world. This is a jeopardy-style CTF event with a variety of challenge types and thousands of competitors, composed of both students and professionals. In this post, I’ll cover the first ‘pwn’ challenge of the competition, ‘pilot’. As the category name appropriately indicates, in order to obtain the flag, you need to pwn the target (in this case, a binary). So let’s dive in headfirst.

The challenge description provides a connection string using netcat, a very versatile networking utility (often called the “TCP/IP swiss army knife”): nc pwn.chal.csaw.io 8464

Issuing this command, we are greeted with the following output:

# nc pwn.chal.csaw.io 8464 [*]Welcome DropShip Pilot... [*]I am your assitant A.I.... [*]I will be guiding you through the tutorial.... [*]As a first step, lets learn how to land at the designated location.... [*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics... [*]Good Luck Pilot!.... [*]Location:0x7fff909878a0 [*]Command:

Dust off your Aviators and throw on your jumpsuit, we’re...
Read more...

Another 'Getting Started in Security' Post

21 Aug 2017

Another 'Getting Started in Security' Post

As stated in my “about me” page, there have been more than a few conversations that involved someone asking me how I successfully “broke” into the information security field and, more importantly, how they could as well. Although this topic has been covered quite a bit, I felt it would be beneficial to offer my two cents to others looking to follow a similar path. However, I would strongly recommend you read the following posts before diving into my content:

So, you want to work in security? by Parisa Tabriz
So you want to work in security (but are too lazy to read Parisa’s excellent essay) by Michal Zalewski
Answers on how to get started in Security by Chris Gates
How to become a pentester by Peter Van Eeckhoutte

Foundation, Foundation, Foundation. A significant portion of hacking is:

Understanding how your target operates under normal circumstances (in many cases, the implementation does not strictly abide by the intended design); and
Either manipulating the target to deviate from normal behavior or abusing the lax implementation to achieve a malicious goal.

Although certainly not a novel concept, the message is vital to becoming a successful security...
Read more...