"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."
📝 Contents: • What is SAML? • Why should I care? • Why is SAML insecure? • Why is signing computed values dangerous? • The SAML vulnerability in practice • Why is SAML this way? • Vulnerability mitigation • How could SAML have been designed better? • More SAML weirdness • Why is SAML used if it sucks? • Action • Ignorance is bliss • Additional reading
NTLM relaying to AD CS - On certificates, printers and a little hippo 👤 by @_dirkjan
More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.
📝 Contents: • Background - the state of NTLM relaying • Exploring AD CS relaying • Abusing the obtained certificate - diving into PKINIT • Obtaining the NT hash of the impersonated computer account • Using S4U2Self to obtain access to the relayed machine • Other abuse avenues of PetitPotam • Defenses • Credits / Thanks / Tools
You should turn off autofill in your password manager 👤 by @marektoth
11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best practices, could be compromised in one mouse click by the user, allowing attackers access to plain-text saved login credentials.
📝 Contents: • Autofill • Autofill in chromium-based browsers • Abuse of the autofill? Cross-Site Scripting (XSS) • Analysis of browsers and password managers • Limitation • Script and demo • Clickjacking KeePassXC-Browser • Potential risks for users • Potential risks for companies / Recommendation for InfoSec • Recommendation • Conclusion
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909) 👤 by Bharat Jogi
"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."
📝 Contents: • About Linux Filesystem • Impact • Disclosure Timeline • Proof of Concept Video • Technical Details • Solution • Qualys Coverage • Dashboard • Vendor References • Frequently Asked Questions (FAQs)
CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT 👤 by @thezdi
The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.
📝 Contents: • The Vulnerability • Exploitation • Proof of Concept • Getting Remote Code Execution • Conclusion