#windows

For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware.

# Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. # Details If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges. # PoC As a standard, non-admin user: 1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW 1. On FILE_ACTION_ADDED, check if the folder name is .be 1. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local) 1. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll) 1. Do hacker things when the engine escalates and the malicious DLL is loaded Proper naming f...

# Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. # Details If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the .be/.Local folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges. # PoC As a standard, non-admin user: 1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW 1. On FILE_ACTION_ADDED, check if the folder name is .be 1. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local) 1. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll) 1. Do hacker things when the engine escalates and the malicious DLL is loaded Proper naming f...

### Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. ### Details If the bundle is not run as admin, the user's TEMP folder is used and not the system TEMP folder. A utility is able to monitor the user's TEMP folder for changes and drop its own DLL into the **.be/<bundle>.Local** folder immediately when the .be folder is created. When the burn engine elevates, the malicious DLL receives elevated privileges. ### PoC As a standard, non-admin user: 1. Monitor the user's TEMP folder for changes using ReadDirectoryChangesW 2. On FILE_ACTION_ADDED, check if the folder name is .be 3. Create a folder in .be named after the bundle + .Local (e.g. MyInstaller.exe.Local) 4. Put the malicious COMCTL32.DLL in the .Local folder following the naming used for the real DLL (e.g. MyInstaller.exe.Local/x86_microsoft.windows.common-controls_.../COMCTL32.dll) 5. Do hacker things when the engine escalates and the malicious DLL is loaded Proper...

REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It will be held June 28th through the 30th, 2024, in Montreal, Canada.

KiTTY versions 0.76.1.13 and below suffer from a command injection vulnerability when getting a remote file through scp. It appears to leverage an ANSI escape sequence issue which is quite an interesting vector of attack.

Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”

Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.

The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling. "The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,"

We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.