πŸ”’
❌
There are new articles available, click to refresh the page.
Before yesterdayYLabs

Plung n Panda – APT Group

15 September 2022 at 14:14
By: Ylabs
Reading Time: 7 minutes β€œPlug N Panda” group (the name that has been chosen by Yarix R&D) is a newly observed group characterized by the use of Ransomware DLL sideloading (PlugX – Talisman) techniques to cover his tracks after carrying an attack and it is believed to originate from China. This APT was first observed in the first months […]

Analysis of a Command Injection in VBScript

14 July 2022 at 12:30
By: Ylabs
Reading Time: 7 minutes In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we […]

Merry Hackmas: multiple vulnerabilities in MSI’s products

16 December 2021 at 16:30
By: Ylabs
Reading Time: 2 minutes This blog post serves as an advisory for a couple MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into […]

Driver Buddy Reloaded

28 October 2021 at 15:30
By: Ylabs
Reading Time: 5 minutes As part of Yarix's continuous security research journey, during this year I’ve spent a good amount of time reverse-engineering Windows drivers and exploiting kernel-mode related vulnerabilities. While in the past there were (as far as I know), at least two good IDA plugins aiding in the reverse engineering process: DriverBuddy of NCC Group. win_driver_plugin of […]

Crucial’s MOD Utility LPE – CVE-2021-41285

30 September 2021 at 15:30
By: Ylabs
Reading Time: 7 minutes Crucial Ballistix MOD Utility is a software product that can be used to customize and control gaming systems, specifically LED colours and patterns, memory, temperature, and overclock.During my vulnerability research, I’ve discovered that this software utilizes a driver, MODAPI.sys, containing multiple vulnerabilities and allowing an attacker to achieve local privilege escalation from a low privileged […]

Homemade Fuzzing Platform Recipe

26 August 2021 at 15:30
By: Ylabs
Reading Time: 5 minutes It’s no secret that, since the beginning of the year, I’ve spent a good amount of time learning how to fuzz different Windows software, triaging crashes, filling CVE forms, writing harnesses and custom tools to aid in the process.Today I would like to sneak peek into my high-level process of designing a Homemade Fuzzing Platform, […]

Root Cause Analysis of a Printer’s Driver Vulnerability

29 July 2021 at 15:30
By: Ylabs
Reading Time: 8 minutes Last week SentinelOne disclosed a "high severity" flaw in HP, Samsung, and Xerox printer's drivers (CVE-2021-3438); the blog post highlighted a vulnerable strncpy operation with a user-controllable size parameter but it did not explain the reverse engineering nor the exploitation phase of the issue. With this blog post, I would like to analyse the vulnerability […]

Reverse Engineering & Exploiting Dell CVE-2021-21551

20 May 2021 at 15:30
By: Ylabs
Reading Time: 11 minutes At the beginning of the month, Sentinel One disclosed five high severity vulnerabilities in Dell’s firmware update driver.As the described vulnerability appeared not too complicated to exploit, a lot of fellow security researchers started weaponizing it. I was one of, if not the first tweeting about weaponizing it into a _SEP_TOKEN_PRIVILEGES overwrite exploit, and with […]

Chaining Bugs: NVIDIA GeForce Experience (GFE) Command Execution

13 May 2021 at 15:30
By: Ylabs
Reading Time: 5 minutes NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created using NT AUTHORITY\SYSTEM level permissions, which lead to Command Execution and Elevation of Privileges (EoP). NVIDIA Security Bulletin – April 2021 NVIDIA Acknowledgements Page Introduction Some time ago I was looking for […]

Malware Analysis: Ragnarok Ransomware

29 April 2021 at 15:30
By: Ylabs
Reading Time: 11 minutes The analysed sample is a malware employed by the Threat Actor known as Ragnarok. The ransomware is responsible for files’ encryption and it is typically executed, by the actors themselves, on the compromised machines. The name of the analysed executable is xs_high.exe, but others have been found used by the same ransomware family (such as […]
  • There are no more articles
❌