Raul Reyes Hernandez’s Post

I have successfully completed the “TeamViewer Log Forensics” course on Cyberexam platform 🎓🔍 Thanks to this course, I gained in-depth knowledge and practical skills in analyzing TeamViewer logs and incident investigation.💻 CyberExam

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Scripting: C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a persistent cross site scripting vulnerability.

my latest vulnerability report on bugcrowed has been accepted as a P3 #bugcrowed #bugbounty

Explore the formats and importance of Scheduled Tasks in forensics with our "Investigating Windows Scheduled Tasks" course. It includes an introduction, file format exploration, and many more. #C5W #DFIR #CCDFA #Infosec For details: https://lnkd.in/eBtjhbdH

-7- Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021 - Michael Gorelik, Arnold Osipov Sometimes, a vendor releases a patch fixing a vulnerability you are working on. Disappointing, isn't it? In this talk, Michael Gorelik and Arnold Osipov show how they turned two patches for Outlook issues back into vulnerabilities! First, the focus is Outlook custom forms — a feature allowing creation of tailored messages in emails. Under the hood, forms are COM objects, defining a new form type means creating a config file for it, with a value copied to the registry specifying the COM server handler for it. So, what if we make the key point at some DLL that we control? That's immediately RCE! To block this, Outlook uses a denylist that filters out registry keys allowing RCE like `inprocserver32`, `localserver`, etc. A vulnerability from earlier this year found the denylist matching fails if you specify an absolute path rather than a relative path (so a `\CLSID\...\inprocserver32=` is a-okay!). This allows hijacking any COM object in the registry. Luckily, this vulnerability has been patched. But, remember the premise of the talk? The patch disallowed starting the path with a backslash. So what did Michael and Arnold do? Add a backslash at the end! This works because `RegCreateKeyExA` deletes the last backslash in the path. However, this happens *after* the denylist check, which passes and so we have a vulnerability! Second, the talk looks at Outlook Moniker objects—those are "smart links" in Outlook, allowing you to send emails embedding special links like Ca lender invites, Excel files, etc. Being simple pointers, it is possible for malicious actors to send emails with references to remote files, potentially leaking NTLM credentials if the user clicks them. Fortunately, Outlook blocks these links. *Unfortunately*, earlier this year it was found that if you add an exclamation mark (!) at the end of the link, Outlook blocking won't work. The reason is a bit complicated, but in short—the link is being treated as a special kind of Moniker, triggering a different flow composed of a few functions, which are vulnerable to remote file access. This vulnerability was patched by installing a hook on a certain vulnerable function at the end of the flow. The hook checks if a certain flag is set, and if so, blocks the call. The flag is set at the beginning of a function earlier in the flow. So only when the two functions are chained, the call is blocked. Notice the issue? If another Moniker flow eventually reaches the vulnerable function without passing through the first one, the flag isn't set and the patch won't work! Indeed, the researchers discovered such a flow—a link within an image tag instead of a hyperlink While a bit convoluted for someone who hasn't touched COM objects for at least a decade, this is still an eye-opening talk on the possibility of finding vulnerabilities in patches. youtu.be/GwwxeY11xMI #DEFCON #Vulnerability #Outlook

With our Nmap Command Generator, you can simply say what you need Nmap to do, and we will generate the command for you.

Just finished the course “Operating System Forensics” by Jungwoo Ryoo! Check it out: https://lnkd.in/eZrh38Xe #computerforensics.

New open-source tools are emerging that can outsmart Endpoint Detection and Response (EDR) systems, giving bad actors free reign to move undetected across your network. 🚨 Discussion Topic: How can we stay one step ahead and stop these stealthy attacks before they happen? Love to hear your thoughts in the comments.

New challenge dropped by LetsDefend, on this challenge we will learn about CVE-2023-32315 which is Openfire Path Traversal that can be escalated to RCE and by analyzing provided pcap file, we can see how it worked in practical. Here is my write-up for this challenge!

Just finished the course “Operating System Forensics” by Jungwoo Ryoo! Check it out: https://lnkd.in/gUtcWwDA #computerforensics.