Introducing Goffloader: A Pure Go Implementation of an In-Memory COFFLoader and PE Loader
We are excited to announce the release of Goffloader, a pure Go implementation of an in-memory COFFLoader and PE loader. This tool is designed to facilitate the easy execution of Cobalt Strike BOFs and unmanaged PE files directly in memory without writing any files to disk. Goffloader aims to take ...
Understanding the Impact of the new Apache Struts File Upload Vulnerability
Introduction Recently, researcher Steven Seeley discovered a way to abuse the popular Apache Struts framework’s file upload functionality to achieve remote code execution. This bug, known as CVE-2023-50164, has been assigned a 9.8 CVSS score. No doubt this is causing some security practitioners to have flashbacks of the “good times” ...
Signing and Encrypting with JSON Web Tokens
Cryptographic weaknesses often arise in applications when the core security concepts are misunderstood or misused by developers. For this reason, a thorough review of all cryptographic implementations can be a juicy target when designing an application or starting a security assessment. Often, cryptography is used in the context of communication ...
Computer Account Relaying Vulnerabilities Part 2
Overview Recently, I’ve been working on writing a custom SMB client that implements the initial handshake and NTLM authentication functionality to perform port fingerprinting within Chariot Identify, our attack surface management product. While reading through the SMB specification, I got to thinking about Computer AdminTo Computer vulnerabilities we have exploited ...
Guest who? Insecure Azure Defaults!
Introduction Azure has an insecure default guest user setting, and your organization is probably using it. The default settings Azure provides would allow any user within the organization (including guest users) to invite guest users from any domain, bypassing any central identity management solutions (e.g. Okta, Auth0) and onboarding processes ...
Hunting for Spring Core Exploitation
Background On March 30, 2022, Praetorian published remediation details for a remote code execution vulnerability for Spring Core on JDK9+ (CVE-2022-22965). A patch for vulnerable systems is now available and Praetorian has notified those affected through our Chariot offering. Hunting Opportunities Covering all our bases this early in the disclosure ...
Spring Core on JDK9+ is vulnerable to remote code execution
Overview Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share ...
Always Be Modeling: How to Threat Model Effectively
Introduction At Praetorian, we believe that good security advisors always dedicate the start of a security assessment toward understanding your product’s threat landscape. This is why we perform a baseline threat model before every engagement, including those that do not explicitly contain an in-depth threat model analysis. A baseline threat ...
New Chariot Module Nosey Parker Released: An Artificial Intelligence Based Secrets Scanner That Out Sniffs the Competition
Motivation Sensitive information like passwords, API keys, access tokens, asymmetric private keys, client secrets and credentials are critical components of a secure internet. Virtually any programmatic task involving authentication or security requires developers to work with this kind of data. Unfortunately, this means that such secrets invariably find their way ...
23 and Me: Offensive DNA and Nuclei Templates
As part of our launch of the Chariot platform, we have developed twenty-three Nuclei templates to identify new issues or exposures within external attack surfaces that we want to share back with the security community. Nuclei is an extremely powerful vulnerability scanner from ProjectDiscovery that leverages a YAML-based domain-specific language ...