James Forshaw

@tiraniddo

Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc.

United Kingdom
Joined: July 2009

Media

  1. 19 Jan

    Thanks , for saving me from an evil PCAP!🤷‍♀️

    An error from Google Drive showing that a PCAP with an example of MS08-067 has been blocked.
  2. 7 Jan

    For anyone interested in my presentation on Local RPC in .NET the HITB version is now up on YouTube.

  3. 20 Dec 2019

    Interestingly simple bug and a good demonstration of the difficulty of working out the security of COM services. Although I'd be wrong not to plug at this point as it'll show you the Launch Permissions + Integrity Level :-)

  4. 5 Dec 2019

    Interesting AppLocker security feature. If you enable the default DLL rules on an up to date Win10 your users can no longer download any executable file in any common web browser. Can you guess why?

    Edge browser window showing downloading Edge Canary is a virus.
  5. 8 Nov 2019
    Replying to a user
  6. 7 Nov 2019

    Not seen these before. Token security attributes which indicate if a process has been UAC auto elevated (LUA://HdAutoAp) and whether it's descended from an auto elevated app (LUA://DecHdAutoAp). Might be useful for detecting the results of UAC bypasses in the wild.

    View of access token of auto elevated task manager process showing security attributes LUA://HdAutoAp which indicates the process was auto elevated by UAC and LUA://DecHdAutoAp which is inherited across process creation and indicates processes which are descended from UAC auto elevated applications.
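The check the tweet suggests, written out as an added example (this is editor-supplied code, not code from the original tweets or from NtObjectManager's documentation). It assumes the NtObjectManager PowerShell module is installed and that it exposes `Get-NtProcess`, `Get-NtToken -Process` and an `NtToken.SecurityAttributes` property listing the token's security attributes by name; the attribute names `LUA://HdAutoAp` and `LUA://DecHdAutoAp` are the ones shown in the screenshot. Run it from an elevated shell so that the tokens of High IL processes can be opened.

```powershell
# Added example (not from the original tweets). Assumes the NtObjectManager
# module (Install-Module NtObjectManager) is available on a Windows 10 host.
Import-Module NtObjectManager

$AutoElevatedAttr = 'LUA://HdAutoAp'     # set on the auto-elevated process itself
$DescendantAttr   = 'LUA://DecHdAutoAp'  # inherited by children of such a process

function Get-UacAutoElevatedProcess {
    # Walk every process we can open, take its primary token and report the two
    # UAC attributes together with the integrity level for context.
    foreach ($proc in Get-NtProcess -Access QueryLimitedInformation) {
        try {
            # Assumption: Get-NtToken -Process opens the process's primary token.
            $token = Get-NtToken -Process $proc -Access Query
        } catch {
            $proc.Dispose()
            continue   # protected process or one we lack rights to, skip it
        }
        try {
            # Assumption: SecurityAttributes yields objects with a Name property.
            $names      = @($token.SecurityAttributes | ForEach-Object { $_.Name })
            $direct     = $names -contains $AutoElevatedAttr
            $descendant = $names -contains $DescendantAttr
            if ($direct -or $descendant) {
                [PSCustomObject]@{
                    Pid            = $proc.ProcessId
                    Name           = $proc.Name
                    IntegrityLevel = $token.IntegrityLevel
                    AutoElevated   = $direct
                    Descendant     = $descendant
                }
            }
        } finally {
            $token.Dispose()
            $proc.Dispose()
        }
    }
}

# Triage heuristic: a High IL process that carries the descendant attribute but
# is not itself marked as auto-elevated was spawned by something that got
# elevated without a consent prompt. That is the shape a UAC bypass leaves
# behind, so those rows deserve a second look.
Get-UacAutoElevatedProcess |
    Where-Object { $_.Descendant -and -not $_.AutoElevated } |
    Format-Table -AutoSize
```

Legitimate elevated children (for example a tool launched from an elevated Task Manager) will also show up in the filtered output, so treat it as a starting point for investigation rather than an alert on its own.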
  7. 28 Oct 2019

    Impressed that when Microsoft said there are no new APIs in 1909 vs 1903 they seem accurate from an RPC attack surface perspective. Only 1 new server, and one new function in the AppX Deployment Server that I could identify. Of course might be deeper changes I can't detect.

    Using NtObjectManager Compare-RpcServer to compare RPC servers on Windows 10 1903 to 1909.
  8. 7 Oct 2019
    Replying to a user

    Have you configured symbols? You'll need a copy of DBGHELP.DLL from WinDBG to get remote symbols, see the screenshot. OVDN comes with a limited set of pre-cached symbols but every time MS updates the COM libraries the offsets move. Also, can your user open the PID?

  9. 23 Sep 2019
    Replying to users

    You can't assign an explicit IL to a file/key which is higher than your own IL. Relabel privilege bypasses that security check. I doubt it's something that useful, most of the time it's a service token with it which already has system IL.

    Demonstration of using relabel privilege.
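The behaviour described in the reply, as an added example (editor-supplied, not the demonstration from the original screenshot). It assumes NtObjectManager is installed and provides `Get-NtToken -Primary`, a `Privileges` collection with `Name` entries, and `Enable-NtTokenPrivilege`; `icacls` and the file label format it prints are standard Windows. Run it once from a normal Medium IL shell and once under a token that holds SeRelabelPrivilege (for example a SYSTEM service token) to see the difference.

```powershell
# Added example (not from the original thread). Assumes NtObjectManager is
# installed; icacls ships with Windows.
Import-Module NtObjectManager

# Constructed sample file to relabel.
$path = Join-Path $env:TEMP 'relabel-demo.txt'
Set-Content -Path $path -Value 'constructed sample file'

function Get-FileIntegrityLevel([string]$p) {
    # icacls prints an entry such as "Mandatory Label\High Mandatory Level:(NW)"
    # for a file with an explicit label; no such line means the file carries no
    # explicit label and is treated as Medium.
    $out = icacls $p 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Medium (no explicit label)'
}

$token = Get-NtToken -Primary
"Caller IL          : $($token.IntegrityLevel)"
"Label before       : $(Get-FileIntegrityLevel $path)"

# Attempt 1: set a label above the caller's own IL. From a Medium IL token the
# kernel refuses this, so the label is unchanged (icacls reports Access denied).
icacls $path /setintegritylevel H 2>&1 | Out-Null
"After plain attempt: $(Get-FileIntegrityLevel $path)"

# Attempt 2: enable SeRelabelPrivilege, which bypasses that check, and retry.
# The privilege must already be present in the token; it cannot be added here.
# Assumption: Privileges entries expose the privilege name as .Name.
if (@($token.Privileges | ForEach-Object { $_.Name }) -contains 'SeRelabelPrivilege') {
    Enable-NtTokenPrivilege SeRelabelPrivilege
    icacls $path /setintegritylevel H 2>&1 | Out-Null
    "After relabel      : $(Get-FileIntegrityLevel $path)"
} else {
    "Token does not hold SeRelabelPrivilege; relabel attempt skipped."
}
$token.Dispose()
```

The second branch only does anything under a token that was granted the privilege, which is the point of the reply: in practice that is usually a service token that is already at System IL, so the bypass buys little.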
  10. 19 Sep 2019

    I wonder if it's possible for in Canary Wharf to be any more condescending about comic books and the people who read them. If you believe Wikipedia the term "Graphic Novel" seems to have been around for at least 60 years, and no doubt before that.

    Sign in Waterstones Canary Wharf which says "They're called graphic novels now" and continue to complain about superheroes.
  11. 10 Sep 2019
    Replying to a user

    A quick check with Diaphora looks like it was probably a ref-counting/memory safety hazard issue. No doubt fuzzed. Think I'm off the hook 😂

  12. 10 Sep 2019
    Replying to users and a number of other users:

    Of course if you proceed to install Python then the alias changes to point to the installed store package. The DesktopAppInstaller is some Store crapware which MS have pushed out, it could very easily add new 'aliases' to get you to install stuff from the Store in the future.

  13. 10 Sep 2019

    It's an execution alias. It's not _really_ a 0 byte file, it's a reparse point which is handled specially by CreateProcess. My Get-ExecutionAlias cmdlet gives you more info such as the package that gets started (Microsoft.DesktopAppInstaller).
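A way to confirm the reparse-point claim yourself, as an added example (editor-supplied, not code from the original tweet). It uses only built-in Windows tooling: the file's `ReparsePoint` attribute and `fsutil reparsepoint query`, which prints the reparse tag; the tag value 0x8000001b (IO_REPARSE_TAG_APPEXECLINK) is the documented tag for app execution aliases. The `python.exe` alias path under the per-user WindowsApps folder is assumed to exist on the test machine.

```powershell
# Added example (not from the original tweet). Needs no extra modules.
$AppExecLinkTag = 0x8000001b   # IO_REPARSE_TAG_APPEXECLINK

function Test-ExecutionAlias([string]$path) {
    # Returns an object describing whether the path is an app execution alias:
    # a 0-byte file that carries the ReparsePoint attribute and the AppExecLink tag.
    $item = Get-Item -LiteralPath $path -ErrorAction Stop
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    $tag = $null
    if ($isReparse) {
        # fsutil prints a line like "Reparse Tag Value : 0x8000001b".
        $out = fsutil reparsepoint query $path 2>&1 | Out-String
        if ($out -match 'Reparse Tag Value\s*:\s*0x([0-9a-fA-F]+)') {
            $tag = [Convert]::ToUInt32($Matches[1], 16)
        }
    }
    [PSCustomObject]@{
        Path           = $path
        Length         = $item.Length
        IsReparsePoint = $isReparse
        ReparseTag     = if ($null -ne $tag) { '0x{0:x8}' -f $tag } else { $null }
        IsExecAlias    = ($null -ne $tag) -and ($tag -eq $AppExecLinkTag)
    }
}

# Assumed path of the Python execution alias (present on Windows 10 1903+
# when the Store "python" alias is enabled in App execution aliases).
$alias = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps\python.exe'
Test-ExecutionAlias $alias | Format-List
```

A plain executable reports `IsReparsePoint` false and a non-zero `Length`; the alias reports a zero length, the reparse attribute and the AppExecLink tag, which is why `Get-Content` on it shows nothing while `CreateProcess` still launches the Store package.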

  14. 29 Aug 2019
    Replying to users

    I thought they were hammering Linux for FAT32 patents, not exFAT. Of course those patents expired and suddenly they had a new file system ready to go.

  15. 7 Aug 2019

    This is relevant to my interests.

  16. 13 May 2019

    Updated my presentation repo on github with presentations, including the latest one from 2019 on "Having Fun with COM"

    Don Box in the style of Andre the Giant.
  17. 11 May 2019
    Replying to a user

    Nice short list you've got there.... Sorry I couldn't resist ;-) I'm sure there's many IIDs which aren't in the registry, a merge might be useful. Also a link to the CSV if you don't want to run my tools

  18. 14 Apr 2019

    FYI regarding B4537DA9-3D03-4F6B-B594-52B2874EE9D0 :-)

  19. 11 Apr 2019

    The first step to recovery is realizing you have a problem.

    Picture of a biscoff biscuit sandwich with biscoff spread in the middle.
  20. 9 Apr 2019
    Replying to a user
