Antivirus Evasion: Tearing AMSI Down With 3 Bytes Only

Antivirus evasion AMSI

This post aims to showcase one of the many possible techniques for bypassing antivirus solutions through in-memory patching of AMSI instructions. Author: Matheus Alexandre. The Antimalware Scan Interface (AMSI) was first introduced by Microsoft in 2015 and initially shipped in early Windows 10 versions, with the intention of providing an integrated channel for security products to interact […]

Attack of the clones 2: Git CLI remote code execution strikes back

Introduction This post is the second part of the story of a vulnerability that could be leveraged as a supply chain attack and used to hack millions of software developers around the world. We will describe all the details of CVE-2020-26233, a vulnerability affecting all versions before 2.0.280 of Git Credential Manager Core in GitHub CLI […]

Attack of the clones: Git clients remote code execution

Introduction This post is a rather unusual story of a vulnerability that could be leveraged as a supply chain attack and used to attack millions of software developers around the world. It is also a tale of a bug collision that paid a bounty to one reporter and assigned the CVE to another! The main […]

Dissecting Ragnar Locker: The Case Of EDP

Introduction On April 13th 2020, news broke in Portuguese media [1] that Energias de Portugal (EDP), the Portuguese multinational energy giant and one of the largest European operators in the energy & wind sectors, had been hit by a highly targeted ransomware attack (later identified as Ragnar Locker [2]), amid the COVID-19 pandemic, while the […]

Security advisory: Mattermost Mobile for iOS v1.31.0 Authentication Token Leakage and Account Takeover

Advisory information
Title: Mattermost Mobile for iOS Authentication Token Leakage and Account Takeover
Advisory reference: BLAZE-05-2020
Product: Mattermost Mobile Client for iOS v1.31.0 (Build 293)
CVE reference: CVE-2020-13891
Vendor reference: MMSA-2020-0022
Disclosure mode: Coordinated disclosure
Product description
Mattermost is a flexible, open source messaging platform that enables secure team collaboration. The product is used in […]

Security advisory: Mullvad VPN client for Windows 2020.3 local privilege escalation

Advisory information
Title: Mullvad VPN client for Windows 2020.3 local privilege escalation
Advisory reference: BLAZE-03-2020
Product: Mullvad 2020.3 for Windows
CVE reference: CVE-2020-14197
Disclosure mode: Coordinated
Product description
Mullvad is a Sweden-based VPN provider with a strong focus on privacy. It has been in business for over 10 years and has a track record in […]

Security advisory: i2p for Windows local privilege escalation

Advisory information
Title: i2p for Windows local privilege escalation
Advisory reference: BLAZE-02-2020
Product: i2p 0.7.5 to 0.9.45 for Windows
CVE reference: CVE-2020-13431
Disclosure mode: Coordinated
Product description
i2p (The Invisible Internet Project) is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. Frequently, I2P […]

The never ending problems of local ASLR holes in Linux

Introduction Address Space Layout Randomization, or simply ASLR, is a probabilistic security defense that was released by the PaX Team in 2001 and merged into upstream Linux kernels in 2005 (2.6.12). As the name indicates, it randomizes the layout of a process's address space (and thus the addresses of its memory regions) every time the executable is run, and does this […]

What you see is not what you get: when homographs attack

Introduction Since the introduction of Unicode in domain names (known as Internationalized Domain Names, or simply IDN) by ICANN over two decades ago, a series of new security implications came to light together with the possibility of registering domain names using different alphabets and Unicode characters. When researching the feasibility of phishing […]
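The IDN mechanics behind a homograph attack, as an added example that is not code from the Blaze post: a Unicode label is encoded to its ASCII-compatible punycode form (the `xn--` form the resolver actually sees), and two independent checks are run on the decoded label, a mixed-script test and a confusable-skeleton comparison against a brand list. The confusables map and the brand set below are constructed subsets for illustration, not the Unicode confusables table or any real allowlist.

```python
import unicodedata

# Constructed subset of non-Latin letters that render like Latin ones.
# Illustrative only; the real Unicode confusables.txt is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}


def to_ascii(domain):
    """Unicode (or already-ASCII) domain -> punycode form seen on the wire."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Punycode (or already-Unicode) domain -> the form shown to the user."""
    # ASCII labels pass through encode("idna") unchanged, so this accepts both forms.
    return domain.encode("idna").decode("idna")


def label_scripts(label):
    """Approximate the Unicode script of each letter from its character name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and '-' are ignored."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(label):
    """Map confusable letters to the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyse(domain, protected_brands):
    """Return the Unicode and ASCII forms of `domain` plus a list of findings.
    A label is flagged when it mixes scripts, or when its confusable skeleton
    matches a protected brand while the label itself is not that brand."""
    unicode_form = to_unicode(domain.lower())
    ascii_form = to_ascii(unicode_form)
    findings = []
    for label in unicode_form.split("."):
        if not label:
            continue
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append("mixed scripts in label %r: %s" % (label, sorted(scripts)))
        sk = skeleton(label)
        if sk != label and sk in protected_brands:
            findings.append("label %r is confusable with brand %r" % (label, sk))
    return {
        "unicode": unicode_form,
        "ascii": ascii_form,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    brands = {"apple", "coop"}  # constructed brand list
    for d in ["apple.com", "\u0430pple.com", "xn--pple-43d.com", "\u0441\u043e\u043e\u0440.com"]:
        r = analyse(d, brands)
        print(r["ascii"], "->", r["unicode"], r["findings"])
```

The first homograph ("apple" with a Cyrillic а) is caught by the mixed-script test alone; the second ("coop" spelled entirely in Cyrillic) passes that test and is only caught by the skeleton comparison, which is why both checks are needed. Browsers apply the same two ideas when deciding whether to display an IDN as Unicode or as its `xn--` form.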