Last Week in Security (LWiS) - 2025-01-13
A Windows Rootkit (@colehouston44), unholy PDFs (@thomasrinsma), more Ivanti RCE (@SinSinology), macOS exploits (@patch1t + @MsftSecIntel + @wh1te4ever), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-01-06 to 2025-01-13.
News
- Our longstanding privacy commitment with Siri - After Apple agreed to pay $95 million to settle the Siri privacy lawsuit, the company put out a statement to try to calm the public. Apple denied wrongdoing in the settlement, as it was likely easier and cheaper to settle than to fight the case. I suspect the targeted advertisements the plaintiffs saw, related to conversations near their phones, are due to pervasive ad tech in other apps on their phones, not Siri. Perhaps something like: Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location.
- How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud - RSA keys shorter than 1024 bits have been considered insecure for some time, but they are still in use in some places. In 2025, it only takes 86 hours with 8 cores to crack 512-bit RSA.
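The practical defender's response to the DKIM story is to check the modulus length of every DKIM key your domains publish. The following script is an added example, not code from the article or from the researchers; it parses a DKIM TXT record, base64-decodes the `p=` tag, walks the DER SubjectPublicKeyInfo with a minimal stdlib-only parser, and reports the RSA modulus bit length. The two records it checks are constructed inline (the moduli are arbitrary 512- and 2048-bit integers, not real keys) so it runs offline; in practice you would feed it the record returned by a DNS lookup of `<selector>._domainkey.<domain>`.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded
RSA_OID = bytes.fromhex("2a864886f70d010101")


# --- minimal DER helpers (encoder is only used to build the constructed sample records) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def build_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }."""
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = _read_tlv(spki, pos)    # BIT STRING, first byte = unused bits
    if bs_tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)        # RSAPublicKey SEQUENCE
    _, n_bytes, _ = _read_tlv(rsa_pub, 0)       # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    """Split a 'tag=value; tag=value' DKIM record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dkim_record(txt, minimum_bits=1024):
    tags = parse_dkim_record(txt)
    key_type = tags.get("k", "rsa")             # k= defaults to rsa per RFC 6376
    p = re.sub(r"\s+", "", tags.get("p", ""))   # multi-string TXT records may carry whitespace
    if not p:
        return {"key_type": key_type, "bits": 0, "weak": False, "status": "revoked (empty p=)"}
    if key_type != "rsa":                       # e.g. k=ed25519 (RFC 8463) has no modulus
        return {"key_type": key_type, "bits": 0, "weak": False, "status": "non-RSA key, not checked"}
    bits = rsa_modulus_bits(base64.b64decode(p))
    weak = bits < minimum_bits
    return {"key_type": "rsa", "bits": bits, "weak": weak, "status": "weak" if weak else "ok"}


# Constructed sample records (arbitrary moduli, NOT real keys): one 512-bit, one 2048-bit.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_spki((1 << 511) + 12345)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_spki((1 << 2047) + 12345)).decode()

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("ok", OK_RECORD), ("revoked", "v=DKIM1; p=")):
        print(name, check_dkim_record(rec))
```

Anything reporting `weak` should be rotated to a 2048-bit key; RFC 8301 already requires verifiers to reject keys under 1024 bits, so a 512-bit key gives you the worst of both worlds: forgeable by anyone with $8 of cloud time, and increasingly ignored by receivers that follow the RFC.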
Techniques and Write-ups
- ADFS — Living in the Legacy of DRS - Adam Chester with another banger. This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and more.
- CVE-2024-50603: Aviatrix Network Controller Command Injection Vulnerability - The cloud marketplaces can be a great source of otherwise hard-to-get software, cheaply, for research. How many unexplored systems are out there waiting for CVEs?
- Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - Ivanti really needs to bring in some serious security experts to set up a fuzzing pipeline for their products; these types of vulnerabilities are not acceptable for a vendor of "secure edge" products with over a billion dollars in revenue.
- Backdooring Your Backdoors - Another $20 Domain, More Governments - watchTowr was our favorite blog of 2024 and they look to have no plans on slowing down in 2025. "Hackers (and pentesters) very regularly download random code off the Internet, fire it at production systems and think they're Neo from the Matrix." 🔥
- CVE-2024-54527: MediaLibraryService Full TCC Bypass, Dive Deep into AMFI - While Apple's Transparency, Consent, and Control (TCC) system is a good framework to protect users from malware, it's not without its flaws. I would expect any well-resourced attacker (i.e. a nation state) to have a decent stock of TCC bypasses. PoC: CVE-2024-54527.
- Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions - More macOS exploitation, this time a system integrity protection (SIP) bypass via usermode filesystems, and ironically reported by Microsoft.
- The (Almost) Forgotten Vulnerable Driver - An old STOPzilla driver allows for arbitrary write to the kernel and is not (yet) included on the Windows bad driver list, but is on Living Off The Land Drivers (added 2025-01-10).
- A Day in the Life of a Prolific Voice Phishing Crew - Worth watching the video in the article. The crew uses a legitimate Apple service to convince the victim they are from Apple before phishing his Apple ID credentials and second factor via a phishing site. This is all enabled by the ability to spoof phone numbers, which, due to legacy phone infrastructure (STIR/SHAKEN can't come fast enough), is trivial to do.
- Hijacking Azure Machine Learning Notebooks (via Storage Accounts) - Cloud companies will use their own technology to build new features, and Azure Machine Learning (AML) is no exception. It uses an Azure Storage account to store the notebooks, which can be accessed by anyone with permissions on the underlying storage, regardless of AML permissions. Potential code execution and credential access were possible because of this.
Tools and Exploits
- CVE-2024-54498-PoC - Escape macOS Sandbox using sharedfilelistd exploit (patched in macOS 15.2, 14.7.2, 13.7.2)
- glibc_heap_exploitation_training - The resources for the glibc malloc heap exploitation course by Maxwell Dulin and Security Innovation.
- Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit - This one is pretty obviously a "honeyPoC" but you should be using Ludus for PoC testing anyway.
- Sunder - Windows rootkit designed to work with BYOVD exploits.
- Rusty-PE-Packer - A robust Windows Portable Executable (PE) packer and launcher written in Rust for Windows x64 systems.
- Spyndicapped - COM ViewLogger — new malware keylogging technique.
- EmbedInHTML - Embed a file in HTML and have it autodownload using JavaScript.
- EarlyCascade - A PoC for Early Cascade process injection technique.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Chrome Web Store is a mess - Enforcing a restricted, centrally controlled browser should be standard practice for any business. It's fairly simple to do with Chrome enterprise policy or a mobile device management (MDM) solution.
- StoneKeeper - an experimental EDR evasion framework for research purposes.
- Tetris in a PDF - "I learned a bit about PDF's JavaScript API and its implementations and realized there might be just enough I/O possibility there for a simple game." The author went on to create DOOM in a PDF.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.