Portcullis Labs is managed by the Portcullis Security Technical Team to provide easy access to our public tools and papers.
We built this website to share some of our knowledge. You’ll find several tools, papers and presentations mostly by security geeks, but all for security geeks.
- padmin to root: Roles on AIX (10/2/2015) - Following a recent post from a consultant at IBM discussing how privileged access should be performed on VIOS, I figured it was time to share some of our research in this arena. Those of you that are regular readers will know that I love root. For those of you that are new, welcome aboard. […]
- CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough (9/24/2015) - This document is a written form of a workshop and presentation I gave at Portcullis Labs in late July 2015. It is a beginner’s walkthrough to understand the recent Flash bug that was discovered in Hacking Team’s pocket and given the sweet name of CVE-2015-5119. It was found and exploited by Vitaliy Toropov. Disclaimer: If […]
- GET IN THE RING0 (9/24/2015) - Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).
- Blood in the water: Phishing with BeEF (9/18/2015) - Those of you that have been following the UK infosec market recently will have noticed an upturn in talk relating to “Red Team” style engagements. Unlike a traditional penetration test, the object of such an exercise is not to locate vulnerabilities (though of course that helps) but rather to exercise the “Blue Team” i.e. the […]
- Graham “@gsuberland” Sutherland’s 44CON presentation (9/11/2015) - Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0” on the subject of Windows kernel drivers. His talk covered: same basic concepts as writing usermode apps; some additional bits; talking between usermode / kernelmode; major functions, IRPs, IOCTLs; special concepts like IRQLs; (mostly) officially documented on MSDN! (most of) the […]
- Burp Extension (8/26/2015) - At Portcullis, one of the more frequent assessments we perform are web application assessments. One of the main challenges we face during these assessments is to look for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often […]
- NOPC version 0.4.5 released (6/12/2015) - NOPC, the Nessus-based offline UNIX patch checker, has had some changes made and been made available in our tools section. This article discusses the new features in detail and provides some working examples. Introduction There have been some updates to the NOPC tool. The latest version is now 0.4.5. Updated features and bug fixes Added Output […]
- SSL and Export Ciphers: Logjam and FREAK (5/28/2015) - Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed. During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers […]
- VENOM vulnerability (5/14/2015) - VENOM (Virtualised Environment Neglected Operations Manipulation) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data. This could potentially allow an attacker to steal sensitive data on any of these virtual machines and […]
- uid=0 is deprecated: A trick unix-privesc-check doesn’t yet know (5/5/2015) - Just like Linux, the modern Solaris install doesn’t simply rely on UID/GID to determine privilege. Instead there are roles and profiles to contend with. The following is a loose explanation of how they work: User = user + group + user_attr + /etc/security/auth_attr + /etc/security/auth_attr.d/* user = Raw privileges (PRIV_DEFAULT + !PRIV_LIMIT) user_attr = List […]
- This way to 10.10.10.1: Playing with labelled switching (4/17/2015) - As a pentester, there are days when you’ll get asked to look at the ordinary, and there are days that you’ll be asked to look at something more challenging. This week was full of days that met the latter criteria and not the former. Whilst I can’t share the scope, Portcullis was asked to examine […]
- Testing against the kill chain on non-“red team” assessments (4/7/2015) - The following is a braindump of an idea I had as a result of the work I have been doing on Portcullis’ STAR offering. The question I set myself was, what testing could we perform, under our normal terms of engagement which would contribute to the “blue team” i.e. the system administrators and developers better […]
- Beware of empty paths (3/26/2015) - Consider the case of a setUID binary that runs as root and allows the caller to execute certain other scripts and binaries from a given restricted directory. The Portcullis Labs team recently spotted such a case and I was asked to take a look to determine exploitability. What follows is a short analysis of what […]
- Fixing the links: Hardening the linker (2/20/2015) - As many of our regular readers will know, the Portcullis Labs team have a good deal of experience with reviewing the security of POSIX-like OSes, and as a result, we’ve made some interesting discoveries in terms of how easy it can be to escalate one’s privileges. As I discussed some time ago at CRESTCon, […]
- Detecting Windows horizontal password guessing attacks in near real-time (2/16/2015) - When attempting to gain a foothold into a Windows Domain, an attacker will often attempt one or two likely passwords against every user in the Active Directory, a so-called horizontal password guessing attack. A small number of failed logons per user will usually not trigger a user account lockout policy and can be very effective. […]