SlideShare ist ein Scribd-Unternehmen logo

[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server! by Orange Tsai

CODE BLUE
CODE BLUE

Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we've found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange. This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface. To unveil the beauty of this attack surface and our novel exploitation, we'll start by analyzing this architecture, followed by 7 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 3 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, and ProxyOracle. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers. This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server. Last but not least, we'll provide hardening actions to mitigate such types of 0days in Exchange.

Präsentationen & Vorträge
1 von 69
Downloaden Sie, um offline zu lesen
ProxyLogon is Just the Tip of the Iceberg A New Attack Surface on Microsoft Exchange Server! Orange Tsai
Orange Tsai • Orange Tsai, focusing on Web and Application 0-day research • Principal Security Researcher of DEVCORE • Captain of HITCON CTF Team • Speaker of Security Conferences • Black Hat USA & ASIA / DEFCON / HITB / HITCON … • Selected Awards and Honors: • 2017 - 1st place of Top 10 Web Hacking Techniques • 2018 - 1st place of Top 10 Web Hacking Techniques • 2019 - Winner of Pwnie Awards "Best Server-Side Bug" • 2021 - Champion and "Master of Pwn" of Pwn2Own • 2021 - Winner of Pwnie Awards "Best Server-Side Bug"
Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group😉) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey
Our Works • We focus on the Exchange architecture and discover a new attack surface that no one proposed before. That's why we can pop 0days easily! • We discovered 8 vulnerabilities that covered server-side, client-side, and crypto bugs through this new attack surface, and chained into 3 attacks: 1. ProxyLogon: The most well-known pre-auth RCE chain 2. ProxyOracle: A plaintext-password recovery attacking chain 3. ProxyShell: The pre-auth RCE chain we demonstrated at Pwn2Own 2021
The Proxy Era of MS Exchange ProxyLogon • CVE-2021-26855 • CVE-2021-27065 ProxyNotFound • CVE-2021-28480 • CVE-2021-28481 ProxyToken • CVE-2021-33766 ProxyOracle • CVE-2021-31195 • CVE-2021-31196 Proxy???? • CVE-2021-33768 • CVE-2021-????? PrxoyShell • CVE-2021-34473 • CVE-2021-34523 • CVE-2021-31207
Exchange Architecture Backend Server Frontend Server 2000/2003 Mailbox Role Client Access Role Hub Transport Role Unified Messaging Role Edge Transport Role 2007/2010 Mailbox Role Client Access Role Edge Transport Role 2013 Edge Transport Role 2016/2019 Mailbox Role Mailbox Service Client Access Service
Where to Focus? • We focus on the Client Access Service (CAS) • CAS is a fundamental protocol handler in Microsoft Exchange Server. The Microsoft official documentation also indicates: "Mailbox servers contain the Client Access Services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services"
where we focus on
Client Access Service in IIS Two websites?
Client Access Service in IIS
Exchange Architecture • Applications in Frontend include the ProxyModule • Parse incoming HTTP requests, apply protocol specified settings, and forward to the Backend • Applications in Backend include the BackendRehydrationModule • Receive and populate HTTP requests from the Frontend • Applications synchronizes the internal information between the Frontend and Backend by HTTP headers
IIS IIS Remote PowerShell RPC Proxy EWS, OWA ECP, OAB… Mailbox Database FrontEnd Service BackEnd Service HTTP/HTTPS IIS Modules Validation Module Logging Module IIS Modules Filter Module FBA Module Oauth Module … Rehydration Module RoutingUpdate Module RBAC Module HTTP Proxy Module
Our Ideas Could we access the Backend intentionally?
ProxyRequestHandler.cs BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse
Copy Client Headers 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
HTTP Header Blacklists protected virtual bool ShouldCopyHeaderToServerRequest(string headerName) { return !string.Equals(headerName, "X-CommonAccessToken", OrdinalIgnoreCase) && !string.Equals(headerName, "X-IsFromCafe", OrdinalIgnoreCase) && !string.Equals(headerName, "X-SourceCafeServer", OrdinalIgnoreCase) && !string.Equals(headerName, "msExchProxyUri", OrdinalIgnoreCase) && !string.Equals(headerName, "X-MSExchangeActivityCtx", OrdinalIgnoreCase) && !string.Equals(headerName, "return-client-request-id", OrdinalIgnoreCase) && !string.Equals(headerName, "X-Forwarded-For", OrdinalIgnoreCase) && (!headerName.StartsWith("X-Backend-Diag-", OrdinalIgnoreCase) || this.ClientRequest.GetHttpRequestBase().IsProbeRequest()); } HttpProxyProxyRequestHandler.cs
Copy Client Cookies 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Add Special Headers 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Clone User Identity if (this.ClientRequest.IsAuthenticated) { CommonAccessToken commonAccessToken = AspNetHelper.FixupCommonAccessToken( this.HttpContext, this.AnchoredRoutingTarget.BackEndServer.Version); if (commonAccessToken != null) { headers["X-CommonAccessToken"] = commonAccessToken.Serialize( new int?(HttpProxySettings.CompressTokenMinimumSize.Value)); } } else if (this.ShouldBackendRequestBeAnonymous()) { headers["X-CommonAccessToken"] = new CommonAccessToken(9).Serialize(); } HttpProxyProxyRequestHandler.cs
Calculate Backend URL 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Create New HTTP Client 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Attach Authorization Header if (this.ProxyKerberosAuthentication) { // use origin Kerberos Authentication } else if (this.AuthBehavior.AuthState == AuthState.BackEndFullAuth || this. ShouldBackendRequestBeAnonymous() || (HttpProxySettings.TestBackEndSupportEnabled.Value && !string.IsNullOrEmpty(this.ClientRequest.Headers["TestBackEndUrl"]))) { // unauthenticated } else { serverRequest.Headers["Authorization"] = KerberosUtilities.GenerateKerberosAuthHeader( serverRequest.Address.Host, this.TraceContext, ref this.authenticationContext, ref this.kerberosChallenge); } HttpProxyProxyRequestHandler.cs
Generate Kerberos Ticket internal static string GenerateKerberosAuthHeader(string host, int traceContext, ref AuthenticationContext authenticationContext, ref string kerberosChallenge) { // … authenticationContext = new AuthenticationContext(); authenticationContext.InitializeForOutboundNegotiate(AuthenticationMechanism.Kerberos, "HTTP/" + host, null, null); SecurityStatus securityStatus = authenticationContext.NegotiateSecurityContext(inputBuffer, out bytes); return "Negotiate " + Encoding.ASCII.GetString(bytes); } HttpProxyKerberosUtilities.cs
The Actual Request Sent to Backend
Get Backend Response 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Copy Response to Client 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Backend Rehydration Module • IIS has implicitly done the Authentication and set the User.Identity to current HttpContext object private void OnAuthenticateRequest(object source, EventArgs args) { if (httpContext.Request.IsAuthenticated) { this.ProcessRequest(httpContext); } } private void ProcessRequest(HttpContext httpContext) { CommonAccessToken token; if (this.TryGetCommonAccessToken(httpContext, out token)) // … } BackendRehydrationModule.cs BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
1 Restore Frontend User Identity 2 private bool TryGetCommonAccessToken(HttpContext httpContext, out CommonAccessToken token) { string text = httpContext.Request.Headers["X-CommonAccessToken"]; flag = this.IsTokenSerializationAllowed(httpContext.User.Identity as WindowsIdentity); if (!flag) throw new BackendRehydrationException(…) token = CommonAccessToken.Deserialize(text); httpContext.Items["Item-CommonAccessToken"] = token; SecurityAuthenticationBackendRehydrationModule.cs
1 Is Token Serialization Allowed? 2 private bool TryGetCommonAccessToken(HttpContext httpContext, out CommonAccessToken token) { string text = httpContext.Request.Headers["X-CommonAccessToken"]; flag = this.IsTokenSerializationAllowed(httpContext.User.Identity as WindowsIdentity); if (!flag) throw new BackendRehydrationException(…) token = CommonAccessToken.Deserialize(text); httpContext.Items["Item-CommonAccessToken"] = token; SecurityAuthenticationBackendRehydrationModule.cs
Check AD Extended Rights private bool IsTokenSerializationAllowed(WindowsIdentity windowsIdentity) { flag2 = LocalServer.AllowsTokenSerializationBy(clientSecurityContext); return flag2; } private static bool AllowsTokenSerializationBy(ClientSecurityContext clientContext) { return LocalServer.HasExtendedRightOnServer(clientContext, WellKnownGuid.TokenSerializationRightGuid); // ms-Exch-EPI-Token-Serialization } SecurityAuthenticationBackendRehydrationModule.cs
Auth-Flow in Summary 1. Frontend IIS authenticates the request (Windows or Basic authentication) and serializes the current Identity to X-CommonAccessToken HTTP header 2. Frontend generates a Kerberos ticket by its HTTP SPN to Authorization HTTP header 3. Frontend proxies the HTTP request to Backend 4. Backend IIS authenticates the request and check the authenticated user has TokenSerialization right 5. Backend rehydrates the user from X-CommonAccessToken HTTP header HTTP/HTTPS CAS Backend Module F Rehydration Module Module D Module E CAS Frontend HttpProxy Module Module A Module B Module C HTTP/HTTPS
Let's Start the Hack
ProxyLogon • The most well-known Exchange Server vulnerability in the world😩 • An unauthenticated attacker can execute arbitrary codes on Microsoft Exchange Server through an only exposed 443 port! • ProxyLogon is chained with 2 bugs: • CVE-2021-26855 - Pre-auth SSRF leads to Authentication Bypass • CVE-2021-27065 - Post-auth Arbitrary-File-Write leads to RCE
Where ProxyLogon Begin? 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
Arbitrary Backend Assignment 1 2 protected override AnchorMailbox ResolveAnchorMailbox() { HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"]; if (httpCookie != null) { this.savedBackendServer = httpCookie.Value; } return new ServerInfoAnchorMailbox( BackEndServer.FromString(this.savedBackendServer), this); } HttpProxyOwaResourceProxyRequestHandler.cs
https://[foo]@example.com:443/path#]:444/owa/auth/x.js
Super SSRF • What's the root cause about this arbitrary backend assignment? • The Exchange has to adapt the compatibility between new and old architectures, hence Exchange introduces the cookie • A Super SSRF • Control almost all the HTTP request and get all the response • Attach with a Kerberos Ticket with Exchange$ account privilege automatically • Leverage the backend internal API /ecp/proxylogon.ecp to obtain a valid Control Panel session and a file-write bug to get RCE
Demo https://youtu.be/SvjGMo9aMwE
ProxyOracle • An interesting Exchange Server exploit with different approach • An unauthenticated attacker can recover the victim's username and password in plaintext format simply by pushing the user open the malicious link • ProxyOracle is chained with 2 bugs: • CVE-2021-31195 - Reflected Cross-Site Scripting • CVE-2021-31196 - Padding Oracle Attack on Exchange Cookies Parsing
How Users Log-in OWA/ECP?
Form-Based Authentication IIS IIS Remote PowerShell RPC Proxy EWS/OWA ECP/OAB… Mailbox Database HTTP/HTTPS IIS Modules Validation Logging IIS Modules Filter FBA Oauth … Rehydration Routing Update RBAC HTTP Proxy Module
How FBA Cookies Looks Like cadataTTL cadataKey cadata cadataIV cadataSig
FbaModule Encryption Logic @key = GetServerSSLCert().GetPrivateKey() cadataSig = RSA(@key).Encrypt("Fba Rocks!") cadataIV = RSA(@key).Encrypt(GetRandomBytes(16)) cadataKey = RSA(@key).Encrypt(GetRandomBytes(16)) @timestamp = GetCurrentTimestamp() cadataTTL = AES_CBC(cadataKey, cadataIV).Encrypt(@timestamp) @blob = "Basic " + ToBase64String(UserName + ":" + Password) cadata = AES_CBC(cadataKey, cadataIV).Encrypt(@blob) PSEUDO CODE
FbaModule Encryption Logic private void ParseCadataCookies(HttpApplication httpApplication) { using (ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor()) { try { byte[] array5 = Convert.FromBase64String(request.Cookies["cadata"].Value); bytes2 = transform.TransformFinalBlock(array5, 0, array5.Length); } catch (CryptographicException arg8) { return; } } } HttpProxyFbaModule.cs
The Oracle protected enum LogonReason { None, Logoff, InvalidCredentials, Timeout, ChangePasswordLogoff } FbaModule.cs Padding Error Padding Good Login Failure Login Success AES Decrypt /logon.aspx ?reason=2 Continue Login /logon.aspx ?reason=0
We can decrypt the cookies now But… How to get the client cookies?
We discover a new XSS to chain together However, all sensitive cookies are protected by HttpOnly😥
Take Over Client Requests Visit page /foo.gif Send response Proxy page /foo.gif Send response Send malicious mail to victim Trigger the XSS Set SSRF cookie Victim Exchange Attacker Open malicious mail Redirect to XSS page 1 2 3 4
Demo https://youtu.be/VuJvmJZxogc
ProxyShell • The exploit chain we demonstrated at Pwn2Own 2021 • An unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only exposed 443 port! • ProxyShell is chained with 3 bugs: • CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass • CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend • CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE
Where ProxyShell Begin? 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
ProxyShell • ProxyShell started with a Path Confusion bug on Exchange Server Explicit Logon feature • The feature is designed to enable users to open another mailbox/calendar and display it in a new browser window • The Exchange parsed the mailbox address and normalized the URL internally https://exchange/OWA/user@orange.local/Default.aspx
2 Extract Mailbox Address from URL 1 protected override AnchorMailbox ResolveAnchorMailbox() { if (RequestPathParser.IsAutodiscoverV2PreviewRequest(base.ClientRequest.Url.AbsolutePath)) text = base.ClientRequest.Params["Email"]; // … this.isExplicitLogonRequest = true; this.explicitLogonAddress = text; } public static bool IsAutodiscoverV2PreviewRequest(string path) { return path.EndsWith("/autodiscover.json", StringComparison.OrdinalIgnoreCase); } HttpProxyEwsAutodiscoverProxyRequestHandler.cs
The Fatal Erase protected override UriBuilder GetClientUrlForProxy() { string absoluteUri = base.ClientRequest.Url.AbsoluteUri; uri = UrlHelper.RemoveExplicitLogonFromUrlAbsoluteUri(absoluteUri, this.explicitLogonAddress); return new UriBuilder(uri); } public static string RemoveExplicitLogonFromUrlAbsoluteUri(string absoluteUri, string explicitLogonAddress) { string text = "/" + explicitLogonAddress; if (absoluteUri.IndexOf(text) != -1) return absoluteUri.Substring(0, num) + absoluteUri.Substring(num + text.Length); } HttpProxyEwsAutodiscoverProxyRequestHandler.cs 1 2
The actual part to be removed Explicit Logon pattern https://exchange/autodiscover/autodiscover.json?@foo.com/?& Email=autodiscover/autodiscover.json%3f@foo.com
The actual part to be removed Explicit Logon pattern https://exchange/autodiscover/autodiscover.json?@foo.com/?& Email=autodiscover/autodiscover.json%3f@foo.com
https://exchange:444/?& Email=autodiscover/autodiscover.json%3f@foo.com
Arbitrary Backend Access Again!
Exchange PowerShell Remoting • The Exchange PowerShell Remoting is a command-line interface that enables the automation of Exchange tasks • The Exchange PowerShell Remoting is built upon PowerShell API and uses the Runspace for isolations. All operations are based on WinRM protocol • Interact with the PowerShell Backend fails because there is no mailbox for the SYSTEM user • We found a piece of code extract Access-Token from URL
Extract Access Token from URL 2 1 private void OnAuthenticateRequest(object source, EventArgs args) { HttpContext httpContext = HttpContext.Current; if (httpContext.Request.IsAuthenticated) { if (string.IsNullOrEmpty(httpContext.Request.Headers["X-CommonAccessToken"])) { Uri url = httpContext.Request.Url; Exception ex = null; CommonAccessToken commonAccessToken = CommonAccessTokenFromUrl(httpContext. User.Identity.ToString(), url, out ex); } } } ConfigurationRemotePowershellBackendCmdletProxyModule.cs
Extract Access Token from URL private CommonAccessToken CommonAccessTokenFromUrl(string user, Uri requestURI, out Exception ex) { CommonAccessToken result = null; string text = LiveIdBasicAuthModule.GetNameValueCollectionFromUri( requestURI).Get("X-Rps-CAT"); result = CommonAccessToken.Deserialize(Uri.UnescapeDataString(text)); return result; } RemotePowershellBackendCmdletProxyModule.cs
Privilege Downgrade • An Elevation of Privilege (EOP) because we can access Exchange PowerShell Backend directly • The intention of this operation is to be a quick proxy for Internal Exchange PowerShell communications • Specify the Access-Token in X-Rps-CAT to Impersonate to any user • We use this Privilege Escalation to "downgrade" ourself from SYSTEM to Exchange Admin
Execute Arbitrary Exchange PowerShell as Admin And then?
Attack Exchange PowerShell • The last piece of the puzzle is to find a post-auth RCE to chain together • Since we are Exchange admin now, It's easy to abuse the Exchange PowerShell command New-MailboxExportRequest to export user's mailbox into an UNC path New-MailboxExportRequest –Mailbox orange@orange.local –FilePath 127.0.0.1C$pathtoshell.aspx
Put it All Together 1. Deliver our encoded WebShell payload by SMTP 2. Launch the native PowerShell and intercept the WinRM protocol • Rewrite the /PowerShell/ to /Autodiscover/ to trigger the Path Confusion bug • Add query string X-Rps-CAT with corresponding Exchange Admin Access Token 3. Execute commands inside the established PowerShell session • New-ManagementRoleAssignment to grant ourself Mailbox Import Export Role • New-MailboxExportRequest to write ASPX file into the local UNC path 4. Enjoy the shell
Demo https://youtu.be/FC6iHw258RI
Mitigations 1. Keep Exchange Server up-to-date and not externally facing the Internet (especially web part) 2. Microsoft has enhanced the CAS Frontend in April 2021 • The enhancement mitigated the authentication part of this attack surface and reduced the "pre-auth" effectively 3. Move to Office 365 Exchange Online😏(Just kidding)
orange_8361 orange@chroot.org Thanks! https://blog.orange.tw

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadAzad Mzuri
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadAzad Mzuri
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Preventions of Email Hacking
Preventions of Email HackingPreventions of Email Hacking
Preventions of Email HackingUsman Khan
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotVi Tính Hoàng Nam
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Session fixation
Session fixationSession fixation
Session fixationMuhammad Fahri
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2abramsm
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobilityFabrizio Volpe
 

Weitere ähnliche Inhalte

Was ist angesagt?

Preventions of Email Hacking
Preventions of Email HackingPreventions of Email Hacking
Preventions of Email HackingUsman Khan
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotVi Tính Hoàng Nam
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 

Was ist angesagt? (20)

Preventions of Email Hacking
Preventions of Email HackingPreventions of Email Hacking
Preventions of Email Hacking
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
Metasploit
MetasploitMetasploit
Metasploit
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Session fixation
Session fixationSession fixation
Session fixation
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 

Ähnlich wie [CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server! by Orange Tsai

Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2abramsm
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobilityFabrizio Volpe
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008ClubHack
 
Tutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchTutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchMongoDB
 
Exploring Twitter's Finagle technology stack for microservices
Exploring Twitter's Finagle technology stack for microservicesExploring Twitter's Finagle technology stack for microservices
Exploring Twitter's Finagle technology stack for microservices💡 Tomasz Kogut
 
Meetup Microservices Commandments
Meetup Microservices CommandmentsMeetup Microservices Commandments
Meetup Microservices CommandmentsBill Zajac
 
MongoDB Stitch Introduction
MongoDB Stitch IntroductionMongoDB Stitch Introduction
MongoDB Stitch IntroductionMongoDB
 
Building Your First App with MongoDB Stitch
Building Your First App with MongoDB StitchBuilding Your First App with MongoDB Stitch
Building Your First App with MongoDB StitchMongoDB
 
Medium TechTalk — iOS
Medium TechTalk — iOSMedium TechTalk — iOS
Medium TechTalk — iOSjimmyatmedium
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service MeshRafik HARABI
 
Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Idit Levine
 
Deploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDeploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDenny Lee
 
Architectural Commandments for Building & Running Microservices at Scale
Architectural Commandments for Building & Running Microservices at ScaleArchitectural Commandments for Building & Running Microservices at Scale
Architectural Commandments for Building & Running Microservices at ScaleBrian Wilson
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Unit 38 - Spring MVC Introduction.pptx
Unit 38 - Spring MVC Introduction.pptxUnit 38 - Spring MVC Introduction.pptx
Unit 38 - Spring MVC Introduction.pptxAbhijayKulshrestha1
 
Dealing with and learning from the sandbox
Dealing with and learning from the sandboxDealing with and learning from the sandbox
Dealing with and learning from the sandboxElaine Van Bergen
 

Ähnlich wie [CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server! by Orange Tsai (20)

Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2Big datadc skyfall_preso_v2
Big datadc skyfall_preso_v2
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobility
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008
 
Tutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchTutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB Stitch
 
Exploring Twitter's Finagle technology stack for microservices
Exploring Twitter's Finagle technology stack for microservicesExploring Twitter's Finagle technology stack for microservices
Exploring Twitter's Finagle technology stack for microservices
 
Meetup Microservices Commandments
Meetup Microservices CommandmentsMeetup Microservices Commandments
Meetup Microservices Commandments
 
MongoDB Stitch Introduction
MongoDB Stitch IntroductionMongoDB Stitch Introduction
MongoDB Stitch Introduction
 
Building Your First App with MongoDB Stitch
Building Your First App with MongoDB StitchBuilding Your First App with MongoDB Stitch
Building Your First App with MongoDB Stitch
 
Medium TechTalk — iOS
Medium TechTalk — iOSMedium TechTalk — iOS
Medium TechTalk — iOS
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service Mesh
 
Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017
 
Deploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDeploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePoint
 
Nick harris-sic-2011
Nick harris-sic-2011Nick harris-sic-2011
Nick harris-sic-2011
 
Architectural Commandments for Building & Running Microservices at Scale
Architectural Commandments for Building & Running Microservices at ScaleArchitectural Commandments for Building & Running Microservices at Scale
Architectural Commandments for Building & Running Microservices at Scale
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Unit 38 - Spring MVC Introduction.pptx
Unit 38 - Spring MVC Introduction.pptxUnit 38 - Spring MVC Introduction.pptx
Unit 38 - Spring MVC Introduction.pptx
 
Dealing with and learning from the sandbox
Dealing with and learning from the sandboxDealing with and learning from the sandbox
Dealing with and learning from the sandbox
 

Mehr von CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

Mehr von CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Kürzlich hochgeladen

Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoKayode Fayemi
 
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Pooja Nehwal
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedDelhi Call girls
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...amilabibi1
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 

Kürzlich hochgeladen (20)

Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 

[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server! by Orange Tsai

  • 1. ProxyLogon is Just the Tip of the Iceberg A New Attack Surface on Microsoft Exchange Server! Orange Tsai
  • 2. Orange Tsai • Orange Tsai, focusing on Web and Application 0-day research • Principal Security Researcher of DEVCORE • Captain of HITCON CTF Team • Speaker of Security Conferences • Black Hat USA & ASIA / DEFCON / HITB / HITCON … • Selected Awards and Honors: • 2017 - 1st place of Top 10 Web Hacking Techniques • 2018 - 1st place of Top 10 Web Hacking Techniques • 2019 - Winner of Pwnie Awards "Best Server-Side Bug" • 2021 - Champion and "Master of Pwn" of Pwn2Own • 2021 - Winner of Pwnie Awards "Best Server-Side Bug"
  • 3. Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group😉) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey
  • 4. Our Works • We focus on the Exchange architecture and discover a new attack surface that no one proposed before. That's why we can pop 0days easily! • We discovered 8 vulnerabilities that covered server-side, client-side, and crypto bugs through this new attack surface, and chained into 3 attacks: 1. ProxyLogon: The most well-known pre-auth RCE chain 2. ProxyOracle: A plaintext-password recovery attacking chain 3. ProxyShell: The pre-auth RCE chain we demonstrated at Pwn2Own 2021
  • 5. The Proxy Era of MS Exchange ProxyLogon • CVE-2021-26855 • CVE-2021-27065 ProxyNotFound • CVE-2021-28480 • CVE-2021-28481 ProxyToken • CVE-2021-33766 ProxyOracle • CVE-2021-31195 • CVE-2021-31196 Proxy???? • CVE-2021-33768 • CVE-2021-????? PrxoyShell • CVE-2021-34473 • CVE-2021-34523 • CVE-2021-31207
  • 6. Exchange Architecture Backend Server Frontend Server 2000/2003 Mailbox Role Client Access Role Hub Transport Role Unified Messaging Role Edge Transport Role 2007/2010 Mailbox Role Client Access Role Edge Transport Role 2013 Edge Transport Role 2016/2019 Mailbox Role Mailbox Service Client Access Service
  • 7. Where to Focus? • We focus on the Client Access Service (CAS) • CAS is a fundamental protocol handler in Microsoft Exchange Server. The Microsoft official documentation also indicates: "Mailbox servers contain the Client Access Services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services"
  • 9. Client Access Service in IIS Two websites?
  • 11. Exchange Architecture • Applications in Frontend include the ProxyModule • Parse incoming HTTP requests, apply protocol specified settings, and forward to the Backend • Applications in Backend include the BackendRehydrationModule • Receive and populate HTTP requests from the Frontend • Applications synchronizes the internal information between the Frontend and Backend by HTTP headers
  • 12. IIS IIS Remote PowerShell RPC Proxy EWS, OWA ECP, OAB… Mailbox Database FrontEnd Service BackEnd Service HTTP/HTTPS IIS Modules Validation Module Logging Module IIS Modules Filter Module FBA Module Oauth Module … Rehydration Module RoutingUpdate Module RBAC Module HTTP Proxy Module
  • 13. Our Ideas Could we access the Backend intentionally?
  • 14. ProxyRequestHandler.cs BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse
  • 15. Copy Client Headers 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 16. HTTP Header Blacklists protected virtual bool ShouldCopyHeaderToServerRequest(string headerName) { return !string.Equals(headerName, "X-CommonAccessToken", OrdinalIgnoreCase) && !string.Equals(headerName, "X-IsFromCafe", OrdinalIgnoreCase) && !string.Equals(headerName, "X-SourceCafeServer", OrdinalIgnoreCase) && !string.Equals(headerName, "msExchProxyUri", OrdinalIgnoreCase) && !string.Equals(headerName, "X-MSExchangeActivityCtx", OrdinalIgnoreCase) && !string.Equals(headerName, "return-client-request-id", OrdinalIgnoreCase) && !string.Equals(headerName, "X-Forwarded-For", OrdinalIgnoreCase) && (!headerName.StartsWith("X-Backend-Diag-", OrdinalIgnoreCase) || this.ClientRequest.GetHttpRequestBase().IsProbeRequest()); } HttpProxyProxyRequestHandler.cs
  • 17. Copy Client Cookies 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 18. Add Special Headers 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 19. Clone User Identity if (this.ClientRequest.IsAuthenticated) { CommonAccessToken commonAccessToken = AspNetHelper.FixupCommonAccessToken( this.HttpContext, this.AnchoredRoutingTarget.BackEndServer.Version); if (commonAccessToken != null) { headers["X-CommonAccessToken"] = commonAccessToken.Serialize( new int?(HttpProxySettings.CompressTokenMinimumSize.Value)); } } else if (this.ShouldBackendRequestBeAnonymous()) { headers["X-CommonAccessToken"] = new CommonAccessToken(9).Serialize(); } HttpProxyProxyRequestHandler.cs
  • 20. Calculate Backend URL 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 21. Create New HTTP Client 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 22. Attach Authorization Header if (this.ProxyKerberosAuthentication) { // use origin Kerberos Authentication } else if (this.AuthBehavior.AuthState == AuthState.BackEndFullAuth || this. ShouldBackendRequestBeAnonymous() || (HttpProxySettings.TestBackEndSupportEnabled.Value && !string.IsNullOrEmpty(this.ClientRequest.Headers["TestBackEndUrl"]))) { // unauthenticated } else { serverRequest.Headers["Authorization"] = KerberosUtilities.GenerateKerberosAuthHeader( serverRequest.Address.Host, this.TraceContext, ref this.authenticationContext, ref this.kerberosChallenge); } HttpProxyProxyRequestHandler.cs
  • 23. Generate Kerberos Ticket internal static string GenerateKerberosAuthHeader(string host, int traceContext, ref AuthenticationContext authenticationContext, ref string kerberosChallenge) { // … authenticationContext = new AuthenticationContext(); authenticationContext.InitializeForOutboundNegotiate(AuthenticationMechanism.Kerberos, "HTTP/" + host, null, null); SecurityStatus securityStatus = authenticationContext.NegotiateSecurityContext(inputBuffer, out bytes); return "Negotiate " + Encoding.ASCII.GetString(bytes); } HttpProxyKerberosUtilities.cs
  • 24. The Actual Request Sent to Backend
  • 25. Get Backend Response 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 26. Copy Response to Client 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 27. Backend Rehydration Module • IIS has implicitly done the Authentication and set the User.Identity to current HttpContext object private void OnAuthenticateRequest(object source, EventArgs args) { if (httpContext.Request.IsAuthenticated) { this.ProcessRequest(httpContext); } } private void ProcessRequest(HttpContext httpContext) { CommonAccessToken token; if (this.TryGetCommonAccessToken(httpContext, out token)) // … } BackendRehydrationModule.cs BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 28. 1 Restore Frontend User Identity 2 private bool TryGetCommonAccessToken(HttpContext httpContext, out CommonAccessToken token) { string text = httpContext.Request.Headers["X-CommonAccessToken"]; flag = this.IsTokenSerializationAllowed(httpContext.User.Identity as WindowsIdentity); if (!flag) throw new BackendRehydrationException(…) token = CommonAccessToken.Deserialize(text); httpContext.Items["Item-CommonAccessToken"] = token; SecurityAuthenticationBackendRehydrationModule.cs
  • 29. 1 Is Token Serialization Allowed? 2 private bool TryGetCommonAccessToken(HttpContext httpContext, out CommonAccessToken token) { string text = httpContext.Request.Headers["X-CommonAccessToken"]; flag = this.IsTokenSerializationAllowed(httpContext.User.Identity as WindowsIdentity); if (!flag) throw new BackendRehydrationException(…) token = CommonAccessToken.Deserialize(text); httpContext.Items["Item-CommonAccessToken"] = token; SecurityAuthenticationBackendRehydrationModule.cs
  • 30. Check AD Extended Rights private bool IsTokenSerializationAllowed(WindowsIdentity windowsIdentity) { flag2 = LocalServer.AllowsTokenSerializationBy(clientSecurityContext); return flag2; } private static bool AllowsTokenSerializationBy(ClientSecurityContext clientContext) { return LocalServer.HasExtendedRightOnServer(clientContext, WellKnownGuid.TokenSerializationRightGuid); // ms-Exch-EPI-Token-Serialization } SecurityAuthenticationBackendRehydrationModule.cs
  • 31. Auth-Flow in Summary 1. Frontend IIS authenticates the request (Windows or Basic authentication) and serializes the current Identity to X-CommonAccessToken HTTP header 2. Frontend generates a Kerberos ticket by its HTTP SPN to Authorization HTTP header 3. Frontend proxies the HTTP request to Backend 4. Backend IIS authenticates the request and check the authenticated user has TokenSerialization right 5. Backend rehydrates the user from X-CommonAccessToken HTTP header HTTP/HTTPS CAS Backend Module F Rehydration Module Module D Module E CAS Frontend HttpProxy Module Module A Module B Module C HTTP/HTTPS
  • 33. ProxyLogon • The most well-known Exchange Server vulnerability in the world😩 • An unauthenticated attacker can execute arbitrary codes on Microsoft Exchange Server through an only exposed 443 port! • ProxyLogon is chained with 2 bugs: • CVE-2021-26855 - Pre-auth SSRF leads to Authentication Bypass • CVE-2021-27065 - Post-auth Arbitrary-File-Write leads to RCE
  • 34. Where ProxyLogon Begin? 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 35. Arbitrary Backend Assignment 1 2 protected override AnchorMailbox ResolveAnchorMailbox() { HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"]; if (httpCookie != null) { this.savedBackendServer = httpCookie.Value; } return new ServerInfoAnchorMailbox( BackEndServer.FromString(this.savedBackendServer), this); } HttpProxyOwaResourceProxyRequestHandler.cs
  • 37. Super SSRF • What's the root cause about this arbitrary backend assignment? • The Exchange has to adapt the compatibility between new and old architectures, hence Exchange introduces the cookie • A Super SSRF • Control almost all the HTTP request and get all the response • Attach with a Kerberos Ticket with Exchange$ account privilege automatically • Leverage the backend internal API /ecp/proxylogon.ecp to obtain a valid Control Panel session and a file-write bug to get RCE
  • 39. ProxyOracle • An interesting Exchange Server exploit with different approach • An unauthenticated attacker can recover the victim's username and password in plaintext format simply by pushing the user open the malicious link • ProxyOracle is chained with 2 bugs: • CVE-2021-31195 - Reflected Cross-Site Scripting • CVE-2021-31196 - Padding Oracle Attack on Exchange Cookies Parsing
  • 40. How Users Log-in OWA/ECP?
  • 41. Form-Based Authentication IIS IIS Remote PowerShell RPC Proxy EWS/OWA ECP/OAB… Mailbox Database HTTP/HTTPS IIS Modules Validation Logging IIS Modules Filter FBA Oauth … Rehydration Routing Update RBAC HTTP Proxy Module
  • 42. How FBA Cookies Looks Like cadataTTL cadataKey cadata cadataIV cadataSig
  • 43. FbaModule Encryption Logic @key = GetServerSSLCert().GetPrivateKey() cadataSig = RSA(@key).Encrypt("Fba Rocks!") cadataIV = RSA(@key).Encrypt(GetRandomBytes(16)) cadataKey = RSA(@key).Encrypt(GetRandomBytes(16)) @timestamp = GetCurrentTimestamp() cadataTTL = AES_CBC(cadataKey, cadataIV).Encrypt(@timestamp) @blob = "Basic " + ToBase64String(UserName + ":" + Password) cadata = AES_CBC(cadataKey, cadataIV).Encrypt(@blob) PSEUDO CODE
  • 44.
  • 45. FbaModule Encryption Logic private void ParseCadataCookies(HttpApplication httpApplication) { using (ICryptoTransform transform = aesCryptoServiceProvider.CreateDecryptor()) { try { byte[] array5 = Convert.FromBase64String(request.Cookies["cadata"].Value); bytes2 = transform.TransformFinalBlock(array5, 0, array5.Length); } catch (CryptographicException arg8) { return; } } } HttpProxyFbaModule.cs
  • 46. The Oracle protected enum LogonReason { None, Logoff, InvalidCredentials, Timeout, ChangePasswordLogoff } FbaModule.cs Padding Error Padding Good Login Failure Login Success AES Decrypt /logon.aspx ?reason=2 Continue Login /logon.aspx ?reason=0
  • 47. We can decrypt the cookies now But… How to get the client cookies?
  • 48. We discover a new XSS to chain together However, all sensitive cookies are protected by HttpOnly😥
  • 49. Take Over Client Requests Visit page /foo.gif Send response Proxy page /foo.gif Send response Send malicious mail to victim Trigger the XSS Set SSRF cookie Victim Exchange Attacker Open malicious mail Redirect to XSS page 1 2 3 4
  • 51. ProxyShell • The exploit chain we demonstrated at Pwn2Own 2021 • An unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only exposed 443 port! • ProxyShell is chained with 3 bugs: • CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass • CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend • CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE
  • 52. Where ProxyShell Begin? 1. Request Section > CopyHeadersToServerRequest > CopyCookiesToServerRequest > AddProtocolSpecificHeadersToServerRequest 2. Proxy Section > GetTargetBackEndServerUrl > CreateServerRequest > GetServerResponse 3. Response Section > CopyHeadersToClientResponse > CopyCookiesToClientResponse BeginRequest AuthenticateRequest AuthorizeRequest MapRequestHandler EndRequest IHttpHandler LogRequest
  • 53. ProxyShell • ProxyShell started with a Path Confusion bug on Exchange Server Explicit Logon feature • The feature is designed to enable users to open another mailbox/calendar and display it in a new browser window • The Exchange parsed the mailbox address and normalized the URL internally https://exchange/OWA/user@orange.local/Default.aspx
  • 54. 2 Extract Mailbox Address from URL 1 protected override AnchorMailbox ResolveAnchorMailbox() { if (RequestPathParser.IsAutodiscoverV2PreviewRequest(base.ClientRequest.Url.AbsolutePath)) text = base.ClientRequest.Params["Email"]; // … this.isExplicitLogonRequest = true; this.explicitLogonAddress = text; } public static bool IsAutodiscoverV2PreviewRequest(string path) { return path.EndsWith("/autodiscover.json", StringComparison.OrdinalIgnoreCase); } HttpProxyEwsAutodiscoverProxyRequestHandler.cs
  • 55. The Fatal Erase protected override UriBuilder GetClientUrlForProxy() { string absoluteUri = base.ClientRequest.Url.AbsoluteUri; uri = UrlHelper.RemoveExplicitLogonFromUrlAbsoluteUri(absoluteUri, this.explicitLogonAddress); return new UriBuilder(uri); } public static string RemoveExplicitLogonFromUrlAbsoluteUri(string absoluteUri, string explicitLogonAddress) { string text = "/" + explicitLogonAddress; if (absoluteUri.IndexOf(text) != -1) return absoluteUri.Substring(0, num) + absoluteUri.Substring(num + text.Length); } HttpProxyEwsAutodiscoverProxyRequestHandler.cs 1 2
  • 56. The actual part to be removed Explicit Logon pattern https://exchange/autodiscover/autodiscover.json?@foo.com/?& Email=autodiscover/autodiscover.json%3f@foo.com
  • 57. The actual part to be removed Explicit Logon pattern https://exchange/autodiscover/autodiscover.json?@foo.com/?& Email=autodiscover/autodiscover.json%3f@foo.com
  • 60. Exchange PowerShell Remoting • The Exchange PowerShell Remoting is a command-line interface that enables the automation of Exchange tasks • The Exchange PowerShell Remoting is built upon PowerShell API and uses the Runspace for isolations. All operations are based on WinRM protocol • Interact with the PowerShell Backend fails because there is no mailbox for the SYSTEM user • We found a piece of code extract Access-Token from URL
  • 61. Extract Access Token from URL 2 1 private void OnAuthenticateRequest(object source, EventArgs args) { HttpContext httpContext = HttpContext.Current; if (httpContext.Request.IsAuthenticated) { if (string.IsNullOrEmpty(httpContext.Request.Headers["X-CommonAccessToken"])) { Uri url = httpContext.Request.Url; Exception ex = null; CommonAccessToken commonAccessToken = CommonAccessTokenFromUrl(httpContext. User.Identity.ToString(), url, out ex); } } } ConfigurationRemotePowershellBackendCmdletProxyModule.cs
  • 62. Extract Access Token from URL private CommonAccessToken CommonAccessTokenFromUrl(string user, Uri requestURI, out Exception ex) { CommonAccessToken result = null; string text = LiveIdBasicAuthModule.GetNameValueCollectionFromUri( requestURI).Get("X-Rps-CAT"); result = CommonAccessToken.Deserialize(Uri.UnescapeDataString(text)); return result; } RemotePowershellBackendCmdletProxyModule.cs
  • 63. Privilege Downgrade • An Elevation of Privilege (EOP) because we can access Exchange PowerShell Backend directly • The intention of this operation is to be a quick proxy for Internal Exchange PowerShell communications • Specify the Access-Token in X-Rps-CAT to Impersonate to any user • We use this Privilege Escalation to "downgrade" ourself from SYSTEM to Exchange Admin
  • 64. Execute Arbitrary Exchange PowerShell as Admin And then?
  • 65. Attack Exchange PowerShell • The last piece of the puzzle is to find a post-auth RCE to chain together • Since we are Exchange admin now, It's easy to abuse the Exchange PowerShell command New-MailboxExportRequest to export user's mailbox into an UNC path New-MailboxExportRequest –Mailbox orange@orange.local –FilePath 127.0.0.1C$pathtoshell.aspx
  • 66. Put it All Together 1. Deliver our encoded WebShell payload by SMTP 2. Launch the native PowerShell and intercept the WinRM protocol • Rewrite the /PowerShell/ to /Autodiscover/ to trigger the Path Confusion bug • Add query string X-Rps-CAT with corresponding Exchange Admin Access Token 3. Execute commands inside the established PowerShell session • New-ManagementRoleAssignment to grant ourself Mailbox Import Export Role • New-MailboxExportRequest to write ASPX file into the local UNC path 4. Enjoy the shell
  • 68. Mitigations 1. Keep Exchange Server up-to-date and not externally facing the Internet (especially web part) 2. Microsoft has enhanced the CAS Frontend in April 2021 • The enhancement mitigated the authentication part of this attack surface and reduced the "pre-auth" effectively 3. Move to Office 365 Exchange Online😏(Just kidding)