Recently, I had the privilege to write a detailed analysis of
CVE-2023-34362,
which is a series of several vulnerabilities in the MOVEit file transfer
application that lead to remote code execution. One of the several
vulnerabilities involved an ISAPI module - specifically, the MoveITISAPI.dll
ISAPI extension. One of the many vulnerabilities that comprised the MOVEit RCE
was a header-injection issue, where the ISAPI application parsed headers
differently than the .NET application. This post is going to dig into how to
analyze and reverse engineer an ISAPI-based service!
This wasn’t the first time in the recent past I’d had to work on
something written as an ISAPI module, and each time I feel like I have to start
over and remember how it’s supposed to work. This time, I thought I’d combine
my hastily-scrawled notes with some Googling, and try to write something that I
(and others) can use in the future. As such, this will be a quick intro to
ISAPI applications from the angle that matters to me - how to reverse engineer
and debug them!
I want to preface this with: I’m not a Windows developer, and I’ve never run an
IIS server on purpose. That means that I am approaching this with brute-force
ignorance! I don’t have a lot of background context nor do I know the correct
terminology for a lot of this stuff. Instead, I’m going to treat these as
typical DLLs from typical applications, and approach them as such.
Continue reading →
Fork off: Three ways to deal with forking processes
Have you ever tested a Linux application that forks into multiple processes?
Isn’t it a pain? Whether you’re debugging, trying to see a process crash, or
trying to write an exploit, it can be super duper annoying!
In a few days, I’m giving a talk at NorthSec in Montreal. I asked some
co-workers to review my slides, and they commented that I have some neat
techniques to deal with forking, so I thought I’d share a couple!
Spoiler alert: The last one is the best, so you can just skip to that. :)
Continue reading →