Three zero days in three hours: Discovering CVE-2024-22086, CVE-2024-22087, and CVE-2024-22088

Zero-day exploits are discovered by security researchers, nation-states, cyber defense professionals, and hacktivist groups worldwide to infiltrate computer systems, networks, critical infrastructure, and Internet of Things (IoT) devices. As technology advances, cybercrime continues to spread into every global industry. This makes the race to find zero-day vulnerabilities crucial to the success of any organization. Positioned […]


Zero-Day Research: CVE-2023-51771 MicroHTTPServer Off-By-One Global Buffer Overflow

Unraveling a Subtle Yet Critical Vulnerability

In the ever-evolving landscape of cybersecurity, certain vulnerabilities, though seemingly minor, can open the door to significant security breaches. At Skinny Research and Development, our team has delved deep into the nuances of one such issue: the off-by-one global buffer overflow. This vulnerability, while often overlooked due to its


Zero-Day Research: CVE-2023-50965 MicroHttpServer Remote Buffer Overflow

Introduction

In the ever-evolving landscape of cybersecurity, where threats loom at every digital corner, Skinny Research and Development emerges as a beacon of innovation in the domain of zero-day research and vulnerability discovery. With a name that reflects our lean approach and focus on efficiency, Skinny R&D has demonstrated an uncanny ability to stay ahead


Zero-Day Research: CVE-2023-48024 and CVE-2023-48025

Striking a harmonious balance between high-level abstraction and low-level hardware control, the C programming language proves to be efficient for resource-constrained embedded systems. C programs can be finely tuned to optimize memory usage and execution speed, a critical consideration in embedded applications where resources are at a premium. Despite the many benefits of the C


Zero-Day Research: ehttp Use-after-Free (CVE-2023-52266) and Out-of-Bounds Read (CVE-2023-52267)

The ehttp library advertises itself as a ‘simple HTTP server based on epoll’. The primary goal of the library is to provide an easy-to-use HTTP microservice with JSON support. The library supports HTTP 1.0/1.1 with GET and POST request methods. When utilizing a new library, I always execute various fuzz tests against the library to


Mr. Radar: Layer 1 Recon

When assessing a building’s network security from an adversarial perspective, it can often be helpful to look for open network ports that are easily accessible. These ports can give an adversary a place to plug in a covert network device and may also make further network compromise possible.


Live Stream: Automating Host Defense with the Teensy and USB Rubber Ducky

Live Stream Link: https://youtu.be/ydoIF4FnoFQ
April 14th, 10am Central Time

Links to Purchase the Teensy and USB Rubber Ducky:
https://www.pjrc.com/store/teensy40.html
https://shop.hak5.org/products/usb-rubber-ducky-deluxe

Download the above file before the start of class and unzip it. File contains list of commands covered last week, the JS Ducky Encoder mentioned below, the phukdlib library, and an Arduino INO program for testing
