In this blog post, I’ll discuss my analysis of CVE-2023-36563, a Microsoft WordPad Information Disclosure Vulnerability, from initial patch diff to working exploit. Then, I’ll discuss detection and mitigation strategies for preventing exploitation of this vulnerability. CVE-2023-36563 Overview Summary CVE-2023-36563’s flaw lies within legacy functionality to convert an OLE 1 storage object (OLESTREAM) to the new IStorage format. By crafting a file with a malicious OLE 1 LinkedObject, an attacker could coerce authentication to an untrusted server to steal NTLM hashes....
Background Protocol Buffers (Protobufs) are a language agnostic data serialization format that allow data to be safely and efficiently trasmitted or stored. Protobuf usage has exploded within the past several years. When testing web applications, mobile applications, and embedded devices alike, it’s increasingly likely you’ll encounter Protobuf data within requests like this: A normal binary Protobuf request You might have logically tried to fuzz these inputs as you would any other parameter, only to realize that things weren’t as simple as they appeared:...
If you want to get serious about finding impactful vulnerabilities through static analysis, it’s time to move beyond simply grep-ing through code bases. In this blog post, I’ll share my personal process for setting up a robust environment for Java static analysis of console applications, web applications, and Android applications. Once you’ve established this test environment, you’ll be able to take advantage of automatic code references, trace usages across a code base, and leverage source-to-sink analysis to find elusive vulnerabilities....