May 2022 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.


Latest Updates in Cloud Sector


Spoofing Microsoft 365 Like It’s 1995

Phishing comprises 25% of all breaches, making it one of the top ways for adversaries to enter networks. The phrase “defense-in-depth” means we provide multiple layers of defense that create hurdles adversaries must clear, reducing their chances of success. However, what if we could cut out the infrastructure pieces, skip past domain categorization and reputation checks, and “bypass” all of the target enterprise’s defenses with one command? Microsoft documents a feature named “Direct Send” that requires no authentication and can be used from outside the enterprise network. This article by Steve Borosh highlights the dangers posed by Microsoft Direct Send with regard to spoofed phishing attacks and helps defenders better protect their networks.




Critical Zoom Vulnerabilities fixed last week required no user interaction

“User interaction is not required for a successful attack,” the researcher Fratric wrote. “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over Extensible Messaging and Presence Protocol (XMPP) protocol.” Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities made it possible to carry out attacks even when the victim took no action other than having the client open. As detailed by the Google Project Zero researcher, inconsistencies in how the Zoom client and Zoom servers parse XMPP messages made it possible to “smuggle” content in them that would usually be blocked. By combining those flaws with a glitch in the way Zoom’s code-signing verification works, Fratric achieved full code execution.




Cloudflare Pages, Part 1: The Fellowship of the Secret

Cloudflare Pages operates as a continuous deployment service triggered by commits to a connected GitHub or GitLab repository. Its simplicity is what drew the hackers James Hebden and Sean Yeoh to look into it: deployments are automated, and Cloudflare’s global content network offers good performance at reasonable pricing. The blog post, written by a group of hackers driven by nothing more than curiosity, covers findings including command injection, container escapes, GitHub tokens, Cloudflare’s own GitHub tokens and Cloudflare API keys for the Cloudflare organization, and Cloudflare’s Azure API tokens, among other things.





Latest Updates in Infrastructure


MITRE Creates Framework for Supply Chain Security

Supply chain security has been a popular topic in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. MITRE’s System of Trust (SoT) prototype framework provides a standard methodology for evaluating suppliers, supplies and service providers. MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) program, which identifies known software vulnerabilities, and the ATT&CK framework, which maps the common steps threat groups use to infiltrate networks and breach systems. In SoT, each risk is scored using data measurements that are fed into a scoring algorithm. The resulting scores identify, for instance, the strengths and weaknesses of a supplier against the specific risk categories.




DOing Harm

Windows Delivery Optimization allows one to get Windows updates and Microsoft Store applications from sources other than Microsoft, such as other PCs on the local network or PCs on the internet that are downloading the same files. It helps with traffic congestion and low-bandwidth environments; for instance, in a remote location the ability to have a single PC download a 1GB update and distribute it to the other 100 PCs on one’s LAN is a good concept. This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. It uses content metadata to determine all available locations to pull content from, as well as for content verification. That same metadata enables an adversary to learn about the internal network topologies of PCs around the globe that have this feature enabled (the default).
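The article’s point is that peer sharing beyond the LAN is what exposes topology, so the first thing a defender wants to know is which download mode a host is actually in. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the Delivery Optimization download mode from the Group Policy key and, failing that, from the key the Settings app writes to (those two registry paths and the mode numbering are Microsoft’s documented `DODownloadMode` values), and reports whether internet peers are allowed.

```powershell
# Added example (not from the DO article): report where Delivery Optimization
# peering is configured on this host and whether internet peers are permitted.
# Run in an elevated PowerShell on the Windows host being audited.

$ModeNames = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN peers only'
    2   = 'Group peers (same AD site / domain / group ID)'
    3   = 'Internet peers'
    99  = 'Simple mode (no peering, no DO cloud service)'
    100 = 'Bypass (use BITS instead of DO)'
}

function Get-DODownloadMode {
    # Group Policy takes precedence over the value written by the Settings app,
    # so the policy key is checked first.
    $sources = [ordered]@{
        Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        Settings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
    }
    foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $sources[$name] -Name DODownloadMode -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $mode = [int]$item.DODownloadMode
            return [pscustomobject]@{
                Source        = $name
                Mode          = $mode
                Meaning       = $ModeNames[$mode]
                InternetPeers = ($mode -eq 3)
            }
        }
    }
    # Neither key exists: no explicit setting, the Windows default for this SKU applies.
    [pscustomobject]@{
        Source        = 'Default'
        Mode          = $null
        Meaning       = 'No explicit setting; Windows default applies'
        InternetPeers = $null
    }
}

Get-DODownloadMode | Format-List
```

A result of `InternetPeers = True` (mode 3) is the configuration the article warns about; restricting the policy to LAN (1) or Group (2) mode keeps the bandwidth benefit described above while limiting peering to hosts you control. `Get-DeliveryOptimizationStatus` shows the live per-file peer and HTTP byte counts if you want to confirm the effective behaviour rather than the configured value.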




Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)

Active Directory Certificate Services (AD CS) is a server role that functions as Microsoft’s public key infrastructure (PKI) implementation. It integrates tightly with Active Directory and enables the issuing of certificates, which are X.509-formatted, digitally signed electronic documents that can be used for encryption, message signing, and/or authentication. The blog post dives into a recently patched Active Directory domain privilege escalation vulnerability that Oliver Lyak reported through ZDI to Microsoft. In essence, the vulnerability allowed a low-privileged user to escalate privileges to domain administrator in a default Active Directory environment with the AD CS server role installed.
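Certifried hinges on a machine account’s `dNSHostName` attribute being changed to a value that does not belong to it, so a cheap defensive sweep is to list computer objects whose `dNSHostName` disagrees with their account name. The script below is an added example, not code from Oliver Lyak’s post or from Microsoft; it uses the standard `ActiveDirectory` module and assumes a single-domain forest where every computer’s DNS name should be `<Name>.<domain DNS root>`.

```powershell
# Added example (not from the Certifried post): flag computer accounts whose
# dNSHostName does not match the name derived from the account itself.
# Requires RSAT / the ActiveDirectory module and read access to computer objects.
Import-Module ActiveDirectory

function Get-MismatchedComputerHostnames {
    param(
        # Assumption: one domain, so the expected suffix is the domain's DNS root.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADComputer -Filter * -Properties dNSHostName | ForEach-Object {
        $expected = "$($_.Name).$Domain"
        # Case-insensitive comparison; only report accounts that actually carry a value.
        if ($_.dNSHostName -and ($_.dNSHostName -ne $expected)) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                dNSHostName    = $_.dNSHostName
                Expected       = $expected
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

Get-MismatchedComputerHostnames | Format-Table -AutoSize
```

Every row deserves a look: a machine whose `dNSHostName` points at a domain controller or another server’s name is exactly the inconsistency the vulnerability abuses. In multi-domain forests or environments with alternate DNS suffixes the check will produce benign mismatches, so pass `-Domain` per domain and whitelist known suffixes rather than ignoring the output. This sweep complements, and does not replace, applying the May 2022 patch that fixes CVE-2022-26923.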





Latest Updates in Web Application


Gin and Juice Shop: Put your Scanner to the Test

So what is this Gin and Juice Shop? It is a website created by Carlos Montoya that, unlike many other deliberately vulnerable websites, provides a realistic challenge for a scanner to navigate. It is filled with features such as single-use Cross-Site Request Forgery (CSRF) tokens and plenty of JavaScript, as we would expect of a modern site. Furthermore, the Gin and Juice Shop is riddled with severe vulnerabilities. One can find everything from classics like Cross-Site Scripting (XSS) and SQL injection (SQLi) to tricky external service interactions detected through out-of-band application security testing (OAST).




Security Code Audit - For Fun and Fails

Wise men learn from other men’s mistakes! This blog post not only gives insights into methods for auditing a product but also lists common failures. It is not about the latest Remote Code Executions (RCEs) but rather a walkthrough of the whole security audit process. It encourages people to learn from common pitfalls and offers some inspiration for the proper mindset for security code auditing.




Improved Process Isolation in Firefox 100

In Windows 8, Microsoft introduced a new mitigation named ‘Process Mitigation System Call Disable Policy’ that an application can use to disable access to Win32k.sys system calls (also known as Win32k Lockdown). Firefox runs the processes that render web content with quite a few restrictions on what they are allowed to do when running on Windows. Unfortunately, by default they still have access to the entire Windows API, which opens up a large attack surface. This article covers the latest major milestone reached with Win32k Lockdown, which greatly reduces the capabilities of the content process when running on Windows. Together with two other major efforts (Fission and RLBox), it completes a sequence of large leaps forward that will significantly improve Firefox’s security.







About the Expert

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat USA, Asia and EU, Nullcon, c0c0n, and many more). Anant also leads open source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities aimed at spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info

Prashant Mahajan

Prashant Mahajan is a Director at Payatu Australia Pty Ltd. He has over a decade of experience with various aspects of information security, including penetration testing, vulnerability analysis, digital forensics, and incident response. He is also a developer of open-source tools such as ADRecon and AzureADRecon, a founding member of Null - The Open Security Community, and a frequent speaker at industry events and trainings.