Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2306)
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
Our employees frequently engage in research projects to live up to our high standards. They analyze the latest topics, methods and tools in interesting areas of information security and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals, as well as to advisories and zero-day vulnerabilities.
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
February 26, 2025 – In this final part of our series on COM hijacking, we will examine a custom-named pipe IPC protocol implemented by Bitdefender Total Security and detail our approach to reverse engineering it. We will explore how we could use COM hijacking and this custom communication to gain SYSTEM privileges (CVE-2023-6154). Additionally, we will examine how to mitigate the vulnerabilities discussed throughout this series of blog posts. Lastly, we will demonstrate how COM hijacking can be exploited to perform a Denial-of-Service (DoS) attack on security products.
Author: Alain Rödel and Kolja Grassmann
February 17, 2025 – MobaXterm is a toolbox for remote computing.
February 12, 2025 – In this third part of our blog post series, we will cover the details of two additional vulnerabilities we found based on COM hijacking. The first vulnerability impacted Webroot Endpoint Protect (CVE-2023-7241), allowing us to leverage an arbitrary file deletion to gain SYSTEM privileges. In the second case, we targeted Checkpoint Harmony (CVE-2024-24912) and used a file download primitive to gain SYSTEM privileges.
Author: Alain Rödel and Kolja Grassmann
January 29, 2025 – In this post, we will delve into how we exploited trust in AVG Internet Security (CVE-2024-6510) to gain elevated privileges.
But before that, the next section will detail how we overcame an allow-listing mechanism that initially disrupted our COM hijacking attempts.
Author: Alain Rödel and Kolja Grassmann
January 24, 2025 – Since January 17, 2025, the Digital Operational Resilience Act (DORA) has been in effect. One important aspect of DORA is the requirement to regularly perform threat-led penetration tests (TLPT). Only selected entities within the financial sector are required to conduct TLPTs. Even though TLPTs sound like a new concept, they have actually existed in Germany since 2020 in the form of TIBER tests. This blog post describes the concepts behind TLPTs and how they are conducted. Furthermore, alternatives for targeted and budget-oriented red team assessments are given.
Author: Michael Brügge
January 15, 2025 – In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you’ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products’ internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.
Author: Alain Rödel and Kolja Grassmann
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows an attacker to delete a folder with high privileges. This can be leveraged to escalate privileges to SYSTEM.
December 3, 2024 – The German government has introduced a government-provided electronic identity for its citizens, the BundID. Authentication for this ID can be – among other things – achieved using a certificate file that was introduced for submitting tax returns. However, many citizens share this certificate file either with people that do the taxes for them or with online services that provide easier interfaces for doing your taxes. As a result, many people’s online identities are at risk.
Author: Benjamin Häublein
cirosec follows this responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need to give the vendor or open-source project enough time to develop and distribute a fix for the vulnerability against the public's need to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our Responsible Disclosure Policy can be found here.