This Week In Security: Iran’s ITG18, ProcMon For Linux, And Garbage Collection Fail – Hackaday
Even top-tier security professionals make catastrophic mistakes, and this time it was the operators at Iran's ITG18. We're once again talking about the strange, shadowy world of state-sponsored hacking. This story comes from the IBM X-Force Incident Response Intelligence Services (IRIS). I suspect a Deadpool fan must work at IBM, but that's beside the point.
A server suspected of being used by ITG18 was incorrectly configured, so the data and training videos stored there were publicly accessible. Among the captured data were records of compromised accounts belonging to US and Greek military personnel.
The training videos also contained a few interesting tidbits. If a targeted account used two-factor authentication, the attacker was to make a note and give up on gaining access to that account. If a Google account was breached, the practice was to start with Google Takeout, the service that lets an account holder download all the data Google has collected about that account. Yoiks.
We've covered many kernel-level exploits in this column, but never a guide quite like the one just published by Secfault Security. It attempts to bridge the gap between being a developer and being an exploit author, walking us through the process of building a working exploit PoC based on a Google Project Zero write-up.
Microsoft is continuing to develop its Linux presence, this time by re-engineering Process Monitor as ProcMon for Linux. A bit of history: Process Monitor is part of the Sysinternals suite, originally developed by [Bryce Cogswell] and [Mark Russinovich], founders of Winternals. Incidentally, they also broke the Sony BMG rootkit story, using Sysinternals tools. Less than a year after that story broke, Winternals was acquired by Microsoft, and while [Cogswell] has moved on, [Russinovich] has stayed with Microsoft and is now the CTO of Azure.
ProcMon is written in C++ and released under the MIT license. It keeps track of the system calls happening on the machine in real time, giving a detailed look at the activity of the system. It's useful for security, debugging, and troubleshooting performance issues. All in all, it's a really handy tool, and should be a useful part of the sysadmin's toolbox. Since the source is available under an OSI-approved license, the various distros should pick up and package ProcMon before long.
Windows Server supports a couple of ways to run processes in containers: Hyper-V containers and Windows Server Containers. It's fairly widely accepted that virtualization-based containerization provides stronger isolation. That is, if a virtualized container is compromised, it is far more difficult for an attacker to break out and attack the host machine, compared to kernel-based containerization, where the container shares the host's kernel.
The news is a new way to escape a Windows Server Container. While not encountered as often as on a Linux machine, Windows does support symbolic links. Reading through the deep dive also makes clear how much of modern Windows is a kernel object namespace with the familiar Win32 view layered on top. For example, the C: drive letter is itself a global symbolic link to \Device\HarddiskVolumeX.
If a containerized process could create a global symlink, one that points outside the container at the host's root directory, the container escape would be trivial. As expected, the container security controls don't allow the isolated processes to create such a symlink at runtime. That said, there is a particular function that can be abused to create the global symlink. The specific function and parameters have yet to be disclosed, to make in-the-wild exploitation just a bit more difficult.
The story of a security audit on a website caught my eye this week, put together by [Maxwell Dulin]. The password reset form is the focus here, and it has a few problems. The first one is a common flaw: the password reset form reveals whether a given email address is in the system. It's not the worst flaw, but it does hand an attacker information: he can guess email addresses and get confirmation whenever there is an account with that address.
The next flaw is a subtle one: the contents of the password reset email are generated using the Host header sent in the HTTP request. That normally works as expected. A user goes to ourwebsite.com/reset, inputs their email address, and submits the form to generate a password reset request. They get an email with a link back to ourwebsite.com that allows the password reset. An attacker, however, can send a malicious HTTP request to the password reset form using someone else's address and a manipulated Host value. The reset email now points to the injected host. If the user clicks the link in the email, the secret reset token is sent to the host specified by the attacker, who can then go reset the user's password.
The last flaw [Maxwell] found was the worst of the bunch. The reset token is checked when the user first clicks the link sent via email, but it isn't checked again when the password is actually updated. You could create your own account, go through the password reset process, and then change the password reset form to point at another user's account. Because the back-end sees you as already authorized, it dutifully sets the new password, even though the account specified isn't yours.
None of us will likely use the little website that this audit was performed on, but the steps described and the problems to look for are a good guide for anyone needing to do the same.
CVE-2019-1367 is an older bug at this point, found being exploited in the wild in 2019, and given a full write-up by Confiant. It's yet another vulnerability in Internet Explorer's jscript engine. For a very brief review, jscript.dll is the deprecated IE implementation of JavaScript. It's no longer the default implementation, but can be requested by a web page for compatibility purposes. It appears that jscript.dll is only reachable from Internet Explorer, and neither iteration of Edge supports the legacy implementation at all.
This vuln was being actively used by state actors in a watering-hole style attack, where simply visiting the malicious site was enough to be compromised. The next page of the write-up goes into the technical details. This is a class of vulnerability that we haven't covered before: a use-after-free in a garbage-collected language.
Garbage collection is the alternative to manually freeing memory when you are finished with it. One of its advantages is that it is supposed to make use-after-free bugs a thing of the past, so what's going on here? The garbage collector in jscript.dll doesn't properly track object references in certain situations. This bug specifically involves the Array.sort() callback function. The arguments passed to that callback aren't tracked by the collector, so a script can arrange things such that a GC sweep frees an object that the engine later accesses.
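To show what "the collector doesn't track the callback's arguments" means in practice, here is an added example, a toy mark-and-sweep heap rather than anything from jscript.dll or the Confiant write-up. The engine-side sort routine copies the element handles out of the array and calls a user comparator on pairs; a hostile comparator drops the array's own references and forces a sweep while the sort still holds those handles. Whether the sort reported its handles to the collector decides whether the later dereference is a use-after-free. ToyHeap, toySort, runScenario and the three-element array are all hypothetical.

```javascript
// Added example, not jscript's code: a toy tracking collector whose root set
// either includes or omits the handles an in-flight sort is holding.
class ToyHeap {
  constructor() {
    this.objects = new Map(); // id -> { value, refs: [ids] }
    this.roots = new Set();   // ids the collector always treats as live
    this.engineRefs = [];     // handles the engine reports while it holds them
    this.nextId = 1;
    this.lastFreed = 0;
  }
  alloc(value) {
    const id = this.nextId++;
    this.objects.set(id, { value, refs: [] });
    return id;
  }
  // Every dereference goes through here, so touching a collected id is the UAF.
  get(id) {
    const obj = this.objects.get(id);
    if (!obj) throw new Error(`use-after-free: object ${id} was collected`);
    return obj;
  }
  link(from, to) { this.get(from).refs.push(to); }
  // Mark from the roots plus whatever the engine reported, then sweep the rest.
  collect() {
    const live = new Set();
    const stack = [...this.roots, ...this.engineRefs];
    while (stack.length) {
      const id = stack.pop();
      if (live.has(id)) continue;
      live.add(id);
      const obj = this.objects.get(id);
      if (obj) stack.push(...obj.refs);
    }
    this.lastFreed = 0;
    for (const id of [...this.objects.keys()]) {
      if (!live.has(id)) { this.objects.delete(id); this.lastFreed++; }
    }
    return this.lastFreed;
  }
}

// Engine-side sort in the style of Array.prototype.sort: copies the element
// handles out of the array, calls the comparator on pairs, writes them back.
// reportRefs decides whether those private handles are visible to the GC.
function toySort(heap, arrayId, comparator, reportRefs) {
  const items = [...heap.get(arrayId).refs];
  if (reportRefs) heap.engineRefs.push(...items);
  try {
    for (let i = 1; i < items.length; i++) {
      for (let j = i; j > 0; j--) {
        const a = items[j - 1], b = items[j];
        const cmp = comparator(heap, a, b);
        // Like the real engine, dereference both arguments after the callback
        // returns; if the callback managed to free them, this is the UAF.
        heap.get(a); heap.get(b);
        if (cmp <= 0) break;
        items[j - 1] = b; items[j] = a;
      }
    }
    heap.get(arrayId).refs = items;                 // write the handles back
    return items.map((id) => heap.get(id).value);   // and read them once more
  } finally {
    if (reportRefs) heap.engineRefs.length -= items.length;
  }
}

// Builds a rooted array of three hypothetical objects and sorts it with either a
// normal comparator or a hostile one that unlinks the elements and forces a GC.
function runScenario(reportRefs, hostile) {
  const heap = new ToyHeap();
  const arrayId = heap.alloc('array');
  heap.roots.add(arrayId);                          // reachable from script globals
  for (const v of [3, 1, 2]) heap.link(arrayId, heap.alloc(v));
  const benign = (h, a, b) => h.get(a).value - h.get(b).value;
  const hostileCmp = (h) => { h.get(arrayId).refs.length = 0; h.collect(); return 0; };
  try {
    const values = toySort(heap, arrayId, hostile ? hostileCmp : benign, reportRefs);
    return { ok: true, values, freed: heap.lastFreed };
  } catch (e) {
    return { ok: false, error: e.message, freed: heap.lastFreed };
  }
}
```

`runScenario(false, true)` models the bug: the sweep frees all three elements (the array no longer references them and the sort never told the collector it was holding them), and the engine's next dereference trips the use-after-free. `runScenario(true, true)` models the fix: the same hostile callback frees nothing, because the handles the engine holds are part of the root set for as long as it holds them.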
For the exploit and further analysis of how this flaw was used in the wild, check out parts 2 and 3 of the full write-up.