As part of our continuous pentesting offering, we try to identify solutions used by multiple clients to guide our research efforts to deliver the greatest impact. That is why, recently, we spent some time searching for vulnerabilities within Sitecore to find what we initially thought to be a 0-day, but ended up having been already patched some time earlier.
Continue reading Arbitrary web root file read in Sitecore before v10.4.0 rev. 010422Author: Alain Mowat
Getting code execution on Veeam through CVE-2023-27532
While several blog posts have shown how to retrieve credentials through this vulnerability, we decided to dig deeper and see whether it was possible to execute arbitrary code through this issue.
Continue reading Getting code execution on Veeam through CVE-2023-27532Exploiting stale ADIDNS entries
The correct IP address is sometimes all you need to exploit a remote target.
Continue reading Exploiting stale ADIDNS entriesProducing a POC for CVE-2022-42475 (Fortinet RCE)
Late last year a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability.
Continue reading Producing a POC for CVE-2022-42475 (Fortinet RCE)Internal security recommendations survey
During the first wave of Covid and most people locked up at home, I wanted to engage with my colleagues in various departments here at SCRT by having them answer a simple survey. The survey related to what actions they would recommend and prioritize in order to secure the information system of a random company, which had just received notification that a cyberattack was imminent.
Continue reading Internal security recommendations surveyStealing user passwords through a VPN’s SSO
Last year I got this idea that I should attempt to pay for my holidays to Japan by hunting for bounties in security appliances while in the plane. A full 10 hours of uninterrupted focus on one solution seemed like it should yield interesting results. So I started reverse engineering the Firewall of a relatively common brand which has a private bug bounty. Due to this reason, I won’t be giving out the full details of the issue I discovered, but I find the vulnerability to be quite interesting and worth discussing. So I attempt to do this here without breaching any disclosure terms…
Continue reading Stealing user passwords through a VPN’s SSOState of Pentesting 2020
To many people, pentesting (or hacking in a broader sense) is a dark art mastered by some and poorly understood by most. It has evolved quite substantially throughout the years, guided by new vulnerabilities, changing behaviours and maybe most importantly the development and release of new tools, be they offensive or defensive.
Continue reading State of Pentesting 2020Continuous Pentesting
At SCRT, we have been performing penetration tests for nearly 20 years now and have always tried to improve our methodologies to match client expectations and deliver the most accurate and useful results from each test we undertake.
Continue reading Continuous PentestingSCRT on Covid-19 and Remote Access / Working From Home
Like everybody, SCRT has been adjusting to life under Covid-19 over the last weeks. Thankfully, we’ve been prepared for working from home for quite some time now as many of us do so during normal circumstances anyways. This is however not the case for all companies and we’ve unfortunately been called in to help some of them deal with the unwanted consequences of poorly setting up their remote access (read: they got hacked). So here is a quick blog post detailing the main issues we see with remote access systems and what can be done to avoid them.
Continue reading SCRT on Covid-19 and Remote Access / Working From HomeCombining Request Smuggling and CBC Byte-flipping to stored-XSS
During a recent penetration test we stumbled upon a couple of issues which independently might not have warranted any attention, but when combined allowed to compromise other users by injecting arbitrary JavaScript into their browsers. It goes to show that even certain issues which might not always seem particularly interesting (such as self-XSS) can sometimes be exploited in meaningful ways. I’ll keep this mostly theoretical so as not to divulge any information on the actual targeted system.
Continue reading Combining Request Smuggling and CBC Byte-flipping to stored-XSS