SCRT on Covid-19 and Remote Access / Working From Home

Like everybody, SCRT has been adjusting to life under Covid-19 over the last few weeks. Thankfully, we have been prepared for working from home for quite some time now, as many of us do so under normal circumstances anyway. This is however not the case for all companies, and we have unfortunately been called in to help some of them deal with the unwanted consequences of poorly set up remote access (read: they got hacked). So here is a quick blog post detailing the main issues we see with remote access systems and what can be done to avoid them.


Combining Request Smuggling and CBC Byte-flipping to stored-XSS

During a recent penetration test we stumbled upon a couple of issues which independently might not have warranted any attention, but which, when combined, allowed us to compromise other users by injecting arbitrary JavaScript into their browsers. It goes to show that even certain issues which might not always seem particularly interesting (such as self-XSS) can sometimes be exploited in meaningful ways. I’ll keep this mostly theoretical so as not to divulge any information on the actual targeted system.


Public Intrusion Test of Swiss Post’s E-Voting System

Context

The Swiss Cantons have offered online voting to members of their electorate since 2004. Meanwhile, more than 200 binding trials at Federal votes and elections have taken place in 15 cantons over the years.

In order to expand online voting to a broader public, the Federal regulation obliges the Cantons to meet an additional set of requirements. These include the system feature of full verifiability, performing numerous audits and publishing the software components’ source code.


Magento – RCE & Local File Read with low privilege admin rights

I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is a second paper which covers two vulnerabilities I discovered in Magento, a big e-commerce CMS that’s now part of Adobe Experience Cloud. These vulnerabilities have been responsibly disclosed to the Magento team and patched in Magento 2.3.0, 2.2.7 and 2.1.16.


Remote Code Execution on a Facebook server

I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper, which covers a vulnerability I discovered on one of Facebook’s servers.

While scanning an IP range that belongs to Facebook (199.201.65.0/24), I found a Sentry service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com. Sentry is a log collection web application, written in Python with the Django framework.


WPA2 KRACK – What you should know so far … (in simple terms)

Like most people, we have been waiting for the release of the technical details surrounding the WPA2 vulnerabilities discovered by Mathy Vanhoef (@vanhoefm).

While the details and the full paper (https://papers.mathyvanhoef.com/ccs2017.pdf) are now available, here is a summary aimed at providing the big picture as well as a few recommendations about this attack.
