Blog
Posts
-
JNDI Injection Remote Code Execution via Path Manipulation in MemoryUserDatabaseFactory
In this blog post, I’m going to describe a
relative newvector to achieve remote code execution via a JNDI Injection that I found independently to other researchers. The concept of exploiting an object lookup process for a JNDI injection is nothing new. If you are unfamiliar with this, I invite you to read this excellent blog post written by Michael Stepankin.I decided to retire some of the content from Full Stack Web Attack, so if you enjoy this level of Java (and/or C#) analysis, feel free to sign up to my next class which will be held in Rome.
Read more... -
Eat What You Kill :: Pre-authenticated Remote Code Execution in VMWare NSX Manager
This blog post was authored by Sina Kheirkhah. Sina is a past student of the Full Stack Web Attack class.
VMWare NSX Manager is vulnerable to a pre-authenticated remote code execution vulnerability and at the time of writing,
Read more...will not be patched due to EOLthis was patched in VMSA-2022-0027. The following blog is a collaboration between myself and the Steven Seeley who has helped me tremendously along the way. -
IAM Whoever I Say IAM :: Infiltrating VMWare Workspace ONE Access Using a 0-Click Exploit
On March 2nd, I reported several security vulnerabilities to VMWare impacting their Identity Access Management (IAM) solution. In this blog post I will discuss some of the vulnerabilities I found, the motivation behind finding such vulnerabilities and how companies can protect themselves. The result of the research project concludes with a pre-authenticated remote root exploit chain nicknamed
Read more...Hekate. The advisories and patches for these vulnerabilities can be found in the references section. -
From Shared Dash to Root Bash :: Pre-Authenticated RCE in VMWare vRealize Operations Manager
On May 27th, I reported a handful of security vulnerabilities to VMWare impacting their vRealize Operations Management Suite (vROps) appliance. In this blog post I will discuss some of the vulnerabilities I found, the motivation behind finding such vulnerabilities and how companies can protect themselves. The result of the research project concludes with a pre-authenticated remote root exploit chain using seemingly weak vulnerabilities. VMware released an advisory and patched these vulnerabilities in VMSA-2022-0022.
Read more... -
ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central
On December 3, 2021, Zoho released a security advisory under CVE-2021-44515 for an authentication bypass in its ManageEngine Desktop Central and Desktop Central MSP products. On December 17, 2021, the FBI published a flash alert, including technical details and indicators of compromise (IOCs) used by threat actors. Shortly after, William Vu published an Attackerkb entry after doing some static analysis. Meanwhile during the whole of December, I was on holidays!
Read more... -
Unlocking the Vault :: Unauthenticated Remote Code Execution against CommVault Command Center
When Justin Kennedy and Brandon Perry asked me if I was interested in performing a little audit together, I couldn’t resist. Although time was limited, I decided to jump on board because true hacking collaboration is a rare commoditity these days.
Read more... -
Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms
In this blog post, I’m going to share a technical review of Dedecms (or “Chasing a Dream” CMS as translated to English) including its attack surface and how it differs from other applications. Finally, I will finish off with a pre-authenticated remote code execution vulnerability impacting the v5.8.1 pre-release. This is an interesting piece of software because it dates back over 14 years since its initial release and PHP has changed a lot over the years.
An online search for “what is the biggest CMS in China” quickly reveals that multiple sources state that Dedecms is the most popular. However, these sources all but have one thing in common: they’re old.
Read more... -
Pwn2Own Vancouver 2021 :: Microsoft Exchange Server Remote Code Execution
In mid-November 2020 I discovered a logical remote code execution vulnerability in Microsoft Exchange Server that had a bizarre twist - it required a morpheus in the middle (MiTM) attack to take place before it could be triggered. I found this bug because I was looking for calls to
Read more...WebClient.DownloadFilein the hope to discover a server-side request forgery vulnerability since in some environments within exchange server, that type of vulnerability can have drastic impact. Later, I found out that SharePoint Server was also affected by essentially the same code pattern. -
Full Stack Web Attack 2021 :: Zero Day Give Away
This year I released a challenge for the Full Stack Web Attack class:
Whilst several people had solved the challenge, no one seemed to have discovered the zero-day that I left lurking! In this blog post I am going to disclose the details about the bug chain. This vulnerability was patched as CVE-2021-28169 and under certain environments it can lead to an elevation of privilege/access or even remote code execution!
Read more... -
Smarty Template Engine Multiple Sandbox Escape PHP Code Injection Vulnerabilities
In this blog post we explore two different sandbox escape vulnerabilities discovered in the Smarty Template Engine that can be leveraged by a context dependant attacker to execute arbitrary code. Then we explore how these vulnerabilities can be applyed to some applications that attempt to use the engine in a secure way.
Read more... -
Making Clouds Rain :: Remote Code Execution in Microsoft Office 365
When I joined Qihoo’s 360 Vulcan Team, one of the things I had free rein over was having the ability to choose an area of security research that has a high impact. Since I enjoy web security research a lot I decided to target cloud based technologies. At the time, I decided to target Microsoft’s cloud network because my understanding of .net was very limited and it gave me a chance to grow that technical capability.
Read more... -
A SmorgasHORDE of Vulnerabilities :: A Comparative Analysis of Discovery
Some time ago I performed an audit of the Horde Groupware Webmail suite of applications and found an interesting code pattern that facilitated the attack of 34+ remote code execution vulnerabilities. Additionally, Andrea Cardaci’s performed an audit around the same time and we seemed to miss each others bugs due to a difference in auditing styles.
Read more... -
SharePoint and Pwn :: Remote Code Execution Against SharePoint Server Abusing DataSet
When CVE-2020-1147 was released last week I was curious as to how this vulnerability manifested and how an attacker might achieve remote code execution with it. Since I’m somewhat familiar with SharePoint Server and .net, I decided to take a look.
Read more... -
SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL
When I was researching exploit primitives for the SQL Injection vulnerabilities discovered in Cisco DCNM, I came across a generic technique to exploit SQL Injection vulnerabilities against a PostgreSQL database. When developing your exploit primitives, it’s always prefered to use an application technique, that doesn’t rely on some other underlying technology.
Read more... -
Strike Three :: Symlinking Your Way to Unauthenticated Access Against Cisco UCS Director
This is the final blog post to my series of attacks against Cisco software. If you haven’t seen the previous posts, I recommend you check them out here and here. Like always, we will start from an unauthenticated context and work our way up to full blown remote code execution as root and I will share some of the interesting discoveries along the way :-)
Read more... -
Silent Schneider :: Revealing a Hidden Patch in EcoStruxure Operator Terminal Expert
Last month, Chris and I competed at Pwn2Own Miami 2020 targeting several ICS applications. One of the applications that we targeted was the Schneider Electric EcoStruxure Operator Terminal Expert. This blog post talks about a silent patch that was introduced before the competition that subsequently killed several bugs in our exploit chain.
Read more... -
Busting Cisco's Beans :: Hardcoding Your Way to Hell
After the somewhat dismay of reporting to Cisco some other vulnerabilities in their Prime Infrastructure product, I decided to perform an audit on the Cisco Data Center Network Manager (DCNM) product. What I found should not only SHOCK you, but relive that 90’s remote root era that you all have been craving.
Read more... -
Attacking Unmarshallers :: JNDI Injection using Getter Based Deserialization Gadgets
I know you have pwned deserialization of untrusted data bugs before (if you haven’t what the hell, they are fun!), but have you pwned an entire REST framework due to a misconfigured marshaller? In this short blog post, we will reveal some quick research that was done based upon the excellent work perform by Doyensec.
Read more... -
Panic! at the Cisco :: Unauthenticated Remote Code Execution in Cisco Prime Infrastructure
Not all directory traversals are the same. The impact can range depending on what the traversal is used for and how much user interaction is needed. As you will find out, this simple bug class can be hard to spot in code and can have a devastating impact.
Read more... -
It's Not Our Sandbox :: Auditing Foxit Reader's PDF Printer For an Elevation of Privilege
Mid last year, I blogged about how I found an exploitable use-after-free in Foxit Reader and how I was able to gain remote code execution from that vulnerability. Then, as the second installment I blogged about a command injection in Foxit Reader SDK ActiveX. In the spirit of catching foxes, I decided to look at a new component in Foxit Reader later in that same year. To my (un)surprise, I was able to discover several vulnerabilities in this component that could allow for a limited elevation of privilege, one being particularly nasty. That lead to this, third installment.
Read more... -
ActiveX Exploitation in 2019 :: Instantiation is not Scripting
But didn’t Microsoft kill ActiveX? I hear you asking. Well they almost did. As most security practitioners know, ActiveX has had a long history of exploitation and its fair share of remote vulnerabilities. Microsoft themselves have had several ActiveX vulnerabilities disclosed along with many popular third party vendors. Microsoft released an update where they have essentially killed any scripting for ActiveX objects from a remote context.
Read more... -
WebExec Reloaded :: Cisco Webex Meetings Desktop App Update Service DLL Planting Elevation of Privilege Vulnerability
Some time ago Ron Bowes found a vulnerability in Cisco WebEx Meetings Desktop App that could allow local privilege escalation, or, if you have a user account you can use psexec to gain remote code execution as SYSTEM. He named the vulnerability WebExec (cute) and even gave it a pretty website! The problem? Well, it turns out the patch wasn’t so good…
Read more... -
Old School Pwning with New School Tricks :: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability
Since I have been working on bug bounties for a while, I decided to finally take the dive into some vendor specific bounties recently. Some of these are on HackerOne and for me, this is a huge leap of faith because I am a bit of an old schooler in that I remember a time when security researchers couldn’t trust vendors, especially for judging impact and providing actionable information for their users to patch. After my experience with Vanilla, sadly, my stance is still the same. You simply cannot trust a vendor to provide actionable and accurate information.
Read more... -
You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows
I have been continuing my journey of searching for windows breakout vulnerabilities in popular applications and one that I discovered in March I found interesting enough to share. Whilst kernel vulnerabilities are fun to discover, there are many core windows and third party applications that are fundamentally broken in regards to logic and makes for a lucrative means to gain a SYSTEM shell without having to bypass the several memory mitigations that stand in the way.
Read more... -
Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation
After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an information leak to defeat ASLR. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution.
Read more... -
Adobe, Me and an Arbitrary Free :: Analyzing the CVE-2018-4990 Zero-Day Exploit
Update! I originally titled this blog post ‘Adobe, Me and a Double Free’, however as a good friend of mine Ke Liu of Tencent’s Xuanwu LAB pointed out, this vulnerability is actually an out-of-bounds read that leads to two arbitrary free conditions. Therefore I have updated my analysis of the root cause as well as the exploitation.
I managed to get my hands on a sample of CVE-2018-4990. This was a zero-day exploit affecting Acrobat Reader that was recently patched by Adobe in apsb18-09. Anton Cherepanov at ESET wrote a marketing blog post on it (A tale of two zero-days) which was a
Read more...decent, pretty poor analysis and it was missing some important things for me, such as how was the bug actually exploited? -
Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
In the past I have spent a lot of time researching web related vulnerabilities and exploitation and whilst I’m relatively versed in usermode exploitation, I needed to get up to speed on windows kernel exploitation. To many times I have tested targets that have kernel device drivers that I have not targeted due to the sheer lack of knowledge. Gaining low privileged code execution is fun, but gaining ring 0 is better!
Read more... -
From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection
This is a follow up blog post to my previous post on auditing Google Web Toolkit (GWT). Today we are going to focus on a specific vulnerability that I found in a GWT endpoint that Matthias Kaiser helped me exploit. Please note that the code has been changed to protect the not so innocent whilst they patch.
Read more... -
From Serialized to Shell :: Auditing Google Web Toolkit
Recently I have been looking for vulnerabilities in a target that has some API’s developed with the Google Web Toolkit framework. This is the second time I’ve come up against a target using this technology so I figured it was about time I took some notes.
Its sufficient to say, that I have finally upheld my word. This blog post is more of a reference to my future self, but if some people get something out of it, then more power to them!
Read more... -
Word Up! Microsoft Word OneTableDocumentStream Underflow
Today, Microsoft released the MS16–148 to patch CVE-2016-7290, which addresses an integer underflow issue that I found. The underflow later triggers an out-of-bounds read during a copy operation which could result in a stack based buffer overflow outside of the
Read more...protected modewinword.exe process when a processing specially crafted binary document file. -
The Implied Security of memmove()
Calls to memmove that use a source buffer that is smaller than the destination buffer can be at times exploitable if the size value is bit aligned, is mapped in memory and that the original source buffer is also mapped in memory.
Read more... -
Once Upon a Type Confusion
Last week, Microsoft released the MS16–107 to patch CVE-2016-3363, which is a Type Confusion vulnerability within Microsoft Excel 2007, 2010, 2013 and 2016 both 32 and 64 bit versions. This post will show you how I determined the vulnerability class and some lightweight technical details around the vulnerability.
Read more...