  • ActiveX Exploitation in 2019 :: Instantiation is not Scripting


    But didn’t Microsoft kill ActiveX? I hear you asking. Well, they almost did. As most security practitioners know, ActiveX has had a long history of exploitation and its fair share of remote vulnerabilities. Microsoft themselves have had several ActiveX vulnerabilities disclosed, along with many popular third-party vendors. Microsoft released an update in which they have essentially killed any scripting of ActiveX objects from a remote context.

  • WebExec Reloaded :: Cisco Webex Meetings Desktop App Update Service DLL Planting Elevation of Privilege Vulnerability

    Cisco Webex

    Some time ago, Ron Bowes found a vulnerability in the Cisco WebEx Meetings Desktop App that could allow local privilege escalation, or, if you have a user account, you can use psexec to gain remote code execution as SYSTEM. He named the vulnerability WebExec (cute) and even gave it a pretty website! The problem? Well, it turns out the patch wasn’t so good…

  • Old School Pwning with New School Tricks :: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability

    Vanilla Forums

    Since I have been working on bug bounties for a while, I decided to finally take the dive into some vendor-specific bounties recently. Some of these are on HackerOne and, for me, this is a huge leap of faith because I am a bit of an old schooler in that I remember a time when security researchers couldn’t trust vendors, especially for judging impact and providing actionable information for their users to patch. After my experience with Vanilla, sadly, my stance is still the same. You simply cannot trust a vendor to provide actionable and accurate information.

  • You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows

    Docker for Windows

    I have been continuing my journey of searching for Windows breakout vulnerabilities in popular applications, and one that I discovered in March I found interesting enough to share. Whilst kernel vulnerabilities are fun to discover, there are many core Windows and third-party applications that are fundamentally broken in regards to logic, and they make for a lucrative means to gain a SYSTEM shell without having to bypass the several memory mitigations that stand in the way.

  • Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation

    Foxit Reader

    After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an information leak to defeat ASLR. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution.

  • Adobe, Me and an Arbitrary Free :: Analyzing the CVE-2018-4990 Zero-Day Exploit

    Acrobat Reader

    Update! I originally titled this blog post ‘Adobe, Me and a Double Free’; however, as a good friend of mine, Ke Liu of Tencent’s Xuanwu LAB, pointed out, this vulnerability is actually an out-of-bounds read that leads to two arbitrary free conditions. Therefore I have updated my analysis of the root cause as well as the exploitation.

    I managed to get my hands on a sample of CVE-2018-4990. This was a zero-day exploit affecting Acrobat Reader that was recently patched by Adobe in apsb18-09. Anton Cherepanov at ESET wrote a marketing blog post on it (A tale of two zero-days) which was a decent, pretty poor analysis and it was missing some important things for me, such as how was the bug actually exploited?

  • Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool

    Windows 7

    In the past I have spent a lot of time researching web-related vulnerabilities and exploitation, and whilst I'm relatively versed in usermode exploitation, I needed to get up to speed on Windows kernel exploitation. Too many times I have tested targets that have kernel device drivers that I have not targeted due to the sheer lack of knowledge. Gaining low-privileged code execution is fun, but gaining ring 0 is better!

  • From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection

    Google Web Toolkit

    This is a follow-up blog post to my post on auditing Google Web Toolkit (GWT). Today we are going to focus on a specific vulnerability that I found in a GWT endpoint that Matthias Kaiser helped me exploit. Please note that the code has been changed to protect the not so innocent whilst they patch.

  • From Serialized to Shell :: Auditing Google Web Toolkit

    Google Web Toolkit

    Recently I have been looking for vulnerabilities in a target that has some APIs developed with the Google Web Toolkit framework. This is the second time I’ve come up against a target using this technology, so I figured it was about time I took some notes.

    It’s sufficient to say that I have finally upheld my word. This blog post is more of a reference to my future self, but if some people get something out of it, then more power to them!

  • Word Up! Microsoft Word OneTableDocumentStream Underflow

    Microsoft Office Word

    Today, Microsoft released MS16-148 to patch CVE-2016-7290, which addresses an integer underflow issue that I found. The underflow later triggers an out-of-bounds read during a copy operation, which could result in a stack-based buffer overflow outside of the protected-mode winword.exe process when processing a specially crafted binary document file.

  • The Implied Security of memmove()

    tl;dr: Calls to memmove() that use a source buffer smaller than the destination buffer can at times be exploitable if the size value is bit aligned, is mapped in memory, and the original source buffer is also mapped in memory.

  • Once Upon a Type Confusion

    Microsoft Office Excel

    Last week, Microsoft released MS16-107 to patch CVE-2016-3363, which is a Type Confusion vulnerability within Microsoft Excel 2007, 2010, 2013 and 2016, in both 32- and 64-bit versions. This post will show you how I determined the vulnerability class and some lightweight technical details around the vulnerability.