This is meant to be the first part of a 3-part series discussing the space & types of IP addresses, with a particular focus on what has changed between IPv4 and IPv6. In this first post I’ll take the audience through a historical tour of some developments within the IPv4 address space.Continue reading
Some weeks ago, Heinrich and I had the pleasure to participate in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”. We really enjoyed the webinar and the (alas, due to the format: too short) discussions and we hope we could contribute to understand how to make Active Directory implementations out there a bit safer in the future.Continue reading
During security assessments we sometimes obtain access to a restricted shell on a target system. To advance further and gain complete control of the system, the next step is usually to break out of this shell. If the restricted shell provides access to certain system binaries, these binaries can often be exploited to perform such a break out. Here we would like to show an interesting example of such a break out by using the tcpdump binary. Continue reading “How to break out of restricted shells with tcpdump”Continue reading
While waiting for a download to complete, I stumbled across an interesting blogpost. The author describes a flaw in LibreOffice that allowed an attacker to execute code. Since this was quite recent, I was interested if my version is vulnerable to this attack and how they fixed it. Thus, I looked at the sources and luckily it was fixed. What I didn’t know before however was, that macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there would be a system macro from LibreOffice with a bug that allows to execute code, the user would not even get a prompt and the code would be executed right away. Therefor, I started to have a closer look at the source code and found out that exactly this is the case!
This post by Jeff (@jeffmakes) was delayed due to interferences with other projects but nevertheless, enjoy!
This year, it was my great honour to design the hardware for the Troopers19 badge.
We wanted to make a wifi-connected MicroPython-powered badge; something that would be fun to take home and hack on. It was a nice opportunity to use a microcontroller platform that I hadn’t tried before. I also used the project as a chance to finally migrate my PCB workflow from Eagle to Kicad. Inevitably it was a painful transition, which resulted in quite some delay to the project as I floundered around in the new tool, but it does mean the design files are in an open format which I hope will benefit the community of Troopers attendees and future badge designers!Continue reading
After the Emotet Incident at Heise, where ERNW has been consulted for Incident Response, we decided to start a blogpost series, in which we want to regularly report on current attacks that we observe. In particular we want to provide details about the utilized pieces of malware, different stages, and techniques used for the initial infection and lateral movement. We hope that this information might help you to detect ongoing incidents, apply countermeasures, and in the best case to figure out proactive countermeasures and security controls beforehand.
innovaphone fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA. Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities for the Linux Application Platform. Therefore, we decided to publish some more technical details for the issues. Continue reading “Multiple Vulnerabilities in innovaphone VoIP Products Fixed”
Again, Cisco released security advisories for their software-defined networking (SDN) solution called Application Centric Infrastructure (ACI). As before (see blog post here), the published advisories originated from research performed in our ACI lab. Continue reading “Security Advisories for Cisco ACI”Continue reading
In some organizations we work with a certain state of IPv6 deployment has been reached in the interim which includes, among others, the following aspects:
- the network infrastructure is IPv6-enabled (incl. interface addressing, routing [protocols] and the like).
- parts of supporting services (security functions, monitoring, system management) include IPv6 in a proper way.
- 3rd party providers have been contractually obliged to deliver their services in an “IPv6-enabled” mode (as opposed to only being “IPv6-capable” which was the standard requirement in many RFIs during earlier years).
It might then happen that networking people (who often are the initial motivators for deploying IPv6) in such organizations are stating, when asked about IPv6: “it’s [mostly] done”.
Point is that, alas, this does not necessarily mean that a single service or application is *actually using* IPv6, so while the above certainly constitutes an achievement it might not even be halfway through.