Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600

We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify, as a fix is now provided we want to give a brief overview of the vulnerability affecting the web interface.


We were able to identify the following vulnerabilities in the Web interface of the telephone:


  • Command Injection in Picture Delete function of OpenScape Desk Phone Webportal
  • Unauthenticated Arbitrary File Access in the OpenScape Desk Phone Webportal
  • Memory Corruption in the OpenScape Desk Phone Webservice
  • Missing Hardening of the OpenScape Desk Phone Webservice Binary
  • Cross Site Request Forgery Missing in the OpenScape Desk Phone Webservice


For this blog post we will take a look at the command injection and how we exploited it.


The fixed version is V1 R2.7.0. More information about the OpenScape CP Desk Phones including release notes can be found under:

Continue reading “Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600”

Continue reading
Breaking, Misc

Vulnerabilities in Sitefinity WCMS – A Success Story of a Responsible Disclosure Process


For those who never heard of Sitefinity before, it is an ASP.NET-based Web Content Management System (WCMS), which is used to deploy and manage applications as other CMS‘s do. A bitter quick glance at Sitefinity and its advantages can be found in this overview.

Delving into the core of this blog post, recently I had the opportunity to look at Sitefinity WCMS in which I found two reflected Cross Site Scripting (XSS) (CVE-2018-17053 and CVE-2018-17056), a stored XSS (CVE-2018-17054) and an arbitrary file upload (CVE-2018-17055) vulnerabilities.

I admit that the vulnerabilities mentioned in here are classical ones, but because of the huge spectrum of the platform versions affected, I thought it would be helpful to send a loud signal to whomever are using Sitefinity, so they can apply fixes and be safe 😉

Continue reading “Vulnerabilities in Sitefinity WCMS – A Success Story of a Responsible Disclosure Process”

Continue reading

Spraying arbitrary objects into the non-paged pool

Recently, I had some time to play around with HEVD [1], an extremly vulnerable Windows driver available for 32-bit and 64-bit systems.

Since exploits for all vulnerabilities of the 32-bit variant are publically available, I was wondering why this is not the case for the 64-bit version, especially for the pool corruption and UAF vulnerabilities.

Continue reading “Spraying arbitrary objects into the non-paged pool”

Continue reading

A few notes on WordPress Security

Taking a look at the CVE List for WordPress, most vulnerabilities aren’t found within the WordPress core but inside of third-party plugins and themes.

Today, let’s talk about WordPress.

Performing a WordPress assessment might seem boring at first as core functionality [tested] and configuration does not allow for extensive security misconfigurations. Luckily, most instances use plugins and themes to add features not offered by the WordPress core.

In this blog post I would like to discuss the findings and how I discovered them. Also, I will describe different vendor responsiveness reaching from not responding at all, to not understanding the issue to fast and professional responses kindly asking for a review of the updated code ready for deployment. Continue reading “A few notes on WordPress Security”

Continue reading

Security of Busch-Jaeger IP Gateway

IoT is everywhere right now and there are a lot of products out there. I have been looking at an IP Gateway lately and found some serious issues. The Busch-Welcome IP-Gateway from Busch-Jaeger is one of the devices that bridges the gap between sensors and actors in your smart home and the network/Internet. It enables the communication to a door control system that implements various smart home functions. The device itself is offering an HTTP service to configure it, which is protected by a username and password. Some folks even actually expose the device and its login to the Internet. I tried to configure one of these lately and stumbled upon some security issues that I would like to discuss in this blog post.
Continue reading “Security of Busch-Jaeger IP Gateway”

Continue reading

Reversing and Patching .NET Binaries with Embedded References

Lately I’ve been analyzing a .NET binary that was quite interesting. It was a portable binary that shipped without any third-party dependencies. I started looking at the .NET assembly with ILSpy and noticed that there was not that much code that ILSpy found and there were a lot of references to classes/methods that were neither in the classes identified by ILSpy nor were they part of the .NET framework.

Continue reading “Reversing and Patching .NET Binaries with Embedded References”

Continue reading

Extracting data from an EMV (Chip-And-Pin) Card with NFC technology

This is a guest blog post by Salvador Mendoza.

During years, many different researches and attacks against digital and physical payment methods have been discussed. New security techniques and methodologies such as tokenization process attempts to reduce or prevent fraudulent transactions.

Continue reading “Extracting data from an EMV (Chip-And-Pin) Card with NFC technology”

Continue reading

AndroTickler: Tickling Vulnerabilities out of Android Apps

If you attack someone, they will defend themselves, but if you tickle them, they will eventually crack open. This surprisingly applies to Android apps as well! Therefore, I created AndroTickler, not to test apps against certain attacks or examine them for specific vulnerabilities, which developers would learn to avoid. However, it helps pentesters to analyze and test apps in their own style, but in a faster, easier and more flexible way. AndroTickler is a Swiss-Army-Knife pentesting tool for Android apps. It provides information gathering, static and dynamic analysis features, and also automates actions that pentesters frequently do and highly need during their pentests. In addition, it makes use of the powerful Frida to hook to the app and manipulate it in real-time.

Continue reading “AndroTickler: Tickling Vulnerabilities out of Android Apps”

Continue reading