Some time ago, one of our customers contacted us with a special request. For some legitimate reason, they needed to centrally collect certain certificates including their private keys which were distributed across many client systems running Windows and stored in the corresponding user stores. Unfortunately (only in this case, but actually good from a security perspective), the particular private keys were marked non-exportable making a native export in the context of the user impossible. As if this wasn’t enough, the extraction was supposed to be executed in the context of the current user (i.e. without administrative privileges) while not triggering the existing Anti Virus solution at all. Also, the certificates needed to be transferred to some trusted system where they could not be accessed in an unauthorized way. So let’s have a look how we tackled these problems:Continue reading
In one of the last pentests we’ve found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters. If an attacker gains this cookie, a RCE is quite easy – as I like to describe below.Continue reading
We recently identified a security issue in FireEye AX 5400, that also affected other products. We responsibly disclosed the bug to FireEye and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).
The related release notes can be found here:
FireEye announced to post a 2017 Q3 notice with credit to us, too.Continue reading
The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows:
- Receives repository updates from the client.
- Pushes repository updates to the client.
- Pushes a repository archive to the client.
Besides those built-in commands, an administrator can also provide it’s own commands via shell scripts or other executable files. As those are typically completely custom, this post will concentrate on the built-in ones.
Note: This has nothing to do with the also recently fixed vulnerabilities in gitlab  .
This is the 3rd post in the series of Autonomic Network (AN), it will dedicated for discussing the vulnerabilities. I recommend reading the first 2 parts (part one, part two) to be familiar with the technology and how the proprietary protocol is constructed.
Initially we will discuss 2 of the reported CVEs, but later there is more CVEs to come 😉Continue reading
Puh…it’s been a long time since my last post, huh?
However, let’s get straight back to topic. Today, I want to issue a warning, especially in face of upcoming Troopers 2017 (less than two days to go, wooo! 10th anniversary!): be careful when using wireless equipment (presenters, mouses, keyboards,…), especially during Troopers, but also in daily use. Continue reading “This is Why Your Wireless Mouse Should Have a Tail and Your Presenter is a Fail”
This is the second part in the Autonomic Network series. We have introduced previously in our first part the Autonomic Network (AN), took a look about the needed configuration to run it on Cisco gear and what is the expected communication flow. In this post, we will dive deeper to have a closer look on the packets and how they are composed. Continue reading “Autonomic Networking – Part 2: Analysis”Continue reading
This is a 3-part series which introduces and analyzes Cisco’s implementation for Autonomic Network. In the 1st part, the technology is introduced and we have an overview about communication flow. In the 2nd part, Cisco’s proprietary protocol is reverse engineered 😉 then finally in the 3rd part, multiple vulnerabilities will be disclosed for the first time. If you’re aware of the technology, you can skip directly to part 2 where the action begins! Continue reading “Autonomic Networking – Part 1: Overview”Continue reading
Last year I encountered a slight variation of an internal port scan vulnerability for the CrystalReports component of SAP Business Objects. The original vulnerability was presented and disclosed by rapid7 in the talk “Hacking SAP Business Objects”. The corresponding slides can be found here. Continue reading “Information About SAP Security Note 2336795”Continue reading
Tavis did it again. As stated in the title it is possible to remotely execute commands via the Chrome extension for the popular meeting software Cisco WebEx. This post summarizes the most relevant information for you.Continue reading