On November 3rd, 2019, we have reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020. Continue reading “Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag”
Continue readingCategory: Breaking
Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)
Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.
Continue readingHow to break out of restricted shells with tcpdump
During security assessments we sometimes obtain access to a restricted shell on a target system. To advance further and gain complete control of the system, the next step is usually to break out of this shell. If the restricted shell provides access to certain system binaries, these binaries can often be exploited to perform such a break out. Here we would like to show an interesting example of such a break out by using the tcpdump binary. Continue reading “How to break out of restricted shells with tcpdump”
Continue readingMultiple Vulnerabilities in innovaphone VoIP Products Fixed
Dear all,
innovaphone fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA. Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities for the Linux Application Platform. Therefore, we decided to publish some more technical details for the issues. Continue reading “Multiple Vulnerabilities in innovaphone VoIP Products Fixed”
Security Advisories for Cisco ACI
Again, Cisco released security advisories for their software-defined networking (SDN) solution called Application Centric Infrastructure (ACI). As before (see blog post here), the published advisories originated from research performed in our ACI lab. Continue reading “Security Advisories for Cisco ACI”
Continue readingOn the insecurity of math.random and it’s siblings
During code reviews we often see developers using weak RNGs like math.random() to generate cryptographic secrets. We think it is commonly known that weak random number generators (RNG) must not be used for any kind of secret and recommend using secure alternatives. I explicitly did not state a specific language yet, because basically every language offers both weak and strong RNGs.
So I asked myself: What if I use a weak RNG to generate a secret? Is it possible to recover the secret from some derived value, like a hash?
Continue reading “On the insecurity of math.random and it’s siblings”
Continue readingPlume Twitter Client URL Spoofing
It is possible to spoof the URLs that Plume will open to arbitrary locations because of how Plume parses URLs. The preview of an URL in a tweet will show the complete (at least the host name and the first few chars of the URL) but shortened URL. However, if the URL contains a semicolon (;) the URL that will be opened is the part after the semicolon. Continue reading “Plume Twitter Client URL Spoofing”
Continue readingPidgin, Word Documents, my Clipboard and I
Lately, I’ve experienced some weird Pidgin crashes when I was copy&pasting into chat windows. The strange part was: I didn’t even know what triggered the crash because I actually didn’t know what was in my clipboard at this exact point. This is a quick write-up of how I investigated the issue and some interesting properties I found out about clipboards.
Continue reading “Pidgin, Word Documents, my Clipboard and I”
Continue readingDumping Decrypted Documents from a North Korean PDF Reader
This is a write-up about how to use Frida to dump documents from a process after they have been loaded and decrypted. It’s a generic and very effective approach demonstrated on a piece of software from North Korea.
Continue reading “Dumping Decrypted Documents from a North Korean PDF Reader”
Continue readingMultiple Vulnerabilities in Nexus Repository Manager
Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.
The following issues could be identified:
- Multiple Cross-Site Scripting (CVE-2018-16619)
- Missing Access Controls (CVE-2018-16620)
- Java Expression Language Injection (CVE-2018-16621)
Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”
Continue reading