During security assessments we sometimes obtain access to a restricted shell on a target system. To advance further and gain complete control of the system, the next step is usually to break out of this shell. If the restricted shell provides access to certain system binaries, these binaries can often be exploited to perform such a break out. Here we would like to show an interesting example of such a break out by using the tcpdump binary. Continue reading “How to break out of restricted shells with tcpdump”
Continue readingCategory: Breaking
Multiple Vulnerabilities in innovaphone VoIP Products Fixed
Dear all,
innovaphone fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA. Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities for the Linux Application Platform. Therefore, we decided to publish some more technical details for the issues. Continue reading “Multiple Vulnerabilities in innovaphone VoIP Products Fixed”
Security Advisories for Cisco ACI
Again, Cisco released security advisories for their software-defined networking (SDN) solution called Application Centric Infrastructure (ACI). As before (see blog post here), the published advisories originated from research performed in our ACI lab. Continue reading “Security Advisories for Cisco ACI”
Continue readingOn the insecurity of math.random and it’s siblings
During code reviews we often see developers using weak RNGs like math.random() to generate cryptographic secrets. We think it is commonly known that weak random number generators (RNG) must not be used for any kind of secret and recommend using secure alternatives. I explicitly did not state a specific language yet, because basically every language offers both weak and strong RNGs.
So I asked myself: What if I use a weak RNG to generate a secret? Is it possible to recover the secret from some derived value, like a hash?
Continue reading “On the insecurity of math.random and it’s siblings”
Continue readingPlume Twitter Client URL Spoofing
It is possible to spoof the URLs that Plume will open to arbitrary locations because of how Plume parses URLs. The preview of an URL in a tweet will show the complete (at least the host name and the first few chars of the URL) but shortened URL. However, if the URL contains a semicolon (;) the URL that will be opened is the part after the semicolon. Continue reading “Plume Twitter Client URL Spoofing”
Continue readingPidgin, Word Documents, my Clipboard and I
Lately, I’ve experienced some weird Pidgin crashes when I was copy&pasting into chat windows. The strange part was: I didn’t even know what triggered the crash because I actually didn’t know what was in my clipboard at this exact point. This is a quick write-up of how I investigated the issue and some interesting properties I found out about clipboards.
Continue reading “Pidgin, Word Documents, my Clipboard and I”
Continue readingDumping Decrypted Documents from a North Korean PDF Reader
This is a write-up about how to use Frida to dump documents from a process after they have been loaded and decrypted. It’s a generic and very effective approach demonstrated on a piece of software from North Korea.
Continue reading “Dumping Decrypted Documents from a North Korean PDF Reader”
Continue readingMultiple Vulnerabilities in Nexus Repository Manager
Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.
The following issues could be identified:
- Multiple Cross-Site Scripting (CVE-2018-16619)
- Missing Access Controls (CVE-2018-16620)
- Java Expression Language Injection (CVE-2018-16621)
Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”
Continue readingMultiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600
We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify, as a fix is now provided we want to give a brief overview of the vulnerability affecting the web interface.
Continue reading “Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600”
Continue readingVulnerabilities in Sitefinity WCMS – A Success Story of a Responsible Disclosure Process
Preface
For those who never heard of Sitefinity before, it is an ASP.NET-based Web Content Management System (WCMS), which is used to deploy and manage applications as other CMS‘s do. A bitter quick glance at Sitefinity and its advantages can be found in this overview.
Delving into the core of this blog post, recently I had the opportunity to look at Sitefinity WCMS in which I found two reflected Cross Site Scripting (XSS) (CVE-2018-17053 and CVE-2018-17056), a stored XSS (CVE-2018-17054) and an arbitrary file upload (CVE-2018-17055) vulnerabilities.
Continue reading