Last year I encountered a slight variation of an internal port scan vulnerability for the CrystalReports component of SAP Business Objects. The original vulnerability was presented and disclosed by rapid7 in the talk “Hacking SAP Business Objects”. The corresponding slides can be found here. Continue reading “Information About SAP Security Note 2336795”
Continue readingCategory: Breaking
Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution – Project Zero
Tavis did it again[1]. As stated in the title it is possible to remotely execute commands via the Chrome extension for the popular meeting software Cisco WebEx. This post summarizes the most relevant information for you.
Continue reading “Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution – Project Zero”
Continue readingInsomni’hack pwn50 write-up
Hi all,
i´ve looked a bit at the Insomni’hack CTF which took place on the 21st January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation,
I decided to create a write-up of the first pwn50 challenge.
To grab your own copy of the presented files you can also find it in our Github repository:
Continue reading “Insomni’hack pwn50 write-up”
Continue readingA short Addendum on the Mirai Botnet Blog Post
While doing heap research on Linux processes (results are going to be published soon), I came across the bot from the Mirai Botnet. As already mentioned in the blog post by Brian, the Mirai bot uses obfuscated configuration data which contains e.g. the CnC server. When now confronted only with a bot (e.g. in the context of a running task or the ELF binary), but without the according source code, the decryption of this configuration data for e.g. incident analysis purposes might not be easily possible (with the python script from the blog post), if the key has been changed.
But in this case that is not a problem at all, because Continue reading “A short Addendum on the Mirai Botnet Blog Post”
Analyzing yet another Smart Home device
As you have probably already recognized, some of us here at ERNW are doing research in the area of smart home technologies e.g. KNX. Recently, we took a deeper look into a device which is used to control a smart home system produced by the vendor BAB TECHNOLOGIE GmbH called “eibPort”. This device can be used to control smart home systems based on different technologies e.g. EnoCean or KNX depending on the version of the device. Continue reading “Analyzing yet another Smart Home device”
Continue readingResearch Diary: Blue Coat
As a part of our research time here at ERNW, last week we had an interesting time looking at one of the widespread and commonly adopted proxy appliance by many organizations Blue Coat Secure Gateway.
Continue reading “Research Diary: Blue Coat”
Continue readingSome Notes from the Lab – BlackNurse in the IPv6 Era
Since BlackNurse was released on 10th of November, we asked ourselves whether this problem does also apply to ICMPv6 traffic. To answer this question, Christian Tanck (one of our students) build a lab with several firewall appliances. Kudos to him for testing and the following blog post.
Continue reading “Some Notes from the Lab – BlackNurse in the IPv6 Era”
Continue readingResearch Diary: IP-Cameras Part 2
Hi everybody,
This is the second entry in our research diary on IP cameras. If you haven’t done so yet, you should read the first entry in advance. This time we focused more on analysis and exploitation.
Another entry vector
After running a vulnerability scan on both devices, it was revealed that the M1033 has multiple buffer overflow vulnerabilities (CVE-2012-5958 to CVE-2012-5965), which are readily exploitable via Metasploit. This gave us another shell (in addition to the root shell mentioned in the last post), though this time it was not a root shell. By using the find command, we searched for executables having the setuid or setgid bit set. We hoped to use one of those to escalate privileges. To do so yourself add the parameter -perm -4000 to find and it will search for files having the setuid bit set. If you try that on your own unix-like device, for example it should yield /bin/passwd which is perfectly reasonable as you’re able to change your password without being root.
Continue reading “Research Diary: IP-Cameras Part 2”
Continue readingResearch Diary: IP-Cameras
As you probably know we perform research on a regular basis at ERNW. This post is the first entry on our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up an research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.
Continue reading “Research Diary: IP-Cameras”
Continue readingIoT the S is for Secure – Unknown Administration Interface in Wireless Plug
Dear Readers,
just recently i bought a wireless plug on Amazon with the main use of controlling my coffee machine with an app. The installation of the wireless plug was quite easy and only requires me to set my Wifi SSID and my passphrase – that’s it. But what happened behind the scenes? I visited the control interface of my router and saw that along with the other devices there was a new one with the network name HF-LPB100 and a local IP address in my case 192.168.0.235. First of all i wondered about the name itself, but ignored that and kept on looking for open ports.
Continue reading “IoT the S is for Secure – Unknown Administration Interface in Wireless Plug”
Continue reading