Breaking – Page 7 – Insinuator.net

October 5, 2017 by Daniel Mende

Erlang distribution RCE and a cookie bruteforcer

In one of the last pentests we’ve found an epmd (Erlang port mapper daemon) listening on a target system (tcp/4369). It is used to coordinate distributed erlang instances, but also can lead to a RCE, given one knows the so called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters. If an attacker gains this cookie, a RCE is quite easy – as I like to describe below.

Continue reading “Erlang distribution RCE and a cookie bruteforcer”

Breaking

September 13, 2017 by Prof. Dr.-Ing. Andreas Dewald

FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode

We recently identified a security issue in FireEye AX 5400, that also affected other products. We responsibly disclosed the bug to FireEye and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).

The related release notes can be found here:

FireEye announced to post a 2017 Q3 notice with credit to us, too.

Continue reading “FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode”

Breaking

May 10, 2017 by Timo Schmid

Git Shell Bypass By Abusing Less (CVE-2017-8386)

The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows:

git-receive-pack
- Receives repository updates from the client.
git-upload-pack
- Pushes repository updates to the client.
git-upload-archive
- Pushes a repository archive to the client.

Besides those built-in commands, an administrator can also provide it’s own commands via shell scripts or other executable files. As those are typically completely custom, this post will concentrate on the built-in ones.

Note: This has nothing to do with the also recently fixed vulnerabilities in gitlab [1] [2].

Continue reading “Git Shell Bypass By Abusing Less (CVE-2017-8386)”

Breaking

April 13, 2017 by Omar Eissa

Autonomic Network Part 3: Vulnerabilities

This is the 3rd post in the series of Autonomic Network (AN), it will dedicated for discussing the vulnerabilities. I recommend reading the first 2 parts (part one, part two) to be familiar with the technology and how the proprietary protocol is constructed.

Initially we will discuss 2 of the reported CVEs, but later there is more CVEs to come 😉

Continue reading “Autonomic Network Part 3: Vulnerabilities”

Breaking

March 20, 2017 by Stefan Kiese

This is Why Your Wireless Mouse Should Have a Tail and Your Presenter is a Fail

Puh…it’s been a long time since my last post, huh?
However, let’s get straight back to topic. Today, I want to issue a warning, especially in face of upcoming Troopers 2017 (less than two days to go, wooo! 10th anniversary!): be careful when using wireless equipment (presenters, mouses, keyboards,…), especially during Troopers, but also in daily use. Continue reading “This is Why Your Wireless Mouse Should Have a Tail and Your Presenter is a Fail”

Breaking

March 20, 2017 by Omar Eissa

Autonomic Networking – Part 2: Analysis

This is the second part in the Autonomic Network series. We have introduced previously in our first part the Autonomic Network (AN), took a look about the needed configuration to run it on Cisco gear and what is the expected communication flow. In this post, we will dive deeper to have a closer look on the packets and how they are composed. Continue reading “Autonomic Networking – Part 2: Analysis”

Breaking

March 19, 2017 by Omar Eissa

Autonomic Networking – Part 1: Overview

This is a 3-part series which introduces and analyzes Cisco’s implementation for Autonomic Network. In the 1st part, the technology is introduced and we have an overview about communication flow. In the 2nd part, Cisco’s proprietary protocol is reverse engineered 😉 then finally in the 3rd part, multiple vulnerabilities will be disclosed for the first time. If you’re aware of the technology, you can skip directly to part 2 where the action begins! Continue reading “Autonomic Networking – Part 1: Overview”

Breaking

March 14, 2017 by Oliver Matula

Information About SAP Security Note 2336795

Last year I encountered a slight variation of an internal port scan vulnerability for the CrystalReports component of SAP Business Objects. The original vulnerability was presented and disclosed by rapid7 in the talk “Hacking SAP Business Objects”. The corresponding slides can be found here. Continue reading “Information About SAP Security Note 2336795”

Breaking

January 24, 2017 by Wojtek Przibylla

Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution – Project Zero

Tavis did it again[1]. As stated in the title it is possible to remotely execute commands via the Chrome extension for the popular meeting software Cisco WebEx. This post summarizes the most relevant information for you.

Continue reading “Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution – Project Zero”

Breaking

January 24, 2017 by Birk Kauer

Insomni’hack pwn50 write-up

Hi all,

i´ve looked a bit at the Insomni’hack CTF which took place on the 21st January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation,
I decided to create a write-up of the first pwn50 challenge.

To grab your own copy of the presented files you can also find it in our Github repository:

Continue reading “Insomni’hack pwn50 write-up”