Misc – Page 4 – Insinuator.net

Misc

November 13, 2020 by Birk Kauer

Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)

I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.

Forklift is an advanced dual pane file manager for macOS. It is well known under macOS power users.

As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.

By now all vulnerabilities are fixed by the vendor I can release the details: https://binarynights.com/versionhistory

Continue reading “Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)”

Misc

November 5, 2020 by Julian Suleder

Apps on Prescription?! – Perspectives on Digital Health Applications (DiGA)

Some time ago, we carried out an evaluation of the Digital Health Applications Ordinance (Digitale-Gesundheitsanwendungen-Verordnung, DiGAV) for the Federal Chamber of Psychotherapists in Germany (Bundespsychotherapeutenkammer, BPtK) focusing on the security of digital health applications, often referred to as apps on prescription.

The audit was intended to determine to which extent security guidelines, security objectives, and best practices are adhered to by the requirements formulated by the ordinance, thus enabling the foundations to securely operate digital health applications. The main subject of the examination is whether requirements, including procedural requirements defined in the ordinance are sufficient to ensure security of digital health applications. The examination has shown that the requirements can be seen as positive. However, in order to be able to make reliable statements about the IT security of digital healthcare applications, further details and mechanisms should be clarified within the ordinance, which I would like to present in the following.

Continue reading “Apps on Prescription?! – Perspectives on Digital Health Applications (DiGA)”

Misc

October 15, 2020 by Oliver Matula

OpenSIS Vulnerabilities

OpenSIS is an open source student information system. Recently, it was affected by several vulnerabilities such as SQL injections, local file inclusions and incorrect access controls (CVE-2020-13380, CVE-2020-13381, CVE-2020-13382, CVE-2020-13383). That is why I got interested and also had a quick look at the application.

As part of this investigation, I discovered two vulnerabilities, an XSS vulnerability (CVE-2020-27409) in the file SideForStudent.php that got quickly fixed after being reported (see commit edca085 for the details; the commit is included in release v7.5) and some incorrect (i.e. non-existent) access controls for the password change functionality (CVE-2020-27408). In this blog post, I would like to focus on the second vulnerability and describe the tedious disclosure process that – in the end – lead to nothing but the implementation of some ineffective obfuscation mechanism.
Continue reading “OpenSIS Vulnerabilities”

Building, Misc

September 10, 2020 by Dr. Andreas Dewald

How can data from fitness trackers be obtained and analyzed with a forensic approach?

The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center [1], every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can also be seen in criminal proceedings, as there exist more and more cases where these devices provide evidence.

Which useful evidential information fitness trackers collect and how to analyze them forensically was part of a paper that we presented at WACCO 2020 this year [2]. The goal was to develop an open source program to support investigators analyzing data that fitness trackers provide and to give a general approach on how to analyze fitness trackers.

Continue reading “How can data from fitness trackers be obtained and analyzed with a forensic approach?”

Misc

September 9, 2020 by Sebastian Funke

Puppet Assessment Techniques

Hardening guides for different systems that can be managed by Puppet are easy to find, but not the guides for hardening Puppet itself.

The enterprise software configuration management (SCM) tool Puppet is valued by many SysAdmins and DevOps, e.g. at Google, for scalable, continuous and secure deployment of application server configuration files across large heterogeneous system landscapes and increasingly also as “end-to-end” compliance solution.

Disclaimer:
This blog post does not present anything new about Puppet security, but aims to raise security awareness and summarize useful attack and audit techniques for an internal black and whitebox infrastructure assessment of a Puppet Enterprise landscape.
Most information in this post were collected during and based-on a time-limited graybox Puppet landscape assessment (Puppet Enterprise version 6.4.0, on RHEL7).
Hence, there is no claim for completeness and the post shall not be considered as a fully fledged Puppet hardening guide.

Continue reading “Puppet Assessment Techniques”

Misc

September 2, 2020 by Nils Emmerich

Java Buffer Overflow with ByteBuffer (CVE-2020-2803) and Mutable MethodType (CVE-2020-2805) Sandbox Escapes

Years ago, Java could be used on websites trough applets. To make these applets secure and not let them access files or do other dangerous stuff, Java introduced the SecurityManager. Before some action was performed, the SecurityManager was asked if the code is privileged to perform this action. However, since the SecurityManager lives in the same running program and can be accessed via System.getSecurityManager(), there existed some ways to remove it. Continue reading “Java Buffer Overflow with ByteBuffer (CVE-2020-2803) and Mutable MethodType (CVE-2020-2805) Sandbox Escapes”

Misc

July 30, 2020 by Fabian Ullrich

Security Advisories for Nagios XI

In June 2020 we reported three vulnerabilities in Nagios XI 5.7.1 to the vendor.
The following CVE IDs were assigned to the issues :

CVE-2020-15901: Command Injection in Nagios XI web interface (RCE)
CVE-2020-15902: Cross Site Scripting (XSS)
CVE-2020-15903: Reserved, details will be given on vendor fix

CVE-2020-15901 and CVE-2020-15902 have meanwhile been fixed in version 5.7.2 according to the changelog on the Nagios website (https://www.nagios.com/downloads/nagios-xi/change-log/). CVE-2020-15903 is currently being worked on by the vendor and will probably be fixed in the near future.

Continue reading “Security Advisories for Nagios XI”

Misc

July 15, 2020 by Oliver Matula

QEMU, Unicorn, Zelos, and AFL

I should start by telling you that this post does not contain anything fundamentally new. Hence, if you already know the tools mentioned in the title, this post may probably not be for you. However, if you are not too familiar with these tools and want to understand a little bit more on how they work together, you should keep on reading.

First, let us get a high-level overview of the different tools. We begin with QEMU. QEMU is a piece of software to emulate hardware such as processors. Imagine, for example, that you are running an operating system such as Linux or Windows on a x86-64 machine and that you would like to analyze a binary that has been compiled for an ARM or MIPS processor. Of course, you can use static analysis on the binary, but if you want to find out more about the runtime behavior, well, it would be good to have a corresponding runtime environment. Continue reading “QEMU, Unicorn, Zelos, and AFL”

Misc

June 23, 2020 by Fabian Ullrich

Security Advisories for Ivanti DSM Suite

From the end of 2019 on, we reported two critical vulnerabilities in the Ivanti DSM Suite to the vendor. The following CVE IDs were assigned to the issues (but note that they have a status of RESERVED, i.e. titles and descriptions may change in the future):

CVE-2020-12441: Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4
CVE-2020-13793: Unsafe storage of AD credentials in Ivanti DSM netinst 5.1

The vulnerabilities have meanwhile been fixed and an updated software version can be downloaded here. Continue reading “Security Advisories for Ivanti DSM Suite”

Misc

March 26, 2020 by SadProcessor

Dog Whisperer Update

With the current situation, it’s not easy to find the right angle to start this blog post, so I won’t even try… but with Troopers cancelled, my Bloodhound workshop went down the drain, and I didn’t get a chance to meet or catch up with all of you and share my latest BloodHound adventures. So I decided to write a quick post to share all this…

Continue reading “Dog Whisperer Update”