Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.
Continue readingTag: disclosure
Multiple Vulnerabilities in Nexus Repository Manager
Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.
The following issues could be identified:
- Multiple Cross-Site Scripting (CVE-2018-16619)
- Missing Access Controls (CVE-2018-16620)
- Java Expression Language Injection (CVE-2018-16621)
Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”
Continue readingMultiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600
We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify, as a fix is now provided we want to give a brief overview of the vulnerability affecting the web interface.
Continue reading “Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600”
Continue readingSquirrelmail Full Disclosure – TROOPERS18
Birk an me basically fully disclosed a 0day in Squirrelmail yesterday. This is a short Q&A to answer the most common questions about the issue to calm you all down a little bit. 😉
Continue reading “Squirrelmail Full Disclosure – TROOPERS18”
Continue readingInformation About SAP Security Note 2336795
Last year I encountered a slight variation of an internal port scan vulnerability for the CrystalReports component of SAP Business Objects. The original vulnerability was presented and disclosed by rapid7 in the talk “Hacking SAP Business Objects”. The corresponding slides can be found here. Continue reading “Information About SAP Security Note 2336795”
Continue readingAnalyzing yet another Smart Home device
As you have probably already recognized, some of us here at ERNW are doing research in the area of smart home technologies e.g. KNX. Recently, we took a deeper look into a device which is used to control a smart home system produced by the vendor BAB TECHNOLOGIE GmbH called “eibPort”. This device can be used to control smart home systems based on different technologies e.g. EnoCean or KNX depending on the version of the device. Continue reading “Analyzing yet another Smart Home device”
Continue readingLinq Injection – From Attacking Filters to Code Execution
Some of you (especially the .Net guys) might have heard of the query language Linq (Language Integrated Query) used by Microsoft .Net applications and web sites. It’s used to access data from various sources like databases, files and internal lists. It can internally transform the accessed data in application objects and provides filter mechanisms similar to SQL. As it is used directly inside the application source code, it will be processed at compile time and not interpreted at runtime. While this provides a great type safety and almost no attack surface for injection attacks (except from possible handling problems in the different backends), it is extremely difficult to implement a dynamic filter system (e.g. for datatables which should allow users to select the column to filter on). That’s probably the reason why Scott Guthrie (Executive Vice President of the Cloud and Enterprise group in Microsoft, also one of the founders of the .Net project) presented the System.Linq.Dynamic package as part of the VS-2008 samples in 2008. This library allows to build Linq queries at runtime and therefore simplify dynamic filters. But as you may know, dynamic interpretation of languages based on user input is most of the time not the best option….
Continue reading “Linq Injection – From Attacking Filters to Code Execution”
Continue readingDameWare Vulnerability
In course of a recent research project, I had a look at SolarWinds DameWare, which is a commercial Remote Access Software product running on Windows Server. I identified a remote file download vulnerability in the download function for the client software that can be exploited remotely and unauthenticated and that allows to download arbitrary files from the server that is running the software.
Continue reading “DameWare Vulnerability”
Continue readingBMC BladeLogic: CVE-2016-1542 and CVE-2016-1543
Hi everyone,
Hope those of you who attended Troopers16 enjoyed it as much as we did! In this post I want to summarize my Troopers16 talk and provide you with some details about freshly assigned CVE-2016-1542 and CVE-2016-1543 related to BMC BladeLogic software.
Continue reading “BMC BladeLogic: CVE-2016-1542 and CVE-2016-1543”
Classic Web Vulns Found in Google Search Appliance 7.4
Hi all,
I’ve recently found some sort of classic web vulnerabilities in the Google Search Appliance (GSA) and as they are now fixed [0][1][2], I’d like to share them with you.
First of all, some infrastructure details about the GSA itself. The GSA is used by companies to apply the Google search algorithms to their internal documents without publishing them to cloud providers. To accomplish this task, the GSA provides multiple interfaces including a search interface, an administrative interface and multiple interfaces to index the organization’s data. Continue reading “Classic Web Vulns Found in Google Search Appliance 7.4”
Continue reading