We discovered a private key for accessing an IBM Hardware Management Console (HMC) during a recent red team engagement. The IBM Hardware Management Console (HMC) is a dedicated management system used to control and manage IBM servers, especially those running on Power Systems (like IBM Power9/Power10) and mainframes (z Systems). After brief research, we identified two security vulnerabilities that can be leveraged to gain root access to the HMC.
Continue readingTag: vulnerability
Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal
Hey there,
I am going to disclose two bug classes I found a while ago in CheckPoint R77.30: Two buffer overflows in the username (no shit) and HTTP method of a request to the administrative UI pre-auth and some interesting injections into the TCL web interface.
Continue reading “Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal”
Continue readingVMware NSX-T MITM Vulnerability (CVE-2020-3993)
NSX-T is a Software-Defined-Networking (SDN) solution of VMware which, as its basic functionality, supports spanning logical networks across VMs on distributed ESXi and KVM hypervisors. The central controller of the SDN is the NSX-T Manager Cluster which is responsible for deploying the network configurations to the hypervisor hosts.
This summer, I looked into the mechanism which is used to add new KVM hypervisor nodes to the SDN via the NSX-T Manager. By tracing what happens on the KVM host, I discovered that the KVM hypervisor got instructed to download the NSX-T software packages from the NSX-T Manager via unencrypted HTTP and install them without any verification. This enables a Man-in-the-Middle (MITM) attacker on the network path to replace the downloaded packages with malicious ones and compromise the KVM hosts.
After disclosing this issue to VMware, they developed fixes and published the vulnerability in VMSA-2020-0023 assigning a CVSSv3 base score of 7.5.
Continue reading “VMware NSX-T MITM Vulnerability (CVE-2020-3993)”
Continue readingForklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)
I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.
Forklift is an advanced dual pane file manager for macOS. It is well known under macOS power users.
As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.
By now all vulnerabilities are fixed by the vendor I can release the details: https://binarynights.com/versionhistory
Continue readingJenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)
Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.
Continue readingLibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)
While waiting for a download to complete, I stumbled across an interesting blogpost. The author describes a flaw in LibreOffice that allowed an attacker to execute code. Since this was quite recent, I was interested if my version is vulnerable to this attack and how they fixed it. Thus, I looked at the sources and luckily it was fixed. What I didn’t know before however was, that macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there would be a system macro from LibreOffice with a bug that allows to execute code, the user would not even get a prompt and the code would be executed right away. Therefor, I started to have a closer look at the source code and found out that exactly this is the case!
Continue reading “LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)”
Continue readingMultiple Vulnerabilities in Nexus Repository Manager
Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.
The following issues could be identified:
- Multiple Cross-Site Scripting (CVE-2018-16619)
- Missing Access Controls (CVE-2018-16620)
- Java Expression Language Injection (CVE-2018-16621)
Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”
Continue readingSquirrelmail Full Disclosure – TROOPERS18
Birk an me basically fully disclosed a 0day in Squirrelmail yesterday. This is a short Q&A to answer the most common questions about the issue to calm you all down a little bit. 😉
Continue reading “Squirrelmail Full Disclosure – TROOPERS18”
Continue readingFireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode
We recently identified a security issue in FireEye AX 5400, that also affected other products. We responsibly disclosed the bug to FireEye and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).
The related release notes can be found here:
- https://docs.fireeye.com/docs/docs_en/AX/sw/7.7.7/RN/AX_RN_7.7.7_en.pdf
- https://docs.fireeye.com/docs/docs_en/EX/sw/8.0.1/RN/EX_RN_8.0.1_en.pdf
FireEye announced to post a 2017 Q3 notice with credit to us, too.
Continue readingAutonomic Network Part 3: Vulnerabilities
This is the 3rd post in the series of Autonomic Network (AN), it will dedicated for discussing the vulnerabilities. I recommend reading the first 2 parts (part one, part two) to be familiar with the technology and how the proprietary protocol is constructed.
Initially we will discuss 2 of the reported CVEs, but later there is more CVEs to come 😉
Continue reading “Autonomic Network Part 3: Vulnerabilities”
Continue reading