vulnerability – Insinuator.net

May 8, 2025 by Matthias Ortmann

Disclosure: Input Validation Vulnerabilities in Microsoft Bookings

In a recent customer project, we discovered vulnerabilities in Microsoft Bookings, an online appointment scheduling tool integrated into Microsoft 365, allowing companies to have customers book meetings in available times themselves. The findings originate from insufficient input validation on the public meeting scheduling endpoint. Although Microsoft has largely mitigated this vulnerability, our analysis provides important insights into potential risks and areas for improvement.

Continue reading “Disclosure: Input Validation Vulnerabilities in Microsoft Bookings”

Breaking

May 5, 2025 by Florian Port

Full Disclosure: Multiple Rundeck Job Command Injections

During a red-teaming-style customer project, we managed to get access to an Rundeck API token. Rundeck is a job scheduler and runbook automation platform designed to automate routine IT tasks across multiple systems. At first, we were excited about this API token because if we could create new Rundeck jobs, we could execute arbitrary code on the Rundeck nodes and move laterally from there. However, it turned out that with this token we only had permissions to run existing jobs.

Continue reading “Full Disclosure: Multiple Rundeck Job Command Injections”

Breaking

April 25, 2025 by Malte Heinzelmann

Vulnerability Disclosure: Restricted Shell Breakout (CVE-2025-1950) and Privilege Escalation (CVE-2025-1951) in IBM Power Hardware Management Console (HMC)

We discovered a private key for accessing an IBM Hardware Management Console (HMC) during a recent red team engagement. The IBM Hardware Management Console (HMC) is a dedicated management system used to control and manage IBM servers, especially those running on Power Systems (like IBM Power9/Power10) and mainframes (z Systems). After brief research, we identified two security vulnerabilities that can be leveraged to gain root access to the HMC.

Continue reading “Vulnerability Disclosure: Restricted Shell Breakout (CVE-2025-1950) and Privilege Escalation (CVE-2025-1951) in IBM Power Hardware Management Console (HMC)”

Misc

December 16, 2022 by Florian Grunow

Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal

Hey there,

I am going to disclose two bug classes I found a while ago in CheckPoint R77.30: Two buffer overflows in the username (no shit) and HTTP method of a request to the administrative UI pre-auth and some interesting injections into the TCL web interface.

Continue reading “Hilarious Buffer Overflow Mitigation and TCL Injection in CheckPoint Gaia Portal”

Breaking

November 26, 2020 by Kevin Kelpen

VMware NSX-T MITM Vulnerability (CVE-2020-3993)

NSX-T is a Software-Defined-Networking (SDN) solution of VMware which, as its basic functionality, supports spanning logical networks across VMs on distributed ESXi and KVM hypervisors. The central controller of the SDN is the NSX-T Manager Cluster which is responsible for deploying the network configurations to the hypervisor hosts.

This summer, I looked into the mechanism which is used to add new KVM hypervisor nodes to the SDN via the NSX-T Manager. By tracing what happens on the KVM host, I discovered that the KVM hypervisor got instructed to download the NSX-T software packages from the NSX-T Manager via unencrypted HTTP and install them without any verification. This enables a Man-in-the-Middle (MITM) attacker on the network path to replace the downloaded packages with malicious ones and compromise the KVM hosts.

After disclosing this issue to VMware, they developed fixes and published the vulnerability in VMSA-2020-0023 assigning a CVSSv3 base score of 7.5.

Continue reading “VMware NSX-T MITM Vulnerability (CVE-2020-3993)”

Misc

November 13, 2020 by Birk Kauer

Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)

I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.

Forklift is an advanced dual pane file manager for macOS. It is well known under macOS power users.

As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.

By now all vulnerabilities are fixed by the vendor I can release the details: https://binarynights.com/versionhistory

Continue reading “Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)”

Breaking

September 20, 2019 by Nils Emmerich

Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)

Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.

Continue reading “Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)”

Misc

July 26, 2019 by Nils Emmerich

LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)

While waiting for a download to complete, I stumbled across an interesting blogpost. The author describes a flaw in LibreOffice that allowed an attacker to execute code. Since this was quite recent, I was interested if my version is vulnerable to this attack and how they fixed it. Thus, I looked at the sources and luckily it was fixed. What I didn’t know before however was, that macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there would be a system macro from LibreOffice with a bug that allows to execute code, the user would not even get a prompt and the code would be executed right away. Therefor, I started to have a closer look at the source code and found out that exactly this is the case!

Continue reading “LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)”

Breaking

November 14, 2018 by Tillmann Oßwald

Multiple Vulnerabilities in Nexus Repository Manager

Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.

The following issues could be identified:

Multiple Cross-Site Scripting (CVE-2018-16619)
Missing Access Controls (CVE-2018-16620)
Java Expression Language Injection (CVE-2018-16621)

Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”

Breaking

March 15, 2018 by Florian Grunow

Squirrelmail Full Disclosure – TROOPERS18

Birk an me basically fully disclosed a 0day in Squirrelmail yesterday. This is a short Q&A to answer the most common questions about the issue to calm you all down a little bit. 😉

Continue reading “Squirrelmail Full Disclosure – TROOPERS18”