Jul 31, 2015

Compromised by Endpoint Protection

This was originally posted on blogger here. In a recent research project, Markus Wulftange of Code White discovered several critical vulnerabilities in the Symantec Endpoint Protection (SEP) suite 12.1, affecting versions prior to 12.1 RU6 MP1 (see SYM15-007). As with any centralized enterprise management solution, compromising a management server is quite attractive for an attacker, as it generally allows some kind of control over its managed clients. Taking control of the manager can yield a takeover of the whole enterprise network.

Jun 9, 2015

Reading/Writing files with MSSQL's OPENROWSET

This was originally posted on blogger here. Unfortunately, Microsoft SQL Server's SQL dialect, Transact-SQL, offers no easy way to read and write files, unlike MySQL's LOAD_FILE() function and INTO OUTFILE clause. Of course, with xp_cmdshell enabled you can read and write files via OS commands. However, one is not always blessed with the CONTROL SERVER permission, which is generally only granted together with the sysadmin role. But if you happen to have the ADMINISTER BULK OPERATIONS permission (implied by the bulkadmin role), then OPENROWSET is a viable option for both reading and writing files.

May 20, 2015

by David Elze &

CVE-2015-2079: Arbitrary Command Execution in Usermin

This was originally posted on blogger here. While performing a penetration test for a customer, I stumbled across a command execution vulnerability in Usermin that is pretty trivial to identify and to exploit. The interesting part is that this vulnerability survived for almost 13 years.

Introduction

According to the Usermin homepage: Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.

May 8, 2015

CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal

This was originally posted on blogger here. Serialization is often used to convert objects into a string representation for communication or to save them for later use. However, deserialization in PHP has side effects (magic methods such as __wakeup() and __destruct() are invoked on the reconstructed objects), which can be exploited by an attacker who is able to supply the data to be deserialized. This post will give you an insight into the deserialization of untrusted data vulnerability in the Bomgar Remote Support Portal 14.

Mar 9, 2015

$@|sh – Or: Getting a shell environment from Runtime.exec

This was originally posted on blogger here. If you happen to have command execution via Java’s Runtime.exec on a Unix system, you may already have noticed that it doesn’t behave like a normal shell. Although simple commands like ls -al, uname -a, or netstat -ant work fine, more complex commands, and especially those relying on indispensable shell features like pipes, redirections, quoting, or expansions, do not work at all. Well, the reason for that is that the command passed to Runtime.
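The behaviour described above, as an added example that is not part of the original post or Code White's code: Runtime.exec(String) splits its argument on whitespace and starts the first token as a program with the remaining tokens as its arguments; no shell is involved, so pipes, redirections and quotes arrive as literal arguments. The helper java_exec below is an assumed emulation of exactly that tokenization, so the `$@|sh` wrapper from the post title can be tried from any POSIX shell without a JVM. The `.` after the command string becomes $0 of the inner sh; everything after it becomes its positional parameters.

```sh
#!/bin/sh
# Added example, not code from the original post.
# java_exec emulates Runtime.exec(String) on Unix: split the string on
# whitespace (StringTokenizer semantics, no quoting, no shell) and run
# argv[0] directly with the remaining tokens as arguments. The subshell
# with set -f keeps the emulation's own globbing out of the picture.
java_exec() (
    set -f
    set -- $1
    "$@"
)

# Naive attempt: '|' is just another argument to echo, nothing is piped.
# Prints the literal text "hello | tr a-z A-Z".
naive() {
    java_exec 'echo hello | tr a-z A-Z'
}

# The $@|sh trick. After tokenization the inner sh sees:
#   -c '$@|sh'   $0 = "."   $1.. = echo printf %s hello | tr a-z A-Z
# Inside the command string '$@|sh' the unquoted $@ re-joins the
# positional parameters, so `echo` runs and prints "printf %s hello | tr a-z A-Z"
# (the '|' there is still a plain argument to echo). That text is piped
# into a second sh, which parses it as a real pipeline and prints HELLO.
with_shell() {
    java_exec 'sh -c $@|sh . echo printf %s hello | tr a-z A-Z'
}

# Same wrapper with a redirection and a command list, to show that the
# inner sh gives you the whole shell grammar, not just pipes. The temp
# path is expanded by the outer shell before tokenization; \$@ keeps the
# dollar sign literal so the inner sh expands it.
with_redirect() (
    tmp=$(mktemp)
    java_exec "sh -c \$@|sh . echo printf ok > $tmp ; cat $tmp"
    rm -f "$tmp"
)

naive
with_shell
with_redirect
```

In real Java the same three strings would be passed to Runtime.getRuntime().exec(String); if you control the code rather than just the string, the clean alternative is the array form, exec(new String[]{"sh", "-c", "..."}), which hands the whole command line to one shell without the tokenization detour.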

Mar 2, 2015

Exploiting the hidden Saxon XSLT Parser in Ektron CMS

This was originally posted on blogger here. Another vulnerability I came across was in Ektron CMS, a .NET-based web CMS. If you want to find running instances, try “inurl:/workarea filetype:asmx” on Google. The interesting thing about it is that Microsoft had already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it.

Summary

From US CERT VU#110652: Ektron Content Management System version 8.5, 8.7, and 9.

Feb 25, 2015

How I could (i)pass your client security

This was originally posted on blogger here. Half a year ago I stumbled upon a piece of software called iPass Open Mobile during a Windows client security review. iPass Open Mobile helps you get network connectivity over Wi-Fi hotspots, modem, DSL, etc. It is widely deployed on Windows clients in large corporations.

Summary

From US CERT VU#110652: The iPass Open Mobile Windows Client versions 2.4.4 and earlier allows Remote Code Execution as SYSTEM. It utilizes named pipes for interprocess communication.