May 8, 2015

CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal

This was originally posted on blogger here. Serialization is often used to convert objects into a string representation for communication or to save them for later use. However, deserialization in PHP has side effects (magic methods such as __wakeup() and __destruct() run on the reconstructed objects) that can be exploited by an attacker who controls the data being deserialized. This post gives an insight into the deserialization of untrusted data vulnerability in the Bomgar Remote Support Portal 14.

Mar 9, 2015

$@|sh – Or: Getting a shell environment from Runtime.exec

This was originally posted on blogger here. If you happen to have command execution via Java’s Runtime.exec on a Unix system, you may already have noticed that it doesn’t behave like a normal shell. Although simple commands like ls -al, uname -a, or netstat -ant work fine, more complex commands, and especially commands relying on indispensable shell features like pipes, redirections, quoting, or expansions, do not work at all. Well, the reason for that is that the command passed to Runtime.
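As an added illustration of the behaviour described above (this is example code, not part of the original post): Runtime.exec(String) splits its argument on whitespace with a StringTokenizer and executes the first token directly, so a pipe character becomes a literal argument rather than a shell operator. Wrapping the same string in an explicit /bin/sh -c invocation restores the shell semantics. The command string and the helper names are constructed for the demo.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class ExecDemo {

    // Read a process's stdout to completion and return it as trimmed text.
    static String drain(Process p) throws IOException, InterruptedException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = p.getInputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        }
        p.waitFor();
        return buf.toString("UTF-8").trim();
    }

    // Runtime.exec(String): the JVM tokenizes on whitespace and execs argv[0]
    // directly. No shell is involved, so "|" is just another argument to echo.
    static String viaExecString(String cmd) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(cmd);
        return drain(p);
    }

    // Runtime.exec(String[]): hand the whole string to a shell as a single
    // argument, so pipes, redirections, quoting and expansions work as usual.
    static String viaShell(String cmd) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", cmd});
        return drain(p);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample command: the pipe is the whole point.
        String cmd = "echo hello | tr a-z A-Z";

        // Tokenized: echo receives the arguments "hello", "|", "tr", "a-z", "A-Z"
        // and simply prints them back, pipe included.
        System.out.println("exec(String):   " + viaExecString(cmd)); // hello | tr a-z A-Z

        // Through sh -c: the pipe is interpreted and tr upper-cases the output.
        System.out.println("exec(String[]): " + viaShell(cmd));      // HELLO
    }
}
```

Compile and run with javac ExecDemo.java && java ExecDemo on any Unix host with /bin/sh available. The practical takeaway for an assessment is that the injection point has to reach a shell (or the target already has to call one) before shell features become usable.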

Mar 2, 2015

Exploiting the hidden Saxon XSLT Parser in Ektron CMS

This was originally posted on blogger here. Another vulnerability I came across was in Ektron CMS. It’s a .NET-based web CMS. If you want to find running instances, try “inurl:/workarea filetype:asmx” on Google. The interesting thing about it is that Microsoft had already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it. Summary (from US CERT VU#110652): Ektron Content Management System version 8.5, 8.7, and 9.

Feb 25, 2015

How I could (i)pass your client security

This was originally posted on blogger here. Half a year ago I stumbled upon a piece of software called iPass Open Mobile during a Windows client security review. iPass Open Mobile helps you get network connectivity over Wi-Fi hotspots, modem, DSL, etc. It’s widely deployed on Windows clients in large corporations. Summary (from US CERT VU#110652): The iPass Open Mobile Windows Client versions 2.4.4 and earlier allow remote code execution as SYSTEM. It utilizes named pipes for interprocess communication.