New article "How we bypassed bytenode and decompiled Node.js (V8) bytecode in Ghidra" by our researcher Sergey Fedonin.
https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
ExifTool CVE-2021-22204 - Arbitrary Code Execution discovered by @vakzz.
The story of finding an ImageTragick-esque vulnerability, originally in gitlab. Go down the rabbit hole of image parsing with perl!
Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket by Paul Gerste
RCE on Rocket.Chat servers via MongoDB noSQLi. Valid account required.
Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
New article: Decompiling Node.js in Ghidra by our researcher Vladimir Kononovich.
This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).
https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/
HTTP Request Smuggling via higher HTTP versions by @emil_lerner as presented at PHDays 2021.
HTTP request smuggling reinvented with multiple novel approaches implemented in a new tool http2smugl.
Contents:
• HTTP Request Smuggling basic concepts
• HTTP Request Smuggling exploitation scenarios
• HTTP/2 body transfer
• content-length conflicts actual length
• no content-length forwarding
• content-length conflicting transfer-encoding
• HTTP/2 header validation
• new lines in headers
• less strict validation
• Detection ideas
• False positive
• Varnish
• RFC 8441
• Haproxy & nghttp2
• Open problem
• H2O http3 (QUIC)
• Automation
• Further research
Slideshow: https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions
Video Presentation: https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/
We continue our series of articles dedicated to decompiling Node.js bytecode with a new article by Natalya Tlyapova: Creating a Ghidra processor module in SLEIGH using V8 bytecode as an example.
https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/
"13 Nagios Vulnerabilities, #7 will SHOCK you!" by Samir Ghanem
Gaining access to a Nagios XI server results in upstream compromise of the management server, i.e. every other customer being monitored. Exploitation is facilitated with the SoyGun tool.
Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using the ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Step 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List
https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
Fortinet fixed a Post-Auth RCE in FortiWeb (CVE-2021-22123) found by our researcher Andrey Medov.
This vulnerability was part of an Unauth RCE chain submitted together with CVE-2020-29015 (Unauth SQL Injection), which was fixed by Fortinet earlier.
Advisory: https://www.fortiguard.com/psirt/FG-IR-20-120
Subscribe to the PT SWARM Twitter to get updates about all of the latest vulnerabilities discovered by us.
New Article: "Guide to P-code Injection: Changing the intermediate representation of code on the fly in Ghidra" by Vyacheslav Moskvin.
The final piece of the four part series about creating a Ghidra plugin to decompile Node.js bytecode is now out!
https://swarm.ptsecurity.com/guide-to-p-code-injection/
CVE-2021-31181: Microsoft SharePoint WebPart interpretation conflict RCE vulnerability
To quote @thezdi: "this vulnerability could be used by an authenticated user to execute arbitrary code on the server in the context of the service account of the SharePoint web application. For a successful attack, the attacker must have SPBasePermissions.ManageLists permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permission."
Contents:
• The Vulnerability
• Proof of Concept
• Getting Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability
"Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass" by @_dirkjan.
Detailed description of CVE-2020-0665, a logic flaw that allowed bypassing the SID filtering mechanism, leading to the compromise of hosts in transitively trusted forests.
Contents:
• Some important points
• Forging inter-realm tickets and Wireshark debugging
• Do you need to use inter-realm tickets?
• Which keys do I need for inter-realm tickets
• Debugging Kerberos the easy way
• Trust transitivity
• Trust transitivity - new domain discovery
• Trust transitivity, adding our own SIDs to the trust
• How many domains are there in a domain?
• Do you trust this domain? [Y/n]
• Designing a new forest trust attack
• Executing the forest trust bypass
• Obtaining the local SID
• Becoming a domain
• Executing the chain
• Disclosure and patch notes
https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
LEXSS: Bypassing Lexical Parsing Security Controls
👤 by Chris Davis of @Bishop Fox
"By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content. The primary goal in exploiting these types of XSS vulnerabilities is to get the sanitizing lexical parser to view the data as text data and not computer instructions (e.g., JavaScript instructions)."
📝 Contents:
• Introduction to Key Concepts
• Cross-site Scripting (XSS) Protections
• Cross-site Scripting (XSS) Protections via Lexical Parsing
• How the Data Flows Through the HTML Parser
• The Concept of the HTML Parser's Context State
• Namespaces – Foreign Content and Leveraging the Unexpected Behavior
• Sanitizing Lexical Parsing Flow
• Test Case 1 = TinyMCE XSS
• Test Case 2 = Froala XSS
• Prevention
• Conclusion
• Resources
Read the article
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
👤 by Michael Stepankin aka @artsploit
The story of discovering and exploiting a Java deserialization vulnerability leading to RCE in ForgeRock OpenAM.
PoC:
GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=[serialized_object]
📝 Contents:
• The Story
• Obtaining Code & Decompiling
• Source code analysis
• Jato
• Testing on bug bounty (and failing)
• Building a custom gadget chain
• Let's get this bread
• The patch
• Key takeaways
https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
RARLAB fixed a MITM (CVE-2021-35052) in WinRAR found by our researcher Igor Sak-Sakovskiy.
This attack could be leveraged to achieve code execution on a user's machine.
Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1
CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT
👤 by @thezdi
The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.
📝 Contents:
• The Vulnerability
• Exploitation
• Proof of Concept
• Getting Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict
Remote code execution in cdnjs of Cloudflare
👤 by @ryotkak
A path traversal in Cloudflare's cdnjs library update server during archive extraction could be used to execute arbitrary commands. As a result, cdnjs could be completely compromised, affecting around 12.7% of all websites on the internet once caches expire.
📝 Contents:
• Preface
• TL;DR
• About cdnjs
• Reason for investigation
• Initial investigation
• Investigation of automatic update
• Path traversal
• Demonstration of vulnerability
• Incident
• Determinate impact
• Conclusion
• Timeline
https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
👤 by Bharat Jogi
"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."
📝 Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq