Releases

Article

Extracting BitLocker keys from a TPM

by Denis Andzakovic • Mar 13 2019

By default, Microsoft BitLocker protected OS drives can be accessed by sniffing the LPC bus, retrieving the volume master key when it’s returned by the TPM, and using the retrieved VMK to decrypt the protected drive. This post will look at extracting the clear-text key from a TPM chip by sniffing the LPC bus, either with a logic analyzer or a cheap FPGA board. This post demonstrates the attack against an HP laptop logic board using a TPM1.2 chip and a Surface Pro 3 using a TPM2.0 chip. From bus wiring through to volume decryption. Source code included.

Advisory

Kanboard 1.2.7 Multiple Vulnerabilities

by Will Boucher • Feb 11 2019

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA deactivation, allowing an unauthenticated attacker to disable an account’s 2FA configuration. A lack of integrity checking or transport layer encryption enforced on plugins enables remote code execution by a malicious admin. Other vulnerabilities include: session privilege retention, 2FA bypass, database user_id and pre-2FA information disclosure.

read more
Advisory

Go-pandoc - LUA filter remote code execution

by Denis Andzakovic • Jan 29 2019

Go-pandoc is vulnerable to remote code execution through a user included LUA filter. An attacker can upload a LUA file to a known location on the file system due to a predictable temporary directory being used when handling certain file type includes. The uploaded LUA file can then be used as a filter in a subsequent request, allowing for the execution of arbitrary LUA code.

read more
Advisory

Rsync Daemon - parse_arguments Out-Of-Bounds read

by Denis Andzakovic • Dec 17 2018

An attacker may send the rsync daemon a crafted packet, triggering an out-of-bound memory read in the argument handling code.

read more
Article

Office 365 Audit Logging and Email scams

by Rob Armstrong • Nov 30 2018

We’re coming across more and more instances of Office 365 accounts with suspicious activity. Unfortunately the logging defaults in Office 365 are unsatisfactory and a little additional configuration is required to improve the effectiveness of the logging, especially in regards to user activity.

Advisory

Microsoft DirectX Memory Corruption (CVE-2018-8563)

by Scott Bell • Nov 14 2018

A memory corruption vulnerability exists in Microsoft DirectX. The corruption happens as a result of the incorrect handling of text, while running CSS tranformations, resulting in an out-of-bounds-read. It is possible to trigger this vulnerability remotely via Internet Explorer. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.

read more
Article

Adventures with the Ducati CAN bus

by Denis Andzakovic • Nov 12 2018

In this article I’ll be taking a look at the CAN bus network in a 2009 Ducati 848. How to find the bus, confirm the high and low lines with a scope and analyse messages with a Linux box and socket-CAN. The aim of the game is to identify a way to get onto the bus, and then analyse the messages going across the bus. We’ll end up figuring out how to log the throttle position and RPM data, how the immobilizer is implemented and how to bypass it.

Article

Extracting JavaScript from Sourcemaps

by Denis Andzakovic • Sep 7 2018

Sourcemaps are intended to make debugging minified JavaScript less of a pain. This article will take a closer look at Sourcemaps and discuss retrieving the original source code tree from a downloaded Sourcemap file.

Article

Shells - brought to you by the letter 'R'

by Will Boucher • Jul 23 2018

Can you tell me how to get, how to get shells on OpenCPU…

Advisory

Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

by Denis Andzakovic • Jul 21 2018

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

read more
Advisory

Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

by Denis Andzakovic • Jul 18 2018

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.

read more
Advisory

Manage Engine OpManager Multiple Authenticated RCE Vulnerabilities

by Denis Andzakovic • Jun 19 2018

Pulse Security has identified two vulnerabilities in the ManageEngine OpManager software currently being exploited in the wild, and one observational note. This document details the vulnerabilities and the indicators of compromise that may be used to identify these exploits.

read more
Advisory

Microsoft Internet Explorer EnterBlock Memory Corruption (CVE-2018-8249)

by Scott Bell • Jun 18 2018

A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens due to the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine. Microsoft fixed this vulnerability in the June 2018 patch cycle. Pulse Security recommends applying the latest updates to mitigate this vulnerability.

read more
Advisory

Phusion Passenger chown() race privilege escalation (CVE-2018-12029)

by Denis Andzakovic • Jun 13 2018

Phusion Passenger’s Nginx module is vulnerable to a privilege escalation vulnerability when run with a non-standard passenger_instance_registry_dir configuration. A vulnerability exists when creating the control_process.pid file, specifically when the file’s owner is changed from root. An attacker can use this behavior to escalate privileges from the www-data user to the root user when Nginx is restarted.

read more
Article

Red Team vs Pentest

by Denis Andzakovic • Jun 1 2018

When it comes to offensive security, engagements can be broadly broken up into two categories: Penetration testing and red teaming. Understanding the differences between the two is essential when attempting to verify the security of an application, network or organisation.

Advisory

Microsoft Internet Explorer Hyperlink Memory Corruption (CVE-2018-8118)

by Scott Bell • Apr 30 2018

A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens as a result of the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine.

read more
Advisory

Pi-hole < v3.3 Multiple Vulnerabilities

by Denis Andzakovic • Apr 15 2018

Multiple vulnerabilities were discovered in Pi-Hole, a DNS blocker solution. Vulnerabilities included remote code execution, cross-site scripting, sql injection, privilege escalation and stack-based buffer overflow.

read more
Advisory

Microsoft Edge / Internet Explorer SVG Memory Corruption (CVE-2018-0932)

by Scott Bell • Mar 14 2018

A memory corruption vulnerability exists in Microsoft Edge and Internet Explorer. The corruption happens as a result of incorrect handling of SVG attributes. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.

read more