Advisories

CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!

Banner Image by Sergio KalisiakTL; DR: I will explain, in details, how to trigger PrintDemon exploit and dissect how I’ve discovered a new 0-day; Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon’s recent patch via a Junction Directory (TOCTOU).ContentsPrintDemon primer, how the exploit works?PrinterPort WritePrinter Shadow Job FileBinary Diffing CVE-2020-1048 Patch CVE-2020-1337 – A bypass of CVE-2020-1048’s patch Conclusion Affected Systems Disclosure TimelineAfter Yarden Shafir’s & Alex Ionescu’s posts (PrintDemon, FaxHell) and their call to action,...

Posted By

A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow

TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.1.0.0.53(4) and DeviceViewer (DeviceViewer.exe) <= v.3.10.12.0 (CVE-2019-11563) are affected by a local Stack Buffer Overflow. By creating a specially crafted "Username" and copying its value in the "User/mail" login field, an attacker will be able to gain arbitrary code execution in the context of the currently logged-in user.Please Note: by default, Sricam CMS requires elevation and runs in High Integrity mode; exploitation of the above software will result in a compromise...

Posted By

Tabletopia: from XSS to RCE

During this period of social isolation, a friend of mine proposed to play some online "board games". He proposed “Tabletopia”: a cool sandbox virtual table with more than 800 board games.Tabletopia is both accessible from its own website and from the Steam’s platform.While my friends decided to play from their browser, I’ve opted for the Steam version. We joined a room and started a game; at one point we were messing around with some in-game cards when , for...

Posted By

Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)

This is a re-posting of the original article "On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)" that I have wrote on DoyensecDuring one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entrypoint to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path...

Posted By

Telegram Secret Chat Bug

For whom is following me on Twitter this is not a news, yesterday I was complaining about a Telegram “Feature” in the secret chat context, while for whom doesn’t this should serve as a write-up of the bug that I have discovered (The bug is nothing fancy but something I think people should, at least, know). Telegram Secret Chat If you are not practical with the concept of Telegram’s Secret Chat: “Secret chats are meant for people who want more secrecy than...

Posted By

The Curse of the Antivirus Solution

This is the main article for the VirIT Explorer Local Privilege Escalation Exploit's, if you are not interested in the methodology and the story behind this vulnerability you can directly jump to the end and reach the exploit section. As a penetration tester I've realized that Antivirus Solutions are often insecure, they can be easily bypassed and they do not fully protect your system; sometimes they also make you more vulnerable and this is the case. I will always recommend AV...

Posted By

Phorum – Full Disclosure

Reporter VoidSec Security TeamAdvisory VoidSec-16-002Date of contact 03-03-162nd date of contact 16-03-163rd date of contact 04-04-16Vendor last reply 03-03-16Date of public disclosure 21-04-16Product Phorum Open Source PHP Forum SoftwareVersion 5.2.20  Download the Report [EN] Introduction The purpose of the present project is to assess the security posture of some important aspects of Phorum Forum Software. Phorum is open source forum software with a penchant for speed. Phorum's very flexible hook and module system can satisfy every web master's needs. During the web application security assessment for Phorum, VoidSec assessed the following systems...

Posted By

LinkedIn – CSV Excel formula injection

We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its "CSV Export" function. Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC. LinkedIn's users can exports all their connections into a CSV file, that due to some missing filters (escaping output), could allows an attacker to execute a command on the user machine. An attacker can create a LinkedIn profile embedding...

Posted By

Avactis – Full Disclosure

Advisory: VoidSec-16-001Date of contact: 19-01-162nd date of contact: 23-01-16Vendor reply: N/ADate of public disclosure: 12-04-16Product: Avactis PHP Shopping CartVersion: 4.7.9.Next.47900Vendor: Avactis  Download the Report [EN] Introduction Avactis is an open source ecommerce Shopping Cart software. The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach.Vulnerabilities:Spreading of Files with Malicious Extensions on Upload New Design and Execution in some circumstances Non-Admin PHP...

Posted By

Aethra Botnet

What do an old log file, Wordpress, “some” routers and some Italian ISP have in common? Apparently nothing but let me explain from the beginning and you will notice how interesting elements can be discovered, starting from an insignificant event. Friday, February 13, 2015: I was performing ordinary maintenance on my personal website and, while I was analyzing the statistics and logs, I noticed a "strange" recurring pattern:Anyone who has ever run a WordPress can recognize in this extract of...

Posted By