voidsec2021-05-10T08:37:17+02:00NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created using NT AUTHORITY\SYSTEM level permissions, which lead to Command Execution and Elevation of Privileges (EoP).
NVIDIA Security Bulletin – April 2021
NVIDIA Acknowledgements Page
This blog post is a re-post of the original article “Chaining Bugs: CVE‑2021‑1079 - NVIDIA GeForce Experience (GFE) Command Execution” that I have written for Yarix on YLabs.
Some time ago I was looking...
This blog post is a re-post of the original article “Fuzzing: FastStone Image Viewer & CVE-2021-26236” that I have written for Yarix on YLabs.
In my precedent blog post I’ve introduced “fuzzing” from a theoretical point of view. As I’ve previously anticipated, today I’m going to disclose the fuzzing methodology, process and samples that led me to discover five different vulnerabilities in FastStone Image Viewer v.<=7.5. I’ll also go over the root cause analysis of CVE-2021-26236 and how to achieve...
voidsec2020-11-20T08:42:40+01:00TL; DR: this blog post serves as an advisory for both:
CVE-2020-28054: An Authorization Bypass vulnerability affecting JamoDat – TSMManager Collector v. <= 22.214.171.124
A Stack Based Buffer Overflow affecting IBM Tivoli Storage Manager - ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1.
Unfortunately, after I had one of the rudest encounters with an Hackerone’s triager, these are the takeaways:
IBM Tivoli Storage Manager has reached its end of life support and will not...
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
voidsec2020-08-12T12:32:14+02:00Banner Image by Sergio Kalisiak
TL; DR: I will explain, in details, how to trigger PrintDemon exploit and dissect how I’ve discovered a new 0-day; Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon’s recent patch via a Junction Directory (TOCTOU).
PrintDemon primer, how the exploit works?
Shadow Job File
Binary Diffing CVE-2020-1048 Patch
CVE-2020-1337 – A bypass of CVE-2020-1048’s patch
After Yarden Shafir’s & Alex Ionescu’s posts (PrintDemon, FaxHell) and their call to action,...
A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow
voidsec2020-05-14T09:36:19+02:00TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.126.96.36.199(4) and DeviceViewer (DeviceViewer.exe) <= v.188.8.131.52 (CVE-2019-11563) are affected by a local Stack Buffer Overflow. By creating a specially crafted "Username" and copying its value in the "User/mail" login field, an attacker will be able to gain arbitrary code execution in the context of the currently logged-in user.
Please Note: by default, Sricam CMS requires elevation and runs in High Integrity mode; exploitation of the above software will result in a compromise...
voidsec2020-05-09T10:15:58+02:00During this period of social isolation, a friend of mine proposed to play some online "board games". He proposed “Tabletopia”: a cool sandbox virtual table with more than 800 board games.
Tabletopia is both accessible from its own website and from the Steam’s platform.
While my friends decided to play from their browser, I’ve opted for the Steam version. We joined a room and started a game; at one point we were messing around with some in-game cards when , for...
Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)
This is a re-posting of the original article "On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)" that I have wrote on Doyensec
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entrypoint to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path...
voidsec2018-08-30T13:11:09+02:00For whom is following me on Twitter this is not a news, yesterday I was complaining about a Telegram “Feature” in the secret chat context, while for whom doesn’t this should serve as a write-up of the bug that I have discovered (The bug is nothing fancy but something I think people should, at least, know).
Telegram Secret Chat
If you are not practical with the concept of Telegram’s Secret Chat:
“Secret chats are meant for people who want more secrecy than...
voidsec2019-08-31T13:58:19+02:00This is the main article for the VirIT Explorer Local Privilege Escalation Exploit's, if you are not interested in the methodology and the story behind this vulnerability you can directly jump to the end and reach the exploit section.
As a penetration tester I've realized that Antivirus Solutions are often insecure, they can be easily bypassed and they do not fully protect your system; sometimes they also make you more vulnerable and this is the case.
I will always recommend AV...
VoidSec Security Team
Date of contact
2nd date of contact
3rd date of contact
Vendor last reply
Date of public disclosure
Phorum Open Source PHP Forum Software
Download the Report [EN]
The purpose of the present project is to assess the security posture of some important aspects of Phorum Forum Software.
Phorum is open source forum software with a penchant for speed. Phorum's very flexible hook and module system can satisfy every web master's needs.
During the web application security assessment for Phorum, VoidSec assessed the following systems...