CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
voidsec, 2020-08-12T12:32:14+00:00
Banner Image by Sergio Kalisiak
TL;DR: I will explain, in detail, how to trigger the PrintDemon exploit and dissect how I discovered a new 0-day: Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon’s recent patch via a Junction Directory (TOCTOU).
Contents:
PrintDemon primer, how the exploit works?
PrinterPort
Shadow Job File
Binary Diffing CVE-2020-1048 Patch
CVE-2020-1337 – A bypass of CVE-2020-1048’s patch
Disclosure Timeline
After Yarden Shafir’s & Alex Ionescu’s posts (PrintDemon, FaxHell) and their call to action,...
A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow
voidsec, 2020-05-14T09:36:19+00:00
TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.18.104.22.168(4) and DeviceViewer (DeviceViewer.exe) <= v.22.214.171.124 (CVE-2019-11563) are affected by a local Stack Buffer Overflow. By creating a specially crafted "Username" and copying its value in the "User/mail" login field, an attacker will be able to gain arbitrary code execution in the context of the currently logged-in user.
Please Note: by default, Sricam CMS requires elevation and runs in High Integrity mode; exploitation of the above software will result in a compromise...
voidsec, 2020-05-09T10:15:58+00:00
During this period of social isolation, a friend of mine proposed playing some online "board games". He proposed “Tabletopia”: a cool sandbox virtual table with more than 800 board games.
Tabletopia is accessible both from its own website and from the Steam platform.
While my friends decided to play from their browser, I opted for the Steam version. We joined a room and started a game; at one point we were messing around with some in-game cards when, for...
Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)
voidsec, 2019-04-24T15:41:06+00:00
This is a re-posting of the original article "On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)" that I wrote on Doyensec.
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry point for triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path...
voidsec, 2018-08-30T13:11:09+00:00
For those who follow me on Twitter this is not news: yesterday I was complaining about a Telegram “Feature” in the secret chat context. For those who don’t, this should serve as a write-up of the bug that I have discovered (the bug is nothing fancy, but something I think people should, at least, know about).
Telegram Secret Chat
If you are not familiar with the concept of Telegram’s Secret Chat:
“Secret chats are meant for people who want more secrecy than...
voidsec, 2019-08-31T13:58:19+00:00
This is the main article for the VirIT Explorer Local Privilege Escalation Exploit; if you are not interested in the methodology and the story behind this vulnerability, you can jump directly to the end and reach the exploit section.
As a penetration tester I've realized that Antivirus Solutions are often insecure: they can be easily bypassed and they do not fully protect your system; sometimes they also make you more vulnerable, and this is the case.
I will always recommend AV...
VoidSec Security Team
Advisory: VoidSec-16-002
Date of contact: 03-03-16
2nd date of contact: 16-03-16
3rd date of contact: 04-04-16
Vendor last reply: 03-03-16
Date of public disclosure:
Phorum Open Source PHP Forum Software
Version:
The purpose of the present project is to assess the security posture of some important aspects of Phorum Forum Software.
Phorum is open source forum software with a penchant for speed. Phorum's very flexible hook and module system can satisfy every web master's needs.
During the web application security assessment for Phorum, VoidSec assessed the following systems...
voidsec, 2019-08-31T14:00:12+00:00
We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its "CSV Export" function.
Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC.
LinkedIn users can export all their connections into a CSV file which, due to some missing filters (output escaping), could allow an attacker to execute a command on the user's machine.
An attacker can create a LinkedIn profile embedding...
VoidSec-16-001
Date of contact: 19-01-16
2nd date of contact: N/A
Date of public disclosure:
Avactis PHP Shopping Cart
Version:
Avactis is an open source ecommerce Shopping Cart software. The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach.
Vulnerabilities:
Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
voidsec, 2016-12-12T19:22:14+00:00
What do an old log file, WordPress, “some” routers and some Italian ISPs have in common?
Apparently nothing, but let me explain from the beginning and you will notice how interesting elements can be discovered, starting from an insignificant event.
Friday, February 13, 2015: I was performing ordinary maintenance on my personal website and, while I was analyzing the statistics and logs, I noticed a "strange" recurring pattern:
Anyone who has ever run a WordPress site can recognize in this extract of...