This blog post is a re-post of the original article “Fuzzing: FastStone Image Viewer & CVE-2021-26236” that I wrote for Yarix on YLabs.
In my previous blog post I introduced “fuzzing” from a theoretical point of view. As previously anticipated, today I’m going to disclose the fuzzing methodology, process and samples that led me to discover five different vulnerabilities in FastStone Image Viewer v.<=7.5. I’ll also go over the root cause analysis of CVE-2021-26236 and how to achieve...
Software Testing Methodologies & Approaches to Fuzzing
voidsec, 2022-01-14T09:02:11+01:00
This blog post is part of a series and a re-post of the original article “Fuzzing 101” that I wrote for Yarix on YLabs.
In this article, I would like to introduce fuzz testing as part of a vast overview of software testing approaches used to discover bugs and vulnerabilities within applications, protocols, file formats and more.
With an ever-increasing number of vulnerabilities discovered during the years, many organizations still spend little budget and effort to produce and ensure...
voidsec, 2022-01-14T09:29:38+01:00
We are proud to announce that ECG got its first major update.
ECG is the first and only commercial solution (a static source code scanner) able to analyze and detect real and complex security vulnerabilities in TCL/ADP source code.
ECG v2.0 New Features
On-Premises Deployment: Scan your code repository on your secure and highly scalable offline appliance with a local ECG installation to comply with strict code privacy policies.
API Support: Easily integrate ECG's automated security testing into your continuous integration and delivery (CI/CD) tools. Manage your...
voidsec, 2022-01-14T09:04:08+01:00
TL;DR: this blog post serves as an advisory for both:
CVE-2020-28054: An Authorization Bypass vulnerability affecting JamoDat – TSMManager Collector v. <= 220.127.116.11
A stack-based buffer overflow affecting IBM Tivoli Storage Manager - ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1.
Unfortunately, after one of the rudest encounters I have had with a HackerOne triager, these are the takeaways:
IBM Tivoli Storage Manager has reached its end of life support and will not...
voidsec, 2022-01-14T09:04:43+01:00
Following a recent engagement, I had the opportunity to check and verify some possible vulnerabilities in an ASP .NET application. Despite this not being the deepest or most innovative technical blog post you could find on the net, I have decided to post it anyway in order to explain the methodology I adopt to verify possible vulnerabilities.
If you are into the grey-box approach (source code review and dynamic analysis, SAST/DAST), new to ASP .NET applications, or planning to take AWAE,...
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
voidsec, 2022-01-14T09:05:26+01:00
Banner Image by Sergio Kalisiak
TL;DR: I will explain, in detail, how to trigger the PrintDemon exploit and dissect how I discovered a new 0-day: Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon’s recent patch via a junction directory (TOCTOU).
After Yarden Shafir’s and Alex Ionescu’s posts (PrintDemon, FaxHell) and their call to action, I started diving into the PrintDemon exploit. PrintDemon is the catchy name for Microsoft CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability, which affects (according to...
A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow
voidsec, 2022-01-14T09:06:03+01:00
TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.18.104.22.168(4) and DeviceViewer (DeviceViewer.exe) <= v.22.214.171.124 (CVE-2019-11563) are affected by a local stack buffer overflow. By creating a specially crafted "Username" and copying its value into the "User/mail" login field, an attacker is able to gain arbitrary code execution in the context of the currently logged-in user.
Please Note: by default, Sricam CMS requires elevation and runs in High Integrity mode; exploitation of the above software will result in a compromise...
voidsec, 2022-01-14T09:06:35+01:00
During this period of social isolation, a friend of mine proposed playing some online "board games". He proposed “Tabletopia”: a cool sandbox virtual table with more than 800 board games.
Tabletopia is accessible both from its own website and from the Steam platform.
While my friends decided to play from their browser, I opted for the Steam version. We joined a room and started a game; at one point we were messing around with some in-game cards when, for...
voidsec, 2022-01-14T09:07:05+01:00
Assignment #7: Custom Shellcode Crypter
The seventh and last SLAE assignment requires creating a custom shellcode crypter.
Since I had to implement an entire encryption scheme both in Python as a helper and in assembly as the main decryption routine, I opted for something simple. I chose the Tiny Encryption Algorithm (TEA) because it does not require a large IV or S-box initialization data (which would add a huge overhead to my shellcode's decoding routine), and because it is tiny and not too complex to re-implement.
voidsec, 2022-01-14T09:07:26+01:00
Assignment #6: Polymorphic Shellcode
The sixth SLAE assignment requires creating three different polymorphic shellcode versions, starting from published Shell-Storm examples.
I decided to examine these three:
http://shell-storm.org/shellcode/files/shellcode-752.php - linux/x86 execve ("/bin/sh") - 21 bytes
http://shell-storm.org/shellcode/files/shellcode-624.php - linux/x86 setuid(0) + chmod("/etc/shadow",0666) - 37 bytes
http://shell-storm.org/shellcode/files/shellcode-231.php - linux/x86 open cd-rom loop (follows "/dev/cdrom" symlink) - 39 bytes
As always, all the code is also available on GitHub.
xor ecx, ecx
push 0x68732f2f ...