SAP refused to disclose which CVEs were assigned to vulnerabilities reported by our researcher Mikhail Klyuchnikov, if any.
Three subsequent letters remain unanswered.
We believe the CVEs to be CVE-2021-33690 (CVSS 9.9) and CVE-2021-33691 (CVSS 6.9) in the August hotfix.
Join the discussion on Twitter: https://twitter.com/ptswarm/status/1433070547399757824
RCE on a backend IIS server via file upload with an atypical file extension.
More community curated payloads can be found at https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
👤 by Ori Hollander and Or Peles
The vulnerability, CVE-2021-40346, is an Integer Overflow, triggerable via the Content-Length HTTP header, that makes it possible to conduct HTTP Request Smuggling attacks.
📝 Contents:
• Technical Background
• HTTP Request Smuggling
• HAProxy’s HTTP request processing phases (simplified)
• Attack Scenario – Bypassing http-request ACLs
• What happens inside HAProxy
• Getting the HTTP response for the smuggled request
• Attack demonstration – ACL bypass
• Vulnerability Details
• Automating the Discovery
• Fixes and Workarounds
https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
JFrog
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability…
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
👤 by @jensneuse_de
The complete GraphQL security guide. 'Nuff said.
📝 Contents:
• The 13 most common GraphQL Vulnerabilities
• Solving the 13 most common GraphQL Vulnerabilities for private APIs
• Solving the 13 most common GraphQL Vulnerabilities for public APIs
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready
WunderGraph
The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready
A description of the 13 most common GraphQL vulnerabilities and how to mitigate them.
SAP fixed Post-Auth RCE (CVE-2021-38163) in SAP NetWeaver found by our researcher Mikhail Klyuchnikov.
CVSS 9.9 🔥
No credits from SAP again.
Advisory: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through
👤 by Markus Wulftange
The vulnerability is triggerable when processing user upload requests, which can lead to Unauthorized RCE.
📝 Contents:
• Background
• The Travelogue
• Finding A Path From Sink To Source
• Are We Still on Track?
• What's in the backpack?
• Running With Razor
• Timeline and fix
https://codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html
Blogspot
CODE WHITE | Blog: RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through
Citrix ShareFile Storage Zones Controller uses a fork of the third party library NeatUpload. Versions before 5.11.20 are affected by a rela...
We are thrilled to announce the following presentations at @hardwear_io, @blackhatevents, #POC2021 and @hackinparis
Autodiscovering the Great Leak
👤 by Amit Serper
The design flaw in the Autodiscover protocol makes it possible for an attacker who controls top-level Autodiscover domains (or who can conduct a DNS-poisoning attack using these domains) to obtain valid domain credentials from leaky Autodiscover requests.
📝 Contents:
• Executive summary
• Introduction
• What is Autodiscover?
• Abusing the Leak
• The ol’ switcheroo
• Mitigation
• Conclusion
https://www.guardicore.com/labs/autodiscovering-the-great-leak/
Akamai
Akamai Blog | Autodiscovering the Great Leak
See the most recent research from Amit Serper on a vulnerability in Autodiscover from Microsoft Outlook that affects credential leaks.
"A tale of making internet pollution free" - Exploiting Client-Side Prototype Pollution in the wild
👤 by Mohan Sri Rama Krishna P, Sergey Bobrov, Terjanq, Beomjin Lee, Masato Kinugawa, Nikita Stupin, Rahul Maini, Harsh Jaiswal, Mikhail Egorov, Melar Dev, Michał Bentkowski, Filedescriptor, Olivier, William Bowling, Ian Bouchard
In JavaScript, an object inherits methods and properties from its prototype. Prototype Pollution is the situation in which extra properties are added to the prototype of base objects. Depending on the application logic, prototype pollution leads to other vulnerabilities, from RCE to SQL injection. This technical write-up touches on the tools the researchers created, the challenges they faced, and case studies from the whole process.
📝 Contents:
• Introduction
• Methodology
• Detection
• Case 1
• Selenium Bot
• Browser Extension
• Case 2
• Identifying the vulnerable library
• Blocking the JS resource request in Firefox
• Debugger Breakpoint on setter
• Finding Script Gadgets
• What is a script gadget?
• Keyword search and Source Code Review
• Filedescriptor’s untrusted-types extension
• Report
• Store vulnerable libraries and gadgets in database
• Case Studies
• Case Study 1: CodeQL for fun and profit
• Case Study 2: Prototype Pollution on Jira Service Management 4.16.0, <4.18.0(fix bypass)
• Case Study 3: XSS on apple.com found using chrome extension by Rahul and Harsh
• Case Study 4: HubSpot Analytics
• Case Study 5: Segment Analytics Pollution by Masato Kinugawa
• Mitigations
https://blog.s1r1us.ninja/research/PP
blog.s1r1us.ninja
s1r1us - Prototype Pollution
Introduction
New article: "Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings"
Read more about critical vulnerabilities (CVSS 9.8, 7.3 and 5.3) found by our researchers
Nikita Abramov & Mikhail Klyuchnikov:
https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms
👤 by Steven Seeley
Technical review of the Chinese CMS “Dedecms”, including its attack surface and how it differs from other applications. The author ends up with a pre-authenticated remote code execution vulnerability impacting the v5.8.1 pre-release.
📝 Contents:
• Threat Modeling
• Defense in Depth
• Finding a pre-authenticated endpoint
• ShowMsg Remote Code Execution Vulnerability
• Summary
• Vulnerability Analysis
• Proof of Concept
• Reporting
• Conclusion
• References
https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html
We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
If files outside of the document root are not protected by "require all denied" these requests can succeed.
Patch ASAP!
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2021-26420: Remote Code Execution in Sharepoint via workflow compilation
👤 by The ZDI Research Team
In June of 2021, Microsoft released a patch to correct CVE-2021-26420 – a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability.
This vulnerability could be used by an authenticated user to execute arbitrary .NET code on the server in the context and permissions of the service account of a SharePoint web application. For a successful attack, the attacker should have “Manage Lists” permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permissions.
📝 Contents:
• The Vulnerability
• Proof of Concept
• Achieving Remote Code Execution
• Conclusion
https://www.zerodayinitiative.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-in-sharepoint-via-workflow-compilation
Zero Day Initiative
Zero Day Initiative — CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation
In June of 2021, Microsoft released a patch to correct CVE-2021-26420 – a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI…
We are pleased to present the utility developed by our researcher Philip Nikiforov for Flutter apps traffic monitoring.
Just make the app trust installed certificates by repacking it with reFlutter and hunt bugs using Burp Suite. No root, no VPN, no more hassle!
https://github.com/ptswarm/reFlutter
Building a POC for CVE-2021-40438
👤 by Firzen
A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. The author of the article found a way to exploit it.
📝 Contents:
• The Patch
• How to exploit?
• How uds_path is being set?
• Success
• Conclusion and Remarks
https://firzen.de/building-a-poc-for-cve-2021-40438
New article: "WinRAR’s vulnerable trialware: when free software isn’t free" by our researcher Igor Sak-Sakovskiy.
In this article, we show how vulnerabilities in trialware could become a gate for hackers.
https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-software-isnt-free/
PHP-FPM Local Root Vulnerability
👤 by Charles Fol
PHP-FPM (FastCGI Process Manager) is the official PHP FastCGI server. It is used in conjunction with an HTTP server such as Apache or NGINX to handle the processing of PHP files. It generally listens for connections over either a UNIX socket or on TCP port 9000. When the HTTP server needs to run a PHP file, it will forward parameters, such as the file path, PHP variables, and configuration to PHP-FPM, which will send back a response.
A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges.
Due to the growing adoption of NGINX instead of Apache, a good look at PHP-FPM was in order. An oversight in the design of the shared memory region led to half-decent exploitation primitives, which in turn led to a root privilege escalation.
📝 Contents:
• Introduction
• Overview of the bug
• Overview of PHP-FPM
• Main process and workers
• Scoreboards
• IPC through SHM
• Process scoreboard management and the bad primitive
• An example
• Exploitation
• Tailoring the primitive
• Reaching the heap: setting catch_workers_output
• Good enough ?
• All your bases
• Persistent worker control
• Capping the number of workers
• Closed FD
• Error-free PHP
• Problem-free exploitation tactics
• Managing streams: zlog_stream
• Unreachable heap overflow
• Faking the streams, getting root
• Heap overflow
• Arbitrary write
• Demo
• Vulnerable versions
• Conclusion and Remarks
https://ambionics.io/blog/php-fpm-local-root
Ambionics
PHP-FPM local root vulnerability (CVE-2021-21703)
This article reveals a privilege escalation vulnerability affecting PHP-FPM.
Discourse SNS webhook RCE
👤 by joernchen
Discourse is the open source discussion platform built for the next decade of the Internet. It can be used as a mailing list, discussion forum, long-form chat room, etc.
A validation bug in the upstream aws-sdk-sns gem can lead to RCE in Discourse via a maliciously crafted request.
https://0day.click/recipe/discourse-sns-rce/
0day.click
Discourse SNS webhook RCE
I was staring at this part of the code for way too long already:
module Jobs
  class ConfirmSnsSubscription < ::Jobs::Base
    sidekiq_options retry: false
    def execute(args)
      return unless raw = args[:raw].presence
      return unless json = args[:json].presence
      return…
Sitecore Experience Platform Pre-Auth RCE
👤 by Shubham Shah
In this blog post, the research team details a pre-authentication RCE vulnerability that affects Sitecore XP versions from 7.5 Initial Release to Sitecore XP 8.2 Update-7.
Sitecore’s Experience Platform (XP) is an enterprise content management system (CMS). This CMS is used heavily by enterprises, including many of the companies within the fortune 500.
The vulnerability is applicable to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (Content Delivery, Content Editing, Reporting, Processing, etc.), which are exposed to the Internet.
📝 Contents:
• Intro
• What is Sitecore Experience Platform?
• Mapping out the attack surface
• Discovering the RCE
• Remediation Advice
• Conclusion
https://blog.assetnote.io/2021/11/02/sitecore-rce/