While performing a penetration test for a customer, I stumbled across a command execution vulnerability in Usermin that is pretty trivial to identify and to exploit. The interesting part is that this vulnerability survived for almost 13 years.
May 20, 2015
May 8, 2015
CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal
Serialization is often used to convert objects into a string representation for communication or to save them for later use. Deserialization in PHP, however, has side-effects: unserialize() instantiates whatever classes the serialized input names and later invokes their magic methods (for example __wakeup() and __destruct()), so an attacker who is able to provide the data to be deserialized can choose classes and property values that turn those methods against the application.
This post will give you an insight into the deserialization of untrusted data vulnerability in the Bomgar Remote Support Portal 14.3.1 (US CERT VU#978652, CVE-2015-0935), which is part of Bomgar's appliance-based remote support software. It covers details on the weakness of Deserialization of Untrusted Data (CWE-502) in PHP applications in general, as well as specific details on the vulnerability and its exploitation in the Bomgar Remote Support Portal 14.3.1.
March 9, 2015
$@|sh – Or: Getting a shell environment from Runtime.exec
If you happen to have command execution via Java's Runtime.exec on a Unix system, you may already have noticed that it doesn't behave like a normal shell. Although simple commands like ls -al, uname -a, or netstat -ant work fine, more complex commands and especially commands with indispensable features like pipes, redirections, quoting, or expansions do not work at all.
Well, the reason for that is that the command passed to Runtime.exec is not executed by a shell. The single-String overload merely splits the string on whitespace (using a StringTokenizer) and treats the first token as the program and the rest as its arguments. If you dig down through the Java source code, you'll end up in the UNIXProcess class, which reveals that calling Runtime.exec results in a fork and exec call on Unix platforms, so a "|" or ">" in the string reaches the program as a literal argument instead of being interpreted.
Nonetheless, I'll show you a way to still get commands executed in a proper shell.
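To make the difference concrete, here is an added example of my own (not code from the post) that runs the same command line three ways: through the single-String Runtime.exec overload, through an argv array that hands the line to sh -c as one element, and through the "$@|sh" construct from the post's title, where the explanation in the comments is my own reading of how that construct works and not the post's text. The class name ExecDemo and the sample command line are mine; the example assumes a Unix system with sh, echo and tr in PATH.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class ExecDemo {

    // Read everything the process writes to stdout and wait for it to finish.
    // stderr is left alone on purpose: the point is what the command actually produced.
    static String drain(Process p) throws IOException, InterruptedException {
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    // Variant 1: the single-String overload. Java splits the string on whitespace
    // (StringTokenizer) and execs the first token; "|", "tr", "a-z" ... are just
    // further arguments handed to echo, which prints them back literally.
    static String viaSingleString(String line) throws IOException, InterruptedException {
        return drain(Runtime.getRuntime().exec(line));
    }

    // Variant 2: when you control argv, hand the whole line to a real shell as ONE
    // element. sh parses the pipe, quoting and redirections as usual.
    static String viaShell(String line) throws IOException, InterruptedException {
        return drain(Runtime.getRuntime().exec(new String[] {"sh", "-c", line}));
    }

    // Variant 3 (my reading of the "$@|sh" construct in the post title, stated as an
    // assumption): only a single String is controllable, so every token must survive
    // the whitespace split. After splitting, argv is
    //   sh -c $@|sh . echo <line...>
    // sh therefore runs the script `$@|sh` with $0 = "." and $1.. = echo <line...>.
    // `$@` expands to the words `echo <line...>`; the "|" inside those words is a
    // literal argument (expansion results are never re-parsed as operators), so echo
    // just prints <line...>. That output is piped into a second sh, which finally
    // parses <line...> as a real shell command line, pipes and all.
    static String viaDollarAtTrick(String line) throws IOException, InterruptedException {
        return drain(Runtime.getRuntime().exec("sh -c $@|sh . echo " + line));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a pipeline that only a shell can execute.
        String line = "echo hello world | tr a-z A-Z";
        System.out.print("single String : " + viaSingleString(line));
        System.out.print("sh -c argv    : " + viaShell(line));
        System.out.print("$@|sh trick   : " + viaDollarAtTrick(line));
    }
}
```

Run it with `javac ExecDemo.java && java ExecDemo`. The first variant echoes the line back unchanged, because echo received "|", "tr", "a-z" and "A-Z" as ordinary arguments and tr never ran; the other two upper-case the text, because in both cases a shell parsed the pipeline. Note that the third variant re-joins the tokens with single spaces, so runs of whitespace inside the original line are lost, while quote characters survive the split and are interpreted by the second sh.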
March 2, 2015
Exploiting the hidden Saxon XSLT Parser in Ektron CMS
Another vulnerability I came across was in Ektron CMS, a .NET-based web CMS. If you want to find running instances, try "inurl:/workarea filetype:asmx" on Google. The interesting thing about it is that Microsoft had already reported the initial vulnerability as MSVR12-016 (CVE-2012-5357), but I found a different vector to exploit it.
February 25, 2015
How I could (i)pass your client security
Half a year ago I stumbled upon a piece of software called iPass Open Mobile during a Windows client security review. iPass Open Mobile helps you get network connectivity over Wi-Fi hotspots, modem, DSL, etc. It is widely deployed on Windows clients in large corporations.