CVE-2018-11235 git RCE

Recently I was working on a git repository that contained numerous submodules. At this point I realised that I did not know how submodules worked and decided to dive into the submodule system to gain a better understanding. During this process of discovery I came across a vulnerability in the submodule system, which lead to Remote Code Execution (RCE) in git when a submodule was initialised. This allowed for reliable exploitation of the host that was cloning my malicious repository, and ultimately gave me RCE in GitHub Pages and CVE-2018-11235 for git.

Read More…

CVE-2017-17405 RCE in Ruby's FTP lib

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file. This was assigned CVE-2017-17405 and patched by the Ruby team on 14 December 2017.

Read More…

Quick win with GraphQL

“GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data” - graphql.org The GraphQL query language allows developers to easily write front-end queries, using a JSON like syntax, to retrieve data from the back-end. The big plus here that a single API end-point can return multiple types and formats of data based on the contents of the query. This simplicity has resulted in a steady adaption of GraphQL.

Read More…

Cross Posting - Other Blog Posts

Before creating this blog, I had the opportunity to create numerous posts under the SensePost blog. These cover a few topics including mobile apps, web apps and infrastructure. Here is a list of those posts, in chronological order, with a brief abstract about each post.

Read More…

netstat without netstat

Recently I was doing an assessment in a locked down and restricted environment. One of the first actions you tend to do when landing a shell on a [linux] box is to do some reconnaissance. This is both on host and network, as you want to determine what new access this host has given you. Normally you would run netstat, ifconfig, ip route etc to determine if the compromised host is connected to any other hosts and to determine if there are other network segments you do not know about.

Read More…

Polycom HDX Series RCE

When doing external assessments you spend a decent amount of time footprinting your target and finding possible avenues of attack. Given a large corporate, you are pretty likely to hit video conferencing end-points. This post details a vulnerability in one of these video conferencing systems, the Polycom HDX series. I identified this vulnerability while still at SensePost and reported it to Polycom. The vulnerability was acknowledged and we were informed that a patch would be issued.

Read More…

MSWord - Obfuscation with Field Codes

A few weeks back Saif El-Sherei and I posted on the SensePost blog about DDE and getting command exec in MSWord without macros. This post got way more attention than we initially expected it would. Since then DDE has been used in phishing and malware campaigns, as well as legitimate red-team engagements. With the rapid rise in attacks using DDE, detection has been stepped up and most AV engines have basic DDE detection built in.

Read More…

Phishing with OAuth and o365/Azure

Typically phishing has provided a low tech approach to getting access to credentials and services. The mainfocus up until now has been on getting username&passwords or tricking users into executing code. Subsequently, user awareness has gone up and users are better at identifying suspicious pages. Experience has shown that the click-through rate on emails have remained high, while users have been (slightly) less likely to enter credentials and more likely to report the phishing page.

Read More…