Abstract Those who follow our blog know that we like Geutebruck cameras: we have found many trivial RCEs in their products since 2016. A few months ago, two attendees of one of our pentest trainings (Guillaume Gronnier and Romain Luyer from CEIS) found new ways to exploit two old RCEs we had found two years earlier! We dug further and found an additional way, and as a bonus an attendee even found a stored XSS.
Again, RandoriSec was at Hack In The Box for the 2019 edition in Amsterdam! It was really great! The first 3 days of the event are dedicated to trainings. On that note, we heard that the training by Nicolas Grégoire (aka @Agarri) was excellent and got very good feedback from attendees. If you want to improve your skills with Burp Suite Pro, you should attend this training.
Last week I took part in the round table at the CLUSIF conference “Gestion des incidents de sécurité : résilience et amélioration” (Security incident management: resilience and improvement). My talk presented research carried out in 2016-2017, which can be summed up in one question: how do we prevent cognitive or organisational biases from affecting security management? In general, security decisions are made on the basis of advice from experts or vendors, benchmarks, or discussions with peers.
We wrote an article on free and open-source tools for web application penetration testing, published last summer in special issue no. 97 of Linux Magazine, “Les bonnes pratiques du développement sécurisé” (Secure development best practices). The magazine has just been reissued. We had opted for a CC licence so that the article could be made available to everyone as soon as the exclusive rights expired. That is now done!
On March 23rd, Guillaume Lopes gave a talk at BSides Dublin about how to bypass payment on the Google Play Billing API. Synopsis: In 2017, global in-app purchase revenue was projected to exceed $37 billion. In the Google Play Store alone, for 2018, more than 200,000 apps offer in-app purchases. However, the Google Play Billing API does not offer a sufficient level of protection to ensure the security of payment transactions.
Dirk-jan Mollema, a pentester working for Fox-IT, found a very clever attack allowing any user who owns an Exchange mailbox to obtain Domain Admin privileges. The attack was unveiled last week, strangely without much media coverage (but that seems to be changing: the daily SANS ISC blog post covered the subject yesterday). As there is still no fix from Microsoft (think software patch to install), the term “0day” is being used.
Guillaume Lopes (@Guillaume_Lopes) and Davy Douhine (@ddouhine), senior pentesters, will share many techniques, tips and tricks in a 100% hands-on, two-day mobile training aimed at pentesters, bug bounty researchers, or the simply curious. The goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques that help you work faster and more efficiently in the mobile (Android and iOS) ecosystem. This is exactly the training you would have liked to have had before wasting precious time on trial and error while testing.
Client side validation Client side validation is a common weakness found during penetration tests and security audits performed by Randorisec. Because the client side is, by definition, on the user's side, it can be altered by the user, sometimes quite easily. Netflix Parental Control PIN A few months ago we figured out that the Netflix parental control PIN was very easy to bypass: Hey kids!
Abstract A few weeks ago we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions”, and found an RCE affecting version 18.104.22.168 and prior versions of the E2 series IP cameras. In fact, it is the third time we have found an RCE in this product line: one in 2016, another in 2017, and now a new one in 2018.
As Google defines it, “Google Play Billing is a service that lets you sell digital content from inside an Android app, or in-app.” It can be used to sell one-time products like additional game levels, premium loot boxes or media files, or subscriptions like online magazines or music streaming services. But what could possibly go wrong when this service relies on client-side validation? Guillaume worked on this for Checkmarx and published a complete blog post explaining the results and the detailed steps to bypass the In-app Billing process and obtain unlimited credits: https://www.