responsible_disclosure

Client-side validation strikes again: PIN code bypass!

Client-side validation is a common weakness found during the penetration tests and security audits performed by Randorisec. Because the client side is, by definition, on the user's side, it can be altered by the user, and sometimes quite easily. Netflix Parental Control PIN: a few months ago we found that the Netflix parental control PIN was very easy to bypass: Hey kids!

Continue reading

[s03e01] RCE on Geutebruck IP Cameras

Abstract A few weeks ago we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions”, and found an RCE affecting version 1.12.0.24 and prior versions of the E2 series IP cameras. In fact it is the third time we have found an RCE on this product line: one in 2016, another in 2017 and now a new one in 2018.

Continue reading

Get Freebies by Abusing the Android InApp Billing API

As Google defines it, “Google Play Billing is a service that lets you sell digital content from inside an Android app, or in-app.” It can be used to sell one-time products like additional game levels, premium loot boxes or media files, or subscriptions like online magazines or music streaming services. But what could possibly go wrong when this service relies on client-side validation? Guillaume worked on this for Checkmarx and published a complete blog post explaining the results and the detailed steps to bypass the InApp Billing process and obtain unlimited credits: https://www.

Continue reading

[0day] Anonymous RCE on Geutebruck IP Cameras - again

Abstract A few months ago during a pentest, with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions”, and found several vulnerabilities, including RCE: a blind SQL injection, an SSRF, a CSRF and a stored XSS affecting version 1.12.0.4 and prior versions. We chose to “responsibly disclose” these 0day vulnerabilities, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading

[0day] Digium Asterisk OS Command Injection Vulnerability

Abstract Last summer during a pentest for a client we came across a product made by an international provider of intercom systems which uses the very popular Asterisk communication software, and found a trivial remote command execution vulnerability in its latest GUI (2.1.0). This product is used in many very sensitive environments such as prisons and official buildings. We chose to “responsibly disclose” it, directly to Digium and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading

[Conference] Industrial Hacking at DeepINTEL

We will be speaking about Industrial Hacking at DeepINTEL in Vienna this week! Here is the pitch: A few months ago a client asked us to assess the security of the ICS (Industrial Control Systems) of a brand new datacenter. As we were not industrial specialists we discovered a whole new world, and we tried and failed many times before owning the system. “Industrial DIY” shows how a small team of pentesters managed to assess the security of industrial systems (ICS/SCADA/BMS) and how to protect these critical infrastructures against a few major threats.

Continue reading

[0day] LogicalDOC - from guest to root

LogicalDOC is a DMS (Document Management System) available either in a community (and free) edition or in a professional (and expensive) version. This type of product is normally used to share and access documents from « everywhere », as they say on their website: « Your documents – Always accessible, from anywhere, at any time », which means web interfaces widely exposed on the internet. During a pentest, we found that a client used this product (in community version 7.

Continue reading

TheHive pentest

Do you know TheHive and Cortex? TheHive is a free and open-source security incident response platform which relies on Cortex to analyze observables (IPs, email addresses, domain names, etc.). Thanks to TheHive Project we had the chance to pentest this software a few weeks ago. TheHive team decided to publish the report jointly with the latest versions of TheHive (Buckfast 2) and Cortex (1.0.2). Here are the blog posts at TheHive Project: one about TheHive, the other about Cortex, and here is the report.

Continue reading

[0day] Anonymous RCE on Geutebruck IP Cameras

Abstract Last summer during a pentest for a client we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” (source: http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html), and found a trivial remote command execution vulnerability (0day) affecting version 1.11.0.12 and prior versions. We chose to “responsibly disclose” it, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Probably the best option, as the Mirai botnet was actively exploiting IP cameras at that time.

Continue reading

[0day] Authentication Bypass on Belden Hirschmann GECKO switches

Abstract Last summer during a pentest for a client we came across industrial switches made by Hirschmann, “a Belden Brand, [which] provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service” (source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm), and found a few previously unknown vulnerabilities (0day) affecting version 2.0.00 and prior versions. We chose to “responsibly disclose” them, directly to Hirschmann and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading