0day

[PrivExchange] From user to domain admin in less than 60sec !

Dirk-jan Mollema, a pentester working for Foxit, found a very clever attack allowing any user, owning an Exchange mailbox, to obtain Domain Admin privileges. The attack has been unveiled last week, strangely without a lot of media coverage (but things seem to change, the daily blogpost of the SANS ISC covered the subject yesterday). As there is still no fix (think software patch to install) from Microsoft, the term “0day” is around.

Continue reading

[s03e01] RCE on Geutebruck IP Cameras

Abstract A few weeks ago we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found a RCE affecting version 1.12.0.24 and prior versions of E2 series IP cameras. In fact it is the third time we find a a RCE on this product line. One in 2016, another one in 2017 and now a new one in 2018.

Continue reading

[0day] Anonymous RCE on Geutebruck IP Cameras - again

Abstract A few months ago during a pentest, with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found 3 RCE: a blind SQL Injection, a SSRF, a CSRF and a stored XSS affecting version 1.12.0.4 and prior versions. We’ve choose to “responsible disclose” these 0day vulnerabilities, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading

[0day] Digium Asterisk OS Command Injection Vulnerability

Abstract Last summer during a pentest for a client we came across a product made by an international provider of intercom systems which uses the very popular Asterisk communication software and found a trivial remote command execution vulnerability in its latest GUI (2.1.0). This product is used in many very sensitive environments like prisons and official buildings. We’ve choose to “responsible disclose” them, directly to Digium and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading

[0day] LogicalDOC - from guest to root

LogicalDOC is a DMS (Document Management System) available either in a community (and free) edition, or in a professional (and expensive) version. This type of product is normally used to share and access doc from « everywhere » as they say on their website: « Your documents – Always accessible, from anywhere, at any time » which means web interfaces widely open on the internet. During a pentest, we found that a client used one of this product (in community version 7.

Continue reading

[0day] Bull/IBM AIX Clusterwatch/Watchware vulnerabilities

Bull/IBM Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters. Marble effect in the web banner and questionable font: it smells the 90s ! Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it: Trivial admin credentials Authenticated user can write on the system file Authenticated user can inject OS commands By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.

Continue reading

[0day] Anonymous RCE on Geutebruck IP Cameras

Abstract Last summer during a pentest for a client we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” (source: http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html) and found a trivial remote command execution vulnerability (0day) affecting version 1.11.0.12 and prior versions. We’ve choose to “responsible disclose” it, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Probably the best option as the Mirai botnet was actively exploiting IP cams at that time.

Continue reading

[0day] Authentication Bypass on Belden Hirschmann GECKO switches

Abstract Last summer during a pentest for a client we came across industrial switches made by Hirschmann: a Belden Brand, (which) provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service. (Source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm ) and found a few unknown vulnerabilities (0day) affecting version 2.0.00 and prior versions. We’ve choose to “responsible disclose” them, directly to Hirschmann and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).

Continue reading