Jump to content


  • Content count

  • Joined

  • Last visited

Community Reputation

46 Excellent

About osirium

  • Rank
    Registered user
  1. Using open-uri? Check your code - you're playing with fire! " Ruby’s OpenURI is an easy-to-use wrapper for net/http, net/https and net/ftp. As far as I know it’s the most popular way to read URL content, make a GET request or download a file. require "open-uri" internally patches Kernel.open leaving you one step away from remote code execution and reading local files! Here are some examples: open(params[:url]) is remote code execution for url=|ls Didn’t you know if it starts with a pipe Ruby executes it?! Ouch. " Source: https://sakurity.com/blog/2015/02/28/openuri.html
  2. CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data " The authors of check_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the old stable version 1.2.8p25 and below of both check_mk and check_mk Enterprise. It’s basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure of authentication credentials to an unauthenticated user. " Source: https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
  3. Hi, Just curious if you were able to successfully use this tool. Gave it a couple of tries but from some whatever reasons didn't work as expected. Thanks.
  4. Aside with this bug, with WP core 4.8.1 was an undisclosed XSS vector into the oembed default module but searching for details I got only silence on the tube.
  5. " Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. " Source: https://www.contextis.com/blog/xslt-server-side-injection-attacks
  6. PENETRATION TESTING FLASH APPS (AKA “HOW TO CHEAT AT BLACKJACK”) " In this post, we will walk through detailed steps to intercept, review, modify, and replay flash-based web apps. For demonstration purposes, I’ve selected a blackjack-style card game. We will work to control what cards are dealt, as well as how a score is calculated. " Source: https://privsec.blog/penetration-testing-flash-apps-aka-how-to-cheat-at-blackjack/
  7. How can I use CSS-in-JS securely? " CSS-in-JS is an exciting new technology that completely eliminates the need for CSS class names. It makes it possible to add styles directly to your components, using the full power of CSS. Unfortunately, it also promotes interpolation of unescaped props into that CSS, opening you up to injection attacks. And CSS injection attacks are a major security hazard. " Source: https://reactarmory.com/answers/how-can-i-use-css-in-js-securely
  8. Advanced Flash Vulnerabilities in Youtube " ...Flash has been replaced by new javascript/html5 features. These features introduce complexity and new kind of vulnerabilities like bad CORS implementation, DOM XSSes triggered by postMessage or XHR requests, active mixed content… Learning from Flash mistakes can help design and implement more secure javascript applications. The new Youtube html5 Api is mostly a porting of the Youtube Flash Api to javascript, making it interesting to study. In fact, I was able to find XSSes in the Youtube html5 Api using my knowledge of the Flash Api. " Source: https://opnsec.com/2017/08/advanced-flash-vulnerabilities-in-youtube/
  9. DeLux Edition: Getting root privileges on the eLux Thin Client OS Designed as a secure, streamlined environment for users to access applications such as a browser, Citrix and terminal services, the vendor describes eLux as: “… a hardware-independent operating system for cloud computing environments. It is based on a write protected file system and therefore secure against computer viruses and other malware without using special Antivirus Software. eLux® has been continuously developed and enhanced for more than 15 years." Source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/delux-edition-getting-root-privileges-on-the-elux-thin-client-os/
  10. Leveraging Duo Security’s Default Configuration to Bypass Two-Factor Authentication " Few things are more frustrating as an attacker than running up against widely implemented two-factor authentication (2FA). Even with valid credentials, without a valid two-factor authentication code or push acknowledgement, logging in to a protected service and abusing its capabilities or harvesting information isn’t possible. But what if instead of attacking the application, we first attacked how the two-factor authentication was implemented? In this blog post, we’ll discuss how one particular 2FA solution – by Duo Security – can have its default configuration leveraged to allow a log in without 2FA and how to mitigate against this tactic. " Source: https://appsecconsulting.com/blog/leveraging-duo-securitys-default-configuration-to-bypass-two-factor-authent
  11. CVE-2017-6327: Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE " This is an advisory for CVE-2017-6327 which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as root. Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based anti-spam/security product for e-mail servers. It is deployed as a physical device or with ESX in close proximity to the servers it is designed to protect. " PS. The advisory says something regards a fully automated python file which can be used to p0wn vulnerable targets but probably won't be released for well-understood reasons. Source: http://seclists.org/fulldisclosure/2017/Aug/28
  12. Summary: " SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to quickly create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events. " Source: https://github.com/cliffe/SecGen
  13. G-Scout: OSS tool to assess the security of Google Cloud Platform (GCP) environment configurations " G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results. The audited data relates to: IAM roles Compute engine instances Storage buckets Firewall rules SQL and noSQL databases Service account keys G-Scout also allows users to create and customize rulesets simply by creating Python functions. " Source: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/
  14. Arbitrary code execution via crafted ssh:// in Git """ A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. """ Source: http://blog.recurity-labs.com/2017-08-10/scm-vulns https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
  15. Writing my first shellcode - iptables -P INPUT ACCEPT " I've recently started to look into basic application security concepts using the imho excellent material from OpenSecurityTraining.info. In this blogpost I'd like to share my first piece of shellcode executing iptables -P INPUT ACCEPT. **Background** After practically learning how to exploit a simple stackoverflow I wanted to see if I could write my own shellcode. I somehow came across the shellcode repository at shell-storm.org and wanted to develop something that wasn't already in there and is somehow useful. There are multiple entries which execute iptables -F. However, as far as I know, this only flushes all rules from all tables, but doesn't change the default policies. So it may drop all rules, but if a server's default policy is DROP you'll cut the machine off the internet. Mission failed. My idea was to write a piece of shellcode that would change the default policy of the INPUT chain to ACCEPT, i.e. run iptables -P INPUT ACCEPT. Writing shellcode First of all, I'd like to say that I'm not an 1337 sh3llc0d3 3Xp3rt. I read about some basics and tried to understand other people's shellcode and their tricks. So feedback is very welcome! Simply leave a comment or send me an e-mail. The goal is to run /sbin/iptables -P INPUT ACCEPT. At this point we assume that the exploited application has enough privileges to execute this command. Otherwise you might want to add some setuid(0) code or so. " Source: https://0day.work/writing-my-first-shellcode-iptables-p-input-accept/