In this blog post, we will explore how to exploit CNEXT blind, covering the cases where we have a file read primitive but cannot get its output.
In this blog post, we will explore a new way of exploiting the vulnerability on PHP, using direct calls to iconv(), and illustrate the vulnerability by targeting Roundcube, a popular PHP webmail.
A few months ago, I stumbled upon a 24-year-old buffer overflow in glibc, the base library for Linux programs. Despite being reachable in multiple well-known libraries and executables, it proved rarely exploitable: it provided little leeway and required hard-to-achieve preconditions. Looking for targets led mainly to disappointment. On PHP, however, the bug shone, and proved useful in exploiting its engine in two different ways.
Early this year we had the opportunity to pentest WatchGuard firewalls (XTM, Firebox) for a red team engagement. This blog post follows the journey in which I discovered 5 vulnerabilities (2 of them patched along the way), built 8 distinct exploits, and finally obtained an unpatched pre-authentication remote root 0-day on every WatchGuard Firebox/XTM appliance.
Several flaws have been identified in the latest version of Magento 2, allowing an attacker to obtain complete control over the server. We're now releasing the exploit for the unauthenticated SQL injection. We'll release the details for the RCE vulnerability at a later time.
Prestashop 1.6.1.19 sessions can be read and written by an attacker, resulting in a range of vulnerabilities including privilege escalation and remote code execution.
A few months ago, the Ambionics Security team had the chance to audit Oracle PeopleSoft solutions. PeopleSoft applications expose many unauthenticated endpoints, several of which carry poorly documented XXE vulnerabilities. We'll show how a full SYSTEM shell can be obtained from them.
The Ambionics Security team discovered a pre-authentication SQL injection in the TYPO3 News module. This module is the 20th most used TYPO3 module, with almost 60,000 downloads.
Some time ago, the Ambionics team encountered a very old Grails instance that contained a plugin to generate PDFs from Groovy templates. Upon looking into the plugin's source code, we discovered an XXE vulnerability.
As a new year comes, it is a good time to review two high impact vulnerabilities that were discovered four years apart, but that are in fact rooted in the same piece of code.
A cookie is a piece of information deposited on a web user’s hard drive by the server of the website they are browsing. It contains several data points: the name of the server which deposited it, a unique ID number, possibly an expiry date. This information is sometimes hosted on the computer in a simple text file the server then accesses to read and write information.
Two types of cookies are deposited on and/or read from the Site:
An audience-measuring cookie (Google Analytics) which allows it to analyze the User’s browsing and measure the audience of the Site (number of visits, number of pages seen, visitors’ activity on the Site, frequency of return visits on the Site).
A User interface customization cookie that allows for the language chosen by the User by clicking the appropriate flag (French or English) to be remembered.
The User is informed that:
The audience-measuring cookie (Google Analytics) is valid for 12 months starting from its initial deposit on the User’s terminal.
The User interface customization cookie is valid for 12 months starting from its initial deposit on the User’s terminal.
The User is informed that they may oppose the deposit and/or consultation of cookies using their browser’s settings prior to their deposit and one by one.
Each browser’s settings are different; the User can find the steps to follow to manage cookies in the Help section of their browser.