Security Research

Advisories

Bug Title CVE/Ref Vendor/Software Date
Hacking an altcoin node for ̶f̶u̶n̶ ̶a̶n̶d̶ profit N/A WarCon III - Warsaw June 2018
SQL Injection Information Disclosure ZDI-CAN-4409 Trend Micro SafeSync for Enterprise Mar 2017
SQL Injection Remote Code Execution ZDI-CAN-4642/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4643/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4644/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4645/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4646/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4647/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4648/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4649/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4650/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4651/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4652/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4653/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4654/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4656/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4657/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4658/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4659/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4660/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4661/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4662/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4663/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4664/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4665/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4666/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4667/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4668/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4670/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4672/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4676/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4678/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4680/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4682/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4685/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4686/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4687/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4688/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4690/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4691/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4692/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4693/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4780/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4781/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4782/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4783/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4784/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4785/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4786/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4788/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4790/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4791/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4792/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4793/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4794/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4796/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4797/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4801/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4803/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4804/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4805/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4806/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4679/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4683/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Remote Agent Configuration Settings Information Disclosure ZDI-CAN-4283 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
dlpCrawlerServerInvoker Deserialization of Untrusted Data ZDI-CAN-4284 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listLogDatas SQL Injection ZDI-CAN-4141 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEndPointDocScanResultLIs SQL Injection ZDI-CAN-4142 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listReportDatas SQL Injection ZDI-CAN-4143 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listRoleDatas SQL Injection ZDI-CAN-4144 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
getSourceAcquisitionHistory SQL Injection ZDI-CAN-4145 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listFingerprints SQL Injection ZDI-CAN-4131 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listReportDefs SQL Injection ZDI-CAN-4133 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEndpoints SQL Injection ZDI-CAN-4134 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEntities SQL Injection ZDI-CAN-4136 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listKeywords SQL Injection ZDI-CAN-4137 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
fileAttribList SQL Injection ZDI-CAN-4146 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
importComplianceTemplate XXE Processing File Disclosure ZDI-CAN-4138 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
dataManagementList Remote File Delete DoS ZDI-CAN-4120 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
exportdatatojsp Directory Traversal File Disclosure ZDI-CAN-4119 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
Session Generation Authentication Bypass CVE-2016-8584 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Directory Traversal Authentication Bypass CVE-2016-7552 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Command Injection Remote Code Execution CVE-2016-8586 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Information Disclosure CVE-2016-7547 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Command Injection Remote Code Execution CVE-2016-8585 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
dlp_policy_upload.cgi Remote Code Execution CVE-2016-8587 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
hotfix_upload.cgi Command Injection Remote Code Execution CVE-2016-8588 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_dlp.cgi Command Injection Remote Code Execution CVE-2016-8589 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_dae.cgi Command Injection Remote Code Execution CVE-2016-8590 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query.cgi Command Injection Remote Code Execution CVE-2016-8591 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_system.cgi Command Injection Remote Code Execution CVE-2016-8592 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
upload.cgi Remote Code Execution Vulnerability CVE-2016-8593 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Reflected Cross Site Scripting CVE-2017-5599 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
SQL Injection CVE-2017-5598 eClinicalWorks healow@work 8.0 build 8 Jan 2017
SQL Injection CVE-2017-5570 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
SQL Injection CVE-2017-5569 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
UXSS CVE-2016-8011 McAfee Endpoint Security 10.2 and SiteAdvisor Enterprise 3.5 Dec 2016
Unauthenticated Remote Code Execution CVE-2016-9796 Alcatel Lucent Omnivista 8770 2.0, 2.6, 3.0 and 3.1 Dec 2016
Privilege Escalation CVE-2016-2246 HP ThinPro 4.4, 5.0, 5.1, 5.2, 5.2.1, 6.0, 6.1 Oct 2016
PDF Library Information Disclosure CVE-2016-3374 Microsoft Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10 Oct 2016
Predictable Session CVE-2015-3326 Trend Micro SMEX 10 SP2 May 2016
ReDoS CVE-2015-2526 Microsoft .NET Framework 4.5, 4.5.1, 4.5.2 and 4.6 September 2015
External JAR Injection CVE-2015-2630 Oracle e-Business Suite 11.5.10.2, 12.0.6, 12.1.3 July 2015
Multiple Vulnerabilities CVE-2015-2159 / CVE-2015-2160 / CVE-2015-2161 / CVE-2015-2162 / CVE-2015-2163 / CVE-2015-2164 / CVE-2015-2240 FootPrints Service Core 11.0, 11.1, 11.6, 11.5 May 2015
Root shell access - Kiosk Bypass n/a HP Thin Pro OS - T6X44017 Apr 2015
Remote Code Execution and multiple vulnerabilities CVE-2014-5287/5288 Kemp Load Master (load balancer) v.7.1-16 Apr 2015
Multiple vulnerabilities CVE-2014-0844, CVE-2014-0845 and CVE-2014-0846 IBM Rational Doors Next Generation, Composer and Requirements Feb 2014
Reflected Cross Site Scripting CVE-2013-6956 Juniper - Junos Pulse Secure Access Service - SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611 Apr 2014
WAF Bypass n/a Barracuda Web Application Firewall Oct 2013
Multiple Reflected XSS, 2 ESRI - ArcGIS for Server 10.1, 10.2 Sep 2013
Unrestricted File Upload CVE-2013-5221 ESRI - ArcGIS for Server 10.1, 10.2 Sep 2013
Cross Context Scripting (XCS) - about:history - Remote Code Execution TBA Maxthon Dec 2012
Cross Context Scripting (XCS) - RSS - Remote Code Execution TBA Maxthon Dec 2012
Privileged API Available On i.maxthon.com TBA Maxthon Dec 2012
Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar TBA Maxthon Dec 2012
Incorrect Executable File Handling and Same Origin Policy Implementation TBA Maxthon Dec 2012
Same Origin Policy Bypass - browser:home TBA Avant Browser Dec 2012
Cross Context Scripting - browser:home - Most Visited And History Tabs TBA Avant Browser Dec 2012
Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*) TBA Avant Browser Dec 2012
CSRF 2012-0550 Oracle GlassFish Server Apr 2012
Multiple Cross Site Scripting 2012-0551 Oracle GlassFish Server Apr 2012
Use After Free 2011-4152 Opera Oct 2011
DOM Cross Site Scripting 2011-2133 Adobe RoboHelp 9 Aug 2011
ParanoidFragmentSink allows javascript: URLs in chrome documents pdf (section 2.8) 2010-1585 Mozilla Firefox / Thunderbird Mar 2011
Session Fixation 2010-4437 Oracle WebLogic Server Mar 2011
Multiple Cross Site Scripting Vulnerabilities 2010-2406 Oracle eBusiness Application Oct 2010
HTTP Response Splitting 2010-3514 Oracle Sun Java System Web Server Oct 2010
SOP Bypass 2010-3573 Oracle JRE java.net.URLConnection Oct 2010
XML Entity and XML Injections 2009-3960 Multiple Adobe Products Feb 2010
Chrome Privilege Code Execution Update Scanner Aug 2009
Chrome Privilege Code Execution Coolpreviews Aug 2009
Stored Cross Site Scripting 2008-4725 Opera Oct 2008
Stored Cross Site Scripting Google Analytics Oct 2008
Local File Disclosure 2008-2045 SugarCRM Apr 2008
Reflected Cross Site Scripting DotNetNuke Aug 2006

Presentations

Presentation Download Conferences Date
I Got 99 Trends and a # is All of Them! How We Found Over 100 RCE Vulnerabilities in Trend Micro Software pdf slideshare Hack In The Box 2017 Amsterdam April 2017
Augmented Reality in your web proxy slideshare HackPra Allstars - OWASP App Sec EU 2013 (Hamburg) August 2013
Cross Context Scripting attacks and exploitation slideshare HackPra (Ruhr-Universität Bochum) November 2012
Window Shopping: Browser Bug Hunting in 2012 pdf . slideshare Hack In the Box 2012 (Amsterdam) May 2012
Bridging The Gap: Security and software testing pdf . slideshare ANZTB Test Conference 2011 (Auckland) Mar 2010
Defending Against Application Level DoS Attacks pdf . slideshare OWASP New Zealand Day 2010 (Auckland) Jul 2010
Exploiting Firefox Extensions pdf . slideshare . video OWASP AppSec Asia & SecurityByte 2009 (Gurgaon, IN); DEFCON 17 (Las Vegas, US); EUSecWest 2009 (London, UK) Nov 2009
Reversing JavaScript zip . slideshare OWASP New Zealand Chapter Mar 2009
None More Black: The Dark Side of SEO pdf . slideshare Ruxcon 2008 (Sydney, AU); Kiwicon II (Wellington, NZ) Oct 2008
Browser Security ppt . slideshare OWASP New Zealand Chapter Sep 2008
Black Energy 1.8 - Russian botnet package analysis ppt . slideshare Hack In The Bush (Internal Training) May 2008
Web Spam Techniques ppt . slideshare OWASP New Zealand Chapter Apr 2008
XPath Injection ppt . slideshare OWASP New Zealand Chapter Feb 2008
Ajax Security ppt . slideshare OWASP New Zealand Chapter Dec 2007

White Papers

White Paper Title Download Date
Leveraging XSRF with Apache "Compatibility with older browser" feature and Java Applet pdf Oct 2010
Cross Context Scripting with Firefox pdf Apr 2010
Exploiting Cross Context Scripting Vulnerabilities pdf Apr 2010

Minor tools

Tool Download Date
BurpCSJ extension for Burp Pro web proxy github Aug 2013
sed v0.2 - Search Engine De-optimisation page zip Nov 2008
specialK - simple web folder scanner written in Perl zip Jul 2008

Popular posts from this blog

Pwning a thin client in less than two minutes

Have you ever encountered a zero client or a thin client? It looks something like this...

If yes, keep reading below, if not, then if you encounter one, you know what you can do if you read below...

The model above is a T520, produced by HP - this model and other similar models are typically employed to support a medium/large VDI (Virtual Desktop Infrastructure) enterprise.

These clients run a Linux-based HP ThinPro OS by default and I had a chance to play with image version T6X44017 in particular, which is fun to play with it, since you can get a root shell in a very short time without knowing any password...

Normally, HP ThinPro OS interface is configured in a kiosk mode, as the concept of a thin/zero client is based on using a thick client to connect to another resource. For this purpose, a standard user does not need to authenticate to the thin client per se and would just need to perform a connection - e.g. VMware Horizon View. The user will eventually authenticate through the c…

UXSS in McAfee Endpoint Security, www.mcafee.com and some extra goodies...

During the HITB2017AMS talk given in Amsterdam with @Steventseeley, I promised that I would disclose vulnerabilities affecting a security vendor product other than Trend Micro.

For those who have come to my blog for the first time and are looking at the "insecurities" of security vendors, you might also be interested in how we found 200+ remote code execution vulnerabilities in Trend Micro software...

But this blog post is dedicated to two McAfee products instead: McAfee Endpoint Security and SiteAdvisor Enterprise (now part of McAfee Endpoint Security). For simplicity, I will just refer to McAfee Endpoint Security for the rest of this post.

First let's demonstrate a particular type of XSS, a UXSS, so called because it only affects the McAfee Endpoint Security browser plugin and does not depend on a particular web site or web application.

There are two different injection points:

- UXSS when a user visits a red-labelled web site - the payload is rendered in the BlockP…

Microsoft .NET MVC ReDoS (Denial of Service) Vulnerability - CVE-2015-2526 (MS15-101)

Microsoft released a security bulletin (MS15-101) describing a .NET MVC Denial of Service vulnerability (CVE-2015-2526) that I reported back in April. This blog post analyses the vulnerability in detail, starting from the theory and then providing a PoC exploit against an MVC web application developed with Visual Studio 2013.
For those of you who want to see the bug, you can skip directly to the last part of this post or watch the video... ;-)

A bit of theory

The .NET framework (version 4.5 was tested) uses a backtracking regular expression matcher when performing a match against an expression. Backtracking is based on the NFA (non-deterministic finite automaton) engine, which is designed to explore all possible input states. By supplying an "evil" regex, that is, an expression for which the engine can be forced to evaluate an exponential number of states, the matching time grows exponentially with the input, leading to a condition defined such as "ca…