malerisch.net

During the HITB2017AMS talk given in Amsterdam with  @Steventseeley , I promised that I would have disclosed vulnerabilities affecting a security vendor product other than Trend Micro. For those who have come to my blog for the first time and are looking at "insecurities" of security vendors, you might be interested as well on how we found 200+ remote code execution vulnerabilities in Trend Micro software ... But this blog post is dedicated to two McAfee products instead: McAfee Endpoint Security and SiteAdvisor Enterprise (now part of McAfee Endpoint Security). For simplicity, I will just refer to McAfee Endpoint Security for the rest of this post. First let's demonstrate a particular type of XSS, a UXSS, considering that fact that it only affects the McAfee Endpoint Security plugin and does not depend on a particular web site or web application. There are two different injection points: - UXSS when user visits a red labelled web site - the payload is rendere

In the last few months, I have been testing several Trend Micro products with Steven Seeley ( @steventseeley ). Together, we have found more than 200+ RCE (Remote Code Execution) vulnerabilities and for the first time we presented the outcome of our research at Hack In The Box 2017 Amsterdam  in April. The presentation is available as a PDF or as a Slideshare . Since it was not possible to cover all discovered vulnerabilities with a single presentation, this blog post will cover and analyze a further vulnerability that did not make it to the slides, and which affects the Trend Micro Threat Discovery Appliance (TDA) product. CVE-2016-8584 - TDA Session Generation Authentication Bypass This was an interesting vulnerability, discovered after observing that two consecutive login attempts against the web interface returned the same session_id token. Following this observation, our inference was that time factor played a role. After further analysis and reversing of the TDA libra

Back in 2015, I have published a blog post titled " Pwning a thin client in less two minutes " which attracted a lot of curiosity from the Internet and which was also featured in the  HACKADAY  blog. Today, together with Vincent Hutsebaut ( @vhutsebaut ), we are releasing a further technique to pwn the same thin client and get a root shell without authentication, in less than one minute! The attack detailed below is a typical kiosk attack which consists in a local privilege escalation which affects different versions of HP Thin Pro OS (HP ThinPro 4.4, HP ThinPro 5.0, HP ThinPro 5.1, HP ThinPro 5.2, HP ThinPro 5.2.1, HP ThinPro 6.0, HP ThinPro 6.1). The vulnerability (CVE-2016-2246) has been patched by HP and a technical bulletin has been published . HP stated that they have fixed the issue before our report was sent to them and were on the way to publish a security bulletin when we contacted them. Since the patch is out, let's dive into the vulnerability, which i

In the last year, as a personal research project, I started to look more into browsers and decided to fuzz some high-level targets, such as Edge and IE11, together with Steven Seeley ( @steventseeley ). I have to admit that it is quite hard nowadays to approach this kind of research, especially with limited time and resources (just few virtual machines running at home…), but nevertheless it became an incredible learning experience. Given our constraints, the fuzzing focus was to target other things than common targeted components, such as DOM, JavaScript and so on, so we decided to go for the PDF file format. One of the interesting conditions that we found was the one that has just been patched by Microsoft and detailed in the MS16-115  security bulletin. The vulnerability is an out-of-bounds read which can lead to memory information disclosure. The technical advisory can be found at Steven Seeley's web site:  http://srcincite.io/advisories/src-2016-0039/ . References