malerisch.net

During the HITB2017AMS talk given in Amsterdam with  @Steventseeley , I promised that I would have disclosed vulnerabilities affecting a security vendor product other than Trend Micro. For those who have come to my blog for the first time and are looking at "insecurities" of security vendors, you might be interested as well on how we found 200+ remote code execution vulnerabilities in Trend Micro software ... But this blog post is dedicated to two McAfee products instead: McAfee Endpoint Security and SiteAdvisor Enterprise (now part of McAfee Endpoint Security). For simplicity, I will just refer to McAfee Endpoint Security for the rest of this post. First let's demonstrate a particular type of XSS, a UXSS, considering that fact that it only affects the McAfee Endpoint Security plugin and does not depend on a particular web site or web application. There are two different injection points: - UXSS when user visits a red labelled web site - the payload is rendere

Kemp virtual load master is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here:  http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download By default, Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed in the post below can either be exploited attacking an authenticated user via CSRF or XSS based attacks. The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later). Change logs of the fixed issues can be found at the following page: " PD-2183 Functions have been added to sanitize input in the WUI in order to   reso

Details Vendor Site: Maxthon (www.maxthon.com) Date: December, 5 2012 – CVE (TBA) Affected Software: Maxthon 3.4.5.2000 and previous versions Status: Unpatched (at the time of publishing) Researcher: Roberto Suggi Liverani -  @malerisch PDF version: Maxthon_multiple_vulnerabilities_advisory.pdf Cross Context Scripting Cross Context Scripting   (XCS) is a particular code injection attack vector where the injection occurs from an untrusted zone (e.g. Internet) into a privileged browser zone. In this case, it is possible to inject arbitrary JavaScript/HTML code from an untrusted page into Maxthon browser privileged zone - mx://res/*. Description A malicious user can inject arbitrary JavaScript/HTML code via multiple RSS feed elements. Vulnerable elements are the following: <title> element: JavaScript injection using HTML encoded payload <link> element: JavaScript injection using javascript: pseudouri <description> element: JavaScript injectio

Details Vendor Site: Maxthon (www.maxthon.com) Date: December, 5 2012 – CVE (TBA) Affected Software: Maxthon 3.4.5.2000 and previous versions Status: Unpatched (at the time of publishing) Researcher: Roberto Suggi Liverani - @malerisch PDF version:  Maxthon_multiple_vulnerabilities_advisory.pdf Cross Context Scripting Cross Context Scripting  (XCS) is a particular code injection attack vector where the injection occurs from an untrusted zone (e.g. Internet) into a privileged browser zone. In this case, it is possible to inject arbitrary JavaScript/HTML code from an untrusted page into Maxthon browser privileged zone - mx://res/*. Description A malicious user can inject arbitrary JavaScript/HTML code through the websites visited with the Maxthon browser. The code injection is rendered into the History page (about:history), which displays URL and a short description of the visited pages. A malicious user can inject JavaScript/HTML content by using the location.hash p

Following disclosure of Oracle bugs , here is another bug found in Oracle GlassFish Server 3.1.1. The interesting part of this advisory is the exploit. When looking at the features of the Oracle GlassFish Server, I have noticed that with a XSS it would be possible to steal the session token and bypass HTTPOnly protection. I have found this condition to be true if a user is authenticated to the REST interface, which does not have the same security controls of the main web administrative interface. Quite an interesting point to keep in consideration when testing applications that come with a standard interface and a REST interface as well. Details Vendor Site: Oracle (www.oracle.com) Date: April, 19th 2012 – CVE 2012-0551 Affected Software: Oracle GlassFish Server 3.1.1 (build 12) Researcher: Roberto Suggi Liverani PDF version: http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf Description Security-Assessment.com has discover

Time for some disclosure. Below, details of a CSRF bug discovered in Oracle GlassFish Server 3.1.1 few months ago. Interesting to observe that Oracle rates this as the third most critical bug fixed among the Oracle Sun Products. I guess that's because of the exploit which was included in the original report and which I am releasing as part of this advisory. I found a curios angle to exploit this bug, as arbitrary file upload of a WAR archive can be performed. A quite cool way to exploit a CSRF and own Oracle GlassFish, if you ask me :-). Enjoy. Details Vendor Site:  Oracle (www.oracle.com) Date:  April, 19th 2012 – CVE 2012-0550 Affected Software:  Oracle GlassFish Server 3.1.1 (build 12) Researcher:  Roberto Suggi Liverani PDF version:  http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_REST_CSRF.pdf Description Security-Assessment.com has discovered that the Oracle GlassFish Server REST interface is vulnerable to Cross Site Request F