Posts

Showing posts with the label vulnerabilities

D-Link Router CVE-2021-27342 Timing Side-Channel Attack Vulnerability Writeup

Image
I recently bought a new DIR-842 home router, and immediately (as any hacker would) started toying with it - I can’t call it mine until I pop a shell on it. Rather quickly I found I can enable telnet through the admin web gui, and then connect to telnet with an admin user. But that was too easy, so let’s see if we can find a bug/vulnerability. easy work getting a shell I continued looking for a bug in the router’s telnet implementation because it’s an attractive target: it’s remotely accessible, and as learned by previously connecting as system admin, it runs with high privileges. Also, instead of searching for a memory corruption vulnerability, I focused on finding a more easily exploitable logic vulnerability. CVE-2021-27342 Brute Force Protection Bypass The router’s telnet authentication is protected with an anti-brute force mechanism that limits an attacker’s password guessing speed by delaying the “access denied” response of failed logins. However, this protection’s implementation

uTorrent CVE-2020-8437 Vulnerability And Exploit Overview

Image
The world’s most popular torrent client, uTorrent, contained a security vulnerability — later to be called CVE-2020-8437— that could be exploited by a remote attacker to crash and corrupt any uTorrent instance connected to the internet. As white-hat hackers, my friend (who wishes to remain anonymous) and I reported this vulnerability as soon as we found it and it was quickly fixed. Now, after ample time has been given for users to update, it’s safe to disclose an overview of the vulnerability and how to exploit it. Torrent Protocol - What You Need To Know Torrent downloads utilize simultaneous connections to multiple peers (other people downloading the same file), creating a decentralized download network that benefits the collective peer group. Each peer can upload and download data to and from any other peer, eliminating any single point of failure or bandwidth bottleneck, resulting in a faster and more stable download for all peers. Peers communicate with each other using the BitTor

Zero Day Discovery and Infosec Success Celebrations

Image
With the world in quarantine and isolation because of COVID-19, I decided to publish a blog post reminding us of more cheerful times. Take yourself back to the last time you spent weeks hammering away at a seemingly impossible challenge, and quickly fast-forward to when you finished that problem. Do you remember your intense excitement and satisfaction? How did you celebrate your success? I asked security researchers how they celebrate finding 0days, APTs in the wild, new malware, and other big successes.  Here are the results. Thomas Roth @StackSmashing Founder of leveldown , co-founder of keylabsio "I once had a celebratory cake for an 0day" "otherwise I tend to [celebrate] with a nice beer in the evening :)" Thomas's celebratory 0day cake Ashley Shen @ashley_shen_920 Security Engineer at Google Threat Analysis Group "I usually celebrate with picking a restaurant from my do-eat list and have a good meal with friends :)"

Integer Overflow Reference: Min & Max Values

Image
A reference for when working with integers, and looking for integer overflows and underflows. When an integer type, such as an int or unsigned short , overflows (the variable is given a value greater than the maximum value it can hold), the integer "wraps around" and becomes the minimum value the type can store. Similarly, when an integer type underflows (the variable is given a value smaller than the maximum value it can hold), the integer "wraps around" and becomes the maximum value the type can store. Use the chart below to find the minimum and maximum values each type can hold. Size Chart Type Size In Bytes Minimum Value Maximum Value char 1 byte -128 +127 unsigned char 1 byte 0 +255 short 2 bytes -32,768 +32,767 unsigned short 2 bytes 0 +65,535 int 4 bytes -2,147,483,648 +2,147,483,647 long 4 bytes -2,147,483,648 +2,147,483,647 unsigned int 4 bytes 0 +4,294,967,295 unsigned long 4 bytes 0 +4,

CVE-2019-17421 Privilege Escalation Vulnerability In Zoho's OpManager & Firewall Analyzer

Image
Target 🎯 Vendor 🏭 ManageEngine which is a division in Zoho Corp. creates IT management software and tools. The company is a major player in IT management with over 90 tools, and 3 million users served in over 190 countries. Products 💿 Two of ManageEngine's popular products are it's network firewall analyzer and network monitoring software respectively named ManageEngine Firewall Analyzer and ManageEngine OpManager. Vulnerability CVE-2019-17421 affects both (and possibly more) of these products. Vulnerability ⚡ After I set these programs as my research targets, I installed their free trial version, and began mapping out the attack surface. The first thing I noticed is that the program runs as root. This is great for our purposes as this means any local vulnerability will lead to LPE (Local Privilege Escalation). To achieve my goal of finding a security bug, I am no longer limited to only the remotely accessible attack surface. Next, I found the program de

Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through

Image
Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through This is Part 2 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes), and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Link to part 1 here . Links to parts 3, and 4 at the end of this post. This post describes how I found CVE-2019-17424 and successfully exploited the vulnerability in the precompiled, packaged product. Vulnerability ⚡ Reader’s Exercise 🔎 I found CVE-2019-17424 by manually reviewing the source code of nipper-ng. Provided below is an excerpt from the source code containing only the vulnerable function. You are welcome to take it as an exercise to find the vulnerability in the code below: Notice: The vulnerability in the code above is identified in the paragraph below. If you want to try to find the vuln