
PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

Ratings & Reviews: 1.33 (3 reviews: 2 stars: 1, 1 star: 2)

The latest 10 messages

2021-07-16 12:37:18
PoC for a boolean-based SQLi in Rapid7 Nexpose <= 6.6.48 (CVE-2020-7383)

https://nexpose.local:3780/data/discoveryAsset/config/folderPath?path=[sqli]
4.5K views, 09:37
2021-07-16 11:27:20 Remote code execution in cdnjs of Cloudflare
by @ryotkak

A path traversal in Cloudflare's cdnjs library update server during archive extraction could be used to execute arbitrary commands, and as a result, cdnjs could be completely compromised, affecting around 12.7% of all websites on the internet once caches are expired.

Contents:
• Preface
• TL;DR
• About cdnjs
• Reason for investigation
• Initial investigation
• Investigation of automatic update
• Path traversal
• Demonstration of vulnerability
• Incident
• Determinate impact
• Conclusion
• Timeline

https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/
1.5K views, 08:27
2021-07-09 11:53:02 CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT
by @thezdi

The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.

Contents:
• The Vulnerability
• Exploitation
• Proof of Concept
• Getting Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict
1.3K views, 08:53
2021-07-07 17:28:57
PoC for SSRF in IBM QRadar SIEM (CVE-2020-4786)

GET /console/chartServer?output=image&data=http://127.0.0.1:8080
1.8K views, 14:28
2021-07-01 16:34:49
RARLAB fixed a MITM (CVE-2021-35052) in WinRAR found by our researcher Igor Sak-Sakovskiy.

This attack could be leveraged to achieve code execution on a user's machine.

Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1
494 views, 13:34
2021-06-29 16:17:30 Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
by Michael Stepankin aka @artsploit

The story of discovering and exploiting a Java deserialization vulnerability leading to RCE in ForgeRock OpenAM.

PoC: GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=[serialized_object]

Contents:
• The Story
• Obtaining Code & Decompiling
• Source code analysis
• Jato
• Testing on bug bounty (and failing)
• Building a custom gadget chain
• Let's get this bread
• The patch
• Key takeaways

https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
1.6K views, 13:17
2021-06-24 16:34:08
PoC for XSS in Cisco ASA (CVE-2020-3580)
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

SAMLResponse=">
1.6K views, 13:34
2021-06-23 18:36:39 LEXSS: Bypassing Lexical Parsing Security Controls
by Chris Davis of @Bishop Fox

"By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content. The primary goal in exploiting these types of XSS vulnerabilities is to get the sanitizing lexical parser to view the data as text data and not computer instructions (e.g., JavaScript instructions)."

Contents:
• Introduction to Key Concepts
• Cross-site Scripting (XSS) Protections
• Cross-site Scripting (XSS) Protections via Lexical Parsing
• How the Data Flows Through the HTML Parser
• The Concept of the HTML Parser's Context State
• Namespaces – Foreign Content and Leveraging the Unexpected Behavior
• Sanitizing Lexical Parsing Flow
• Test Case 1 = TinyMCE XSS
• Test Case 2 = Froala XSS
• Prevention
• Conclusion
• Resources

Read the article
632 views, 15:36
2021-06-11 14:58:14 "Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass" by @_dirkjan.

Detailed description of CVE-2020-0665, a logic flaw, which allowed the bypassing of the SID filtering mechanism, leading to the compromise of hosts in transitively trusted forests.

Contents:
• Some important points
• Forging inter-realm tickets and Wireshark debugging
• Do you need to use inter-realm tickets?
• Which keys do I need for inter-realm tickets
• Debugging Kerberos the easy way
• Trust transitivity
• Trust transitivity - new domain discovery
• Trust transitivity, adding our own SIDs to the trust
• How many domains are there in a domain?
• Do you trust this domain? [Y/n]
• Designing a new forest trust attack
• Executing the forest trust bypass
• Obtaining the local SID
• Becoming a domain
• Executing the chain
• Disclosure and patch notes

https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
399 views, 11:58
2021-06-03 10:14:15 CVE-2021-31181: Microsoft SharePoint webpart interpretation conflict RCE vulnerability

To quote @thezdi: "this vulnerability could be used by an authenticated user to execute arbitrary code on the server in the context of the service account of the SharePoint web application. For a successful attack, the attacker must have SPBasePermissions.ManageLists permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permission."

Contents:
• The Vulnerability
• Proof of Concept
• Getting Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability
283 views, 07:14