PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

Ratings & Reviews: 1.33 (3 reviews)

The latest messages (11)

2021-06-02 17:56:02 New Article: "Guide to P-code Injection: Changing the intermediate representation of code on the fly in Ghidra" by Vyacheslav Moskvin.

The final piece of the four-part series about creating a Ghidra plugin to decompile Node.js bytecode is now out!

https://swarm.ptsecurity.com/guide-to-p-code-injection/
2021-06-02 09:43:38 Fortinet fixed a Post-Auth RCE in FortiWeb (CVE-2021-22123) found by our researcher Andrey Medov.

This vulnerability was part of an Unauth RCE chain submitted together with CVE-2020-29015 (Unauth SQL Injection), which was fixed by Fortinet earlier.

Advisory: https://www.fortiguard.com/psirt/FG-IR-20-120

Subscribe to the PT SWARM Twitter to get updates about all of the latest vulnerabilities discovered by us.
2021-05-27 20:17:10 "13 Nagios Vulnerabilities, #7 will SHOCK you!" by Samir Ghanem

Gaining access to Nagios XI server results in upstream compromise of management server, i.e. every other customer monitored. Exploitation facilitated with soygun tool.

Contents:
• TL;DR
• Why Nagios?
• What is Nagios?
• The Code
• Challenge Accepted
• What are we trying to achieve?
• Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)
• Step 2: Elevate privileges to ‘root’ on Nagios XI server (CVE-2020-28910)
• Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)
• Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)
• Step 5: Elevate privileges from apache to root using the ‘cmd_subsys.php’ (CVE-2020-28902)
• Step 6: Get list of “fused” XI servers and exploit them using Step 1 and 2
• PoC or Attack Platform
• SoyGun
• Command & Control (C2)
• SoyGun Implant
• DeadDrop
• Demo
• Disclosure and Afterthoughts
• Full Vulnerabilities List

https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
2021-05-27 17:58:13 We continue our series of articles dedicated to decompiling Node.js bytecode with a new article by Natalya Tlyapova: Creating a Ghidra processor module in SLEIGH using V8 bytecode as an example.

https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/
2021-05-26 11:50:16 HTTP Request Smuggling via higher HTTP versions by @emil_lerner as presented at PHDays 2021.

HTTP request smuggling reinvented with multiple novel approaches implemented in a new tool http2smugl.

Contents:
• HTTP Request Smuggling basic concepts
• HTTP Request Smuggling exploitation scenarios
• HTTP/2 body transfer
• content-length conflicts actual length
• no content-length forwarding
• content-length conflicting transfer-encoding
• HTTP/2 header validation
• new lines in headers
• less strict validation
• Detection ideas
• False positive
• Varnish
• RFC 8441
• Haproxy & nghttp2
• Open problem
• H2O http3 (QUIC)
• Automation
• Further research

Slideshow: https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions

Video Presentation: https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/
2021-05-24 11:42:50 New article: Decompiling Node.js in Ghidra by our researcher Vladimir Kononovich.

This is the second article in the series dedicated to covering the technical details of our plugin to decompile bytenode JSC files (serialized Node.js bytecode).

https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/
2021-05-18 20:43:42 NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket by Paul Gerste

RCE on Rocket.Chat servers via MongoDB noSQLi. Valid account required.

Contents:
• Impact
• Technical Details
• MongoDB Injection Primer
• NoSQL Injection #1: Taking Over a Regular User
• NoSQL Injection #2: Elevating Privileges
• From Admin to Remote Code Execution
• Mitigation
• Timeline
• Summary

https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
2021-05-17 22:44:30 ExifTool CVE-2021-22204 - Arbitrary Code Execution discovered by @vakzz.

The story of finding an ImageTragick-esque vulnerability, originally in GitLab. Go down the rabbit hole of image parsing with Perl!

Contents:
• Background
• The Bug
• Additional Formats
• Bonus Formats
• References

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
2021-05-13 19:07:20 New article "How we bypassed bytenode and decompiled Node.js (V8) bytecode in Ghidra" by our researcher Sergey Fedonin.

https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/
2021-05-11 19:01:12 VMware fixed an Unauth RCE in vRealize Business for Cloud (CVE-2021-21984) found by our researcher Egor Dimitrenko.

Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0007.html