PT SWARM

2021-05-06 16:51:34 Cisco fixed two Unauth RCEs and an Arbitrary File Upload in HyperFlex HX Data Platform found by our researchers Nikita Abramov and Mikhail Klyuchnikov.

CVE-2021-1497
CVE-2021-1498
CVE-2021-1499

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR Open / Comment

2021-05-04 10:20:28 "Detecting and annoying Burp users" by @dustriorg

Some fun and innovative ways to keep pesky Burp users at bay.

Contents:
• Detecting Burp users
• Detecting the web interface
• Detecting the TLS man-in-the-middle
• TLS ciphers support
• JA3
• Infinitely chunked responses
• Detecting the Burp browser extension recording
• Brotli compression
• User-agent of the embedded browser
• Hackvector
• Breaking stuff in Burp
• Breaking the crawler
• Confusing Burp's active scan
• Breaking the decoding
• Breaking the Intruder

https://www.dustri.org/b/detecting-and-annoying-burp-users.html Open / Comment

2021-04-29 17:20:46 Cisco fixed an Unauth DoS in Adaptive Security Appliance and Firepower Threat Defense found by our researcher Nikita Abramov.

Assigned CVEs: CVE-2021-1445, CVE-2021-1504

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-vpn-dos-fpBcpEcD Open / Comment

2021-04-27 15:22:13 "All Your Macs are belong to us" by @objective_see - how and why an unsigned, unnotarized, script-based proof of concept application could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements) … even on a fully patched M1 macOS system, reverting protection from running malicious code to a pre-2007 era.

Contents:
• Outline
• Background
• File Quarantine
• Gatekeeper
• Notarization Requirements
• Quarantine Attribute
• Problem(s) In Paradise
• Root Cause Analysis
• To The Logs!
• To The Disassembler & Debugger!
• A Recap
• In the Wild
• The Patch
• Protections
• Detections
• Conclusions

https://objective-see.com/blog/blog_0x64.html Open / Comment

2021-04-22 10:36:49 "Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective" by @moxie.

What happens when a data extraction application falls under security scrutiny? Multiple exploits challenging the product's business model, possible copyright infringement, and a sassy tongue-in-cheek narration of events.

Contents:
• The background
• The rite place at the Celleb…rite time
• The software
• The exploits
• The copyright
• The completely unrelated

https://signal.org/blog/cellebrite-vulnerabilities/ Open / Comment

2021-04-19 12:47:46 Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027).

TL;DR: Leak External Storage (/sdcard), remotely collect TLS cryptographic material, MitM WhatsApp communications, RCE on victim device, extract keys used for end-to-end encrypted user communications.

Contents:
• Intro
• The Android Media Store Content Provider
• The Chrome CVE-2020-6516 Same-Origin-Policy bypass
• Session Resumption and Pre-Shared Keys in TLS 1.3
• Session Resumption and the Master Secret in TLS 1.2
• The WhatsApp TLS Man-in-the-Disk Vulnerabilities
• From TLS secrets collection to Remote Code Execution
• Stealing the victim's Noise protocol key pair
• Conclusion and future work
• References

https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/ Open / Comment

2021-04-16 15:47:42 1-Click RCE on Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble via user supplied URLs by @positive_sec.

Contents:
• Introduction
• Root cause: user-supplied URLs opened by the OS
• Finding vulnerable features is straightforward
• Operating systems and desktop environments have different URL opening behaviors
• Windows 10 19042
• Xubuntu 20.04
• Other Linux Operating Systems + Snap
• Mac (Catalina 10.15.6)
• Vulnerabilities
• Nextcloud
• Telegram
• VLC
• Open-/LibreOffice
• Mumble
• Bitcoin/Dogecoin Wallets
• Wireshark
• Bonus-Vulnerability: WinSCP
• Systematic mitigation requires contributions from OS, Framework, and Application maintainers
• Conclusion

https://positive.security/blog/url-open-rce Open / Comment

2021-04-16 11:41:16 Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.

Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074

https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/ Open / Comment

2021-04-13 19:21:17 New article "From 0 to RCE: Cockpit CMS" by our researcher Nikita Petrov.

The story of discovering an unauth NoSQL injection and abusing it to retrieve admin hashes, change passwords, and execute commands!

https://swarm.ptsecurity.com/rce-cockpit-cms/ Open / Comment

2021-04-13 13:21:19 ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3

@HawaiiFive0day got RCE on his brand new Tesla due to chrome's patch gap via porting an @Exodusintel google chrome exploit. A sandbox escape is in the works!

Contents:
• Identifying and building the vulnerable V8
• Sidebar: Changing commits
• Running the exploit
• Why doesn’t it work?
• Troubleshooting with git bisect
• Pointer Compression
• Starting from scratch
• Building fakeobj
• Expanding to arbitrary read/write
• Disassembling a JIT-compiled function, with a surprise
• Running shellcode via WebAssembly
• Further Improvements
• Conclusion

https://leethax0.rs/2021/04/ElectricChrome/ Open / Comment