
PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

Ratings & Reviews

1.33 (3 reviews: 2 × 1 star, 1 × 2 stars)


The latest Messages

2022-07-06 18:35:19
Useful Burp Suite hotkeys to find flaws only Ninja sees
4.4K views, edited, 15:35
2022-07-06 15:57:44 Account hijacking using "dirty dancing" in sign-in OAuth-flows

by Frans Rosén


Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans Rosén, Security Advisor at Detectify, goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.


Contents:
• Background
• Current state and assumptions about OAuth credential leakage
• Explanation of different OAuth-dances
• Response modes
• A theory: stealing tokens through postMessage
• It took a lot of time to get here
• Non-happy paths in the OAuth-dance
• Break state intentionally
• Response-type/Response-mode switching
• Redirect-uri case shifting
• Redirect-uri path appending
• Redirect-uri parameter appending
• Redirect-uri leftovers or misconfigurations
• I ended up on a non-happy path. Now what?
• Here be more time
• URL-leaking gadgets
• Other ideas for leaking URLs
• A page on a domain that routes any postMessage to its opener
• Conclusion
• How can we fix this?
• How to reduce the risk


https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
2.9K views, 12:57
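The redirect-uri and response-type/mode quirks listed in the contents above are exactly what an authorization server's request validation has to reject. The Python below is an added example, not code from the article, from Detectify or from any OAuth library: it puts a loose redirect_uri comparison (case-insensitive prefix match, the kind those quirks get past) beside a strict one (exact match against the registration), and wraps it in a request validator that also pins response_type and response_mode to what the client registered and requires a state value. The client registration, the quirk URIs and the state value are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration for a hypothetical client; the values are mine,
# not from the article.
CLIENT = {
    "client_id": "example-app",
    "redirect_uris": {"https://app.example.com/oauth/callback"},
    "response_types": {"code"},    # what the client was registered for
    "response_modes": {"query"},   # "fragment" would put the code where page JS can read it
}

# One attacker-controlled variant per redirect-uri quirk named in the article
# (constructed inputs).
QUIRKS = {
    "case shifting": "https://app.example.com/oauth/Callback",
    "path appending": "https://app.example.com/oauth/callback/../static",
    "parameter appending": "https://app.example.com/oauth/callback?next=evil",
}

def loose_redirect_uri_ok(registered, candidate):
    """The kind of comparison the quirks get past: case-insensitive prefix
    match, so extra path segments and query parameters are tolerated."""
    return any(candidate.lower().startswith(r.lower()) for r in registered)

def strict_redirect_uri_ok(registered, candidate):
    """Exact string match against the registered value. RFC 6749 also forbids
    a fragment in redirect_uri, so reject that explicitly."""
    if urlsplit(candidate).fragment:
        return False
    return candidate in registered

def validate_authorization_request(client, params, strict=True):
    """Return (ok, reason) for the parameters of an /authorize request.
    `params` maps parameter name to a single string value."""
    if params.get("client_id") != client["client_id"]:
        return False, "unknown client_id"
    uri_ok = strict_redirect_uri_ok if strict else loose_redirect_uri_ok
    if not uri_ok(client["redirect_uris"], params.get("redirect_uri", "")):
        return False, "redirect_uri does not match registration"
    # response_type is a space-separated set ("code token"); every member
    # must be registered, which blocks response-type switching.
    types = set(params.get("response_type", "").split())
    if not types or not types <= client["response_types"]:
        return False, "response_type not registered for client"
    mode = params.get("response_mode", "query")
    if mode not in client["response_modes"]:
        return False, "response_mode not registered for client"
    if not params.get("state"):
        return False, "state missing"
    return True, "ok"

def params_from_authorize_url(url):
    """Flatten the query string of an authorization URL into a dict
    (last value wins for duplicated parameters)."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}

GOOD_REQUEST = {
    "client_id": "example-app",
    "redirect_uri": "https://app.example.com/oauth/callback",
    "response_type": "code",
    "state": "4f3c9b1e",  # constructed opaque value, bound to the user session
}

def quirk_results():
    """For each quirk: (accepted by loose matcher, accepted by strict matcher)."""
    return {
        name: (loose_redirect_uri_ok(CLIENT["redirect_uris"], uri),
               strict_redirect_uri_ok(CLIENT["redirect_uris"], uri))
        for name, uri in QUIRKS.items()
    }

if __name__ == "__main__":
    for name, (loose, strict) in quirk_results().items():
        print(f"{name:20} loose={loose} strict={strict}")
    for label, extra in [("baseline", {}),
                         ("response_type=code token", {"response_type": "code token"}),
                         ("response_mode=fragment", {"response_mode": "fragment"})]:
        print(label, validate_authorization_request(CLIENT, {**GOOD_REQUEST, **extra}))
```

This covers only the authorization-server side. The leak the article describes happens on the client's non-happy path, where the code is still sitting in the page URL, so the client also has to keep third-party scripts off those error pages or remove the code from the URL before they load.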
2022-06-30 16:27:37
Zoneminder fixed a Post-Auth RCE found by our researcher Ilya Yatsenko (@fulc2um).

See details in the advisory https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.16
2.3K views, 13:27
2022-06-23 13:22:31
We have reproduced CVE-2022-31626, an RCE in PHP <= 7.4.29 which can be triggered via a rogue MySQL/MariaDB server!

It's a Heap Overflow, works with MySQLi/PDO, and doesn't require LOAD LOCAL INFILE.

The PoC https://github.com/CFandR-github/PHP-binary-bugs/tree/main/cve_2022_31626_remote_exploit
1.6K views, 10:22
2022-06-17 17:20:22
Invision Community fixed an SSRF vulnerability (CVE-2021-40604) found by Mikhail Klyuchnikov!

Timeline:
06/23/2021 - The advisory is published
06/24/2021 - Requested CVE via MITRE
06/13/2022 - CVE was assigned

The PoC

The "gkey" param is an unfollow token.
871 views, 14:20
2022-06-06 16:43:39
Everyone learned to run pip install colorama to exploit Atlassian Confluence RCE (CVE-2022-26134), so let’s see how the vulnerability works under the hood.

Here we show our simplified payload which demonstrates a workflow inside the vulnerable code.
2.0K views, edited, 13:43
2022-06-04 08:59:37 Active Exploitation of Confluence CVE-2022-26134

by Rapid7

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.
CVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the confluence user on Linux installations). Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk.

Contents:
• Technical analysis
•• The vulnerability
•• Root cause
•• The patch
•• Payloads
• Mitigation guidance

https://www.rapid7.com/ja/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
613 views, 05:59
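A quick hunt over web-server access logs for the injection pattern, as an added example that is neither Rapid7's nor Atlassian's code. Public analyses of CVE-2022-26134 show the OGNL expression being sent in the URI path wrapped in `${...}`; the Python below parses common-log-format lines, percent-decodes the request target (repeatedly, which is my own addition to also catch double-encoded variants, not something the advisory states) and reports every request whose decoded target contains `${`. The log lines are constructed, and the `${(#x=1)}` expression in them is a harmless placeholder standing in for a payload, not an exploit.

```python
import re
from urllib.parse import unquote

# Common/combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic). The ${(#x=1)} expression is a
# harmless placeholder, sent raw, URL-encoded and double-URL-encoded.
SAMPLE_LOG = [
    '198.51.100.5 - - [03/Jun/2022:10:14:58 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '203.0.113.10 - - [03/Jun/2022:10:15:01 +0000] "GET /${(#x=1)}/ HTTP/1.1" 302 0',
    '203.0.113.10 - - [03/Jun/2022:10:15:02 +0000] "GET /%24%7B%28%23x%3D1%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.11 - - [03/Jun/2022:10:15:03 +0000] "GET /%2524%257B%2528%2523x%253D1%2529%257D/ HTTP/1.1" 302 0',
    '198.51.100.6 - - [03/Jun/2022:10:16:00 +0000] "GET /dosearchsite.action?queryString=%2450 HTTP/1.1" 200 3000',
]

def fully_decode(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %2524%257B is seen as ${ as well. Assumption: looking
    through double encoding is my addition for hunting, not advisory text."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": int(status)}

def find_ognl_candidates(lines):
    """Return parsed entries whose decoded request target contains the OGNL
    expression opener '${'. Path and query string are both inspected."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = fully_decode(entry["target"])
        if "${" in decoded:
            entry["decoded_target"] = decoded
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_ognl_candidates(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["decoded_target"]} -> {hit["status"]}')
```

Run against real logs, a hit is a candidate to confirm, not a verdict: the decoded target tells you what expression was attempted, and the status code only says whether Confluence answered, not whether the expression ran.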
2022-06-02 17:58:11
PoC for a Post-Auth SQL-Injection (CVE-2022-0757) in Nexpose Vulnerability Scanner <= 6.6.128

Default port: 3780
Default username: nxadmin
Affected handler: /data/asset/filterAssets
870 views, 14:58
2022-06-01 14:24:14 From open redirect to RCE in one week

by Anton ???

In this write-up the author tells the story of chaining multiple vulnerabilities to achieve RCE on several hosts of Mail.ru (VK). The exploit chain consists of the following bugs: Open Redirect, Unsafe Deserialization, Kohana hack, LFI for Logs.

Contents:
* Intro
* Functionality that caught my attention
* Possible scenarios
* Open redirect
* Deserialization
* Kohana
* Chaining all together
* Logs
* Null bytes
* Last poison

https://medium.com/@byq/from-open-redirect-to-rce-in-one-week-66a7f73fd082
953 views, 11:24
2022-05-24 19:14:41 New research by Alexander Popov: "A Kernel Hacker Meets Fuchsia OS"

Fuchsia OS is based on the Zircon microkernel and developed by Google. Alexander assessed it from the attacker's point of view.

Read the article: https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/
380 views, 16:14