PT SWARM

Channel address: @ptswarm
Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel

Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting

The latest Messages 6

2021-11-30 16:57:14
Persistent XSS in any message in vBulletin! Patched since 13 Apr 2021. The vulnerability was found by our researcher Igor Sak-Sakovskiy.

PoC: [VIDEO="aaa;000"]a[FONT="a onmouseover=alert(location) a"]a[/FONT]a[/VIDEO]

Advisory: https://www.vbulletin.org/forum/showthread.php?t=328715
2021-11-24 19:15:33
A way to bypass XSS WAF in ASP.NET web applications.
2021-11-23 11:11:01
Exploiting CSP in Webkit to Break Authentication & Authorization

by Sachin/Prakash

A bug in the CSP implementation of WebKit, the browser engine used by the Safari web browser, allowed an attacker to steal codes/access_tokens or any other secrets that were part of the leaked URI. This made it possible to carry out attacks including but not limited to account takeovers, CSRF, and sensitive information disclosure.

Contents:
• TLDR;
• Single Sign-On (SSO)
• Content Security Policy (CSP)
• CSP Violation Reports
• Root Cause of the Vulnerability
• How can this be exploited in SSO
• Responsible Disclosure to Safari
• Setting up PoC
• Playground
• Impact
• Roadblocks
• Stats
• Fixes
• Browsers' Mitigation Strategies
• Bypasses & a new 0day
• DEMO
• Key Takeaways
• Timeline

https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization/
2021-11-22 18:04:04
Some notes about Microsoft Exchange Deserialization RCE (CVE-2021-42321)

by Peterjson

Post-Auth Deserialization RCE in Microsoft Exchange Server 2016 and 2019. The vulnerability occurs due to issues with the validation of cmdlet arguments.

Contents:
• Intro
• The Sink
• The Source
• Full Exploit
• Improvement

https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
2021-11-17 17:24:13
Cisco fixed an Unauth DoS (CVE-2021-34704) in Cisco ASA and Cisco FTD found by our researcher Nikita Abramov.

A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Shodan: 242,070 results

Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-KSqJAKPA
2021-11-10 17:48:41
Zoom fixed two post-auth RCEs (CVE-2021-34416, CVE-2021-34414) and a remote system crash (CVE-2021-34415) in the Zoom on-premise Meeting Connector, found by our researchers Nikita Abramov and Egor Dimitrenko.

Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
2021-11-05 16:29:35
How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

by Antoine Cervoise, Wilfried Bécard

ADSS offers multiple functionalities, such as managing password policies for administrators or self-service password reset/account unlock for Active Directory users.
In this article, the research team explores the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the server.

Contents:
• First steps
• Authentication Bypass
• Arbitrary file upload through the API
• Arguments injection
• Chaining everything together to get code execution
• Conclusion

https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
2021-11-03 17:23:07
Sitecore Experience Platform Pre-Auth RCE

by Shubham Shah

In this blog post, the research team details a pre-authentication RCE vulnerability that affects Sitecore XP versions from 7.5 Initial Release to Sitecore XP 8.2 Update-7.
Sitecore's Experience Platform (XP) is an enterprise content management system (CMS). This CMS is used heavily by enterprises, including many of the companies within the Fortune 500.
The vulnerability is applicable to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (Content Delivery, Content Editing, Reporting, Processing, etc.), which are exposed to the Internet.

Contents:
• Intro
• What is Sitecore Experience Platform?
• Mapping out the attack surface
• Discovering the RCE
• Remediation Advice
• Conclusion

https://blog.assetnote.io/2021/11/02/sitecore-rce/
2021-10-28 17:02:42
If you are unlucky enough to have Hermes bytecode within your React Native Android app APK, take a chance to look into the iOS app package: uncompiled JavaScript can be found there instead.
2021-10-26 12:56:41
Discourse SNS webhook RCE

by joernchen

Discourse is the open source discussion platform built for the next decade of the Internet. It can be used as a mailing list, discussion forum, long-form chat room, etc.

A validation bug in the upstream aws-sdk-sns gem can lead to RCE in Discourse via a maliciously crafted request.

https://0day.click/recipe/discourse-sns-rce/