Categories: Technologies
Language: English
Subscribers: 2.98K
Description from channel
Positive Technologies Offensive Team: twitter.com/ptswarm
This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting
The latest messages (9)
2021-08-31 12:22:55
PROXYTOKEN: AN AUTHENTICATION BYPASS IN MICROSOFT EXCHANGE SERVER by Simon Zuckerbraun
With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users, for example copying all emails addressed to a target account and forwarding them to an attacker-controlled account. The vulnerability arises due to the authentication module not being loaded on the back end.
Contents:
• The Trigger
• Understanding the Root Cause
• Bagging a Canary
• Conclusion
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
2021-08-23 17:45:06
Citrix has removed the acknowledgement of our researcher Mikhail Klyuchnikov who discovered and reported CVE-2019-19781 - the Citrix ADC RCE!
Current: https://support.citrix.com/article/CTX267027
Mar 2021: http://web.archive.org/web/20210321090412/https://support.citrix.com/article/CTX267027
2021-08-12 18:53:02
MyBB fixed a Persistent XSS (CVE-2021-27279) in MyBB < 1.8.25 found by our researcher Igor Sak-Sakovskiy.
RCE is possible when chained with CVE-2021-27890, reported by Simon Scannell & Carl Smith.
Advisory: https://mybb.com/versions/1.8.25/
2021-08-04 17:30:50
Site-wide CSRF using the GraphQL API
2021-08-04 12:50:52
SAML is insecure by design
by @joonas_fi
"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."
Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading
https://joonas.fi/2021/08/saml-is-insecure-by-design/
2021-07-29 17:02:34
We would like to share with the community some uncommon but not unique cases from our experience. Let us know if you like this format.
Stored XSS using .xbl files.
2021-07-29 15:54:57
NTLM relaying to AD CS - On certificates, printers and a little hippo
by @_dirkjan
More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.
Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
2021-07-28 12:46:24
You should turn off autofill in your password manager
by @marektoth
11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best-practices, could be compromised in one mouse click by the user, allowing attackers access to plain-text saved login credentials.
Contents:
• Autofill
• Autofill in chromium-based browsers
• Abuse of the autofill? Cross-Site Scripting (XSS)
• Analysis of browsers and password managers
• Limitation
• Script and demo
• Clickjacking KeePassXC-Browser
• Potential risks for users
• Potential risks for companies / Recommendation for InfoSec
• Recommendation
• Conclusion
https://marektoth.com/blog/password-managers-autofill/
2021-07-22 16:44:25
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq
2021-07-21 18:09:14
Sequoia: A Local Privilege Escalation Vulnerability in Linux's Filesystem Layer (CVE-2021-33909)
by Bharat Jogi
"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."
Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909