Clément Notin Pentester / Offensive Security Officer I share with you my daily discoveries around pentesting and red teaming.

Security pitfalls in authenticating users and protecting secrets with biometry on mobile devices (Apple & Android)

Security pitfalls in authenticating users and protecting secrets with biometry on mobile devices (Apple & Android) feature image

In a previous post we presented Windows Hello which is the solution to protect secrets and authenticate users using biometry (fingerprint, face recognition, iris…) on modern Microsoft Windows.

Biometry in the consumer world was first introduced on mobile devices, and especially Apple and Android platforms. Therefore, we will see here what they offer, and security pitfalls similar to the one highlighted in Windows Hello.

Read more...

When Windows Hello fails at securely authenticating users and protecting credentials

When Windows Hello fails at securely authenticating users and protecting credentials feature image

In this post I will show you how to bypass Windows Hello based authentication in some Windows desktop apps.

Read more...

Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO)

Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO) feature image

If you have compromised a Windows host, and cannot or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logonpasswords, or LSASS dumping), you should check out the credential delegations settings. If enabled, it allows to obtain clear-text passwords without touching the LSASS process or even without having administrator rights (limited to the current user’s password then)!

You have to use @gentilkiwi’s “kekeo” tool and its tsssp module! “mimikatz” is not even required here!

Read more...

Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2

Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2 feature image

You may have deployed Splunk Universal Forwarders on your systems to forward to your SIEM, but what if they are not properly secured and could be hijacked? Attackers could leverage them to remotely execute code (RCE)!

I share two new tools to demonstrate this technique.

Read more...

CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4)

CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4) feature image

Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs locally an API server available on dsalocal.intel.com which resolves to 127.0.0.1. Intel website requests this API and the CORS mechanism mandates that the Origin header is added to the request so the server can verify it, and allow or deny the request.

Read more...

Security analysis of Chrome prompting for Windows password before disclosing passwords

Security analysis of Chrome prompting for Windows password before disclosing passwords feature image

Chrome now prompts for the Windows password before disclosing the passwords it manages: is it really more secure? Can it be bypassed?

Read more...

CVE-2018-15481 UCOPIA Wireless Appliance restricted shell escape (< 5.1.13)

CVE-2018-15481 UCOPIA Wireless Appliance restricted shell escape (< 5.1.13) feature image

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. However, a malicious administrator could abuse the LocalCommand instruction to start a sh shell locally after establishing the connection, and therefore obtaining an unrestricted shell.

Read more...

[french] MISC : « WebAuthn » : enfin la fin des mots de passe ?

[french] MISC : « WebAuthn » : enfin la fin des mots de passe ? feature image

« WebAuthn » pour « Web Authentication » est le nouveau standard du W3C, dont l’objectif est de remplacer U2F pour enfin permettre de s’authentifier sans mot de passe. Comment fonctionne-t-il ? Et va-t-il réussir à s’imposer ?

Read more...

CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20)

CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20) feature image

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell. However, the malicious admin has several techniques to write arbitrary contents to this file.

Read more...

CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon

CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon feature image

This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker, with physical, or remote (e.g. through TSE, VNC…), access to a machine with FortiClient and this feature enabled, can obtain SYSTEM level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. default auto-signed certificate, or Man-In-The-Middle with SSL/TLS interception situation).

Read more...