Clément Notin, Pentester / Offensive Security Officer. I share with you my daily discoveries around pentesting and red teaming.

Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2


You may have deployed Splunk Universal Forwarders on your systems to forward logs to your SIEM, but what if they are not properly secured and can be hijacked? Attackers could leverage them to remotely execute code (RCE)!

I share two new tools to demonstrate this technique.


CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4)


Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs a local API server, available at dsalocal.intel.com, which resolves to 127.0.0.1. Intel's website queries this API, and the CORS mechanism mandates that the Origin header be added to the request so the server can verify it and allow or deny the request.


Security analysis of Chrome prompting for Windows password before disclosing passwords


Chrome now prompts for the Windows password before disclosing the passwords it manages: is it really more secure? Can it be bypassed?


CVE-2018-15481 UCOPIA Wireless Appliance restricted shell escape (< 5.1.13)


Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the use of rbash and clish: specific commands or flags are disallowed on purpose, so a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. A malicious administrator could abuse the LocalCommand directive to start a sh shell locally after the connection is established, thereby obtaining an unrestricted shell.


[french] MISC: "WebAuthn": finally the end of passwords?


"WebAuthn", short for "Web Authentication", is the new W3C standard whose goal is to replace U2F and finally allow authentication without a password. How does it work? And will it manage to become established?


CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20)


Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the use of rbash and clish: specific commands or flags are disallowed on purpose, so a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell. However, a malicious administrator has several ways to write arbitrary content to this file.


CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon


This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, enables FortiClient on the logon screen so that users can connect to a VPN profile before logging on. An attacker with physical or remote (e.g. through TSE, VNC, etc.) access to a machine with FortiClient and this feature enabled can obtain SYSTEM-level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. the default self-signed certificate, or a Man-In-The-Middle situation with SSL/TLS interception).


[french] Talk "security flaws of clouds and IoT servers"


I gave a talk at ESIEE Paris during the conference "Cybersécurité & IoT : enjeux et perspectives" (Cybersecurity & IoT: stakes and perspectives). Watch my presentation in the video recorded during a CTlive.


Burp extension "Scan manual insertion point"


The "Scan manual insertion point" Burp extension lets the user select a region of a request (typically a parameter value) and, via the context menu, run an active scan of just the insertion point defined by that selection. It is similar to the "actively scan defined insertion points" feature in the Intruder's context menu, without the burden of having to send the request to the Intruder first.

Just right-click on a request and select "Scan manual insertion point".


[french] MISC: Windows post-exploitation with Metasploit


For a pentester, it is always a pleasure to obtain a shell thanks to an exploit or a well-executed phishing campaign! Novices stop there and consider their objective achieved, but as Carlos Perez reminds us in the title of his blog: "shell is only the beginning"!
