I share with you my discoveries around pentesting and security research.

CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 2/2

Second part of the article about CVE-2019-1172, where we deep-dive through reverse engineering to finally understand how it works and find the cause of the vulnerability. We also review the patch via binary diffing.

CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 1/2

CVE-2019-1172 is the first vulnerability I discovered in Windows; it allows the disclosure of an Azure AD personal account auth token to malicious websites when using the recommended browser extension.
The vulnerability lies in an incorrect check of the origin of a web request: “login.live.com” is the only authorized host; however, “login.live.com.example.com” (under the control of “example.com”) is also accepted!

This is a classic and unimpressive issue. But in this post, I will explain how I discovered it and I think the journey is more interesting than the end result here. I will also give details about the vulnerability and share a PoC.
Also, it may look easy once finished and summarized in an article, but note that I discovered almost everything on the fly! So can you 😉

CVE-2020-4311 IBM Tivoli Monitoring weak folder permissions

The story of how I discovered a DLL planting vulnerability in IBM Tivoli Monitoring, caused by dangerous default folder permissions. Including PoC steps.

Server-Side Template Injection (SSTI) in ASP.NET Razor

Server-Side Template Injection (SSTI) vulnerabilities affect web templating engines: attackers can inject template code, eventually leading to Remote Code Execution (RCE).

I have discovered that the ASP.NET Razor templating engine can be vulnerable too when improperly used, leading to execution of arbitrary code.

Security pitfalls in authenticating users and protecting secrets with biometry on mobile devices (Apple & Android)

In a previous post we presented Windows Hello, Microsoft's solution for protecting secrets and authenticating users with biometry (fingerprint, face recognition, iris…) on modern Windows.

Biometry in the consumer world was first introduced on mobile devices, especially the Apple and Android platforms. Therefore, we will look at what they offer, and at security pitfalls similar to the one highlighted for Windows Hello.

When Windows Hello fails at securely authenticating users and protecting credentials

In this post I will show you how Windows Hello based authentication can be bypassed in some Windows desktop apps.

CVE-2019-1172 Windows Azure Active Directory user token disclosure

An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user’s account.

Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO)

If you have compromised a Windows host and cannot, or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logonpasswords, or LSASS dumping), you should check the credential delegation settings. If enabled, they allow obtaining clear-text passwords without touching the LSASS process, and even without administrator rights (limited to the current user’s password in that case)!

You have to use @gentilkiwi’s “kekeo” tool and its tsssp module! “mimikatz” is not even required here!

Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2

You may have deployed Splunk Universal Forwarders on your systems to forward logs to your SIEM, but what if they are not properly secured and can be hijacked? Attackers could leverage them to remotely execute code (RCE)!

I share two new tools to demonstrate this technique.

CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4)

Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs a local API server on dsalocal.intel.com, which resolves to 127.0.0.1. Intel’s website calls this API, and the CORS mechanism mandates that the Origin header be added to the request so the server can verify it and allow or deny the request.
