Sharing my discoveries in pentesting and security research.

Server-Side Template Injection (SSTI) in ASP.NET Razor

Server-Side Template Injection (SSTI) is a class of vulnerabilities in web templating engines where an attacker can inject template code, eventually leading to Remote Code Execution (RCE).

I have discovered that the ASP.NET Razor templating engine can be vulnerable too when improperly used, leading to execution of arbitrary code.

Security pitfalls in authenticating users and protecting secrets with biometry on mobile devices (Apple & Android)

In a previous post we presented Windows Hello, Microsoft's solution for protecting secrets and authenticating users with biometrics (fingerprint, face recognition, iris...) on modern Windows.

Biometrics in the consumer world first appeared on mobile devices, especially the Apple and Android platforms. This post therefore looks at what those platforms offer, and at security pitfalls similar to the ones highlighted for Windows Hello.

When Windows Hello fails at securely authenticating users and protecting credentials

In this post I will show you how to bypass Windows Hello-based authentication in some Windows desktop apps.

CVE-2019-1172 Windows Azure Active Directory user token disclosure

An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user’s account.

Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO)

If you have compromised a Windows host and cannot, or do not want to, dump clear-text passwords using the traditional techniques (e.g. mimikatz's sekurlsa::logonpasswords, or dumping LSASS), check the credential delegation settings. If credential delegation is enabled, it allows obtaining clear-text passwords without touching the LSASS process, and even without administrator rights (in which case you are limited to the current user's password)!

You only need @gentilkiwi's "kekeo" tool and its tsssp module: "mimikatz" is not even required here!

Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2

You may have deployed Splunk Universal Forwarders on your systems to forward logs to your SIEM, but what if they are not properly secured and can be hijacked? Attackers could leverage them to execute code remotely (RCE)!

I share two new tools to demonstrate this technique.

CVE-2018-3621 Intel Driver & Support Assistant: Drivers information disclosure bug through incorrect validation of the Origin header in local API requests (< 3.6.0.4)

Intel Driver & Support Assistant allows users to manage and update their drivers from Intel’s website.

It runs a local API server on dsalocal.intel.com, which resolves to 127.0.0.1. Intel's website calls this API, and the CORS mechanism mandates that the browser add the Origin header to the request so the server can verify it and allow or deny the request.
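The Origin check described above, as an added Python example that is neither Intel's code nor code from the original post: a hypothetical substring check that accepts any origin merely containing "intel.com", beside a strict allowlist check, and a minimal model of the local API's CORS decision. The allowlist, the attacker origins and the request dictionaries are constructed for the example; the page does not say how Intel's original validation was implemented, so the weak check is only an illustration of the failure mode.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only site allowed to call the
# local API. Exact origins (scheme + host), no wildcards.
ALLOWED_ORIGINS = {"https://www.intel.com"}


def weak_origin_check(origin):
    """Hypothetical substring check, shown only to illustrate the failure mode.

    Not Intel's actual code: any origin that merely *contains* the string
    "intel.com" passes, so an attacker-controlled site can call the API.
    """
    return origin is not None and "intel.com" in origin


def strict_origin_check(origin):
    """Return True only for an exact, https, allowlisted origin.

    A browser sends Origin as scheme://host[:port] with no path, so anything
    with a path, query, fragment or userinfo is rejected outright.
    """
    if not origin:
        return False  # header absent: do not serve cross-origin callers blindly
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False  # malformed value such as an unbalanced IPv6 bracket
    if parts.scheme.lower() != "https":
        return False  # also rejects the opaque "null" origin (no scheme)
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    return f"https://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def handle_api_request(request_headers, check=strict_origin_check):
    """Minimal model of the local API's CORS decision.

    Returns (status, response_headers). On success the validated Origin is
    echoed back verbatim (never "*"), and Vary: Origin is set so a cache does
    not serve one origin's response to another.
    """
    origin = request_headers.get("Origin")
    if not check(origin):
        return 403, {}
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed requests: the legitimate site, then two attacker origins.
    for origin in ("https://www.intel.com",
                   "https://intel.com.attacker.example",
                   "https://www.intel.com@attacker.example"):
        weak = handle_api_request({"Origin": origin}, weak_origin_check)[0]
        strict = handle_api_request({"Origin": origin})[0]
        print(f"{origin:45} weak={weak} strict={strict}")
```

An Origin check only restrains browsers, which set the header themselves; a native process on the same machine can send any Origin value it likes to 127.0.0.1, so a local API that exposes sensitive data needs an authentication mechanism of its own on top of CORS.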

Security analysis of Chrome prompting for Windows password before disclosing passwords

Chrome now prompts for the Windows password before disclosing the passwords it manages: is this really more secure? Can it be bypassed?

CVE-2018-15481 UCOPIA Wireless Appliance restricted shell escape (< 5.1.13)

Administrators can connect to their UCOPIA Wireless Appliance through the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted using rbash and clish: specific commands or flags are disallowed on purpose, so a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the ~/.ssh/config file on the UCOPIA system: OpenSSH reads this file when connecting to other machines through SSH. A malicious administrator can abuse the LocalCommand directive (honoured when PermitLocalCommand is enabled) to start an sh shell locally once the connection is established, thereby obtaining an unrestricted shell.

[french] MISC: « WebAuthn »: finally the end of passwords?

« WebAuthn », for « Web Authentication », is the new W3C standard whose goal is to replace U2F and finally allow authentication without a password. How does it work? And will it manage to establish itself?
