I share with you my discoveries around pentesting and security research.

CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20)

CVE-2017-17743 UCOPIA Wireless Appliance restricted shell escape (< 5.1.11 / 5.0.19 / 4.4.20) feature image

Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell. However, the malicious admin has several techniques to write arbitrary contents to this file.

Read more...

CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon

CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon feature image

This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker, with physical, or remote (e.g. through TSE, VNC…), access to a machine with FortiClient and this feature enabled, can obtain SYSTEM level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. default auto-signed certificate, or Man-In-The-Middle with SSL/TLS interception situation).

Read more...

[french] Conférence "failles de sécurité des clouds et serveurs IoT"

[french] Conférence "failles de sécurité des clouds et serveurs IoT" feature image

Je suis intervenu à l’ESIEE Paris pour une conférence “Cybersécurité & IoT : enjeux et perspectives”. Retrouvez ma présentation en vidéo captée à l’occasion d’un CTlive.

Read more...

Burp extension "Scan manual insertion point"

Burp extension "Scan manual insertion point" feature image

The “Scan manual insertion point” Burp extension lets the user select a region of a request (typically a parameter value), and via the context menu do an active scan of just the insertion point defined by that selection. It is similar with the “actively scan defined insertion points” feature in the context menu of the Intruder, without the burden of having to send the request to the Intruder.

Just select your insertion point within a request, right click and select “Scan manual insertion point”.

Read more...

[french] MISC : post-exploitation Windows avec Metasploit

[french] MISC : post-exploitation Windows avec Metasploit feature image

Pour un pentester, c’est toujours un plaisir d’obtenir un shell grâce à un exploit ou un phishing bien mené ! Les novices s’arrêtent ici et considèrent leur objectif atteint, mais comme le rappelle Carlos Perez dans le titre de son blog : « shell is only the beginning » !

Read more...

CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency

CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency feature image

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Read more...

[french] Conférence "Les outils du test d'intrusion"

[french] Conférence "Les outils du test d'intrusion" feature image

Je suis intervenu chez While42 pour une conférence “Les outils du test d’intrusion”. Retrouvez ma présentation en vidéo captée à l’occasion d’un CTlive.

Read more...

[french] Conférence-démonstrations à l’ANAJ-IHEDN

[french] Conférence-démonstrations à l’ANAJ-IHEDN feature image

Je suis intervenu à l’ANAJ-IHDEN (Association Nationale des Auditeurs Jeunes de l’Institut des Hautes Études de Défense Nationale) pour la conférence “Quelles techniques d’attaque et contre-mesures dans le Cyber ?”, que vous pouvez revoir en vidéo.

Read more...

[french] Podcast Comptoir Sécu sur l'ARJEL

[french] Podcast Comptoir Sécu sur l'ARJEL feature image

Je suis intervenu dans le podcast Le Comptoir Sécu. Il s’agissait de l’épisode 30 au sujet de l’ARJEL.

Read more...