Administrators can connect to their UCOPIA Wireless Appliance using the SSH (TCP/22) or Web SSH (TCP/222) interfaces. The system shell is restricted through the usage of rbash and clish: specific commands or flags are disallowed on purpose, therefore a malicious administrator might want to escape from this shell in order to execute arbitrary commands.

The vulnerability lies in the handling of the .bashrc file: rbash reads and executes this file before starting the restricted shell. However, the malicious admin has several techniques to write arbitrary contents to this file.

This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker, with physical, or remote (e.g. through TSE, VNC…), access to a machine with FortiClient and this feature enabled, can obtain SYSTEM level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. default auto-signed certificate, or Man-In-The-Middle with SSL/TLS interception situation).

Je suis intervenu à l’ESIEE Paris pour une conférence “Cybersécurité & IoT : enjeux et perspectives”. Retrouvez ma présentation en vidéo captée à l’occasion d’un CTlive.

The “Scan manual insertion point” Burp extension lets the user select a region of a request (typically a parameter value), and via the context menu do an active scan of just the insertion point defined by that selection. It is similar with the “actively scan defined insertion points” feature in the context menu of the Intruder, without the burden of having to send the request to the Intruder.

Just select your insertion point within a request, right click and select “Scan manual insertion point”.

Pour un pentester, c’est toujours un plaisir d’obtenir un shell grâce à un exploit ou un phishing bien mené ! Les novices s’arrêtent ici et considèrent leur objectif atteint, mais comme le rappelle Carlos Perez dans le titre de son blog : « shell is only the beginning » !

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Je suis intervenu chez While42 pour une conférence “Les outils du test d’intrusion”. Retrouvez ma présentation en vidéo captée à l’occasion d’un CTlive.

Je suis intervenu à l’ANAJ-IHDEN (Association Nationale des Auditeurs Jeunes de l’Institut des Hautes Études de Défense Nationale) pour la conférence “Quelles techniques d’attaque et contre-mesures dans le Cyber ?”, que vous pouvez revoir en vidéo.

Je suis intervenu dans le podcast Le Comptoir Sécu. Il s’agissait de l’épisode 30 au sujet de l’ARJEL.