Latest News & Research

  • Blog

    Flaws and bugs. Avoid last-minute surprises

    David Vaartjes in collaboration with Cordny Nederkoorn, 4 July 2018

    When cybersecurity comes up in the media, terms such as flaws, bugs, vulnerabilities and exploits are thrown around freely.

    It is important to know that within application security the terms flaw and bug do not mean the same thing. In this blog we explain the differences and give our view on how flaws can be prevented early.
    read more...

  • Blog

    Living off the land: stealing NetNTLM hashes

    Yorick Koster, May 2018

    Recently, leaking of NetNTLM hashes has gained some renewed attention. This is partly because Microsoft released a fix for Outlook/Office to address an issue reported by Will Dormann from CERT/CC. Will found that Office will leak NetNTLM hashes when processing RTF documents containing specially crafted OLE objects. In addition, Check Point found that a similar attack is possible using PDF files.

    Leaking of hashes is not new; reports of it go back to at least March 1997. It is caused by a design flaw in Windows related to its single sign-on implementation. If a server asks the user to authenticate, Windows will try to do so with the user's credentials, so the user does not have to supply credentials for each individual server. The downside is that any server can request authentication and Windows will happily comply.
    read more...

  • Advisory

    Seagate Media Server path traversal vulnerability

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is vulnerable to path traversal that allows unauthenticated attackers to download arbitrary files from the NAS. Since Seagate Media Server runs with root privileges it is possible to exploit this issue to retrieve sensitive information from the NAS.
    read more...

  • Advisory

    Seagate Media Server stored Cross-Site Scripting vulnerability

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). By default Seagate Media Server allows unauthenticated users to upload files to a public share. Once a file is uploaded it can also be downloaded again from the NAS.

    No restrictions are enforced on which file types a user can upload; any type of file can be uploaded, including executable and HTML files. File downloads are handled directly by Lighttpd, which serves each file according to its (MIME) type. An attacker can therefore upload an HTML file and cause Lighttpd to serve it as a regular web page, which turns the upload into a stored Cross-Site Scripting attack.
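    The two Seagate Media Server issues above (unauthenticated traversal out of the share, and uploaded HTML served as a page) share one fix on the download path. Added example in Python, not Seagate's or Lighttpd's code: the requested name must resolve inside the share root, and anything that is not an allow-listed media type is handed back as an opaque attachment with nosniff, so the browser never renders an uploaded .html. The share layout and file names in demo() are constructed.

```python
# Added example, not Seagate's code. Share root and files are constructed in demo().
import mimetypes
import pathlib
import tempfile

# Types the device may let the browser render inline; everything else is a download.
SAFE_INLINE = {"image/jpeg", "image/png", "image/gif", "audio/mpeg", "video/mp4"}


def resolve_in_share(share_root, requested):
    """Containment check: the resolved target must be the share root itself or
    have it as an ancestor. resolve() also follows symlinks, so a link inside
    the share that points outside is rejected too."""
    root = pathlib.Path(share_root).resolve()
    target = (root / requested.lstrip("/")).resolve()  # lstrip: '/etc/passwd' must not replace root
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes share: {requested}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def response_headers(target):
    """Browser-facing headers: inline only for known media types, otherwise a
    fixed opaque type plus attachment disposition; nosniff stops MIME guessing
    and the sandbox CSP neuters scripts even if something does get rendered."""
    guessed, _ = mimetypes.guess_type(target.name)
    if guessed in SAFE_INLINE:
        disposition, ctype = "inline", guessed
    else:
        disposition, ctype = "attachment", "application/octet-stream"
    safe_name = target.name.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def serve(share_root, requested):
    """Download handler: containment check first, then headers and body."""
    target = resolve_in_share(share_root, requested)
    return response_headers(target), target.read_bytes()


def demo():
    """Constructed share with a photo, an uploaded HTML file, and a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = pathlib.Path(tmp) / "Public"
        share.mkdir()
        (share / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")  # JPEG magic, constructed
        (share / "evil.html").write_text("<script>alert(document.cookie)</script>")
        (pathlib.Path(tmp) / "secret.txt").write_text("outside the share")
        results = {}
        for name in ("holiday.jpg", "evil.html", "../secret.txt", "/etc/passwd"):
            try:
                headers, _ = serve(share, name)
                results[name] = headers["Content-Disposition"].split(";")[0]
            except (PermissionError, FileNotFoundError) as err:
                results[name] = type(err).__name__
        return results
```

    The allow list is deliberately short: the check is on the file extension only, so a .jpg that actually contains HTML still goes out as image/jpeg, and browsers will not sniff it into a document because of nosniff. A stricter server would also verify magic bytes on upload. The containment check is the same one that the move and delete operations of a NAS need, whatever privileges the daemon runs with.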
    read more...

  • Advisory

    Seagate Personal Cloud allows moving of arbitrary files

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that the web application used to manage the NAS contains a vulnerability that allows an unauthenticated attacker to move arbitrary files. The move operation is performed with root privileges, which effectively allows moving any file to any location. The only limitation is that the destination path must reside on the same file system as the source path.
    read more...

  • Advisory

    Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links

    Stephan Kaag, January 2018

    A Cross-Site Scripting (XSS) vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as performing arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.
    read more...

  • Advisory

    Seagate Media Server allows deleting of arbitrary files and folders

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server can be used by unauthenticated attackers to delete arbitrary files and folders on the NAS. Since Seagate Media Server is running with root privileges it is possible to remove almost any file on the NAS. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.
    read more...

  • Advisory

    Seagate Media Server multiple command injection vulnerabilities

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is vulnerable to command injection that allows an unauthenticated attacker to run arbitrary commands with root privileges. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.
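    The CSRF angle shared by the two advisories above (the delete and the command-injection issues, both reachable through personalcloud.local from a victim's browser), as an added example in Python that is not Seagate's code: the check a LAN device should run before any state-changing command, built from two independent gates, an Origin/Referer that names the device itself and a per-session token that only the device's own pages can read. Host names, the session id and the request dicts are constructed.

```python
# Added example, not Seagate's code. Host names, session id and requests are constructed.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_HOSTS = {"personalcloud.local", "192.168.1.20"}  # names the device answers to (constructed)
STATE_CHANGING = {"POST", "PUT", "DELETE"}


class CsrfGuard:
    """Two independent gates for state-changing requests: the browser-set
    Origin (or Referer) must point at the device itself, and the request must
    carry the per-session token that only the device's own pages can read."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def issue_token(self, session_id):
        """Token bound to the session, so a token from one session is useless in another."""
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def origin_ok(self, headers):
        origin = headers.get("Origin") or headers.get("Referer")
        if not origin:
            return False  # fail closed: modern browsers send Origin on cross-site POSTs
        return urlsplit(origin).hostname in DEVICE_HOSTS

    def token_ok(self, request):
        expected = self.issue_token(request["session_id"])
        supplied = request["headers"].get("X-CSRF-Token", "")
        return hmac.compare_digest(expected, supplied)

    def allow(self, request):
        """Reads pass; writes need both gates. Any command that changes state
        must therefore be a POST/PUT/DELETE, never a GET."""
        if request["method"] not in STATE_CHANGING:
            return True
        return self.origin_ok(request["headers"]) and self.token_ok(request)


def demo():
    """Constructed requests: the session cookie 'sess-8f2a' is attached by the
    browser to every request, including the ones a malicious page triggers."""
    guard = CsrfGuard(secret=b"constructed-device-secret")
    session = "sess-8f2a"
    token = guard.issue_token(session)
    base = {"method": "POST", "path": "/api/rm", "session_id": session}
    cases = {
        "web UI": {**base, "headers": {"Origin": "http://personalcloud.local", "X-CSRF-Token": token}},
        "malicious site": {**base, "headers": {"Origin": "http://evil.example"}},
        "malicious site, leaked token": {**base, "headers": {"Origin": "http://evil.example",
                                                             "X-CSRF-Token": token}},
        "no Origin/Referer": {**base, "headers": {"X-CSRF-Token": token}},
        "other session's token": {**base, "headers": {"Origin": "http://personalcloud.local",
                                                      "X-CSRF-Token": guard.issue_token("sess-0000")}},
        "GET listing": {**base, "method": "GET", "headers": {}},
    }
    return {name: guard.allow(req) for name, req in cases.items()}
```

    `demo()` returns True only for the web UI request and the GET. The forged request from the malicious page fails at the first gate because the browser labels it with the attacker's origin, and it would fail at the second because the same-origin policy keeps the token out of the attacker's reach. Failing closed on a missing Origin/Referer does break privacy tools that strip those headers, which is the trade-off to document; SameSite cookies are a useful third layer but not a replacement, since the device has to set them on its own session cookie.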
    read more...

  • Blog

    Spot The Bug challenge 2018 warm-up

    Sipke Mellema, January 2018

    Every now and then Securify publishes a Spot The Bug challenge to help people improve their bug-finding skills. Also, it's just fun to do. In this blog post you can find a warm-up for the upcoming challenge. The code stems from a vulnerability that was encountered in the wild.

    The code contains a vulnerability that allows an HMAC check to be bypassed. Note that this is a warm-up challenge and no prizes are awarded for solutions (the solution is given below).
    read more...

  • Advisory

    Authentication bypass in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in Kaseya VSA that allows users to view remote computers that they are not authorised to view. Using this vulnerability, a user who is authenticated and allowed to view at least one remote computer can view every machine in the Kaseya application.
    read more...

  • Advisory

    Code execution in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in the file upload functionality of Kaseya VSA. Using this vulnerability, an authenticated user in a Kaseya VSA environment is able to upload arbitrary files onto the server. This can lead to remote code execution through an uploaded ASP web shell.
    read more...

  • Advisory

    Arbitrary file read in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in the file download functionality of Kaseya VSA. Using this vulnerability, an authenticated user in a Kaseya VSA environment is able to download arbitrary files from the server, including Kaseya's source code, database backups, configuration files and even Windows system files.
    read more...

  • Advisory

    Broken TLS certificate pinning in VTech DigiGo Kid Connect app

    Sipke Mellema, September 2017

    VTech's DigiGo is a hand-held smart device for children. The device contains a chat application for chatting with friends and family, called Kid Connect. The app has a broken certificate pinning implementation that allows a man-in-the-middle attack on text sent by the chat app.
    read more...

  • Advisory

    Multiple vulnerabilities in VTech DigiGo allow browser overlay attack

    Sipke Mellema, September 2017

    VTech's DigiGo is a hand-held smart device for children. The device contains a browser that only allows children to visit websites on a whitelist. Attackers can remotely add an entry to the whitelist and use it to perform a persistent overlay attack on the browser app.
    read more...

  • Advisory

    Broken TLS certificate validation in VTech DigiGo browser

    Sipke Mellema, September 2017

    VTech's DigiGo is a hand-held smart device for children. The web browser included in the DigiGo does not validate TLS certificates when creating secure connections, allowing man-in-the-middle attacks on web traffic.
    read more...

  • Advisory

    Clickjacking vulnerability in CSRF error page pfSense

    Yorick Koster, November 2017

    pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.
    read more...

  • Advisory

    Reflected Cross-Site Scripting in BVNetwork's 404 error handler

    Robert Hartshorn, May 2017

    Multiple cross-site scripting vectors were found in BVNetwork's 404handler, a 404-error handler page designed for and recommended by the EPiServer framework. EPiServer is a CMS used for e-commerce and digital marketing. According to EPiServer's NuGet server (nuget.episerver.com), the BV Network 404 handler package has over 35k downloads. This vulnerability allows an attacker to perform a wide variety of actions, such as stealing administrators' session tokens or performing arbitrary actions on their behalf.
    read more...

  • Advisory

    Cross-Site Scripting vulnerability in Zimbra Collaboration Suite

    Stephan Kaag, April 2017

    A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as performing arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.
    read more...

  • Advisory

    Xamarin Studio for Mac API documentation update affected by local privilege escalation

    Yorick Koster, April 2017

    Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports development in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.
    read more...

  • Advisory

    Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator

    Sipke Mellema, July 2017

    Virtuozzo Power Panel is a solution that allows customers of service providers to manage their virtual environments. Virtuozzo Automator is an administrative tool for managing the service provider's virtual infrastructure. Both products are affected by a buffer over-read vulnerability that allows attackers to read server memory beyond the intended buffer.
    read more...

Discuss your project with us →