Latest News & Research

  • Advisory

    Seagate Media Server allows deleting of arbitrary files and folders

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server can be used by unauthenticated attackers to delete arbitrary files and folders on the NAS. Since Seagate Media Server is running with root privileges it is possible to remove almost any file on the NAS. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.

  • Advisory

    Seagate Media Server multiple command injection vulnerabilities

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is vulnerable to command injection that allows an unauthenticated attacker to run arbitrary commands with root privileges. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.

  • Blog

    Spot The Bug challenge 2018 warm-up

    Sipke Mellema, January 2018

    Every now and then Securify publishes a Spot The Bug challenge to help people improve their bug-finding skills. Also, it's just fun to do. In this blog post you can find a warm-up for the upcoming challenge! The code stems from a vulnerability that was encountered in the wild.

    The code contains a vulnerability for bypassing an HMAC check. Note that this is a warm-up challenge and no prizes are given for solutions (since the solution is given below).

  • Advisory

    Authentication bypass in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in Kaseya VSA that allows users to view remote computers that they are not authorised to view. Using this vulnerability, a user who is authenticated to view at least one remote computer can view every machine in the Kaseya application.

  • Advisory

    Code execution in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in the file upload functionality of Kaseya VSA. Using this vulnerability, an authenticated user in a Kaseya VSA environment is able to upload arbitrary files onto the server. This can lead to remote code execution with an ASP shell.

  • Advisory

    Arbitrary file read in Kaseya VSA

    Kin Hung Cheng, Robert Hartshorn, May 2017

    A security vulnerability was found in the file download functionality of Kaseya VSA. Using this vulnerability, an authenticated user in a Kaseya VSA environment is able to download arbitrary files from the server (including the Kaseya source code, database backups, configuration files, and even Windows system files).

  • Advisory

    Broken TLS certificate pinning in VTech DigiGo Kid Connect app

    Sipke Mellema, September 2017

    VTech's DigiGo is a handheld smart device for children. The device contains a chat application, called Kid Connect, for chatting with friends and family. The app has a broken certificate pinning implementation that allows a man-in-the-middle attack on text sent by the chat app.

  • Advisory

    Multiple vulnerabilities in VTech DigiGo allow browser overlay attack

    Sipke Mellema, September 2017

    VTech's DigiGo is a handheld smart device for children. The device contains a browser that only allows children to connect to websites on a whitelist. Attackers can remotely add an entry to the whitelist to perform a persistent overlay attack on the browser app.

  • Advisory

    Broken TLS certificate validation in VTech DigiGo browser

    Sipke Mellema, September 2017

    VTech's DigiGo is a handheld smart device for children. The web browser included in the DigiGo does not validate TLS certificates when creating secure connections, allowing man-in-the-middle attacks on web traffic.

  • Advisory

    Clickjacking vulnerability in CSRF error page pfSense

    Yorick Koster, November 2017

    pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.

  • Advisory

    Reflected Cross-Site Scripting in BVNetwork's 404 error handler

    Robert Hartshorn, May 2017

    Multiple cross-site scripting vectors were found in BVNetwork's 404handler. BVNetwork's 404handler is a 404-error handler page designed for, and recommended by, the EPiServer framework. The EPiServer framework is designed to be used as an e-commerce and digital marketing CMS. According to EPiServer's NuGet server (BV Network 404 handler on nuget.episerver.com), this product has over 35k downloads. This vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

  • Advisory

    Cross-Site Scripting vulnerability in Zimbra Collaboration Suite

    Stephan Kaag, April 2017

    A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as performing arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.

  • Advisory

    Xamarin Studio for Mac API documentation update affected by local privilege escalation

    Yorick Koster, April 2017

    Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. By default, Xamarin Studio supports development in C# and F#. The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.

  • Advisory

    Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator

    Sipke Mellema, July 2017

    Virtuozzo Power Panel is a solution that allows customers of service providers to manage their virtual environments. Virtuozzo Automator is an administrative tool for managing the service provider's virtual infrastructure. Both products are affected by a buffer over-read vulnerability that allows attackers to read random server memory.

  • Advisory

    InsomniaX loader allows loading of arbitrary Kernel Extensions

    Yorick Koster, April 2017

    It was found that the loader application bundled with InsomniaX can be used to load arbitrary Kernel Extensions (kext). The loader is normally used to load a kext file that is needed to disable the Lid Sleep. A flaw has been found in the loader that allows a local attacker to load (or unload) any arbitrary kext file.

  • Advisory

    SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

    Yorick Koster, February 2017

    A vulnerability was found in the SyntaxHighlight MediaWiki extension. Using this vulnerability it is possible for an anonymous attacker to pass arbitrary options to the Pygments library. By specifying specially crafted options, it is possible for an attacker to trigger a (stored) Cross-Site Scripting condition. In addition, it allows the creation of arbitrary files containing user-controllable data. Depending on the server configuration, this can be used by an anonymous attacker to execute arbitrary PHP code.

  • Advisory

    Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x for macOS

    Han Sahin, April 2017

    A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature checks on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.

  • Advisory

    Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN client v2.x for OS X

    Han Sahin, April 2017

    Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.

  • Advisory

    Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

    Remco Vermeulen, April 2017

    It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.

  • Advisory

    Cross-Site Request Forgery in WordPress Connection Information

    Yorick Koster, July 2016

    The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery. This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker's FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
