Latest News & Research

  • Advisory

    Ivanti Workspace Control Application Whitelist bypass via PowerGrid /SEE command line argument

    Yorick Koster, August 2018

    It was found that the PowerGrid application can be used to run arbitrary commands via the /SEE command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine.

  • Advisory

    Stored credentials Ivanti Workspace Control can be retrieved from Registry

    Yorick Koster, August 2018

    A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted; however, the encryption that is used is reversible.

  • Advisory

    Ivanti Workspace Control Data Security bypass via localhost UNC path

    Yorick Koster, August 2018

    Ivanti Workspace Control contains a flaw where it is possible to access folders that should be protected by Data Security. A local attacker can bypass these restrictions using localhost UNC paths. Depending on the NTFS permissions it may be possible for local users to access files and folders that should be protected using Data Protection.

  • Advisory

    Ivanti Workspace Control local privilege escalation via Named Pipe

    Yorick Koster, August 2018

    It was found that Ivanti Workspace Control allows a local (unprivileged) attacker to run arbitrary commands with Administrator privileges. This issue can be exploited by spawning a new Composer process and injecting a malicious thread into it. This thread connects to a Named Pipe and sends an instruction to a service to launch an attacker-defined application with elevated privileges.

  • Advisory

    Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS command line argument

    Yorick Koster, August 2018

    It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine.

  • Advisory

    Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

    Remco Vermeulen, September 2018

    It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.

  • Blog

    Cross-Site Scripting in a Content Security Policy world

    Yorick Koster, September 2018

    A large number of bypasses have been documented after the introduction of Content Security Policy. Most of them are the result of an overly permissive policy rather than a weakness in Content Security Policy itself. Often the goal of a bypass is to run some arbitrary JavaScript. In this blog I'll show that Content Security Policy is not a silver bullet for mitigating Cross-Site Scripting. Even with the most restrictive policy it is often possible to do bad things if an application is affected by Cross-Site Scripting. Consequently, Cross-Site Scripting issues should always be addressed, regardless of whether a policy is configured or not.

  • Blog

    Strings considered harmful

    Remco Vermeulen, September 2018

    With our Inline service we support Agile development teams in building great but secure applications. A large part of the work is performing code reviews to catch bugs or flaws (see this great blogpost outlining the differences) with security ramifications before they reach production.

    The code reviews provide a great opportunity to catch issues early, but they also present a great opportunity to advise software engineers on how and when to apply security best practices. From our experience these interactions really help the team become more security aware.

  • Advisory

    Seagate Personal Cloud multiple information disclosure vulnerabilities

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that the web application used to manage the NAS is affected by various unauthenticated information disclosure vulnerabilities. The device is configured to trust any CORS origin, and is accessible via the personalcloud.local domain name. Due to this it is possible for any website to gain access to this information. While this information doesn't allow an attacker to compromise the NAS, the information can be used to stage more targeted attacks.

  • Blog

    Ten tips after a year of pentesting

    Hamza Boulanouar, September 2018

    For the past few years I was very hesitant about my future career choices. Originally, I'm a developer, but I liked security and hacking a lot. I was doing all kinds of CTFs in my spare time. For my bachelor's degree I had to do a final project (thesis) and thought it might be the best moment to shift into the (professional) security world. I finished my internship at Securify and was offered a job/traineeship. I've learned a lot in the last year and I would like to share some tips. The following tips are in no particular order and might even be applied to some other disciplines.

  • Blog

    Staying positive about false negatives

    Sipke Mellema, September 2018

    For the past four years I've been kicking ass at Securify. These 40-hour hacking sprees resulted in hundreds of vulnerabilities that made a lot of customers very happy. But "even I" make mistakes. Sometimes.

    This blog article is about two examples of false negatives. Things that didn't seem buggy but were. Bugs that seemed to be fixed but weren't. Some nasty stuff that I hope we all can learn from. For obvious reasons I can't share actual customer code, so I'll give some examples in partial pseudo-code.

  • Blog

    Click me if you can, Office social engineering with embedded objects

    Yorick Koster, August 2018

    Microsoft Office documents provide attackers with a variety of ways to trick victims into running arbitrary code. Of course an attacker could try to exploit an Office vulnerability, but it is more common to send victims Office documents containing malicious macros, or documents containing embedded (Packager) executable files. In this blog two techniques are demonstrated that can be used to trick victims into running malicious code.

  • Advisory

    Seagate Media Server multiple SQL injection vulnerabilities

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is affected by multiple SQL injection vulnerabilities. An unauthenticated attacker can exploit this issue to retrieve or modify arbitrary data in the database used by Seagate Media Server. Seagate Media Server uses a separate SQLite3 database, which limits what the attacker can do with this issue.

  • Blog

    Flaws and bugs. Avoid last-minute surprises

    David Vaartjes in collaboration with Cordny Nederkoorn, July 4, 2018

    Whenever cybersecurity is discussed in the media, terms such as flaws, bugs, vulnerabilities and exploits fly around.

    It is important to know that within application security the terms flaws and bugs are not the same. In this blog we explain the differences and give our view on how flaws can be prevented in time.

  • Blog

    Living off the land: stealing NetNTLM hashes

    Yorick Koster, May 2018

    Recently, leaking of NetNTLM hashes has gained some renewed attention. This is partly because Microsoft released a fix for Outlook/Office to address an issue reported by Will Dormann from CERT/CC. Will found that Office will leak NetNTLM hashes when processing RTF documents containing specially crafted OLE objects. In addition, Check Point found that a similar attack is possible using PDF files.

    Leaking of hashes is not new; reports of it go back to at least March 1997. It is caused by a design flaw in Windows related to its single sign-on implementation. If a server requests that the user authenticate, Windows will try to do so using the user's credentials. This way the user doesn't need to provide his/her credentials for each individual server. The downside is that any server can request authentication and Windows will happily comply.

  • Advisory

    Seagate Media Server path traversal vulnerability

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is vulnerable to path traversal that allows unauthenticated attackers to download arbitrary files from the NAS. Since Seagate Media Server runs with root privileges it is possible to exploit this issue to retrieve sensitive information from the NAS.

  • Advisory

    Seagate Media Server stored Cross-Site Scripting vulnerability

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). By default Seagate Media Server allows unauthenticated users to upload files to a public share. Once a file is uploaded it can also be downloaded again from the NAS.

    No restrictions are enforced on which file types a user can upload; any type of file can be uploaded, including executable files and HTML files. File downloads are handled directly by Lighttpd, and because of this files are processed based on their (MIME) type. An attacker can upload an HTML file and cause Lighttpd to treat the file as a regular web page. Consequently, uploading an HTML file can be used to execute a stored Cross-Site Scripting attack.

  • Advisory

    Seagate Personal Cloud allows moving of arbitrary files

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that the web application used to manage the NAS contains a vulnerability that allows an unauthenticated attacker to move arbitrary files. The move operation is done with root privileges, which basically allows moving any file to any location. The only limitation is that the destination path resides on the same file system as the source path.

  • Advisory

    Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links

    Stephan Kaag, January 2018

    A Cross-Site Scripting (XSS) vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as performing arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.

  • Advisory

    Seagate Media Server allows deleting of arbitrary files and folders

    Yorick Koster, September 2017

    Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server can be used by unauthenticated attackers to delete arbitrary files and folders on the NAS. Since Seagate Media Server is running with root privileges it is possible to remove almost any file on the NAS. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.
