Category：Tech Editorials

#CVE #Pwn2Own #IoT

Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II

angelboy

2023-11-06

We identified Pre-auth RCE vulnerabilities in Canon printers (CVE-2023-0853, CVE-2023-0854) and also discovered Pre-auth RCE flaws in HP printers, which led to our achievement of the Master of Pwn title at Pwn2Own Toronto 2022. This article will detail the vulnerabilities and exploitation methods for both Canon and HP printers.

#CVE #Pwn2Own #IoT

Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I

angelboy

2023-10-05

In 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerability(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation.

#Google

[REL] A Journey Into Hacking Google Search Appliance

2023-07-07

The Google Search Appliance (hereinafter referred to as GSA) is an enterprise search device launched by Google in 2002, used for indexing and retrieving internal or public network information

#Advisory #CVE #RCE #Exchange #Pwn2Own

A New Attack Surface on MS Exchange Part 4 - ProxyRelay!

orange

2022-10-19

With the prior knowledge in mind, I come up with a simple idea. It’s common to see multiple Exchange Servers in corporate networks for high availability and site resilience. Can we relay the NTLM authentication among Exchange Servers?

#CVE #BugBounty #Vulnerability

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

orange

2022-08-18

We have also proved this attack works naturally on Microsoft Exchange Server. By leveraging the default activated Exchange Active Monitoring service, we can enter HealthMailbox's mailbox without passwords!

#RCE #NAS #IoT #Pwn2Own

Your NAS is not your NAS !

angelboy

2022-03-28

We have successfully found a serious vulnerability in the NAS, and successfully wrote a proof-of-concept, which proved that it can be exploited on many NAS such as Synology, QNAP and Asustor.

#Advisory #CVE #RCE #Exchange #Pwn2Own

A New Attack Surface on MS Exchange Part 3 - ProxyShell!

orange

2021-08-22

ProxyShell: The exploit chain we demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty

#Advisory #CVE #RCE #Exchange

A New Attack Surface on MS Exchange Part 2 - ProxyOracle!

orange

2021-08-06

ProxyOracle! The attack on Exchange Server to recover any user's password in plaintext format

#Advisory #CVE #RCE #Exchange #SSRF #Pwn2Own

A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

orange

2021-08-06

ProxyLogon! The most severe and impactful vulnerability in the Exchange Server history ever.

#Advisory #CVE #RCE #Facebook #BugBounty

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

orange

2020-09-12

This post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got fixed in June. After that, we kept monitoring large corporations to track the overall fixing progress and then found that Facebook didn't keep up with the patch for more than 2 weeks, so we dropped a shell on Facebook and reported to their Bug Bounty program!

#Advisory #VPN #RCE

Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!

orange

2019-09-02

7 vulnerabilities in Pulse Secure SSL VPN: CVE-2019-11510, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11508, CVE-2019-11540, CVE-2019-11507

#Advisory #VPN #RCE

Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN

meh

2019-08-09

Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish!

#Advisory #VPN #RCE #BugBounty

Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!

orange

2019-07-17

We would like to talk about the vulnerability which we accidentally discovered during our Red Team assessment services on Palo Alto SSL VPN.

#Advisory

Operation Crack: Hacking IDA Pro Installer PRNG from an Unusual Way

shaolin

2019-06-21

Is it possible to install IDA Pro without kowning installation password? Linux or MacOS version can find the password directly; Windows version only need 10 minutes to calculate the password. The following is the detailed process.

#Advisory #CVE #RCE

Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!(EN)

orange

2019-02-19

After Jenkins released the [Security Advisory](https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595) and fixed the dynamic routing vulnerability on 2018-12-05, I started to organize my notes in order to write this Hacking Jenkins series. While reviewing notes, I found another exploitation way on a gadget that I failed to exploit before! Therefore, the part two is the story for that! This is also one of my favorite exploits and is really worth reading :)

#Advisory #CVE #infoleak #SSRF

Hacking Jenkins Part 1 - Play with Dynamic Routing (EN)

orange

2019-01-16

This article is mainly about a brief security review on Jenkins in the last year. During this review, we found 5 vulnerabilities including: CVE-2018-1999002(Arbitrary file read vulnerability), CVE-2018-1000600(CSRF and missing permission checks in GitHub Plugin), CVE-2018-1999046(Unauthorized users could access agent logs), CVE-2018-1000861(Code execution through crafted URLs), CVE-2019-pending(Sandbox Bypass in Script Security and Pipeline Plugins)

#Advisory #Exim #RCE #CVE

Exim Off-by-one RCE: Exploiting CVE-2018-6789 with Fully Mitigations Bypassing

meh

2018-03-06

We reported an overflow vulnerability in the base64 decode function of Exim on 5 February, 2018, identified as CVE-2018-6789. This bug exists since the first commit of exim, hence ALL versions are affected. According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.

#Advisory #CVE #Vulnerability

Sandstorm Security Review

shaolin

2018-01-26

In order to leverage the vulnerabilities, we put part of efforts into review of Sandstorm's source codes, and tried to escape the sandbox to impact the whole server...

#Advisory #Exim #RCE #CVE

Road to Exim RCE - Abusing Unsafe Memory Allocator in the Most Popular MTA

meh

2017-12-11

On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service (DoS) vulnerability.

#Advisory #Facebook #BugBounty #RCE #CVE

Advisory: Accellion File Transfer Appliance Vulnerability

orange

2016-09-22

According to a public data reconnaissance, there are currently 1,217 FTA servers online around the world, most of which are located in the US, followed by Canada, Australia, UK, and Singapore. Determine from the domain name and SSL Certificate of these servers, FTA is widely used by governmental bodies, educational institutions, enterprises, including several well-known brands.

#Facebook #BugBounty #RCE #Backdoor #Reconnaissance #Pentest

How I Hacked Facebook, and Found Someone's Backdoor Script

orange

2016-04-21

Bug Bounty Hunting from Pentest View, and How to Find Remote Code Execution and Someone's Backdoor on Facebook Server...

BLOG

Tech Editorials

angelboy

angelboy

orange

orange

angelboy

orange

orange

orange

orange

orange

meh

orange

shaolin

orange

orange

meh

shaolin

meh

orange

orange