To properly assess the security of a web application, it’s important to analyze it with regard to the server it will run on. Many things depend on the server, from processing user requests to the easiest way of achieving RCE. Armed with knowledge about the server, we can identify vulnerabilities in an application and make it more secure.
In this article we’ll look at Jetty, a well-known web server and Java web container that is typically deployed behind an Apache or NGINX proxy server. Here’s what we’ll cover:
How to find paths to all web applications on the server.
How to achieve RCE using an XML file.
How to bypass a web application firewall and remain unnoticed.
Last year we found a lot of exciting vulnerabilities in VMware products. They were disclosed to the vendor, responsibly and have been patched. It’ll be a couple of articles, that disclose the details of the most critical flaws. This article covers unauthenticated RCEs in VMware View Planner (CVE-2021-21978) and in VMware vRealize Business for Cloud (CVE-2021-21984).
We want to thank VMware and their security response center for responsible cooperation. During the collaboration and communication, we figured out, that the main goal of their approach to take care of their customers and users.
In February 2021, we had the opportunity to assess the HyperFlex HX platform from Cisco during a routine customer engagement. This resulted in the detection of three significant vulnerabilities. In this article we discuss our findings and will explain why they exist in the platform, how they can be exploited and the significance of these vulnerabilities.
The vulnerabilities discussed have been assigned CVE ID’s and considered in Cisco’s subsequent Security Advisories (1, 2). These are:
Since the PoC for the VMware vCenter RCE (CVE-2021-21972) is now readily available, we’re publishing our article covering all of the technical details.
In fall of 2020, I discovered couple vulnerabilities in the vSphere Client component of VMware vCenter. These vulnerabilities allowed non-authorized clients to execute arbitrary commands and send requests on behalf of the targeted server via various protocols:
Unauthorized file upload leading to remote code execution (RCE) (CVE-2021- 21972)
An unauthorized server-side request forgery (SSRF) vulnerabilities (CVE-2021-21973)
In this article, I will cover how I discovered the VMware vSphere client RCE vulnerability, divulge the technical details, and explain how it can be exploited on various platforms.
Palo Alto Networks next-generation firewall (NGFW) is one of the leading enterprise firewalls used by companies around the world to protect against various cyber-attacks. It runs on its own operating system «PAN-OS».
In this article, we will analyze the vulnerabilities that lead to:
This August, I discovered three vulnerabilities in McAfee ePolicy Orchestrator (ePO) version 5.10.0. McAfee ePO is software that helps IT administrators unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions. McAfee ePO provides flexible automated management capabilities for identifying, handling, and responding to security issues and threats.
My testing uncovered three vulnerabilities:
A CSRF + SSRF + MITM chain that, if successfully exploited, allows an attacker who is not logged in to perform remote code execution on the server
Remote code execution by a logged-in user as the result of a ZipSlip attack
Today we will be analysing multiple vulnerabilities that we found in a component of Checkpoint Security Management, which is used in Check Point products. The component in question is the ICA Management Tool.
This is Big-IP, an application delivery and security services platform by F5 Networks, namely its Traffic Management User Interface (TMUI). In this article I will show how I’ve managed to discover CVE-2020-5902, an Unauthenticated Remote Command Execution vulnerability, in its web interface.
The CVE-2020-5902 vulnerability has been assigned a CVSS score of 10, the highest possible. According to the Threat Intelligence Services of Positive Technologies, before the fixes there were more than 8,000 devices available on the Internet and vulnerable to this issue.
Many of you have probably heard of the CVE-2019-19781 vulnerability that I discovered at the end of last year. It is a critical vulnerability in Citrix ADC that allows unauthorized users to execute arbitrary operating system commands.
It caused quite a stir when Citrix released its guidelines for addressing the vulnerability since approximately 80,000 companies from around the globe were threatened by the problem. Another reason why the vulnerability attracted so much attention because Citrix ADC is installed on the border between external and internal organization networks. Thus, when a hacker exploits the CVE-2019-19781 vulnerability, he or she simultaneously gains access to the targeted company’s internal network and is able to develop attacks on the private segment of the network.