PT SWARM

How we bypassed bytenode and decompiled Node.js bytecode in Ghidra

Written by Sergey Fedonin on May 13, 2021

I build robots for fun.
Rick Sanchez

It’s common knowledge that in 2019 the NSA decided to open source its reverse engineering framework known as Ghidra. Due to its versatility, it quickly became popular among security researchers. This article is one of many to come dedicated to covering the technical details of the ghidra_nodejs plugin for Ghidra, developed by our team. The plugin’s main job is to parse, disassemble and decompile NodeJS Bytenode (.jsc) binaries. The focus of this article is the V8 bytecode and the relevant source code entities. A brief description of the plugin is also provided, which will be expanded upon in greater detail in subsequent articles.

From 0 to RCE: Cockpit CMS

Written by Nikita Petrov on April 13, 2021

Our team searched for bugs in the source code of Cockpit, an open-source content management system. Here is the description of Cockpit from its official site:

Cockpit is a headless CMS with an API-first approach that puts content first. It is designed to simplify the process of publication by separating content management from content consumption on the client side.
Cockpit is focusing just on the back-end work to manage content. Rather than worry about delivery of content through pages, its goal is to provide structured content across different channels via a simple API.

While investigating the Cockpit source code, we discovered numerous vulnerabilities. Attackers could exploit them to take control of any user account and perform remote code execution.

In this article, I will talk about the technical details and demonstrate how these vulnerabilities can be exploited.

Unauthorized RCE in VMware vCenter

Written by Mikhail Klyuchnikov on February 24, 2021

Since the PoC for the VMware vCenter RCE (CVE-2021-21972) is now readily available, we’re publishing our article covering all of the technical details.

In fall of 2020, I discovered couple vulnerabilities in the vSphere Client component of VMware vCenter. These vulnerabilities allowed non-authorized clients to execute arbitrary commands and send requests on behalf of the targeted server via various protocols:

Unauthorized file upload leading to remote code execution (RCE) (CVE-2021- 21972)
An unauthorized server-side request forgery (SSRF) vulnerabilities (CVE-2021-21973)

In this article, I will cover how I discovered the VMware vSphere client RCE vulnerability, divulge the technical details, and explain how it can be exploited on various platforms.

Swarm of Palo Alto PAN-OS vulnerabilities

Written by Mikhail Klyuchnikov and Nikita Abramov on February 11, 2021

Palo Alto Networks next-generation firewall (NGFW) is one of the leading enterprise firewalls used by companies around the world to protect against various cyber-attacks. It runs on its own operating system «PAN-OS».

In this article, we will analyze the vulnerabilities that lead to:

Arbitrary OS command execution by an authorized user — CVE-2020-2037 and CVE-2020-2038
DoS by an unauthorized user — CVE-2020-2039
Reflected Cross Site Scripting (XSS) — CVE-2020-2036

Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments.

Vulnerabilities in McAfee ePolicy Orchestrator

Written by Mikhail Klyuchnikov on December 7, 2020

This August, I discovered three vulnerabilities in McAfee ePolicy Orchestrator (ePO) version 5.10.0. McAfee ePO is software that helps IT administrators unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions. McAfee ePO provides flexible automated management capabilities for identifying, handling, and responding to security issues and threats.

My testing uncovered three vulnerabilities:

A CSRF + SSRF + MITM chain that, if successfully exploited, allows an attacker who is not logged in to perform remote code execution on the server
Remote code execution by a logged-in user as the result of a ZipSlip attack
Reflected XSS

Vulnerabilities in Checkpoint ICA Management Tool

Written by Mikhail Klyuchnikov and Nikita Abramov on November 25, 2020

Today we will be analysing multiple vulnerabilities that we found in a component of Checkpoint Security Management, which is used in Check Point products. The component in question is the ICA Management Tool.

Path Traversal on Citrix XenMobile Server

Written by Andrey Medov on November 16, 2020

Citrix Endpoint Management, aka XenMobile, is used for managing employee mobile devices and mobile applications. Usually it is deployed on the network perimeter and has access to the internal network due to Active Directory integration. This makes XenMobile a prime target for security research.

During such research a path traversal vulnerability was discovered. This vulnerability allowed an unauthorized user to read arbitrary files, including configuration files containing passwords.

Advanced MSSQL Injection Tricks

Written by PT SWARM Team on November 12, 2020

We compiled a list of several techniques for improved exploition of MSSQL injections. All the vectors have been tested on at least three of the latest versions of Microsoft SQL Server: 2019, 2017, 2016SP2.

Remote Desktop Services Shadowing – Beyond the Shadowed Session

Written by Roman Maximov on October 29, 2020

From time to time in certain situations one needs to have a possibility to view a customer’s user screen to make some proofed screenshots or to get access to an open GUI application window which contains secrets for lateral movement while the legitimate user is connected via RDP and you don’t want to kick them out of the session.

There is a number of third-party software such as VNC, radmin, TeamViewer, etc. on the market to achieve it, but it involves additional actions such as binary delivery, its installation and so on. Moreover, these actions are too noisy and leave a lot of garbage on a remote host.

Luckily, Windows-based systems have an awesome built-in feature (as part of Remote Desktop Protocol) that is unfairly ignored or forgotten. It is called Remote Desktop Services Shadowing.

IDA Pro Tips to Add to Your Bag of Tricks

Written by Vyacheslav Moskvin on September 3, 2020

IDA Pro is the most common software for reverse engineering in the industry. It can decompile the five most common architectures (x86/x64/ARM/PowerPC/MIPS), disassemble more than a hundred rare architectures, and debug most of them.

This article is a selection of my favorite tips for IDA Pro. Let’s get to it!