Tag: Web Application Security

Exploiting Arbitrary Object Instantiations in PHP without Custom Classes

Written by Arseniy Sharoglazov on July 14, 2022

During an internal penetration test, I discovered an unauthenticated Arbitrary Object Instantiation vulnerability in LAM (LDAP Account Manager), a PHP application.

PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes. In my case, the vulnerable code could have been shortened to one simple construction:

new $_GET['a']($_GET['b']);

That’s it. There was nothing else there, and I had zero custom classes to give me a code execution or a file upload. In this article, I explain how I was able to get a Remote Code Execution via this construction.

Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager

Written by Egor Dimitrenko on February 25, 2022

Last year we found a lot of exciting vulnerabilities in VMware products. The vendor was notified and they have since been patched. This is the second part of our research. This article covers an Authentication Bypass in VMware Carbon Black Cloud Workload Appliance (CVE-2021-21978) and an exploit chain in VMware vRealize Operations (CVE-2021-21975, CVE-2021-22023, CVE-2021-21983) which led to Remote Code Execution.

Hunting for bugs in VMware: View Planner and vRealize Business for Cloud

Written by Mikhail Klyuchnikov and Egor Dimitrenko on February 15, 2022

Last year we found a lot of exciting vulnerabilities in VMware products. They were disclosed to the vendor, responsibly and have been patched. It’ll be a couple of articles, that disclose the details of the most critical flaws. This article covers unauthenticated RCEs in VMware View Planner (CVE-2021-21978) and in VMware vRealize Business for Cloud (CVE-2021-21984).

We want to thank VMware and their security response center for responsible cooperation. During the collaboration and communication, we figured out, that the main goal of their approach to take care of their customers and users.

Fuzzing for XSS via nested parsers condition

Written by Igor Sak-Sakovskiy on December 29, 2021

When communicating online, we constantly use emoticons and put text in bold. Some of us encounter markdown on Telegram or GitHub, while forum-dwellers might be more familiar with BBCode.

All this is made possible by parsers, which find a special string (code/tag/character) in messages and convert it into beautiful text using HTML. And as we know, wherever there is HTML, there can be XSS.

This article reveals our novel technique for finding sanitization issues that could lead to XSS attacks. We show how to fuzz and detect issues in the HTML parsers with nested conditions. This technique allowed us to find a bunch of vulnerabilities in the popular products that no one had noticed before.

The technique was presented at Power Of Community 2021.

Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings

Written by Nikita Abramov and Mikhail Klyuchnikov on September 29, 2021

In February 2021, we had the opportunity to assess the HyperFlex HX platform from Cisco during a routine customer engagement. This resulted in the detection of three significant vulnerabilities. In this article we discuss our findings and will explain why they exist in the platform, how they can be exploited and the significance of these vulnerabilities.

The vulnerabilities discussed have been assigned CVE ID’s and considered in Cisco’s subsequent Security Advisories (1, 2). These are:

CVE-2021-1497
Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability (CVSS Base Score: 9.8);
CVE-2021-1498
Cisco HyperFlex HX Data Platform Command Injection Vulnerability (CVSS Base Score: 7.3);
CVE-2021-1499
the Cisco HyperFlex the HX the Data Platform the Upload the File Vulnerability (CVSS Base Score: 5.3)

From 0 to RCE: Cockpit CMS

Written by Nikita Petrov on April 13, 2021

Our team searched for bugs in the source code of Cockpit, an open-source content management system. Here is the description of Cockpit from its official site:

Cockpit is a headless CMS with an API-first approach that puts content first. It is designed to simplify the process of publication by separating content management from content consumption on the client side.
Cockpit is focusing just on the back-end work to manage content. Rather than worry about delivery of content through pages, its goal is to provide structured content across different channels via a simple API.

While investigating the Cockpit source code, we discovered numerous vulnerabilities. Attackers could exploit them to take control of any user account and perform remote code execution.

In this article, I will talk about the technical details and demonstrate how these vulnerabilities can be exploited.

Unauthorized RCE in VMware vCenter

Written by Mikhail Klyuchnikov on February 24, 2021

Since the PoC for the VMware vCenter RCE (CVE-2021-21972) is now readily available, we’re publishing our article covering all of the technical details.

In fall of 2020, I discovered couple vulnerabilities in the vSphere Client component of VMware vCenter. These vulnerabilities allowed non-authorized clients to execute arbitrary commands and send requests on behalf of the targeted server via various protocols:

Unauthorized file upload leading to remote code execution (RCE) (CVE-2021- 21972)
An unauthorized server-side request forgery (SSRF) vulnerabilities (CVE-2021-21973)

In this article, I will cover how I discovered the VMware vSphere client RCE vulnerability, divulge the technical details, and explain how it can be exploited on various platforms.

Swarm of Palo Alto PAN-OS vulnerabilities

Written by Mikhail Klyuchnikov and Nikita Abramov on February 11, 2021

Palo Alto Networks next-generation firewall (NGFW) is one of the leading enterprise firewalls used by companies around the world to protect against various cyber-attacks. It runs on its own operating system «PAN-OS».

In this article, we will analyze the vulnerabilities that lead to:

Arbitrary OS command execution by an authorized user — CVE-2020-2037 and CVE-2020-2038
DoS by an unauthorized user — CVE-2020-2039
Reflected Cross Site Scripting (XSS) — CVE-2020-2036

Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments.

Vulnerabilities in McAfee ePolicy Orchestrator

Written by Mikhail Klyuchnikov on December 7, 2020

This August, I discovered three vulnerabilities in McAfee ePolicy Orchestrator (ePO) version 5.10.0. McAfee ePO is software that helps IT administrators unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions. McAfee ePO provides flexible automated management capabilities for identifying, handling, and responding to security issues and threats.

My testing uncovered three vulnerabilities:

A CSRF + SSRF + MITM chain that, if successfully exploited, allows an attacker who is not logged in to perform remote code execution on the server
Remote code execution by a logged-in user as the result of a ZipSlip attack
Reflected XSS

Vulnerabilities in Checkpoint ICA Management Tool

Written by Mikhail Klyuchnikov and Nikita Abramov on November 25, 2020

Today we will be analysing multiple vulnerabilities that we found in a component of Checkpoint Security Management, which is used in Check Point products. The component in question is the ICA Management Tool.