HackDig : Dig high-quality web security articles for hackers

Vulnerabilities in GNU Readline Fixed

Recently I discovered some vulnerabilities in GNU Readline. These bugs have been fixed in GNU Readline version 8.1. The way I identified the vulnerabilities was rather interesting: I wanted to fuzz another program and wrote a quick harness to test whether my setup worked. This test harness used GNU Readline to read input from stdin and passed the data along to
Published: 2020-10-07 06:27 | Tags: Breaking disclosure fuzzing

ERNW White Paper 69 – Safety Impact of Vulnerabilities in Insulin Pumps

With this blog post I am pleased to announce the publication of a new ERNW White Paper [1]. The paper is about severe vulnerabilities in an insulin pump that we assessed during the project ManiMed, and we are proud to publish this subset of the results today.
Manipulating Medical Devices
The German Federal Office for Information Security (BSI), in its role as the Fed
Published: 2020-09-11 09:06 | Tags: Breaking disclosure ERNW white paper medical

ACM WiSec 2020

Last week I attended ACM WiSec, virtually of course. It was the first virtual conference I attended and, coincidentally, also the first conference I presented at. While the experience was quite different from a “real” conference, the organizers did a great job of making it as good as possible with, for example, a Mattermost instance t
Published: 2020-07-26 15:58 | Tags: Breaking Building Events

CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag

Nowadays, Bluetooth is an integral part of mobile devices. Smartphones interconnect with smartwatches and wireless headphones. By default, most devices are configured to accept Bluetooth connections from any nearby unauthenticated device. Bluetooth packets are processed by the Bluetooth chip (also called a controller), and then passed to the host (Android, L
Published: 2020-05-03 08:57 | Tags: Breaking Android BlueFrag Bluetooth exploit

Medical Device Security: HL7v2 Injections in Patient Monitors

Digital networking is already widespread in many areas of life. In the healthcare industry there is a clear trend towards networked devices, so the number of high-tech medical devices in hospitals is steadily increasing. In this blog post we want to elucidate a vulnerability we identified during the security assessment of a patient monitor. The d
Published: 2020-05-03 08:57 | Tags: Breaking disclosure medical
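The excerpt is cut off before the vulnerability itself, but the title names the bug class, so here is an added example (not code from the original post or from the assessed product) of what an HL7v2 injection looks like in practice. It builds a minimal ADT^A01 message with the vulnerable pattern (values concatenated straight into the message) beside a version that escapes delimiters, and parses both the way a receiving system would. The message layout, identifiers, the sending application name and the injected values are constructed for the example.

```python
"""HL7v2 delimiter injection: a naive message builder beside an escaped one.

Added example, not code from the original post. HL7v2 messages are segments
separated by carriage return, with fields split by '|', components by '^',
repetitions by '~', subcomponents by '&' and the escape character '\\'.
A data value (say, a patient name entered on the monitor) that contains one
of those characters unescaped changes the structure of the message the
receiving system parses. Layout, identifiers and values are constructed.
"""
import re
from typing import Callable

SEGMENT_SEP = "\r"
FIELD_SEP = "|"
ENCODING_CHARS = "^~\\&"  # MSH-2: component, repetition, escape, subcomponent

# Escape sequences HL7v2 defines for its delimiters (v2.x, chapter 2.7).
_ESCAPES = {"\\": "\\E\\", "|": "\\F\\", "^": "\\S\\", "~": "\\R\\", "&": "\\T\\"}
_UNESCAPES = {v: k for k, v in _ESCAPES.items()}


def escape_hl7(value: str) -> str:
    """Escape every delimiter in one data value.

    CR and LF have no escape sequence in HL7v2, so a value carrying them is
    rejected outright instead of being silently stripped: it is either an
    injection attempt or a bug upstream, and both deserve an error.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("segment separator in data value")
    # One pass over the characters, so the backslashes introduced by an
    # escape sequence are never escaped a second time.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_hl7(value: str) -> str:
    """Reverse escape_hl7 for the five delimiter escapes."""
    return re.sub(r"\\[EFSRT]\\", lambda m: _UNESCAPES[m.group(0)], value)


def build_adt_a01(patient_id: str, family: str, given: str, escape: bool = True) -> str:
    """Build a minimal ADT^A01 (admit) message with MSH and PID segments.

    escape=False reproduces the vulnerable pattern: values are concatenated
    straight into the message without escaping.
    """
    enc: Callable[[str], str] = escape_hl7 if escape else (lambda s: s)
    msh = FIELD_SEP.join([
        "MSH", ENCODING_CHARS, "MONITOR", "ICU", "HIS", "HOSPITAL",
        "20200503085700", "", "ADT^A01", "MSG0001", "P", "2.5",
    ])
    # PID-1 set ID, PID-3 patient identifier, PID-5 patient name (family^given)
    pid = FIELD_SEP.join(["PID", "1", "", enc(patient_id), "", f"{enc(family)}^{enc(given)}"])
    return SEGMENT_SEP.join([msh, pid]) + SEGMENT_SEP


def parse_segments(message: str) -> list:
    """Split a message into (segment name, fields) pairs, as a receiver does."""
    segments = []
    for raw in message.split(SEGMENT_SEP):
        if raw:
            name, *fields = raw.split(FIELD_SEP)
            segments.append((name, fields))
    return segments


# Constructed attacker-controlled family name: terminates the PID segment
# and appends a forged OBX (observation) segment reporting a heart rate of 200.
INJECTED_NAME = "Doe\rOBX|1|NM|HR^Heart Rate||200|bpm"


if __name__ == "__main__":
    vulnerable = build_adt_a01("123", INJECTED_NAME, "John", escape=False)
    print([name for name, _ in parse_segments(vulnerable)])  # MSH, PID, OBX
    try:
        build_adt_a01("123", INJECTED_NAME, "John")
    except ValueError as exc:
        print("rejected:", exc)
    print(build_adt_a01("123", "Doe|M", "John").split(SEGMENT_SEP)[1])
```

The field-separator case is the quieter one: a name such as `Doe|M` shifts every later PID field by one on the unescaped path, which a receiver may accept without error, whereas the escaped path keeps it inside PID-5 as `Doe\F\M`.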

DNS exfiltration case study

Lately, we came across a remote code execution in a Tomcat web service by exploiting Expression Language (EL) injection. The vulnerable POST body field expected a number. When we sent ${1+2} instead, the web site included a Java error message about a failed conversion from java.lang.String to java.lang.Long with value "3". From that error message we learned a couple of thin
Published: 2020-03-04 10:31 | Tags: Breaking Building DNS Dora Exfiltration
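The check described above, sending arithmetic where a number is expected and looking for the computed result in the error, is easy to automate. The following is an added example, not code from the original post: a probe that uses two random operands so the evaluated sum cannot appear in the response by accident, together with two constructed stand-in endpoints (one that evaluates EL before type conversion, one that does not) so it runs offline. The error wording, the field and any real target URL are assumptions.

```python
"""Probe a numeric field for Expression Language (EL) evaluation.

Added example, not code from the original post. It automates the check the
excerpt describes: submit an arithmetic expression such as ${1+2} where a
number is expected and look for the computed result in the server's
conversion error rather than the literal payload. The two fake endpoints
are constructed stand-ins; the error text and any real target are assumptions.
"""
import random
import re
from typing import Callable, Optional

# Modelled on the java.lang.String -> java.lang.Long conversion error quoted
# in the excerpt; a real server's wording will differ.
_ERROR_TEMPLATE = (
    "Failed to convert value of type java.lang.String to required type "
    "java.lang.Long; nested exception is java.lang.NumberFormatException: "
    'For input string: "{value}"'
)
_ADD_EXPR = re.compile(r"\$\{(\d+)\s*\+\s*(\d+)\}")


def fake_vulnerable_app(field_value: str) -> str:
    """Constructed endpoint that evaluates ${a+b} before reporting the error.

    Only a plain integer converts cleanly. Anything else fails conversion,
    but the error quotes the value after EL evaluation, which is exactly the
    leak the excerpt observed: ${1+2} produces an error mentioning "3".
    """
    if field_value.isdigit():
        return "OK"
    m = _ADD_EXPR.fullmatch(field_value)
    shown = str(int(m.group(1)) + int(m.group(2))) if m else field_value
    return _ERROR_TEMPLATE.format(value=shown)


def fake_safe_app(field_value: str) -> str:
    """Constructed endpoint with no EL evaluation: the error echoes the input."""
    if field_value.isdigit():
        return "OK"
    return _ERROR_TEMPLATE.format(value=field_value)


def probe_el_evaluation(send: Callable[[str], str],
                        rng: Optional[random.Random] = None) -> bool:
    """Return True when the response reflects the evaluated sum.

    `send` submits one field value and returns the response body. Two random
    four-digit operands make a false positive implausible: the quoted sum
    cannot appear by coincidence, and the raw payload must be absent, so a
    server that merely echoes its input is not flagged.
    """
    rng = rng or random.Random()
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    payload = f"${{{a}+{b}}}"
    body = send(payload)
    return f'"{a + b}"' in body and payload not in body


if __name__ == "__main__":
    print("vulnerable:", probe_el_evaluation(fake_vulnerable_app))  # True
    print("safe:", probe_el_evaluation(fake_safe_app))              # False
```

Against a real target, `send` would be a function that POSTs the payload into the suspect field and returns the response text (for instance with the `requests` library); the detection logic stays the same.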

Critical Bluetooth Vulnerability in Android (CVE-2020-0022)

On November 3rd, 2019, we reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and has now been patched in the February 2020 security patch level. The security impact is as follows: on Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code wi
Published: 2020-02-06 17:15 | Tags: Breaking Vulnerability

Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)

Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin for Pipeline Plugin build scripts. We responsibly disclosed this vulnerability; it has been fixed in the current version of Jenkins and the corresponding Jenkins Security Advisory 2019-09-12 has been published. In this blog post I want to report
Published: 2019-09-20 12:15 | Tags: Breaking advisory Break Out disclosure vulnerability

Security Advisories for Cisco ACI

Cisco has again released security advisories for their software-defined networking (SDN) solution, Application Centric Infrastructure (ACI). As before (see blog post here), the published advisories originated from research performed in our ACI lab. The following advisories have been published: Cisco Nexus 9000 Series Fabric Switches ACI Mode Fabric Infras
Published: 2019-09-19 17:15 | Tags: Breaking advisory Cisco

Multiple Vulnerabilities in innovaphone VoIP Products Fixed

Dear all, innovaphone has fixed several vulnerabilities in two VoIP products that we disclosed a while ago. The affected products are the Linux Application Platform and the IPVA. Unfortunately, the release notes are not public (yet?) and the vendor does not include information about the vulnerabilities in the Linux Application Platform. Therefore, we decided t
Published: 2019-09-19 17:15 | Tags: Breaking VoIP

How to break out of restricted shells with tcpdump

During security assessments we sometimes obtain access to a restricted shell on a target system. To advance further and gain complete control of the system, the next step is usually to break out of this shell. If the restricted shell provides access to certain system binaries, these binaries can often be abused to perform such a breakout. Here we would l
Published: 2019-09-19 17:15 | Tags: Breaking Break Out Restricted Shell
