-
Dell KACE K1000 Remote Code Execution – the Story of Bug K1-18652
This is the story of an unauthenticated RCE affecting one of Dropbox’s in scope vendors during last year’s H1-3120 event. It’s one of my more recon-intensive, yet simple, vulnerabilities, and it (probably) helped me to become MVH by the end of the day ;-). TL;DR It’s all about an undisclosed but fixed bug in the…
/
-
H1-3120: MVH! (H1 Event Guide for Newbies)
Here’s another late post about my coolest bug bounty achievement so far! In May I’ve participated in HackerOne’s H1-3120 in the beautiful city of Amsterdam with the goal to break some Dropbox stuff. It was a really tough target, but I still managed to find some juicy bugs! According to d0nutptr of the Dropbox team,…
/
-
H1-415: Hacking My Way Into the Top 4 of the Day
I’ve always wanted to visit San Francisco! So I was really happy about an email from HackerOne inviting me to this beautiful city in April. But they did not cover all the costs for my international flights and the hotel room just for my personal city trip – they had something really nasty in mind:…
/
-
H1-212 CTF: Breaking the Teapot!
With the h1-212 CTF, HackerOne offered a really cool chance to win a visit to New York City to hack on some exclusive targets in a top secret location. To be honest, I’m not a CTF guy at all, but this incentive caught my attention. The only thing one had to do in order to…
/
-
CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data
The authors of check_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the oldstable version 1.2.8p25 and below of both check_mk and check_mk Enterprise. It’s basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure…
/
-
CVE-2017-14956: AlienVault USM Leaks Sensitive Compliance Information via CSRF
I usually try to avoid blogging about Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, just because they are basically everywhere – except if they can be used to achieve something cool 😉 In this specific case I have found a particularly interesting CSRF vulnerability, which allows attackers to extract very sensitive compliance information…from a costly…
/
-
Upgrade from LFI to RCE via PHP Sessions
I recently came across an interesting Local File Inclusion vulnerability in a private bug bounty program which I was able to upgrade to a Remote Code Execution. The interesting fact about this and what makes it different is that the underlying operating system was pretty hardened and almost all usual ways to upgrade your LFI…
/
-
OK Google, Give Me All Your Internal DNS Information!
In late January, I have found and reported a Server-Side Request Forgery (SSRF) vulnerability on toolbox.googleapps.com to Google’s VRP, which could be used to discover and query internal Google DNS servers to extract all kinds of corporate information like used internal IP addresses across the company as well as A and NS records exposing all kinds of hosts like…
/
-
RCESEC-2016-012: Mattermost <= 3.5.1 Error Page Cross-Site Scripting / Content Injection
I’m quite busy with bug bounties lately, but sometimes I still discover stuff, which might also be interesting for the rest of you ;-). So here’s quick writeup about a quite interesting vulnerability in the open source Slack-alternative Mattermost, which I have found in December last year and coordinated with the Mattermost team. You can also read about the full advisory…
/