Security Research | RCE Security

Articles

Feb 16, 2026

When Audits Fail Part 2: From Pre-Auth SSRF to RCE in TRUfusion Enterprise

A pre-auth SSRF in TRUfusion Enterprise (CVE-2025-32355) allows external attackers to reach internal-only services via a misconfigured reverse proxy. This enables access to the internal Axis2 file-upload service "WsPortalV6UpDwAxis2Impl" using default credentials, while a path traversal in upload path handling (CVE-2025-59793) enables arbitrary file writes to web-accessible directories. Chained together, these flaws enable unauthenticated remote code execution.

Nov 19, 2025

Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress <= 2.9.1 (CVE-2025-9501)

We recently came across a very brief vulnerability announcement made by WPScan about CVE-2025-9501, which is described as an "Unauthenticated Command Injection" in the quite famous W3 Total Cache plugin for WordPress affecting all versions up to 2.8.13. This immediately caught our attention because with 1+ million active installations, it is one of the more wide-spread plugins, which we've also encountered numerous times in our customer pentests.

Sep 30, 2025

When Audits Fail Part 1: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise

In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn't expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights.

Jun 30, 2025

What the NULL?! Pre-Auth Wing FTP Server RCE (CVE-2025-47812)

While performing a penetration test for one of our Continuous Penetration Testing customers, we've found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding.

Apr 10, 2025

SAP Emarsys SDK for Android Sensitive Data Leak (CVE-2023-6542)

In late 2023, we've discovered and coordinated a quite interesting vulnerability affecting the Emarsys SDK for Android versions 3.6.1 and below with the respective vendor, SAP. While the overall coordination process went smoothly, the security advisory published by SAP only had a brief and partially misleading description of the vulnerability: Due to the lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application.

Aug 26, 2024

WordPress GiveWP POP to RCE (CVE-2024-5932)

A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular Wordpress Plugin GiveWP in all versions donor_meta->get_meta() method. Bypassing stripslashes\_deep One thing that does not immediately stand out but will get important later is the usage of stripslashes_deep during the validation of the $user_info array, which contains the vulnerable user_title attribute: Why is that important?

Jul 3, 2023

Patch Diffing CVE-2023-28121 to Compromise a WooCommerce

Back in March 2023, I noticed an interesting security advisory that was published by Wordfence about a critical "Authentication Bypass and Privilege Escalation" (aka CVE-2023-28121) affecting the "WooCommerce Payments" plugin which has more than 600.000 active installs according to WordPress. Since one of my customers was running a WooCommerce instance with the vulnerable version of the plugin, but there wasn't a publicly available PoC/exploit back then, I decided to look at it and build an exploit for it.

Apr 12, 2023

SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897)

While my last finding affecting SecurePoint's UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. The following exploit works against both the admin portal on port 11115 as well as the user portal on port 443.

Apr 11, 2023

SecurePwn Part 1: Bypassing SecurePoint UTM's Authentication (CVE-2023-22620)

While working on a recent customer engagement, I discovered two fascinating and somewhat weird bugs in SecurePoint's UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall's administrative panel.

Dec 1, 2022

From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM (CVE-2022-21225)

Introduction You've probably enjoyed my previous post about bypassing Intel DCM's authentication mechanism to gain unauthorized access. This gave us the lowest possible "Guest" privileges in the DCM console.

Nov 23, 2022

From Zero to Hero Part 1: Bypassing Intel DCM's Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)

TL;DR Intel's Data Center Manager Console is a real-time monitoring and management all-in-one console that allows you to manage your entire data center. This small series of two blog posts covers an entire vulnerability chain that goes from an unauthenticated user to full remote code execution against Intel's Data Center Manager (up to version 4.1.1.45749).

Jul 22, 2022

WordPress Transposh: Exploiting a Blind SQL Injection via XSS

Introduction You probably have read about my recent swamp of CVEs affecting a WordPress plugin called Transposh Translation Filter, which resulted in more than $30,000 in bounties: [\[CVE-2021-24910\] Transposh &: It's still a limitation, but easy to work around: we're just going to replace the required comparison characters with a between x and y. We don't actually care about " and & since the payload doesn't really require them.

Apr 22, 2022

AWAE Course and OSWE Exam Review

Introduction This is a review of the Advanced Web Attacks and Exploitation (WEB-300) course and its OSWE exam by Offensive-Security. I've taken this course because I was curious about what secret tricks this course will offer for its money, especially considering that I've done a lot of source code reviews in different languages already.

Nov 13, 2020

Smuggling an (Un)exploitable XSS

This is the story about how I've chained a seemingly uninteresting request smuggling vulnerability with an even more uninteresting header-based XSS to redirect network-internal web site users without any user interaction to arbitrary pages. This post also introduces a 0day in ArcGis Enterprise Server.

Sep 14, 2020

CVE-2020-16171: Exploiting Acronis Cyber Backup for Fun and Emails

You have probably read one or more blog posts about SSRFs, many being escalated to RCE. While this might be the ultimate goal, this post is about an often overlooked impact of SSRFs: application logic impact.

Jul 22, 2020

Bug Bounty Platforms vs. GDPR: A Case Study

What Do Bug Bounty Platforms Store About Their Hackers? I do care a lot about data protection and privacy things. I've also been in the situation, where a bug bounty platform was able to track me down due to an incident, which was the initial trigger to ask myself: How did they do it?

Sep 10, 2019

H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress

TL;DR While doing recon for H1-4420, I stumbled upon a Wordpress blog that had a plugin enabled called SlickQuiz. Although the latest version 1.3.7.1 was installed and I haven't found any publicly disclosed vulnerabilities, it still somehow sounded like a bad idea to run a plugin that hasn't been tested with the last three major versions of Wordpress.

Jun 20, 2019

About a Sucuri RCE...and How Not to Handle Bug Bounty Reports

TL;DR Sucuri is a self-proclaimed "most recommended website security service among web professionals" offering protection, monitoring and malware removal services. They **ran** a Bug Bounty program on HackerOne and also blogged about how important security reports are.

May 13, 2019

CVE-2018-7841: Schneider Electric U.Motion Builder Remote Code Execution 0-day

I came across an unauthenticated Remote Code Execution vulnerability (called CVE-2018-7841) on an IoT device which was apparently using a component provided by Schneider Electric called U.Motion Builder. While I've found it using my usual BurpSuite foo, I later noticed that there is already a public advisory about a very similar looking issue published by ZDI named Schneider Electric U.Motion Builder track\_import\_export SQL Injection Remote Code Execution Vulnerability (ZDI-17-378) aka CVE-2018-7765).

Apr 9, 2019

Dell KACE K1000 Remote Code Execution - the Story of Bug K1-18652

This is the story of an unauthenticated RCE affecting one of Dropbox's in scope vendors during last year's H1-3120 event. It's one of my more recon-intensive, yet simple, vulnerabilities, and it (probably) helped me to become MVH by the end of the day ;-).

Jun 29, 2018

H1-3120: MVH! (H1 Event Guide for Newbies)

Here's another late post about my coolest bug bounty achievement so far! In May I've participated in HackerOne's H1-3120 in the beautiful city of Amsterdam with the goal to break some Dropbox stuff.

May 3, 2018

H1-415: Hacking My Way Into the Top 4 of the Day

I've always wanted to visit San Francisco! So I was really happy about an email from HackerOne inviting me to this beautiful city in April. But they did not cover all the costs for my international flights and the hotel room just for my personal city trip - they had something really nasty in mind: hacking Oath!

Oct 18, 2017

CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data

The authors of check\_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the oldstable version 1.2.8p25 and below of both check\_mk and check\_mk Enterprise. It's basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure of authentication credentials to an unauthenticated user.

Oct 13, 2017

CVE-2017-14956: AlienVault USM Leaks Sensitive Compliance Information via CSRF

I usually try to avoid blogging about Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, just because they are basically everywhere - except if they can be used to achieve something cool ;-) In this specific case I have found a particularly interesting CSRF vulnerability, which allows attackers to extract very sensitive compliance information...from a costly security appliance! Security Appliances are vulnerable too!

Aug 28, 2017

Upgrade from LFI to RCE via PHP Sessions

I recently came across an interesting Local File Inclusion vulnerability in a private bug bounty program which I was able to upgrade to a Remote Code Execution. The interesting fact about this and what makes it different is that the underlying operating system was pretty hardened and almost all usual ways to upgrade your LFI were blocked or failed silently.

Mar 1, 2017

OK Google, Give Me All Your Internal DNS Information!

In late January, I have found and reported a Server-Side Request Forgery (SSRF) vulnerability on toolbox.googleapps.com to Google's VRP, which could be used to discover and query internal Google DNS servers to extract all kinds of corporate information like used internal IP addresses across the company as well as A and NS records exposing all kinds of hosts like Google's Active Directory structures and also a fancy Minecraft server! :-) So here's a quick write-up about the vulnerability.

Jun 27, 2016

SLAE Course and Exam Review

As you may have noticed, I have posted a couple of articles about my SecurityTube Linux Assembly Expert exam during the last months. Now that I have successfully completed the course, I just want to share my thoughts about it for those of you who think about taking the course but are unsure if it's the right one.

Apr 28, 2016

SLAE: Custom Crypter (Linux/x86)

Do you want to fool antivirus software? When you look through hacking forums for a solution to this, you will likely encounter the term "crypter". You will also find this tool in the arsenal of every advanced penetration tester and it is the obvious standard for an advanced persistent threat (APT).

Apr 12, 2016

SLAE: Polymorphic Shellcodes (Linux/x86)

Question: How can signature-based Intrusion Detection systems be defeated? Answer: Using polymorphic shellcodes! This might sound really crazy and cyber, but it has nothing to do with inventing fancy new hacking techniques, it's rather about puzzling.

Feb 23, 2016

Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass

Better late than never. This article will give you some insights about my discovered generic Cross-Site Request Forgery Protection Bypass in Ubiquiti's UniFi v3.2.10 and below, as published some time earlier this year on HackerOne.

Sep 16, 2015

CVE-2015-5956: Bypassing the TYPO3 Core XSS Filter

TYPO3 is the most widely used enterprise content management system with more than 500.000 installations. I have recently discovered a Non-Persistent Cross-Site Scripting vulnerability in its core and disclosed the details of the vulnerability publicly as CVE-2015-5956.

Sep 3, 2015

CVE-2014-7216: A Journey Through Yahoo''s Bug Bounty Program

I have published another security advisory about a vulnerability, which I have "recently" reported to Yahoo! via their Bug-Bounty program hosted by HackerOne. So this blog post is about the technical details of the CVE-2014-7216 (which is not very thrilling), but more about my experience with Yahoo's Bug Bounty program.

Aug 13, 2015

SLAE: Dissecting Msfvenom Payloads (Linux/x86)

One very common tool among penetration testers is Metasploit, which includes a lot of nice exploits and payloads. The 5th assignment of the SecurityTube Linux Assembly Expert certification is about Metasploit shellcode analyses for Linux/x86 target systems.

Jan 18, 2015

SLAE: Custom RBIX Shellcode Encoder/Decoder

Anti-Virus and Intrusion Detection Systems could become really nasty during a penetration test. They are often responsible for unstable or ineffective exploit payloads, system lock-downs or even angry penetration testers ;-) .

Nov 20, 2014

Google Bug Bounty: Nice Catch on Google Cloud Platform Live

It's been a while since I've published my last article, this is mainly because I'm currently working on a nice project overseas in Asia and enjoying this relaxed life here a little bit. Therefore I also keep this blog post a little short, because it's just for the record.

Aug 23, 2014

SLAE: Egg Hunters (Linux/x86)

Happy Easter everyone! Have you already found all your hidden eggs? No?

Jul 25, 2014

SLAE: Shell Reverse TCP Shellcode (Linux/x86)

Now Mario meets Luigi....or what's a bind without a reverse shellcode? I've spend some extra time again to reduce the shellcode size and make it fully register aware, so that this shellcode could handle every exploit-scenario.

Jul 13, 2014

SLAE: Shell Bind TCP Shellcode (Linux/x86)

Do you like uncommon challenges? At least I do, and that's the reason why I've signed up for the SecurityTube Linux Assembly Expert training. But what's this all about ?

May 31, 2014

Easy File Management Web Server v5.3 Exploit-Kung Fu

During the last few days a lot of nice Remote Exploits have been released over at Exploit-DB by one of my followers Harold aka superkojiman targeting applications by EFS Software Inc. First of all: Kudos to Harold, you did a really nice job :-)!

Apr 26, 2014

Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)

The German Magix Software GmbH rewarded me with a Hall of Fame listing and a free Magix Music Maker 2014 Premium license for my reports of several serious security issues in the online infrastructures of magix.com and xara.com, which could be used to break both sites entirely: At this point, I'd like to thank the Magix Security Team for their really fast and always transparent responses and the good coordination process as a whole. This is a perfect example of how the communication between the bug bounty operator and the researcher can satisfy both parties.

Mar 2, 2014

CVE-2014-2206: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution

I've published another security advisory about a remote code execution vulnerability with a CVSS score of 10,0 today. Affected are all available versions of the GetGo Download Manager, so if you're still using this software you should immediately switch to a more secure one, because the GetGo project is dead, but still high-rated by cnet.com.

Feb 19, 2014

VideoCharge Studio v2.12.3.685 GetHttpResponse() Remote Code Execution

I'm focusing on exploit development at the moment and it's time to raise the level to my personal next challenge: I've rm -rf'ed my Windows XP virtual machine! Now I'm happy to announce and document my first full VirtualProtect() ROP Remote Code Execution Exploit, which bypasses all known security mechanisms on Windows 7 - like SafeSEH, ASLR and DEP.

Jan 21, 2014

Mandriva, Netcup, Teamdrive and Wallstreet-Online Fix XSS Vulnerabilities

It's 2014 and I have to tidy up my discovery archive a bit ;-) . Before joining the Internetwache.org project I have coordinated all found vulnerabilities by myself and these are the last ones which have been fixed in late 2013.

Nov 27, 2013

CVE-2013-3934: Kingsoft Office Writer v2012 8.1.0.3385 Buffer Overflow SafeSEH Bypass Exploit

Hello readers, Pop a calculator here, pop one there! I'm focusing on exploit development at the moment, because I love calculators ;-). My exploit targets the vulnerability described in CVE-2013-3934: Stack-based buffer overflow in Kingsoft Writer 2012 8.1.0.3030, as used in Kingsoft Office 2013 before 9.1.0.4256, allows remote attackers to execute arbitrary code via a long font name in a WPS file.

Nov 16, 2013

CVE-2013-6356: Avira Secure Backup v1.0.0.1 Buffer Overflow - Anatomy of a Vulnerability

Hello Followers, Avira is one of the leading Anti-Virus vendors and also the biggest one in Germany. Security is their daily business and they've done a quite nice job in hardening their products.

Oct 21, 2013

CVE-2013-5702: Watchguard Server Center v11.7.4 Multiple XSS Vulnerabilities

Great news from the vulnerability front! I'm happy to see that the quality of vulnerability coordination with Watchguard evolved to my satisfaction during the past few months and the following new vulnerability disclosure proves that.

Sep 26, 2013

PayPal Bug Bounty: PayPaltech.com E-Mail Injection'

Bag the bug! I've reported another interesting vulnerability to the PayPal site security team in May 2013 affecting their domain www.paypaltech.com, which is in scope of the official Bug Bounty program.

Sep 8, 2013

CVE-2013-5701: Watchguard Server Center v11.7.4 wgpr.dll Local Privileges Escalation Vulnerability

Hello readers, this is my first article in a series about vulnerabilities in Watchguard products. Watchguard is a self-proclaimed NextGen Security vendor building security appliances for complete network protection.

Jul 1, 2013

WinAmp v5.64 Fixes Several Code Execution Vulnerabilities (CVE-2013-4694, CVE-2013-4695)

In early June I've reported several security vulnerabilities in Nullsoft's flagship product WinAmp to the devs. I received an amazing fast answer from the WinAmp Team acknowledging all reported security vulnerabilities.

Jun 8, 2013

Microsoft Fixes 7 XSS Flaws on MSN

Earlier this year, I've reported 7 XSS flaws on different pages of the Dutch MSN Entertainment site to the Microsoft Security Response Center (MSRC case #14103cl) and immediately received a response - not as fast as HP did previously on my HP IMC flaw - but still very fast ;-). In contrast to Google or Facebook, Microsoft does not provide any kind of bugbounty program - they'd probably lose too much money with such a program :-D - just joking!

May 5, 2013

ABBS Audio Media Player v3.1 WinALL Exploit

A few weeks ago, one of my followers asked me if I can help him writing a functional exploit for the current version of the Audio Media Player by ABBS because he's experiencing problems with successfully exploiting a NULL-byte issue. All exploits that are available over at the Exploit Database like this one or even this Metasploit module are either only working on specific versions of Windows or are not working with the current version of the application.

May 1, 2013

OSCP Course and Exam Review

As you may have noticed - it went quiet on my blog in the last few weeks. I was heavily working on the challenging Offensive-Security Labs to obtain my **O**ffensive-**S**ecurity **C**ertified **P**rofessional (OSCP) certification.

Apr 13, 2013

PayPal Bug Bounty: PayPaltech.com XSS

Great news! Today I received the second payment for another valid Cross-Site Scripting vulnerability covered by PayPal's bug bounty program. This time the domain www.paypaltech.com was affected, which provides scripts and samples used for Instant Payment Notifications (IPNs).

Mar 26, 2013

Bezirk-Niederbayern.de Fixes Critical SQL-Injection Flaw After 8 Months - Are We Ready For CyberWar?

That's amazing bad. Where should I start? In July 2012 I've reported a critical SQL - Injection flaw on the official website of Lower Bavaria alongside another small XSS flaw to the owner of the website.

Mar 16, 2013

TÜV-Nord Fixes Multiple XSS Flaws after Consulting the Data Security Officer of Niedersachsen

Hello readers! Take a moment and read the following article on Wikipedia about the German TÜV which is described as: TÜVs (German pronunciation: \[ˈtʏf\]; short for German: Technischer Überwachungs-Verein, English: Technical Inspection Association) are German organizations that work to validate the safety of products of all kinds to protect humans and the environment against hazards.

Mar 13, 2013

CVE-2014-2087: Free Download Manager CDownloads_Deleted:: UpdateDownload() Remote Code Execution

I've discovered another 0day Remote Code Execution flaw in a CNET.com Top10 software of its category, which has been downloaded more than 6 million times right now. Affected Versions and CVSS I've successfully verified the vulnerability in the following versions (but any older versions may be affected too): Free Download Manager v3.9.3 build 1360 (latest) Free Download Manager v3.8 build 1173 Free Download Manager v3.0 build 852 The CVSS score is 9,3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) because there is a little bit of user interaction needed.

Mar 5, 2013

HP Intelligent Management Center v5.1: Bypassing javax.faces.ViewState CSRF Protection

Have you read my last advisory about the HP Intelligent Management Center v5.1 E0202 topoContent.jsf Non-Persistent Cross-Site Scripting Vulnerability ? You should do! Taken by itself it's not even an interesting vulnerability.

Jan 9, 2013

Marc O'Polo and United Cinemas International Fix XSS Security Flaws

Another day, some new XSS flaws. At first the big fashion label Marc O'Polo fixed a major Cross-Site Scripting issue in their online shop system. Good news, because a malicious attacker was able to use this security hole to hijack (and steal) every account including all personal customer details.

Nov 27, 2012

Bavarian Social Democratic Party Fixes Several Security Flaws

In early November, I found several Cross-Site Scripting vulnerabilites on the official website of the bavarian social democrats (also called "SPD" - which is the oldest political party in Germany) and immediately notified the official press office about the flaws. It took some days until I received an answer, which is OK for such a big government-run website...honestly ?

Nov 19, 2012

FormatFactory v3.0.1 Profile File Handling Buffer Overflow Exploit

Here's a working exploit for an already disclosed bug - including SafeSEH Bypass - and for the actual version, which is still vulnerable. Sadly. An important side - note!

Nov 9, 2012

Bypassing SafeSEH Memory Protection in Zoner Photo Studio v15

My last advisory IA42 "Zoner Photo Studio v15 Build3 (Zps.exe) Registry Value Parsing Local Buffer Overflow" looks like a general exploitable vulnerability, but it is quite interesting to exploit because there is a major memory protection in use: SafeSEH. But first of all, let's have a look at the PoC-Script, which demonstrates the vulnerability: The application loads the value from the "Issuer" Registry key during the launch and crashes: May the exploit development begin.

Oct 10, 2012

(PayPal) Bug Bounty - A handy way to secure your website

Great news! A few months ago I submitted a Cross-Site Scripting Vulnerability to the official Bug Bounty program of PayPal: It was accepted, fixed, and fully paid out, and I was very excited about the nice bounty :-).

Sep 30, 2012

Hamburg.de fixes security flaw within hours!

Hamburg.de - The website of the most beautiful city in Germany which is famous for its big port and its amazing atmosphere. Some days ago I had found a Non-Persistent Cross-Site Scripting vulnerability on this website and informed the team of Hamburg.de about the flaw in detail.

Sep 23, 2012

NCMedia Sound Editor Pro v7.5.1 Windows 7 Exploit

First of all...thanks b33f from fuzzysecurity.com for your hint which helped a lot in solving the reliability issue of my last exploit :-) ! In my last article I wrote about a missing **reliable** way of executing shellcode.

Sep 16, 2012

Exploiting the NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Vulnerability with the help of mona.py

My latest finding: A classic buffer overflow. And this time I've used the great mona.py script created by the corelan team to exploit the vulnerability. It helps to find memory addresses for all of your stack adjustment needs (beside this, the script has got a lot of other powerful functions too).

Jun 10, 2012

[CVE-2012-3238] Astaro Security Gateway <= v8.304 Persistent Cross-Site Scripting Vulnerability

Hello readers. This time I've found a quite interesting vulnerability in the widely spread firewall appliance "Astaro Security Gateway" (ASG) which is now maintained by Sophos. Although it only has got an assigned CVSSv2 Score of 3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N), it offers some possibilities to a remote attacker.

Jun 8, 2012

Critical vulnerability on Kiel.de fixed

www.kiel.de - the website of the state capital of "Schleswig-Holstein" in northern Germany which is very famous for the "Kieler Woche". Some weeks ago I stumbled over a critical SQL-Injection vulnerability on their website and immediatley notified the webmaster about the flaw and its importance.

May 18, 2012

Mozilla fixes Cross-Site Scripting Vulnerability on the Developer Network

In April, I stumbled over a Cross-Site Scripting vulnerability on the Mozilla Developer Network! Due to improper input validation mechanisms an attacker could temporarily inject own code into user browser sessions with required user interaction using manipulated URLs: which could then be used e.g.

Apr 30, 2012

SUSE fixes XSS flaw

Some days ago...I have found a Cross-Site Scripting Vulnerability on www.suse.com - the home of the famous Linux distribution. Using this bug, an attacker could temporarily inject arbitrary code with required user interaction into the context of the website and therefor a successful exploitation of the vulnerability allows for example cookie theft, session hijacking or (visible) client side context manipulation.

Apr 11, 2012

sachsen-anhalt.de - Cross-Site Scripting Vulnerability

This time I have found a non-persistent xss vulnerability on one of Germany's country-government websites. Immediatley after the finding (on 2012-03-11), I have noticed the webmaster about the vulnerability, but....no reaction.

Mar 30, 2012

eCPPT Course and Exam Review

Great news! I just received an email from Armando Romeo from eLearnSecurity that I have PASSED the eCPPT exam :-)!!! In December 2011 I decided to take the course "Certified Professional Penetration Tester" provided by eLearnSecurity which is - according to many posts on ethicalhacker.net - a very good preparation for the highly challenging OSCP from Offensive-Security, which I will take next :-).

Mar 21, 2012

Ricoh DC Software DL-10 FTP Server (SR10.exe) Remote Buffer Overflow Vulnerability

This time I've found a more critical vulnerability with a CVSSv2 score of 7,5 coordinated by Secunia.com which has already been published on 2012-03-01, but due to a very unfortunate way of communication by Secunia, I haven't been informed about the release of the advisory - that's the reason for the late article on it :-( But anyways, this vulnerability is a perfect example of how not to react to confidentially reported security issues: Ricoh did not response to any of Secunia's notifications since my discovery and reporting of the bug on 2012-02-05. Even if it's not one of their flagship products, there are always customers who take care of their entire network security and who don't like security breaches at all!

Mar 9, 2012

Macro Toolworks v7.5.0 ... and how to launch a calc.exe

Hello readers, I recently found a local buffer overflow vulnerability in Pitrinec Macro Toolworks v7.5.0, which is very easy to exploit at all. For demonstration purposes I will show you one possible way of getting your own shellcode to run using this overflow.

Dec 16, 2011

Buffer Overflow Exploitation: Jump to shellcode via PUSH ESP, RET

Another possible way to jump to shellcode is using the PUSH ESP, RET technique. If you've got no usable CALLs or JMPs to ESP for some reasons, you can first use a PUSH ESP to put the address of ESP onto the Stack and after that RET that value to the EIP.

Dec 10, 2011

Buffer Overflow Exploitation: Jump to Shellcode via CALL ESP

In my first tutorial I've taken a JMP ESP from some system .dll called WMVCore.dll. Since this isn't a reliable jump, because the WMVCore.dll might differ from OS version to OS version, it would be more reliable to take one from a loaded application DLL.

Dec 8, 2011

Stack Manipulation Using POP RET

Exploiting is a very interesting topic and there are many ways of manipulating the stack. One of those ways is using the POP, RET functions. Using the "Free MP3 CD Ripper" - Exploit from my first tutorial, I would like to show how a POP RET is basically working (and displayed in IDA), since these are useful commands if the shellcode is not directly placed @ the ESP, but only some bytes away from it on the stack, like ESP+4 or ESP+8...The modified Python script helps to show how jumping to shellcode via a POP, RET will work: The .wav gets filled by our usual 4112 bytes of junk first.

Nov 30, 2011

Buffer Overflow Exploitation: A Real World Example

Hello readers again! Since I am still getting deeper into penetration tests in AppSec, it helps quite a lot to write about things to get new ideas and thoughts - so I decided to write a little tutorial on how a buffer overflow basically works using a real world example.