Posts

Showing posts with the label CVE

Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through

Image
Stack Overflow CVE-2019-17424 Vulnerability Write-Up and RCE Exploit Walk Through This is Part 2 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes), and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Link to part 1 here. Links to parts 3, and 4 at the end of this post.

This post describes how I found CVE-2019-17424 and successfully exploited the vulnerability in the precompiled, packaged product.
Vulnerability ⚡ Reader’s Exercise 🔎 I found CVE-2019-17424 by manually reviewing the source code of nipper-ng. Provided below is an excerpt from the source code containing only the vulnerable function. You are welcome to take it as an exercise to find the vulnerability in the code below:

Notice: The vulnerability in the code above is identified in the paragraph below. If you want to try to find the vulnerability yourself, o…

Attacking The Network's Security Core - Hunting For Vulnerabilities In A Network Security Tool

Image
A network can only be as secure as the tools used to secure it Overview This is Part 1 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes) and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Links to parts 2, 3, and 4 at the end of this post.
Target 🎯I decided to look for (and successfully found) vulnerabilities in network security tool, as a vulnerability in such a tool could allow attackers to hide themselves in an otherwise secure network, or even be exploited for lateral movement.

One such network security tool that came to mind is Nipper-ng, a firewall security auditing tool and firewall configuration parser. In addition to being a security product itself, Nipper-ng is used behind the scenes in other security products such as ManageEngine's OpManager and Firewall Analyzer. The tool is also included in all i…

Serv-U CVE-2019-12181 Patch Analysis

Image
TL;DR 👓 The patch in Serv-U FTP server version 15.1.7 that fixes my vulnerability (CVE-2019-12181), does so properly. Continue reading to for a walkthrough of the patch analysis.

This blog post depends on knowledge and context from this blog post, please read it before continuing.
Motivation 🧠 I was told by a smart and trusted @yoavalon that failed patches are a norm in our industry, and I should therefore ensure the vulnerability I found is properly fixed in the latest allegedly safe version of the program.
Potentially Inadequate Fixes 👎 It is possible (and depending on the security mindset of the company, maybe even probable) to unsuccessfully fix a vulnerability or even introduce a new vulnerability in a patch. For example, if some filtering logic is added to block malicious input from the user, it is worth ensuring the filter can't be bypassed.

Analysis Process 🔬 The first thing I did was check if my initial POC code worked on the patched Serv-U 15.1.7. Thankfully it didn…

CVE-2019-12181 Serv-U Exploit Writeup

Image
Tl;dr: I found a privilege escalation 0day (CVE-2019-12181) in the Serv-U FTP Server through command injection.

POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.

As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…