Attacking The Network's Security Core - Hunting For Vulnerabilities In A Network Security Tool

A network can only be as secure as the tools used to secure it Overview This is Part 1 in a 4 part series about my process hunting for vulnerabilities in a network auditing tool (used to protect networks by detecting and fixing security holes) and fully exploiting one of the vulnerabilities I found. I recommend reading the series in ascending numeric order. Links to parts 2, 3, and 4 at the end of this post.
Target 🎯I decided to look for (and successfully found) vulnerabilities in network security tool, as a vulnerability in such a tool could allow attackers to hide themselves in an otherwise secure network, or even be exploited for lateral movement.

One such network security tool that came to mind is Nipper-ng, a firewall security auditing tool and firewall configuration parser. In addition to being a security product itself, Nipper-ng is used behind the scenes in other security products such as ManageEngine's OpManager and Firewall Analyzer. The tool is also included in all i…

Simplest Fibonacci Assembly Code

Tl;Dr There is an insanely cool, simple and elegant way to calculate Fibonacci numbers in assembly using only 2 opcodes!

Full disclosure: this post is inspired by chapter two of the book "xchg rax, rax".
Fibonacci Numbers Just a simple review: Fibonacci Numbers are calculated with the formula below.

So for example to get the 3'rd Fibonacci number, we need to sum the 2nd and 1st Fibonacci numbers.
The Code πŸ‘¨‍πŸ’»πŸ‘©‍πŸ’» Behold! Below is the most elegant code you will ever see for in assembly

Source available here.
Explanation🧠 The magic happens in the XADD opcode which is an "xchg (exchange)" and "add"  operation in one opcode. It works exactly as you would expect: first exchange the two operands, and then add them saving the result to the first operand. Official Intel documentation here.

Next, the "loop" opcode changes the code flow to jump back and re-execute the xadd opcode multiple times.
Understanding ✔ To completely understand why and ho…

Serv-U CVE-2019-12181 Patch Analysis

TL;DR πŸ‘“ The patch in Serv-U FTP server version 15.1.7 that fixes my vulnerability (CVE-2019-12181), does so properly. Continue reading to for a walkthrough of the patch analysis.

This blog post depends on knowledge and context from this blog post, please read it before continuing.
Motivation 🧠 I was told by a smart and trusted @yoavalon that failed patches are a norm in our industry, and I should therefore ensure the vulnerability I found is properly fixed in the latest allegedly safe version of the program.
Potentially Inadequate Fixes πŸ‘Ž It is possible (and depending on the security mindset of the company, maybe even probable) to unsuccessfully fix a vulnerability or even introduce a new vulnerability in a patch. For example, if some filtering logic is added to block malicious input from the user, it is worth ensuring the filter can't be bypassed.

Analysis Process πŸ”¬ The first thing I did was check if my initial POC code worked on the patched Serv-U 15.1.7. Thankfully it didn…

CVE-2019-12181 Serv-U Exploit Writeup

Tl;dr: I found a privilege escalation 0day (CVE-2019-12181) in the Serv-U FTP Server through command injection.

POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.

As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…

Garbage CAN!

I often take breaks from vulnerability hunting, and occasionally I find myself doing some really random things.

For example, I stumbled across this poster and decided to make a version of my own. I wanted to make one that is slightly more offensive so that it can be gifted to a good friend. Here is the final result:

I used this image by PTNorbert with its free commercial license

Vulnerability Research Tools

In this post I compiled all the popular vulnerability research tools. In each category I first listed the tool(s) I personally use, and then followed with alternatives. I do not encourage pirating but all of the payed programs can be found on pirate websites.
Disassemblers and Reverse Engineering Tools Disassemblers decode machine instructions in binary into their readable assembly representation. The following programs have evolved beyond simple disassembly to become full platforms for reverse engineering with features such as custom symbol naming, graphically viewing code flow, and listing references in the assembly to functions and data. The more advanced tools also support decompilation which is the process of converting the assembly into higher level code such as C or C++.
IDA Pro Costs around $2000 for a license with multiple decompilers (free trial available)  A limited feature freeware version is available here.Supports decompiling~170 community sourced plugins hereMy persona…

What Value Is Stored In Uninitialized Variables?

The value in an uninitialized variable is one of: zero, a compiler dependent value (such as 0xCC's in visual studio), or data previously stored in that memory location (old data).
Types of Uninitialized Variables And Their Values Classic C/C++ Uninitialized Stack Variables The classic type of uninitialized variables are local function variables written in a low level language (such as C/C++). You would think when these variables are left uninitalized they would simply save the last value they were give. However, there is a catch: when code is compiled in debug mode, the compiler may inject its own code that initializes empty variables to a default value.
This is done to protect against vulnerabilities (more on this later), and to more easily detect bugs by giving the variable a bogus value that can be easily identified as uninitialized if it is for example printed to the screen.

Below, a  program compiled with Visual Studio in debug mode prints an uninitialized variable. Code c…