Latest Blog Posts
Acknowledged by Lievensberg
https://www.lievensbergziekenhuis.nl/paginas/141-disclaimer.html
Share this:
JS via Images
Recently I saw an awesome research by Ange Albertini in abusing a GIF file and injecting JS inside. You can download his code from here The following code is a custom made gif , yet abused by our JS payload.
(more…)
Share this:
Acknowledged by Facebook
I was able to find a tiny session management vulnerability in the Oculus website and Yay! got acknowledged by Facebook 🙂
https://www.facebook.com/whitehat/thanks/
Share this:
Escalating Local Privileges Using Mobile Partner
Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉
Proof of Concept
By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
C:\Program Files (x86)>cacls "Mobile Partner" C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F BUILTIN\Users:(OI)(CI)F NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:) GENERIC_READ GENERIC_EXECUTE C:\Program Files>cd "Mobile Partner" C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe" C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F BUILTIN\Users:F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R |
Share this:
Rewarded by Freshdesk
I was able to find out few web application related security issues in the Freshdesk website. They had a responsible disclosure policy, so I was able to report them. http://freshdesk.com/security
Share this:
MySQL name_const Crash
This is a small crash I found in MySQL 5.0.45 in the name_const function. I’ve tested this in a Windows 8 environment. However this function won’t allow performing select queries in latest versions. In older versions greater than or equal to 5.0.12 you can reproduce this issue.
I fuzzed the name_const() function and I noticed that when performing a conditional statement inside a sub query we can make the MySQL application freeze. Once we press ^c twice we get the error message. (more…)
