ush.it - a beautiful place

Aerohive HiveManager Classic Privilege Escalation Vulnerability

September 4, 2017 at 5:12 pm - Filed under Hacks - 706 words, reading time ~2 minutes - Permalink - Comments

Sandro "guly" Zaccarini found a critical vulnerability in Aerohive HiveManager Classic 8.1r1. The vulnerability allows a local unprivileged user, normally restricted in a Tenant-environment, to execute code on underlying system.

QNAP QTS Domain Privilege Escalation Vulnerability

March 22, 2017 at 4:49 pm - Filed under Hacks - 1222 words, reading time ~4 minutes - Permalink - Comments

Pasquale "sid" Fiorillo found a critical vulnerability in QNAP QTS allowing the recovery of the Domain Admin password. Such password is "encrypted" with XOR and the key is a single byte! Any web application or extraneous software running in your QNAP system can access such configuration file and jeopardize your entire network if the NAS uses domain authentication for it's users.

Veeam Backup & Replication Local Privilege Escalation Vulnerability

October 8, 2015 at 5:02 pm - Filed under Hacks - 1737 words, reading time ~5 minutes - Permalink - Comments

Pasquale "sid" Fiorillo found a critical vulnerability in Veeam Backup & Replication version 6, 7 and 8. At the time of writing this impact a very large of updated and outdated/legacy Veeam deployments. The vulnerability allows a local unprivileged user of a Windows guest to gain Local and/or Domain Administrator access when VeeamVixProxy is active, the de-facto default in VMWare and Hyper-V environments.

ARC v2011-12-01 Multiple vulnerabilities

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes - Permalink - Comments

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, providing RDF and SPARQL functionalities to PHP applications and working with MySQL as backend. Found vulnerabilities include SQL Injection and XSS.

Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

April 7, 2011 at 5:46 pm - Filed under Hacks - 1033 words, reading time ~3 minutes - Permalink - Comments

Simone "negator" Onofri found multiple issues in a nice image gallery script that was going to use for his personal purposes, perhaps it's better to wait a couple of releases before using this in production. Since the vendor was not responsive this is a forced release. Found vulnerabilities include Blind SQL Injection and XSS.

Vtiger CRM 5.2.0 Multiple Vulnerabilities

November 16, 2010 at 10:46 pm - Filed under Hacks - 1279 words, reading time ~4 minutes - Permalink - Comments

Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi found multiple vulnerabilities in Vtiger CRM 5.2.0, a software we already audited in the past. High impact (for a web application) findings include a Remote Command Execution issue (thanks to a possible bypass in the file upload extension blacklist) and a Local File Inclusion that can be exploited by unauthenticated users. Two separate Cross Site Scripting issues have been found, the first on the login.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

January 11, 2010 at 2:16 am - Filed under Hacks, Language EN - 2587 words, reading time ~8 minutes - Permalink - Comments

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities your are already familiar to an attack vector called log escape sequence injection. It allows remote attackers to remotely exploit terminal emulator vulnerabilities that may happen when displaying in an unsafe manner files containing escape sequences. While the real issue belong to the terminals, programs that does not sanitize outputs make this vector relevant in the real world.

Jetty 6.x and 7.x Multiple Vulnerabilities

October 25, 2009 at 5:00 am - Filed under Hacks, Language EN - 2607 words, reading time ~8 minutes - Permalink - Comments

Jetty is a pure Java application server used by big players like Google (Google AppEngine, Google Web Toolkit) and many projects and products like Eclipse, Alfresco Developers, Bea WebLogic Business Connect and WebLogic Event Server, Cisco Subscriber Edge Services Manager, Sybase EAServer, Apache Geronimo, HP OpenView Interconnect Tools and HP Openview Self-Healing, JFox, Zimbra Desktop and others (here a more complete list http://docs.codehaus.org/display/JETTY/Jetty+Powered). Finding a bug in such a wildspread component is something definitely interesting as the exploitation scenarios are many. We were procrastinating a little too much on this advisory but a CORE advisory burned some of our research and this month we found the time to contact the vendor and follow our disclosure procedure. As always enjoy the reading!

Vtiger CRM 5.0.4 Multiple Vulnerabilities

August 18, 2009 at 3:55 pm - Filed under Hacks, Language EN - 1780 words, reading time ~5 minutes - Permalink - Comments

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in applications written in PHP that make use of filesystem operations. This advisory for the Vtiger CRM, version 5.0.4, application is an example on how such generic issues can impact the security of a real world application.

PHP filesystem attack vectors - Take Two

July 26, 2009 at 2:31 am - Filed under Hacks, Language EN - 2669 words, reading time ~8 minutes - Permalink - Comments

Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!

SugarCRM 5.2.0e Remote Code Execution

June 13, 2009 at 6:44 pm - Filed under Hacks, Language EN - 1524 words, reading time ~5 minutes - Permalink - Comments

FormMail 1.92 Multiple Vulnerabilities

May 12, 2009 at 4:19 am - Filed under Hacks, Language EN - 1928 words, reading time ~6 minutes - Permalink - Comments

Do you remember FormMail? I hope so. It's PERL code belonging to the past, the glorious 1995 Internet era. FromMail is a CGI script used to create contact forms, but not a common one, it's historical with millions of downloads and has a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way it's still used in both small and big deployments. FromMail development stopped in 1996, with the exception of security updates and the last security issue is from April 19, 2002. Now one could expect a software to be bugfree after 13 years of feature freeze and "stable" status. Well.. this is why we are here : ) Don't expect code execution, just enjoy the reading.

⌫ Previous entries
Reed's Alert! Got something burning? Tell USH team.
THP USH Wisec DigitalBullets