Background: While conducting a penetration test of a client’s external network, I discovered three separate instances of information disclosure in VMware’s Horizon Access Web Portal. An unauthenticated user could access information such as internal domain names, the Connection Server’s internal hostname, or the gateway’s internal IP address. Version Tested 4.7.0 CVE Number CVE-2019-5513 Security Advisoriess VMSA-2019-0003 – […]
Background While conducting a penetration test for a customer, I encountered an unused developer forum using JForum version 2.1.8 and started looking for vulnerabilities within the application. Version Tested: 2.1.8 CVE Number: CVE-2019-7550 Security Advisories: None Issue When creating a new user within the application, the browser sends a GET request to the server to check if a […]
Background In previous roles focused on malware analysis and defense, a recurring trend observed across the industry has been the rise of fileless malware, particularly the use of mshta.exe as an infection vector. As the focus shifts toward offensive security, this technique is worth revisiting for its relevance in red teaming and adversary simulation exercises. […]
From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made hoaxes and scams even more prevalent, evolving from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users are constantly falling […]
Just over a month ago, Marriott International, one of the world’s largest hotel chains, announced that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Among the hotels under the Starwood brand are the W Hotels, St. Regis, Sheraton, Westin, and Design […]
Background: Recently I’ve seen a decent number of privilege escalations occurring on Windows due to permission issues and using symlinks. The work from Ryan Hanson from Atredis on the Cylance privilege escalation and Windows Standard Collector privilege escalation really inspired me to research more into this issue and potentially find some myself. After several weeks of researching the usage of symlinks, […]
CVE Numbers: CVE-2018-0437 – Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella CVE-2018-0438 – Cisco Umbrella ERC releases prior to 2.1.127 Versions Tested: Umbrella Roaming Client 2.0.168 Security Advisories: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read Binary Planting: The Umbrella Roaming Client from Cisco OpenDNS includes a service named Umbrella_RC which is executed as SYSTEM on startup. This service consumes several files within […]
Security awareness training is broken. Read the news any day of the week and you can find articles talking about breaches, ransomware attacks, and countless records stolen resulting in identity theft victims. Our users are continuing to click suspicious links, open attachments they weren’t expecting, and falling for the call to action. Attackers know that […]
Exploits for network devices including routers, switches, and firewalls have been around for as long as networking has been a thing. It seems like every week a researcher discloses a new vulnerability or publishes proof of concept (PoC) code online for these types of devices, and that is exactly what is happening in this article. […]
Introduction Finding Linux servers heavily reliant on Sudo rules for daily management tasks is a common occurrence. While not necessarily bad, Sudo rules can quickly become security’s worst nightmare. Before discussing the security implications, let’s first discuss what Sudo is. Defining Sudo What is Sudo? Sudo, which stands for “superuser do!,” is a program that […]