In Part 1 of the series we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test initially leading to RCE and further on with out-of-band data exfiltration via DNS. Though the exact mechanism of achieving remote-code execution with Python was not discussed, we went in depth in how to return data as a result of the code being executed. Initially, with ascii-to-integer encoding I was able to find the username of the runtime user - sbx_userNNN. In the first blog...
JUMPSEC LABS
The JUMPSEC Lab is a place where the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
What’s in a Name? Writing custom DNS tunnelling protocol, exploiting unexpected AWS Lambda misconfiguration – in a web app Pen test (Part 1)
This is a war story of an AWS web application test where remote code execution was first obtained on the client's application. Then I needed to write my own DNS tunnelling 'protocol' to get the data out. Following a number of twists and turns I impersonated the application and attempted to laterally move within the AWS tenant. Before storytelling though, let's start with a public service announcement: The Public Service Announcement As the title suggests, I discovered that it was possible to...
Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure
Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products Affected versions: 8.3 Vendor page: https://www.ibm.com/support/pages/node/7064976 CVE Reference: CVE-2023-43042 Published: 08/12/2023 CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Credit: Max Corbridge Summary JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password...
Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware
TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as...
Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation
Software: Half-Life Affected versions: Latest (<= build 5433873), at the time of writing Vendor page: www.valvesoftware.com CVE Reference: CVE-2023-30382 Published: 23/05/2023 CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Attack Vector: Local Credit: Ryan Saridar Summary An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the account of any local user who launches the game. Technical details hl.exe does not adequately perform...
Butting Heads with a Threat Actor on an Engagement
After compromising a sensitive external server JUMPSEC’s Red Team found that they were not the first ones there…
Advisory CVE-2022-37832 – Mutiny Network Monitoring Appliance hardcoded credentials
Software: Mutiny Network Monitoring Appliance Affected versions: <= 7.2.0-10855 Vendor page: www.mutiny.com CVE Reference: CVE-2022-37832 Published: 16/12/2022 CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector: Network Credit: Ryan Saridar Summary An attacker can log in as root remotely to the appliance via SSH. Mitigation Upgrade to version 7.2.0-10855 onwards to remediate the problem. Technical details Before version 7.2.0-10855, the SSH service allows password login...
Advisory CVE-2021-41551 Leostream Connection Broker – Authenticated Zip Slip
Software: Leostream Connection BrokerAffected Versions: 9.0.40.17Vendor page: https://leostream.com/CVE Reference: CVE-2021-41551Published: 25/01/2022Attack Vector: path traversal, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi Summary Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link. Mitigation The Leostream has released a patch for this...
Disclaimer
The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.