GoSecure Blog

Martin Lemay

Mr. Martin Lemay, CISA, OSCP, OSCE, GXPN, GMOB is a full-time security consultant and penetration tester for the security firm GoSecure Canada Inc. He is actively involved in all aspects of security validation mandates, including internal and external infrastructure testing, application security assessment, social engineering and physical access intrusion. Since joining GoSecure Canada Inc., he has performed numerous mandates in the banking, insurance, airline, energy, telecom and mid- to large-scale retail industries. Active in the security community, he has also given talks and training on security topics at schools and colleges and has participated in various security events in Canada.

Recent Posts

VMware Horizon (V4H/V4PA) desktop agent privilege escalation vulnerability (CVE-2017-4946)

The story of a privileged handle...

Context

As virtualization technology continues to become the corporate standard, the popularity of Virtual Desktop Infrastructure (VDI) in large enterprises has been increasing. These automated environments can provision desktops and applications from the internal and external network on top of virtualization technology without an IT administrator’s input. There are many components involved in a VDI infrastructure, but one specifically caught our attention on a customer mandate back in September 2017: the Windows "vmwagent.exe".

On this particular mandate, we had to escape the VDI environment with developer access and without local administrative access. The customer had done a great job at image hardening; services, applications and operating systems were well configured and patched, with up-to-date antivirus software, behavior monitoring, and strong passwords. Faced with this situation, we decided to perform a quick look around with the popular Process Explorer from the

Topics: vulnerability, windows, enterprise, exploitation, pentest, privilege-escalation

Your credentials at risk with Lansweeper 5

As penetration testers, we rarely have to find 'zero day' vulnerabilities or perform 'bug hunting' in order to compromise Windows Active Directory domains. However, in one of these rare cases, while performing an internal penetration test for a client, we had to do so. Lansweeper is inventory software that scans your network in order to gather system information such as patch level, network interfaces, resource status, etc. We were fairly surprised during this test when we were able to access Lansweeper 5's dashboard with a regular user account. Our customer was actually shocked and swore that he had configured only Domain Admin access on this web interface. According to him, a recent update must have reset the login permissions on the dashboard. At first, we were doubtful that this explanation would hold up to scrutiny. Our curiosity increased when we realized that Domain Admin accounts, SSH keys, Linux root passwords and all the "juicy stuff" one normally finds in a password vault are stored on a Lansweeper server. The result of our experimentation: three vulnerabilities were identified that led to the full compromise of our customer's network infrastructure. Later that week, our client sent us a copy of an email exchange with Lansweeper (formerly Hemoco) confirming the issues reported and stating that everything should be fixed by version 6.


Topics: cryptography, exploitation, lansweeper, password
