GoSecure Blog

FindSecBugs officially an OWASP project

Over the years, Find Security Bugs - or FindSecBugs in short - has evolved from a limited static-analysis tool to one with solid coverage of bug patterns. In this post, we will present the latest milestone from the project: arrival in the OWASP family, some figures and details regarding its new release.

Read More

Topics: code review, static analysis, java, owasp

Contribute to Open Source with Hacktoberfest at GoSecure!

GoSecure is encouraging everyone to join Hacktoberfest. GoSecure has multiple projects open to external contributions. For this specific event, we have tagged issues that are accessible to newcomers with the official tag [hacktoberfest].

In addition to the official Hacktoberfest swag, we will send you stickers from the respective projects you have contributed to.

Read More

Topics: malboxes, pyrdp, find-sec-bugs, open-source

Butor Portal Arbitrary File Download Vulnerability (CVE-2019-13343)

TLDR: It is frightening, a patch was made available the same day it was disclosed and everybody should update their servers. 

Impact

Butor Portal is affected by a Path Traversal vulnerability leading to pre-authentication arbitrary file downloads. Every file that can be read by the local user running the Butor Portal Web service could be exfiltrated by an anonymous attacker.

With the ability of reading most files on a server, an unauthenticated attacker could not only fully compromise the Butor application, but also the underlying infrastructure such as the database or the LDAP server using credentials stored in plain text in configuration files.

Exploitation of this vulnerability does not require advanced skill and can be automated.

Read More

Topics: appsec, code review, vulnerability

Drugs, Guns, Fake documents, Hitmen... What I expected and much more!

This is the continuity of my first blog post How I Indexed the Darknet and Pastebin During My First University Internship. The GoSecure Torscraper was developed about 1 year ago. Due to a few issues, the entirety of the project was dockerized to simplify the installation procedure (~4-8 lines instead of 4 pages of documentation) and to automate the whole scraping process. With this upgrade, it makes the tool easier to use by everyone. Once the project was dockerized, I started analyzing the collected data and it goes without saying that it was the most interesting part of this project.

Read More

Topics: Research, darknet, threat-intelligence

Fuzzing Closed Source PDF Viewers

This blog post covers typical problems which arise when fuzzing closed source PDF viewers and possible approaches to these problems. Hereby it focuses on both: Input-Minimization and Non-Terminating programs.

The approaches were found and implemented as part of my master thesis which I have written at TU Darmstadt, Germany in cooperation with Fraunhofer SIT.

Read More

Topics: windows, binary analysis, dynamic analysis, fuzzing, pdf

Automating local DTD discovery for XXE exploitation

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Topics: appsec, tool, web, pentest

Java Remote Code Execution Potpourri

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

Topics: code review, vulnerability, web, java

ESI Injection Part 2: Abusing specific implementations

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Topics: cybersecurity, security, ESI tags, GoSecure

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

Topics: pentest, Active Directory, NTLM

RDP Man-in-the-Middle - Smile! You're on Camera

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Topics: malware, Research, Honeypot, RDP, tool, man-in-the-middle

Subscribe to Email Updates

Recent Posts