Latest News & Research

  • Blog

    Sophisticated Google Play BankBot Trojan campaigns

    Max Kersten, Han Sahin, May 2017

    Throughout 2015 and 2016, Android banking Trojans were primarily distributed outside the Google Play Store by using SMSishing, phishing e-mails and rogue websites, often dropping APKs related to Adobe Flash Player.

    The focus of the Android banking malware in Google Play differs from that of any other Android malware we have investigated. Usually, Android banking malware is spread with the goal of convincing users to install it on the strength of a top-rated app name and icon, such as 'Super Mario Run', 'Flash Player' or 'WhatsApp'. The approach of the Google Play campaigns is different: everything is designed to gain the user's trust. Even a fake Facebook profile, posing as an actual company, aided in this process. After installation, the application does not immediately show its true colours; the malicious activities are postponed for a couple of minutes so that users can, for example, first use the app to open funny videos or watch the latest news.

    Knowing the biggest change in the modus operandi, one question remains: what did the Google Play BankBot campaign look like?

  • Advisory

    SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

    Yorick Koster, February 2017

    A vulnerability was found in the SyntaxHighlight MediaWiki extension. Using this vulnerability it is possible for an anonymous attacker to pass arbitrary options to the Pygments library. By specifying specially crafted options, an attacker can trigger a (stored) Cross-Site Scripting condition. In addition, it allows the creation of arbitrary files containing user-controllable data. Depending on the server configuration, this can be used by an anonymous attacker to execute arbitrary PHP code.

  • Advisory

    Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x for macOS

    Han Sahin, April 2017

    A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature checks on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.

  • Advisory

    Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN client v2.x for OS X

    Han Sahin, April 2017

    Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.

  • Advisory

    Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

    Remco Vermeulen, April 2017

    It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.

  • Advisory

    Cross-Site Request Forgery in WordPress Connection Information

    Yorick Koster, July 2016

    The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery. This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker's FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Advisory

    Persistent Cross-Site Scripting in Scriptler Jenkins Plugin

    Burak Kelebek, April 2017

    A Cross-Site Scripting vulnerability was found in the Scriptler Jenkins plugin. This vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, an authenticated attacker has to inject arbitrary HTML in the description of a Scriptler script and wait for an admin to visit the script overview page. By combining this vulnerability with the reported Cross-Site Request Forgery vulnerability it is possible for an unauthenticated attacker to exploit this issue by luring an authenticated administrator into visiting a specially crafted page.

  • Blog

    Banking malware in Google Play targeting many new apps

    Niels Croese, April 2017

    While casually browsing my daily notifications on Koodous I found banking malware on Google Play, which has many new banking app targets in its configuration. A new sample was flagged by one of my BankBot rules: Funny Videos 2017. It struck me as different from the usual BankBot samples since it was tagged as using DexProtector, a tool to heavily obfuscate APKs. In addition, the app name wasn't the usual popular name (i.e. Flash Player, HD Coded or Google Play Update), so I figured I'd check it out a bit more.

  • Advisory

    Microsoft Office OneNote 2007 DLL side loading vulnerability

    Yorick Koster, September 2015

    A DLL side loading vulnerability was found in Microsoft Office OneNote 2007. This issue can be exploited by loading the Microsoft Office OneNote Mobile ActiveSync Provider for Desktop object as an embedded OLE object. When instantiating the object Windows will try to load the DLL ceutil.dll from the current working directory. If an attacker convinces the user to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

  • Advisory

    Multiple local privilege escalation vulnerabilities in Proxifier for Mac

    Yorick Koster, April 2017

    Multiple local privilege escalation vulnerabilities were found in the KLoader binary that ships with Proxifier. KLoader is responsible for loading a Kernel Extension (kext). KLoader is installed setuid root and accepts one or two command line arguments that are used in a number of system commands. These arguments are used in an insecure manner, allowing a local attacker to elevate their privileges. In addition, the environment is not properly sanitized, which also introduces a possibility to run arbitrary commands with elevated privileges.

  • Blog

    Scripting with ZAP: adding a new header to each scan request

    Burak Kelebek, March 2017

    ZAP has scripting support that allows programmatic access to code and data structures, and also allows automatic modification of requests and responses passing through ZAP's proxy or Active Scanner. Sometimes it can be useful to automatically add a (header) value to each request passing through the proxy or Active Scanner for monitoring purposes. This can be achieved with ZAP's scripting capabilities.

  • Advisory

    Microsoft Edge Fetch API allows setting of arbitrary request headers

    Yorick Koster, January 2017

    It was found that the Fetch API in Microsoft Edge allows websites to set arbitrary HTTP request headers, including the Content-Length and Host headers. Amongst others, a malicious website can use this issue to bypass the same origin policy, read HTTP response headers, or initiate arbitrary HTTP requests from the victim's browser (HTTP request smuggling).

  • Advisory

    Stack-based buffer overflow in Western Digital My Cloud allows for remote code execution

    Remco Vermeulen, January 2017

    It was discovered that the Western Digital My Cloud is vulnerable to a stack-based buffer overflow in the authentication mechanism. By exploiting this vulnerability it is possible for an unauthenticated attacker to run arbitrary code with root privileges.

  • Advisory

    Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability

    Remco Vermeulen, January 2017

    It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. This issue can be combined with a command injection vulnerability (see advisory SFY201703) to gain complete control (root access) of the affected device.

  • Advisory

    Western Digital My Cloud vulnerable to multiple command injection vulnerabilities

    Remco Vermeulen, January 2017


  • Advisory

    Cross-Site Request Forgery in WordPress Press This function allows DoS

    Sipke Mellema, July 2016

    A Cross-Site Request Forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS) condition if an authenticated administrator visits a malicious URL.

  • Advisory

    WordPress audio playlist functionality is affected by Cross-Site Scripting

    Yorick Koster, July 2016

    Two Cross-Site Scripting vulnerabilities exist in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator to upload a malicious MP3 file. Once uploaded, the issues can be triggered by a Contributor or higher using the playlist shortcode.

  • Advisory

    Multiple persistent Cross-Site Scripting vulnerabilities in osTicket

    Han Sahin, July 2016

    Two persistent Cross-Site Scripting vulnerabilities have been found in osTicket. These issues exist due to the lack of output encoding on user input. These vulnerabilities allow an attacker to inject malicious JavaScript code into the application. This code will then be executed within the browser of a user who views the dashboard. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, or performing arbitrary actions on their behalf.

  • Blog

    Marcher - Android banking Trojan on the rise

    Pham Duy Phuc, Niels Croese & Han Sahin, February 2017

    In recent months, many different banking Trojans for the Android platform have received media attention. One of these, called Marcher, seems to be especially active, with different samples appearing on a daily basis. This malware variant also appears to be technically superior to many other banking Trojans, as it is able to use its overlay attack even on Android 6, which contains technical improvements over previous Android versions intended to prevent such attacks.

  • Blog

    AutoRun is dead, long live AutoRun

    Yorick Koster, February 2017

    This blog explains how the Windows AutoRun feature can be exploited to run arbitrary code. While running software automatically is no longer possible on recent versions of Windows, there are still possibilities to trick a user into running malicious software from a USB thumb drive, which is handy if you're Red Teaming, for example. In this blog I'll explain how this can be done using a USB armory. Note that this technique can also be performed using other similar devices, but the armory's form factor makes it especially suitable for this purpose.
