Latest News & Research

  • Advisory

    Clickjacking vulnerability in CSRF error page pfSense

    Yorick Koster, November 2017

    pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.

  • Advisory

    Reflective Cross-Site Scripting in BVNetwork's 404 error handler

    Robert Hartshorn, May 2017

    Multiple cross-site scripting vectors were found in BVNetwork's 404handler. BVNetwork 404handler is a 404-error handler page designed for, and recommended by, the EPiServer framework, which is used as an e-commerce and digital marketing CMS. According to EPiServer's NuGet server (BV Network 404 handler on nuget.episerver.com), the product has over 35k downloads. This vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

  • Advisory

    Cross-Site Scripting vulnerability in Zimbra Collaboration Suite

    Stephan Kaag, April 2017

    A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions such as performing arbitrary actions on their behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.

  • Advisory

    Xamarin Studio for Mac API documentation update affected by local privilege escalation

    Yorick Koster, April 2017

    Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports development in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.

  • Advisory

    Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator

    Sipke Mellema, July 2017

    Virtuozzo Power Panel is a solution that allows customers of service providers to manage their virtual environments. Virtuozzo Automator is an administrative tool for managing the service provider's virtual infrastructure. Both products are affected by a buffer over-read vulnerability that allows attackers to read random server memory.

  • Advisory

    InsomniaX loader allows loading of arbitrary Kernel Extensions

    Yorick Koster, April 2017

    It was found that the loader application bundled with InsomniaX can be used to load arbitrary Kernel Extensions (kext). The loader is normally used to load a kext file that is needed to disable the Lid Sleep. A flaw has been found in the loader that allows a local attacker to load (or unload) any arbitrary kext file.

  • Advisory

    SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

    Yorick Koster, February 2017

    A vulnerability was found in the SyntaxHighlight MediaWiki extension. Using this vulnerability it is possible for an anonymous attacker to pass arbitrary options to the Pygments library. By specifying specially crafted options, an attacker can trigger a (stored) Cross-Site Scripting condition. In addition, it allows the creation of arbitrary files containing user-controllable data. Depending on the server configuration, this can be used by an anonymous attacker to execute arbitrary PHP code.

  • Advisory

    Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x for macOS

    Han Sahin, April 2017

    A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature checks on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.

  • Advisory

    Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN client v2.x for OS X

    Han Sahin, April 2017

    Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.

  • Advisory

    Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

    Remco Vermeulen, April 2017

    It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.

  • Advisory

    Cross-Site Request Forgery in WordPress Connection Information

    Yorick Koster, July 2016

    The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery. This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker's FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Advisory

    Persistent Cross-Site Scripting in Scriptler Jenkins Plugin

    Burak Kelebek, April 2017

    A Cross-Site Scripting vulnerability was found in the Scriptler Jenkins plugin. This vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, an authenticated attacker has to inject arbitrary HTML in the description of a Scriptler script and wait for an admin to visit the script overview page. By combining this vulnerability with the reported Cross-Site Request Forgery vulnerability it is possible for an unauthenticated attacker to exploit this issue by luring an authenticated administrator into visiting a specially crafted page.

  • Advisory

    Microsoft Office OneNote 2007 DLL side loading vulnerability

    Yorick Koster, September 2015

    A DLL side loading vulnerability was found in Microsoft Office OneNote 2007. This issue can be exploited by loading the Microsoft Office OneNote Mobile ActiveSync Provider for Desktop object as an embedded OLE object. When instantiating the object Windows will try to load the DLL ceutil.dll from the current working directory. If an attacker convinces the user to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

  • Advisory

    Multiple local privilege escalation vulnerabilities in Proxifier for Mac

    Yorick Koster, April 2017

    Multiple local privilege escalation vulnerabilities were found in the KLoader binary that ships with Proxifier. KLoader is responsible for loading a Kernel Extension (kext). KLoader is installed setuid root and accepts one or two command line arguments that are used in a number of system commands. These arguments are used in an insecure manner, allowing a local attacker to elevate their privileges. In addition, the environment is not properly sanitized, which also introduces a possibility to run arbitrary commands with elevated privileges.

  • Blog

    Scripting with ZAP: adding a new header to each scan request

    Burak Kelebek, March 2017

    ZAP has scripting support that allows programmatic access to its code and data structures, and also makes it possible to automatically modify requests and responses passing through ZAP's proxy or Active Scanner. Sometimes it can be useful to automatically add a (header) value to each request passing through the proxy or Active Scanner for monitoring purposes. This can be achieved with ZAP's scripting capabilities.

  • Advisory

    Microsoft Edge Fetch API allows setting of arbitrary request headers

    Yorick Koster, January 2017

    It was found that the Fetch API in Microsoft Edge allows websites to set arbitrary HTTP request headers, including the Content-Length and Host headers. Amongst others, a malicious website can use this issue to bypass the same origin policy, read HTTP response headers, or initiate arbitrary HTTP requests from the victim's browser (HTTP request smuggling).

  • Advisory

    Stack-based buffer overflow in Western Digital My Cloud allows for remote code execution

    Remco Vermeulen, January 2017

    It was discovered that the Western Digital My Cloud is vulnerable to a stack-based buffer overflow in the authentication mechanism. By exploiting this vulnerability it is possible for an unauthenticated attacker to run arbitrary code with root privileges.

  • Advisory

    Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability

    Remco Vermeulen, January 2017

    It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. This issue can be combined with a command injection vulnerability (see advisory SFY201703) to gain complete control (root access) of the affected device.

  • Advisory

    Western Digital My Cloud vulnerable to multiple command injection vulnerabilities

    Remco Vermeulen, January 2017



  • Advisory

    Cross-Site Request Forgery in WordPress Press This function allows DoS

    Sipke Mellema, July 2016

    A Cross-Site Request Forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS) condition if an authenticated administrator visits a malicious URL.