Cisco® Email Security Appliance (Cisco® ESA) Non-RFC MIME Format Executable Attachment Bypass (CSCvh03786) (CVE-2018-0419)

Author: Liam Romanis In October 2017 InteliSecure were performing penetration testing activities for an important client.  One of the tasks involved performing tests against the client’s E-Mail content analysis systems. Various types of E-Mail were sent with attached executable files compressed and encrypted in various ways. These were blocked by the content analysis device, Cisco® Email Security Appliance (Cisco® ESA), previously known as Ironport. In addition, E-Mails were sent with…

Exploiting Same Origin Method Execution Vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user to visiting a malicious web-page which…

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client…

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So as you do, I was just looking around, manually fuzzing some Web Sockets requests, seeing if I could get any sort of XSS, Remote IRC Command Injection or SQLi mainly – ended up that I didn’t find much there that worse worth noting. So I started seeing if their logic was all alright, so one of their requests looked similar to: {“_reqid”:1234, “cid”:5678, “to”: “#treehouse”, “msg”:”test”, “method”:”say”} I thought,…

Execute Shellcode, Bypassing Anti-Virus | InteliSecure

Hello, I am going to demonstrate a little trick to allow you to bypass anti-virus and execute shellcode, this is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell, however any shellcode can be used, I have simply chosen this one for simplicity. As I’m sure you’re all aware, the standard Metasploit…

Proxmark3 vs Ultralight C

There have been no secrets this week while I’ve been trying to add Mifare Ultralight C support to the Proxmark. Ultralight C cards are HF (13.56MHz) tags that are part of the Mifare family.  This week has been an interesting learning process, and it has corrected some misconceptions I had about the card.  For those interested you can follow my progress at http://www.proxmark.org/forum/viewtopic.php?id=1946.  But I will summarise my findings below: Ultralight C…

Proxmark3 vs Kantech ioProx

Earlier today we released a patch into the Proxmark3 community for initial support of the LF 125kHz ioProx tags from Kantech.  Current operations are FSK-demodulation and card/tag cloning. Not much is revealed about this type of tag, and only limited data can be found on its data sheet.  Kantech state that readers/cards are compatible with standard 26-bit Wiegand and Kantech Extended Secure Format (XSF). But it is difficult to find…

Ubertooth – Bluetooth Sniffing Updated for 2014!

Earlier I noticed this tweet on my twitter feed: Ubertooth release: https://t.co/cCYHNf34Yc I know it’s been a long time coming, I promise not to leave it so long next time. — Dominic Spill (@dominicgs) February 20, 2014 So I thought I would walk you through the update, which has improved Operating System support, improved Bluetooth Low Energy (BTLE) support, and GitHub integration to make community development easier….

NDProxy Privilege Escalation (CVE-2013-5065)

Introduction In the last few days everyone is raving about CVE-2013-5065, a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC for CVE-2013-5065. Exploit POC: #include “windows.h” #include “stdio.h” void main(){ HANDLE hdev=CreateFile(“\\.\NDProxy”,GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0 , NULL); if hdev==INVALID_HANDLE_VALUE){ printf(“CreateFile Failed: %d/n”,GetLastError()); } DWORD InBuf [0x15] = {0}; DWORD dwRetbytes…

What is 2G, 3G, 4G?

Introduction With all the recent fuss over 4G / LTE.  Pentura thought a nice blog post highlighting the changes and developments of mobile infrastructure would be interesting for our readers.  Below is a high-level description of the 2G, 3G, 3G-Femto and finally 4G networks. 2G 2G (GSM/GPRS) is the initial backbone for all mobile infrastructure.  At the front end it comprises of a Radio Tower (BTS) , and the Base…