Research 2017-11-03T13:57:57+00:00

Security advisory, tools and more…

Tor Browser Deanonymization With SMB

12 September 2018

Tor Browser version < 8.0 and Firefox version < 62 / < 60.2.0esr are affected by an information disclosure vulnerability that allows remote attackers to bypass the intended anonymity feature and discover a client IP address. The vulnerability affects Windows users only and needs user interaction to be exploited.

Mac OS X Local Javascript Quarantine Bypass

27 September 2017

Mac OS X contains a vulnerability that allows the bypass of Apple Quarantine and the execution of arbitrary Javascript code without restrictions. Apple Quarantine works by setting an extended attribute on downloaded files (and also on files extracted from a downloaded archive or disk image) that tells the system to open or execute those files in a restricted environment. For example, a quarantined html file is not able to load local resources. The vulnerability is in an html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the execution of arbitrary javascript commands in its (unrestricted) context.

Squirrelmail Remote Code Execution

19 April 2017

Squirrelmail version 1.4.22 (and probably prior) is vulnerable to remote code execution because it fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in Deliver_SendMail.class.php, in the initStream function, which uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it does not escape whitespace, allowing the injection of arbitrary command parameters.

Microsoft Remote Desktop Client for Mac Remote Code Execution

7 December 2016

A vulnerability exists in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine. User interaction is needed to exploit this issue, but a single click on a link (sent via mail, iMessage, etc.) is sufficient to trigger the vulnerability. Microsoft Remote Desktop Client for Mac OS X (ver 8.0.32 and probably prior) allows a malicious Terminal Server to read and write any file in the home directory of the connecting user. The vulnerability lies in the way the application handles rdp urls. In the rdp url schema it's possible to specify a parameter that makes the user's home directory accessible to the server without any warning or confirmation request. If an attacker can trick a user into opening a malicious rdp url, he/she can read and write any file within the victim's home directory.

Apple Safari for Mac OS X SVG local XXE

6 July 2016

Safari for Mac OS X is prone to an XXE vulnerability when processing crafted SVG images. An attacker may use this vulnerability to steal files from the local computer by tricking a user into opening an SVG image from a local location (i.e. a USB key). This vulnerability is mitigated by the file quarantine and does not work with downloaded files.

Htcap beta 1.0, now it’s a vulnerability scanner

26 February 2016

Htcap is a web application scanner able to crawl single page applications (SPAs) recursively by intercepting ajax calls and DOM changes. Htcap is not just another vulnerability scanner, since it's focused mainly on the crawling process and uses external tools to discover vulnerabilities. It's designed to be a tool for both manual and automated penetration testing of modern web applications.

Symphony CMS Multiple Vulnerabilities

8 February 2016

The contentAjaxQuery class suffers from a SQL-Injection vulnerability because the request parameter "query" is used to build a sql query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user.

Lychee remote code execution

15 April 2015

Lychee version 2.7.1 and probably below suffers from a remote code execution vulnerability. The vulnerability resides in the importUrl function, which fails to restrict file types due to the lack of file extension validation. Since the imported file is stored in a web-readable directory where php files can be executed, remote code execution can be achieved.

DokuWiki persistent Cross Site Scripting

23 March 2015

DokuWiki version 2014-09-29c (and probably prior) is vulnerable to Persistent Cross Site Scripting in the admin page. An attacker may use this vulnerability to execute javascript in the context of a logged-in admin user. Since the vulnerable page contains forms carrying the CSRF token (the same one for all requests), a full backend compromise may be possible.

Mibew messenger multiple XSS

24 January 2012

Mibew messenger version 1.6.4 and probably below is vulnerable to multiple XSS (including persistent XSS). They are all in POST requests and can be exploited due to the lack of CSRF protection.

Old Stuff

These are our works from past years; they link to SecurityFocus or Packetstorm.

Secunia Security Advisory 29675

Posted Apr 16, 2008

Secunia Security Advisory – poplix has reported some vulnerabilities in Parallels VZPP, which can be exploited by malicious people to conduct cross-site request forgery attacks and potentially compromise a vulnerable system.


Secunia Security Advisory 28239

Posted Dec 28, 2007

Secunia Security Advisory – poplix has discovered a vulnerability in PDFlib, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.


pdflib-overflows.txt

Posted Dec 24, 2007

pdflib, a library used for generating PDFs on the fly, suffers from multiple buffer overflow vulnerabilities due to the use of strcpy().


gwcheck.c

Posted Dec 24, 2007

gwcheck is a simple program that checks if a host in an ethernet network is a gateway to the Internet.


gmailsteal_remote.scpt.txt

Posted Sep 30, 2007

This script can be used to steal G-Mail’s keychained password by injecting javascript into Safari. When executed it opens G-Mail’s login page, reads the saved password and sends it to a logging server by creating a hidden iframe in G-Mail’s page.


gmailsteal_local.scpt.txt

Posted Sep 30, 2007

This script can be used to steal G-Mail’s keychained password by injecting javascript into Safari. When executed it opens G-Mail’s login page, reads the saved password and displays it in an alert box.


cotv2-dos.txt

Posted Feb 6, 2007

cotv 2.0 suffers from a client-side denial of service vulnerability due to a lack of validation. Demonstration exploit included.


Secunia Security Advisory 23332

Posted Dec 14, 2006

Secunia Security Advisory – poplix has reported a vulnerability in D-LINK DWL-2000AP+, which can be exploited by malicious people to cause a DoS (Denial of Service).


Secunia Security Advisory 22674

Posted Nov 3, 2006

Secunia Security Advisory – poplix has discovered a vulnerability in iodine’s client, which can be exploited by malicious people to compromise a user’s system.


eNM-0.0.1.txt

Posted Oct 31, 2006

easy notes manager (eNM) version 0.0.1 is affected by multiple SQL injection issues. POC included that demonstrates how to bypass authentication.


tripp-alpha0.2.tar.gz

Posted Jun 26, 2006

TRIPP is a utility to rewrite incoming and outgoing IP packets. Since it can rewrite both headers and payload, it can be used to configure the tcp/ip stack behavior in order to perform various tasks mainly intended for network tests, simulations and development.


payload-rewrite_exploit.txt

Posted Jun 26, 2006

Small whitepaper discussing how to use payload rewriting to exploit remote buffer overflow vulnerabilities.


tripp-alpha0.1.tar.gz

Posted Feb 22, 2006

TRIPP is a utility to rewrite incoming and outgoing IP packets. Since it can rewrite both headers and payload, it can be used to configure the tcp/ip stack behavior in order to perform various tasks mainly intended for network tests, simulations and development.


p0fspoof.txt

Posted Feb 14, 2006

A paper discussing passive OS fingerprinting and spoofing OpenBSD pf “os” rulesets.


authsyn.tgz

Posted Feb 14, 2006

Proof-of-concept tool for performing passive OS fingerprint spoofing to bypass OpenBSD pf firewall rules.


tripp_test.1c.tar.gz

Posted May 7, 2005

TRIPP is a utility to rewrite outgoing IP packets. Since it can rewrite both header and payload data, it combines functionality found in iptables as well as netsed. This can be useful for performing replay attacks, altering your own OS fingerprint, or for bypassing remote firewalls.