How to prevent domain verification bypasses of your server certificates using CAA and account URI binding and how to monitor problems?

In 2023, there was an attack on the Russian chat platform jabber.ru. The attack was going on for half a year from April to October and targeted three servers from the jabber.ru network operated at the hosting providers Hetzner and Linode in Germany. A later analysis showed that the attackers were able to have server certificates issued for hosts and have used these for attacking the communication. The attack was presumably carried out by state actors. How were the attackers able to have certificates issued and how could this have been prevented or at least detected early?

Weiterlesen…

Kiosk-Modus-Bypass bei Hotel-Check-in-Terminal mit Ariane Allegro Scenario Player

Ein Threat-Modelling-Workshop verschlug uns an einen entfernt gelegenen Ort mit neuem Hotel. Das Hotel war so klein, dass es kein Personal für den Check-in gab, dafür aber ein Selbstbedienungs-Terminal für den Check-in. Es passierte, was passieren musste.

Das Hotel-Check-in-Terminal basiert auf dem Ariane Allegro Scenario Player. Die Software läuft in einem Kiosk-Modus. Bei Eingabe eines Anführungszeichens in die Gästesuche stürzte die Anwendung ab und beendete den Kiosk-Modus. Dadurch war ein Zugriff auf den Windows-Desktop möglich. Nach Angaben von Ariane war in dem neuen Hotel eine alte Softwareversion installiert.

Nach Eigenangaben von Ariane Systems, ist Ariane "der weltweit führende Anbieter von Self-Check-in und Check-out Lösungen für die Hotelbranche. [...] Ariane bedient derzeit 3.000 Hotels und 500.000 Zimmer in mehr als 25 Ländern. Dazu gehört ein Drittel der 100 größten Hotelketten weltweit."

Weiterlesen…

Preisgabe von Tastenschloss-Codes bei Check-in-Terminal von IBIS-Hotel

Nach einem Hackerkongress in Hamburg stellte Pentagrid fest, dass ein Check-in-Terminal eines IBIS-Budget-Hotels die Tastencodes von fast der Hälfte der Hotelzimmer preisgab, wenn ein Benutzer nach einer bestimmten Form einer nicht alphanumerischen Buchungsnummer suchte. Der Zugang zu den Hotelzimmern ermöglicht den Diebstahl von Wertsachen, insbesondere wenn Low-Budget-Hotelzimmer nicht mit einem Zimmersafe ausgestattet sind. Der Hotelkettenbetreiber Accor hat das Problem nach eigenen Angaben mittlerweile behoben.

Weiterlesen…

SQL-Injektion in Hafenverwaltung YABOOK erlaubt Umgehung der Authentisierung

YABOOK ist eine webbasierte Software von News-Solutions zur Verwaltung von Anliegerplätzen in Häfen. Einige Häfen nutzen diese Lösung als gehostete Applikation oder auch als On-Prem-Installation. Bei einer Sicherheitsuntersuchung stellte Pentagrid eine SQL-Injection in der Login-Maske der Webanwendung fest, die eine Authentisierungsumgehung ermöglichte. Dieses Sicherheitsproblem ist behoben.

Weiterlesen…

Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices

Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.

Weiterlesen…

Remote code execution and elevation of local privileges in Mitel Unify OpenStage and OpenScape VoIP phones

During a research project, Pentagrid identified multiple vulnerabilities in the OpenStage and OpenScape VoIP phone series. The combination of insecure defaults and implementation weaknesses allows a remote compromise and the elevation of privileges for a network-local attacker on phones with an unhardened default configuration. Compromising a phone does not only allow to wiretap phone calls, but could also be abused to access microphones for listening to rooms. The vulnerabilities affect a wide range of devices. Pentagrid assumes that many small companies don't use a hardened configuration and are likely affected.

Weiterlesen…

Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification

Today, basically every e-mail provider supports TLS for their services and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries require passing a magic parameter in the right way to use secure communication. If one has just read the summary on Stackoverflow, read a tutorial that does not mention security settings, or asked ChatGPT not specifically enough, it results in programs that do not defeat active attackers in a machine-in-the-middle (MITM) position. Our journey started, when we wrote an e-mail monitoring plugin in Python and ended for the time being with the notification of various open source projects.

Weiterlesen…

Persistent cross-site scripting vulnerabilities in Liferay Portal

In 2023 we found multiple vulnerabilities in Liferay Portal, a digital experience platform for enterprise websites. It is a free and open-source software project. A few thousand installations on the Internet not suppressing the Liferay-Portal HTTP response header can be found via special purpose search engines.

The Liferay Portal in the Community Version is the foundation for the web interface of Liechtenstein's electronic health portal. That's the reason we got involved with the portal software – not as a customer pentest project, but out of interest. We wrote a blog post about the Liechtenstein's electronic health portal (blog post is in German). We reported our findings regarding the Liferay Portal to Liferay in order to get them addressed. Now we are releasing technical details about the vulnerabilities.

Weiterlesen…

Archive Pwn tool released

When extracting archive formats there are many things that can go wrong. While some unarchiving tools and libraries protect from malicious archives that include path traversal attacks, other might not or at least not in the default configuration. We wrote a tool to create such archives with path traversal attacks in Python.

Weiterlesen…

Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346)

Today we publish an advisory for a specific function in Wind River's VxWorks operating system.

VxWorks is a real-time operating system used in many embedded devices in high-availability environments with high safety and security requirements. This includes important industrial, medical, airospace, networking and automotive devices. For example, NASA's Curiosity rover currently deployed on planet Mars is using Wind River's VxWorks operating system.

The vulnerability is triggered when VxWorks' tarExtract function is used on untrusted tar archive files. The official VxWorks advisory can be found on the Wind River website.

Weiterlesen…