An excursion into Airlock WAF ruleset testing

Recently we were tasked with analysing the effectiveness of the filtering of a web application firewall (WAF) from the vendor Ergon, namely the Airlock WAF. One idea was to see what happens when the OWASP Core Rule Set (CRS) tests are run against it. This is the story of how we approached this, which payloads went through, and how impossible it is to tell whether that is good or bad.


Hackvertor EAN-13 and TOTP tags for web-application penetration testing with Burp

Hackvertor is a standalone tool and, more importantly for us, an extension for the penetration testing tool PortSwigger Burp Suite, written by Gareth Heyes of the PortSwigger Research team, that performs dynamic data conversions. For example, the tool can be used to encode data fields as Base64 before Burp sends an HTTP POST request to a server. This happens automatically, so there is no need to convert anything manually or to copy and paste between different windows.

We had an example in our blog where we generated Swiss social security numbers for a pentest and explained how to program custom Hackvertor tags. All kinds of tags are already available inside Hackvertor, and users can also code their own custom tags. Nowadays Hackvertor has its own public tag store where users can submit custom tags. Pentagrid provided two custom tags that made it into the Hackvertor tag store. One tag calculates the check digit of EAN-13 numbers and the other calculates time-based one-time passwords (TOTP).


How to prevent domain verification bypasses of your server certificates using CAA and account URI binding and how to monitor problems?

In 2023, there was an attack on the Russian chat platform jabber.ru. The attack ran for half a year, from April to October, and targeted three servers of the jabber.ru network operated at the hosting providers Hetzner and Linode in Germany. A later analysis showed that the attackers were able to have server certificates issued for those hosts and used them to attack the communication. The attack was presumably carried out by state actors. How were the attackers able to have certificates issued, and how could this have been prevented, or at least detected early?


Kiosk mode bypass for an Ariane Allegro Scenario Player based hotel check-in terminal

A threat modeling workshop took us to a remote location where there was a new hotel. It was so small that there was no check-in staff, but a check-in terminal for self-service. What was bound to happen, happened.

The hotel check-in terminal runs an Ariane Allegro Scenario Player in kiosk mode, and the application crashed when a single quote character was entered into the guest search. The application crash allowed access to the underlying Windows desktop. According to Ariane, an outdated software version was installed in the new hotel.

According to the vendor Ariane Systems, "Ariane is the world leader in providing self-check-in and out solutions for the hotel industry. [...] Ariane currently serves 3,000 hotels and 500,000 rooms in more than 25 countries. This includes one-third of the top 100 global hotel chains."


IBIS hotel check-in terminal keypad-code leakage

After a hacker congress in Hamburg, Pentagrid noticed that an IBIS Budget hotel check-in terminal leaked the room keypad codes of almost half of the hotel rooms when a user searches for a specific form of non-alphanumeric booking number. Access to hotel rooms would allow the theft of valuables, especially since low-budget hotel rooms are often not equipped with a room safe. The hotel chain operator Accor has fixed the problem in the meantime.


Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices

Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.


Remote code execution and elevation of local privileges in Mitel Unify OpenStage and OpenScape VoIP phones

During a research project, Pentagrid identified multiple vulnerabilities in the OpenStage and OpenScape VoIP phone series. The combination of insecure defaults and implementation weaknesses allows a network-local attacker to remotely compromise phones with an unhardened default configuration and to elevate privileges on them. Compromising a phone not only allows wiretapping of phone calls but could also be abused to access the microphone and listen in on rooms. The vulnerabilities affect a wide range of devices. Pentagrid assumes that many small companies do not use a hardened configuration and are likely affected.


Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification

Today, basically every e-mail provider supports TLS for its services, and programmatically accessing e-mail services from Python code using TLS-wrapped clients is common. Python ships three libraries in a standard installation for handling e-mail transfer: the modules smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these libraries securely requires passing a magic parameter in the right way. If one has just read the summary on Stack Overflow, read a tutorial that does not mention security settings, or asked ChatGPT not specifically enough, the result is a program that does not defeat an active attacker in a machine-in-the-middle (MITM) position. Our journey started when we wrote an e-mail monitoring plugin in Python and ended, for the time being, with the notification of various open source projects.


Persistent cross-site scripting vulnerabilities in Liferay Portal

In 2023 we found multiple vulnerabilities in Liferay Portal, a digital experience platform for enterprise websites. It is a free and open-source software project. A few thousand installations on the Internet that do not suppress the Liferay-Portal HTTP response header can be found via special-purpose search engines.

The Liferay Portal Community Version is the foundation of the web interface of Liechtenstein's electronic health portal. That is the reason we got involved with the portal software – not as a customer pentest project, but out of interest. We wrote a blog post about Liechtenstein's electronic health portal (the blog post is in German). We reported our findings regarding Liferay Portal to Liferay in order to get them addressed. Now we are releasing the technical details of the vulnerabilities.
