Hack2Win eXtreme Warm Up
In our upcoming Hack2Win eXtreme event in Hong Kong we will be asking contest participants to come and try their skills breaking into devices and software, showing their abilities in finding vulnerabilities in iOS and Android, as well as in Chrome and Firefox. In preparation for the event, we are ... Read More
beVX Conference Challenge – HiTB
During the event of Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the change to win great prizes. The challenge was divided into two parts, a file – can be downloaded from here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-10 – that you had to download and ... Read More
SSD Advisory – QRadar Remote Command Execution
Vulnerability Summary Multiple vulnerabilities in QRadar allow a remote unauthenticated attackers to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as their chaining – which allows a user to change from unauthenticated to authenticated access, to running commands, and finally running these ... Read More
SSD Advisory – Linux AF_LLC Double Free
Vulnerability Summary A use after free vulnerability in AF_LLC allows local attackers to control the flow of code that the kernel executes, allowing them to cause it to run arbitrary code and gain elevated privileges. Vendor Response The vulnerability was reported to the Kernel Security, which asked us to contact ... Read More
SSD Advisory – TrustPort Management Unauthenticated Remote Code Execution
Vulnerability Summary Multiple vulnerabilities in TrustPort’s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code. TrustPort Management “offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. Central administration ... Read More
SSD Advisory – Vigor ACS Unsafe Flex AMF Java Object Deserialization
Vulnerability Summary A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code. VigorACS 2 “is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS ... Read More
SSD Advisory – Western Digital My Cloud Pro Series PR2100 Authenticated RCE
Vulnerability Summary A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users to execute commands arbitrary commands. Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor Response The vendor was notified on the 28th of November 2017, and ... Read More
SSD Advisory – AppWeb Authentication Bypass (Digest, Basic and Forms)
Vulnerability Summary A critical vulnerability in the EmbedThis HTTP library, and Appweb versions 5.5.x, 6.x, and 7.x including the latest version present in the git repository. In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for form and digest login ... Read More
VK Messenger (VKontakte) vk:// URI Handler Commands Execution
Vulnerability Summary The following describes a vulnerability in VK Messenger that is triggered via the exploitation of improperly handled URI. VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, ... Read More
beVX Conference Challenge
During the event of OffensiveCon, we launched a reverse engineering and encryption challenge and gave the attendees the change to win great prizes. The challenge was divided into two parts, a file – can be downloaded from here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-1 – that you had to download and reverse engineer and server ... Read More