CVE-2020-3974: Privilege escalation in VMWare Fusion

2020-07-17 12:00 | Cees Elzinga

This post documents two bugs in VMware Fusion for macOS. By combining the bugs we bypass all protections. This allows any user to escalate his privileges to root.

Privilege escalation in Little Snitch for macOS

2020-07-13 10:20 | Cees Elzinga

Continuing our macOS series we take a look at Little Snitch. In this post we show that installing this popular firewall can make you more vulnerable to local attackers.

Privilege escalation in ExpressVPN for macOS

2020-06-22 10:00 | Cees Elzinga

As macOS continues to become more prevalent in enterprise environments, I decided to investigate various popular applications looking for security problems. Today we will look at a local privilege escalation in ExpressVPN.

CVE-2020-8948: Local privilege escalation in Sierra Wireless EM7455

2020-05-04 09:45 | Simon van Beest & Mads Joensen

In this post, we describe a local privilege escalation, CVE-2020-8948, in the Sierra Wireless EM7455 network module (and others). The post demonstrates how easy it is to make a mistake when setting folder permissions and how this can be leveraged into a local privilege escalation.

CVE-2019-8855 and CVE-2020-3889: macOS and protected files

2020-04-03 11:10 | Lasse Trolle Borup

In this post I will document two simple logic bugs I reported to Apple last year. The first, CVE-2019-8855, had been previously found by their own team and a fix was deployed last year. The second, CVE-2020-3889 was fixed in the latest security update. The two bugs are very similar, and both can be exploited with a few commands in a terminal. They are quite simple, and they demonstrate that sometimes a security boundary can be challenged with some guesswork, without knowing all the intricate details of the implementation.

CVE-2019-19793: AppGate SDP, Part 2: Authenticated RCE

2020-03-06 12:00 | Lasse Trolle Borup

This is the second of two posts documenting a vulnerability we reported to Cyxtera (now AppGate) in June last year. The first post covered the Local Privilege Escalation aspect of the issue, and in this post I will describe the Authenticated RCE attack vector of the issue.

CVE-2019-19793: AppGate SDP, Part 1: Local Privilege Escalation

2020-02-05 10:17 | Lasse Trolle Borup

This is part one of two posts documenting a vulnerability we reported to Cyxtera (now AppGate) in June last year. In this post I will describe the Local Privilege Escalation attack vector of this bug and in part 2 I will describe how it can be exploited remotely

Multiple privilege escalations in FortiClient for Linux

2020-01-28 10:00 | Cees Elzinga

This post continues our research in FortiClient but focuses on the Linux client. Although it's the same product, the implementation is completely different and we will start our research from scratch. We identified multiple security issues.

CVE-2019-17650: Privilege escalation in FortiClient for Mac

2020-01-14 10:30 | Lasse Trolle Borup

This post documents another local privilege escalation vulnerability we found in a security product for MacOS last year. This time it’s in FortiClient for Mac, an application containing Endpoint Protection and VPN functionality.

Multiple privilege escalations in ESET's Cyber Security

2019-12-23 11:00 | Cees Elzinga

Macs are becoming more and more prevalent in enterprise environments. Connecting them to the network makes them a part of the security perimeter, and therefore possible candidates for an attacker’s attempt to gain a foothold in the enterprise. For this reason, we are sometimes tasked to perform security analysis of these devices. This detailed blog post documents 4 vulnerabilities we found in ESET products for macOS.

CVE-2019-0086: Local Privilege Escalation in Dynamic Application Loader

2019-11-14 11:00 | Lasse Trolle Borup

Most laptops we come across in enterprise environments are loaded with software from different third-party vendors. Since a lot of the hardware components in laptops are from Intel, drivers and software services from Intel are a common sight in our engagements. In this post we document a Local Privilege Escalation bug we found in one of these services.

Your complex password might be unsafe: Hashcat and statistics used to analyze 500 million leaked passwords

2019-08-12 11:43 | Gustav Jensen

From analyzing 500 million leaked passwords, we discover how the common rules of creating passwords seem to follow distinct patterns. This means, that as we are trying to make our passwords increasingly more complex by using uppercases and digits, it actually does the exact opposite. The emerging patterns derived from our dataset make bruteforcing much more likely to succeed.

3/3 Yousee/TDC homebox - attacking via the browser

2018-12-21 08:30 | Hjalte Ableskov

This is part three in a series of blog posts documenting the bugs I found when exploring the YouSee/TDC HomeBox. The post will show the steps I took to turn a few separate issues into an external attack via a user's browser, resulting in a full root compromise of the device.

2/3 Yousee/TDC homebox - attacking via the browser

2018-09-26 10:00 | Lasse Trolle Borup

This is part two in a series of blog posts documenting the bugs I found when exploring the YouSee/TDC HomeBox. The post will show the steps I took to turn a few separate issues into an external attack via a user's browser, resulting in a full root compromise of the device.

1/3 Yousee/TDC homebox - attacking via the browser

2018-08-30 09:30 | Lasse Trolle Borup

This is part one in a series of blog posts documenting the bugs I found when exploring the YouSee/TDC HomeBox. The post will show the steps I took to turn a few separate issues into an external attack via a user's browser, resulting in a full root compromise of the device.

Weaponizing a bug in the Linksys Velop

2018-09-21 09:35 | Mads Joensen

From vulnerability to persistence across firmware updates. A case study on the Linksys Velop.

Linksys Velop and some bonus CGI scripts

2018-09-19 12:40 | Lasse Trolle Borup

Sometimes very simple vulnerabilities slip through into production. In this post, we will go through how we found such a vulnerability in the Linksys Velop router, and show how it can be exploited by an external attacker via a local user’s browser.

Asus Lyra Mini and a problematic patch process

2018-08-31 11:00 | Lasse Trolle Borup

A bug in the Asus Lyra Mini and our following communication with Asus gave us a glimpse into how security fixes are rolled out for Asus products. In this post, we will go through how we found the bug and what we learned about Asus' patching process from reporting the bug.

Honeypots were getting hacked

2018-06-29 10:30 | Nichlas Holm Jørgensen

We are actively maintaining a honeypot research project with various systems scattered across the internet. These systems emulate different vulnerable services, and we are happy to say they are getting "hacked" on a regular basis :-). This blogpost is a story of how we recently became aware of "new" offensive tricks by analysing data from this defensive research project.

Transforming text and bypassing Device Guard

2018-06-20 13:30 | Lasse Trolle Borup

In this post, we will describe a Device Guard User Mode Code Integrity (UMCI) bypass that we submitted to Microsoft in February. It has now been added as a deny rule in the Device Guard deployment guide. For more context about Device Guard refer to the documentation or some of my earlier posts.

Yet another IBM Notes bug

2018-05-30 10:20 - Updated 2018-06-07 13:05 | Lasse Trolle Borup

Though IBM Notes (formerly Lotus Notes) is a product fading from use, the IBM Notes client is still a common sight in Danish organisations, most likely to support older database or intranet solutions still present in the network. Therefore, fixing security bugs in a timely manner is still important.

A simple Device Guard bypass

2018-05-14 10:05 | Lasse Trolle Borup

In this post, we will describe a Device Guard User Mode Code Integrity (UMCI) bypass we submitted to Microsoft in February. It has now been added as a deny rule to the bypass policy in the Device Guard deployment guide. For more context about Device Guard refer to the documentation or our last posts.

CEO Fraud Log Analysis

2018-05-07 11:30 | Nichlas Jørgensen

There are many ways to "hunt" for evil in log files. During a recent investigation of a CEO fraud incident, we tried out a new idea that involved geolocation for successful authentication attempts vs. time of authentication.

Device Guard and PcaCertificate, part 2

2018-04-24 11:37 | Lasse Trolle Borup

Application whitelisting is a strong control. Implemented correctly it will stop unskilled attackers before they get a foothold in the network, and slow down or trigger detection for skilled attackers.

In this post we show how to use a vulnerable signed executable to bypass improperly implemented Device Guard policies to bootstrap the loading of unsigned executables.

Device Guard and PcaCertificate, part 1

2018-04-11 11:05 | Lasse Trolle Borup

Application whitelisting is a strong control. Implemented correctly it will stop unskilled attackers before they get a foothold in the network, and slow down or trigger detection for skilled attackers. But for application whitelisting to be successful, it has to be implemented correctly.

CVE-2020-8948: Local privilege escalation in Sierra Wireless EM7455

2020-05-04 09:45 | Simon van Beest & Mads Joensen

CVE-2019-17650: Privilege escalation in FortiClient for Mac

2020-01-14 10:30 | Lasse Trolle Borup

Multiple privilege escalations in ESET's Cyber Security

2019-12-23 11:00 | Cees Elzinga

1/3 Yousee/TDC homebox - attacking via the browser

CEO Fraud Log Analysis