Kai Ullrich

How the search for deser bugs in #SAP sent @kaidentity down a rabbit hole where he winded up stumbling upon a completely unrelated unauth'ed admin access #CVE-2021-21481 codewhitesec.blogspot.com/2021/06/about-…

Unauth'd admin access to #SAP #Netweaver? Our very own @kaidentity has you covered, see #CVE-2021-21481 and SAP Security Note 3022422. Better patch than sorry. Our customers got their heads-up already and we'll publish a detailed blog post when appropriate.

@TwitterSupport I truly cannot fathom why this access would ever even exist. This is like an employee having access to unencrypted credit card or bank account numbers. Companies know not to do this. How did Twitter not know this was unacceptably risky??

Once upon a time there was a #Sophos XG Firewall N-day that had @ramoliks and @niph_ dig deep until they got RCE, a 0-day and a comprehensive blog post. #CVE-2020-12271 #CVE-2020-15504 codewhitesec.blogspot.com/2020/07/sophos…

@timstrazz @CVEnew @4Dgifts @typo3 Maybe this helps: siberas.de/blog/2017/04/1… Or read some documentation about the Extbase framework. Without basic TYPO3 architecture knowledge you probably can't understand.

@kaidentity @CVEnew @4Dgifts @typo3 Any POC for this? Sounds like it's deep into how TYPO3 handles plugins? I'm not understanding the overall description for this if it's making calls from the controller, vs the description seems to indicate this vuln is unsanitized input from the captcha which could cause RCE?

CVE-2019-16699 The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution. cve.mitre.org/cgi-bin/cvenam…

@timstrazz @CVEnew @4Dgifts @typo3 An extension might want to make its controller actions accessible to anonymous callers, like some kind of API. The problem here was that you could make the extension call every controller action of every extension in the system. Now it's been restricted to its own controllers.

@kaidentity @CVEnew @4Dgifts @typo3 E.g. - if an attacker in this case could have controlled 'vendorName' / 'extensionName' - why have the paths to them controlling 'pluginName', 'controllerName', 'actionName' and 'formatName' not also been patched in a similar manner? (Maybe this is obvious, I just don't see it)

@timstrazz @CVEnew @4Dgifts @typo3 The fix makes sure you can only call actions of controllers from the very same extension (and I think there is only one controller). In order to exploit this, you need be able to call controller actions from core extensions. Setting $vendorName=SRBR prevents this.

@CVEnew Wait what? What was the fix? Am I missing something? Looks like a version bump with nothing actually changed or have I not had enough coffee today? cc/ @4Dgifts @typo3 @kaidentity

TYPO3-EXT-SA-2019-018: Remote Code Execution in extension "freeCap CAPTCHA" (sr_freecap) typo3.org/security/advis…

It is always good to take a 2nd look at existing vulns. So @mwulftange found a new rock-solid exploitation technique for the Telerik UI framework (hint: affects an Avast product ;) Enjoy: codewhitesec.blogspot.com/2019/02/teleri… #CVE-2017-11317

Write-ups on three recent WebLogic #javadeser RCEs (translated from chinese): translate.google.com/translate?sl=a… translate.google.com/translate?hl=e…

We have published the RichFaces vulnerability details on the @codewhitesec blog at codewhitesec.blogspot.com/2018/05/poor-r…

Interested in Advanced Java Exploitation? Check out our new blog post about exploiting Adobe ColdFusion codewhitesec.blogspot.com/2018/03/exploi…

@cyberApostle Thanks

Check out my post about handcrafted gadgets and a groovy 2.4.5 gadget codewhitesec.blogspot.de/2018/01/handcr…