Vulnerabilities

SHAREIt Uncontrolled Memory Allocation

Security, Vulnerabilities
Introduction

Last year, I wanted to check out some vulnerabilities that aren't really common and came across CWE-789, which covers Uncontrolled Memory Allocation. As of May 1, 2020, there are 135,422 CVEs recorded in total, 929 CVEs recorded for vulnerabilities containing the keyword "memory consumption" and 399 CVEs recorded for vulnerabilities containing the keyword "memory allocation". This means the selected vulnerability classification makes up only around 0.98% of the whole CVE database. While looking into potential vectors based on the examples given on the CWE-789 page, I ended up listing software applications that might have undiscovered vulnerabilities and found two zero-days, labeled CVE-2019-14941 and CVE-2019-15234. The main thing that made me in
The Potential of Finding Privilege Escalation Vulnerabilities Through CWE-347

Security, Vulnerabilities
I found the concept of privilege escalation attacks quite interesting because, in theory, the goal is easy to understand, but it actually requires creativity to execute or even discover. While doing research, I came across CWE-347, assigned to "Improper Verification of Cryptographic Signature". Its description reads: "The software does not verify, or incorrectly verifies, the cryptographic signature for data". Thinking about this, if we talk about verifying the cryptographic signature of data, we are pointing at the integrity of the data involved or, simply, "has the data been tampered with or not?" If you've seen the example code given on the CWE-347 page, you'll notice that verifying the cryptographic signature of data can take the form of checking whether a downloaded file w...
Exploiting Programs That Keep Storing Sensitive Information in Memory

Security, Vulnerabilities
Introduction

While studying for Offensive Security's Cracking the Perimeter back in 2018, I encountered proof-of-concept exploits relating to the recovery of sensitive information from memory. A popular tool that does this on Windows is mimikatz; however, this article will focus on vulnerabilities in 3rd-party applications rather than on what mimikatz targets. This type of vulnerability is described by CWE-316: Cleartext Storage of Sensitive Information in Memory, and you'll actually be surprised that a lot of applications are still vulnerable to this type of issue.

Looking more into the vulnerability

Before I even bothered to discover the same type of vulnerability in other applications, I tried to check out what programs were already disc...
Hacking the Dutch Government – Responsible Disclosure

Security, Vulnerabilities
... and all I got was a lousy t-shirt

The Dutch Government "Rijksoverheid" has a responsible disclosure program where, if you manage to find a vulnerability in one of their systems, they reward you with a shirt bearing a small logo of their National Cyber Security Centre (NCSC) together with "I hacked the Dutch Government and all I got was this lousy t-shirt". Quite humorous, eh? So, visiting one of their websites, I managed to find a CHANGELOG.txt, a file commonly left behind when an administrator installs software and doesn't clean up. This CHANGELOG.txt basically exposes critical information. Seeing that the currently installed Drupal version is 7.43 (which is already outdated), one might think that this should be vulnerable to CVE-2018-7600 or "Drupalgeddon", a vulnerability that ...
Trovisio Responsible Disclosure – Password Hash Leakage

Security, Vulnerabilities
Getting another opportunity to become part of a hall of fame for security-related contributions is pretty cool, and this one came from a very simple bug that was not noticed during the development of the system. The last time I saw this kind of issue was a few months ago, when I was working on a back-end system for a client; finding it again on another website basically means that it's probably common out there. During my initial non-intrusive information gathering, I found a lot of API links, which made me test them for some basic responses, and they seemed pretty secure until I opened the Chrome console. After noticing that the APIs were writing console logs, I visited a few pages and guess what popped up? The password hash! This happened when the page "Account Se...