Vtiger CRM 5.2.0 Multiple Vulnerabilities @ Ush.it

Posted on December 04, 2010 in Research • Tagged with vtiger • 4 min read

With the Ush.it team we published an advisory about “Vtiger CRM 5.2.0 Multiple Vulnerabilities”. The original is here and you can download it here.

Vtiger CRM 5.2.0 Multiple Vulnerabilities

Name              Multiple Vulnerabilities in Vtiger CRM
Systems Affected  Vtiger CRM 5.2.0 and possibly earlier versions
Severity          Medium
Impact (CVSSv2)   Medium 9/10, vector: (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Vendor            http://www.vtigercrm.com
Advisory          http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt
Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                  Alessandro "jekil" Tanasi (alessandro AT …


DEFCON 18 CTF quals - Forensic 200 writeup

Posted on July 01, 2010 in Blog • Tagged with CTF, DEFCON, quals • 6 min read

Second forensic challenge of the DEFCON 18 CTF qualifications: the suggestion was “find the key” and the related file is here. (Mirrors: #1)

Trying to identify the file.

$ file f200_02b7b50f575759cff7.tar.lzma
f200_02b7b50f575759cff7.tar.lzma: data

So we can try to trust the file extension.

$ unlzma -d f200_02b7b50f575759cff7.tar.lzma

$ tar xvf f200_02b7b50f575759cff7.tar
IMG_0001.png
IMG_0002.png
IMG_0003.png
IMG_0004.png
IMG_0005.png
IMG_0006.png
IMG_0007.png
IMG_0008.png
IMG_0009.png
IMG_0010.png
IMG_0011.png
IMG_0012.png
IMG_0013.png
IMG_0014.png
IMG_0015.png
IMG_0016.png
IMG_0017.png
IMG_0018.png
IMG_0019.png
IMG_0020.png
IMG_0021.png
IMG_0022.png
IMG_0023.png …


DEFCON 18 CTF quals - Forensic 100 writeup

Posted on June 19, 2010 in Blog • Tagged with CTF, DEFCON, quals • 6 min read

Some time ago I had a lot of fun at the DEFCON 18 CTF qualifications with a group of really skilled friends. Now, a bit later, here is my writeup for some challenges.

First forensic challenge of the DEFCON 18 CTF qualifications: the suggestion was “find the key” and the related file is here. (Mirrors: #1, #2)

$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin: x86 boot sector; partition 1: ID=0x7,
starthead 0, startsector 31, 31558 sectors, extended partition table
(last)11, code offset 0x0

Now take a look at the partition table.

$ xxd -l 512 f100_6db079ca91c4860f.bin
0000000: 0000 0000 0000 0000 …


hostmap 0.2.2 released

Posted on May 09, 2010 in Tools • Tagged with discovery, dns enumeration, dns name, virtual host • 1 min read

I am glad to release hostmap version 0.2.2.
In this version there are a lot of bug fixes and some new features.

Introduction

hostmap is a free, automatic hostname and virtual host discovery tool written in Ruby and licensed under the GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Changes

Some of the new features include:

  • Fixed hostname dictionary “big” list name.
  • Fixed DNS AXFR zone transfer check that was prone …


Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection @ Ush.it

Posted on January 10, 2010 in Research • Tagged with injection, log escape, log escape sequence injection • 9 min read

With the Ush.it team we published an advisory about “Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection”. The original post is here and can be downloaded from here.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection

 Name              Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick,
                   Orion, AOLserver, Yaws and Boa log escape sequence
                   injection
 Systems Affected  nginx 0.7.64
                   Varnish 2.0.6
                   Cherokee 0.99.30
                   mini_httpd 1.19
                   thttpd 2.25b0
                   WEBrick 1.3.1
                   Orion 2.0.7
                   AOLserver 4.5.1
                   Yaws …
