Linux ptrace introduction AKA injecting into sshd for fun

If there is one thing I've come to appreciate over these past few weeks, it's just how much support you are provided by the Win32 API. That being said, I wanted to tackle some Linux process injection, with the aim of loading a shared object into another process's address space without having to resort to LD_PRELOAD or stopping the process. The goal I set myself was quite simple: could I recover plain text credentials from the sshd process using ptrace? Granted, this is a bit of an arbitrary goa... Read More »

Foomatic-RIP (CVE-2015-8560)

Just a quick writeup today: recently I uncovered an issue in the Foomatic-RIP package. The bug can be found within the "filter/foomatic-rip/util.c" source and is due to the blacklist used within the following line: const char* shellescapes = "|&!$\'\"`#*?()[]{}"; This blacklist is used to sanitise characters that are later passed to the libc system() call. It seems that this blacklist is missing the ; character, which means that if we can influence an argument passed to foomatic-rip which is... Read More »

MS15-099 - SharePoint XSS

Recently, during a review of SharePoint, I came across a vulnerability discovered by the Fortinet team and published on their blog here: The post contained information on what a successful exploit would look like, but provided no final exploit for verification or testing. After a bit of review, I found the following POC code which, when triggered, shows a simple alert dialog box: http"http://"http://onmouseover=alert(... Read More »

From CSV to Meterpreter

As many of you have probably seen, last year Context published research into spreadsheet applications such as Excel which render CSV files (and their embedded formulas) when opened. If you haven't, I suggest stopping and reading Many web applications provide a user with an option to export data to a CSV file format, and when the data can be influenced by an attacker (registration names, analytics etc), you are facing a pot... Read More »