Vulnerability
From Discovery to Disclosure: ReCrystallize Server Vulnerabilities
TL&DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client’s side while others were new vulnerabilities I found that when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE. Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and…
The hunt for Chromium issue 1072171
The last few months I’ve been studying Chrome’s v8 internals and exploits with the focus of finding a type confusion bug. The good news is that I found one, so the fuzzing and analysis efforts didn’t go to waste. The bad news is that I can reliably trigger the vulnerability but I haven’t found a way to weaponise it yet. If you don’t have prior knowledge of v8, I encourage…
The power of variant analysis (Semmle QL) CVE-2019-15937 and CVE-2019-15938
This post will try to do a small introduction to the QL language using real-world vulnerabilities that I found in the past, and it will end with a small challenge using QL. A few months ago, I heard of Semmle QL for the first time, what they do is perform multiple code analysis techniques against source code, and dump these results into a database. Then using the QL language, you…
Google Docs XSS – no bounty today
A few days ago, during one of those nights with the baby crying at 2:00 am and the only thing you can do is to read emails, I realised that Gmail shows the content of compressed files when reading them in Google Docs. As often is the case at SensePost, the “think evil ™” came to me and I started to ponder the possibilities of injecting HTML inside the file…
Page 1 of 1