exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 22 of 22 RSS Feed

Files from Sven Freund

First Active2015-09-04
Last Active2016-09-27
Deactivating Endpoint Protection Software In An Unauthorized Manner (Revisited)
Posted Sep 27, 2016
Authored by Matthias Deeg, Sven Freund

In this paper, the authors describe how the violation of secure design principles can cause authentication bypass vulnerabilities that were found in current endpoint protection software products of different vendors in 2015. All the discussed security vulnerabilities have been reported to the manufacturers of the affected software products according to our responsible disclosure policy and were publicly disclosed in several SySS security advisories and in a talk at the IT security conference DeepSec 2015.

tags | paper, local, vulnerability, bypass
SHA-256 | 16bdb44dfe3a5da3e0a9b5376b22c5274d1bfbf4ba7e2ff6870b90b93b63eb07
innovaphone IP222 11r2 sr9 Brute Force
Posted Mar 24, 2016
Authored by Sven Freund | Site syss.de

The innovaphone IP222 provides a password protected administration interface, which can be accessed via a web browser. Although the basic authentication was disabled and instead the digest authentication is used, it is still possible to perform brute-force attacks against the password authentication process.

tags | exploit, web
SHA-256 | 5a2d36d564fe004b8101678bcdc007666e0547fe8e23b7a50847efbc69680872
innovaphone IP222 11r2 sr9 Download Denial Of Service
Posted Mar 24, 2016
Authored by Sven Freund | Site syss.de

At startup the innovaphone IP222 sends an HTTP request for a special PNG file to the involved server system. After the download has finished, the image is displayed on the phone by selecting the receiver screen in the menu. Providing a large image file (6.9 MB) within the download process and selecting the receiver screen on the phone will lead to a crash of the application and cause a denial of service condition. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH.

tags | exploit, remote, web, denial of service, code execution
SHA-256 | 082b8f3575ba36bdc1044ed8d817104a1afb0c9d70e9163c8f9dfb60e5762b1a
innovaphone IP222 UDP Denial Of Service
Posted Mar 24, 2016
Authored by Sven Freund | Site syss.de

The innovaphone IP222 offers different protocols, like H.323 or SIP, to fulfil the various requirements. The discovered vulnerability was found in the protocol SIP/UDP. Therefore a specially crafted SIP request to the open 5060/UDP port causes a denial of service condition by crashing the innovaphone IP222 phone immediately. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH.

tags | exploit, remote, denial of service, udp, code execution, protocol
SHA-256 | cfc0d7614928d7e4d648a995ef8fdeb119a75e0ac44cc1cd7ece00e5e46a6931
perfact::mpa Persistent Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that different functions of the web application perfact::mpa are prone to persistent cross-site scripting attacks due to insufficient user input validation.

tags | exploit, web, xss
SHA-256 | 3de9ebd0a6d7d71bc98db0dbfca47d2036e6cb55c8c5730f0710bc34b796c3d7
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that different resources of the web application perfact::mpa can be directly accessed by the correct URL due to improper user authorization checks. That is, unauthorized users can access different functions of the perfact::mpa web application.

tags | exploit, web
SHA-256 | 9ddb061b9a0b9ab1cc362d42499ce13c2180721efde797ef3793f8df0246c9b2
perfact::mpa Open Redirect
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the web application perfact:mpa accepts user-controlled input via the URL parameter "redir" that can be used to redirect victims to an arbitrary site which simplifies so-called phishing attacks.

tags | exploit, web, arbitrary
SHA-256 | 1240006c91f037df38cbcd2cbcc641d8f0ac32f2445fa4d65f159730f692deb7
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that any logged in user is able to download valid VPN configuration files of arbitrary existing remote sessions. All an intruder needs to know is the URL with the dynamic parameter "brsessid". Due to the modification of this incremental increasing integer value, it is possible to enumerate and download a valid VPN configuration file for every existing remote session.

tags | exploit, remote, arbitrary
SHA-256 | 0395cba8a67f491b8450abca96173ea16da49abe7cd6b3f2d88cf3e02d04710c
perfact::mpa Cross Site Request Forgery
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The tested web application perfact::mpa offers no protection against cross-site request forgery (CSRF) attacks. This kind of attack forces end users respectively their web browsers to perform unwanted actions in a web application context in which they are currently authenticated.

tags | exploit, web, csrf
SHA-256 | 2b1425b7f0db4e14f7b33d9778f0a59b7e1c1b93b42771c51ac1b69ae8116af3
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

SySS GmbH found out that unauthorized users are able to download arbitrary files of other users that have been uploaded via the file upload functionality. As the file names of uploaded files are incremental integer values, it is possible to enumerate and download all uploaded files without any authorization.

tags | exploit, arbitrary, file upload
SHA-256 | b599bdab77ad574016e3a7c31c5ca968b8a2daac827a37f269eb26e143e5fe99
perfact::mpa Reflected Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

SySS GmbH found out that the request new user and translation functionalities of the web application perfact::mpa are prone to reflected cross-site scripting attacks.

tags | exploit, web, xss
SHA-256 | c41cae5aadb2813a38940d61e582bbde74c6eac30c32083652ec5ccf789a03e0
Kaspersky Small Office Security 13.0.4.233 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

By analyzing the password-based authentication for unloading the Kaspersky Small Office Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the module avpmain.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Small Office Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
SHA-256 | f56f7f4ad60158ad733a4f73ea4635638de505c45f25ef6e8047b7a8a8e5a7ce
Kaspersky Endpoint Security For Windows 8.1.0.1042 / 10.2.1.23 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the admin password for protecting different functions of the Kaspersky Endpoint Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
SHA-256 | 8a7c74b5cbb75ec15cb0f9a3938c69c29a10c97069f7ba7e4871500310fbc21c
Kaspersky Endpoint Security For Windows 8.1.0.1042 / 10.2.1.23 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

By analyzing the password-based authentication for unloading the Kaspersky Endpoint Security for Windows protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe, which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Endpoint Security for Windows in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
SHA-256 | 2d0462fc09a2607d7ee16b44834d6ec901e61cace833e168b9102654473f32bc
Kaspersky Anti-Virus 15.0.1.415 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Anti-Virus software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry, virus
systems | windows
SHA-256 | ea3ba68c2445280d74bd945ec27706a66dc51e94a333bf175519fd2093dc8a5e
Kaspersky Anti-Virus 15.0.1.415 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

By analyzing the password-based authentication for unloading the Kaspersky Anti-Virus protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Anti-Virus in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory, virus
systems | windows
SHA-256 | 554441351ca1092de802550ffa43352381d6c7482cd5373295ac4d9310a088aa
Kaspersky Internet Security 15.0.2.361 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Internet Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
SHA-256 | 1de91bfb49d3f0e7cd83b46395378df631ea2882433f6e879dd0b109e920970e
Kaspersky Internet Security 15.0.2.361 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

By analyzing the password-based authentication for unloading the Kaspersky Internet Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Internet Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
SHA-256 | 15965bde1ae5e842c07d11a1778e4a501e0cade94ff4d28bf4c19ef058f87c30
Kaspersky Total Security 15.0.1.415 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Total Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
SHA-256 | bb0133dfea19da32e1adc63779e910d52d60547b085a50a1b291be2d89764758
Kaspersky Total Security 15.0.1.415 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

By analyzing the password-based authentication for unloading the Kaspersky Total Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Total Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
SHA-256 | b12d3e03fd22c3e9658d41432c039d1d5f73a44ea1032e75289b6f1261bafbdf
Kaspersky Small Office Security 13.0.4.233 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Small Office Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
SHA-256 | f9313aec301a7c3586f846924c4e87db8f5ea73a5ca80b220b990f5e9dca66c1
Avaya one-X Agent 2.5 SP2 Cryptography Issues
Posted Sep 4, 2015
Authored by Sven Freund | Site syss.de

Avaya one-X Agent version 2.5 SP2 suffers from having a hard-coded key and various cryptography use issues.

tags | advisory
SHA-256 | bf140d213af14199a880bdd1f929e50c95c139713cf6105f06c8ac6b71462212
Page 1 of 1
Back1Next

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close