Exploit the possiblities
Showing 1 - 22 of 22 RSS Feed

Files from Sven Freund

First Active2015-09-04
Last Active2016-09-27
Deactivating Endpoint Protection Software In An Unauthorized Manner (Revisited)
Posted Sep 27, 2016
Authored by Matthias Deeg, Sven Freund

In this paper, the authors describe how the violation of secure design principles can cause authentication bypass vulnerabilities that were found in current endpoint protection software products of different vendors in 2015. All the discussed security vulnerabilities have been reported to the manufacturers of the affected software products according to our responsible disclosure policy and were publicly disclosed in several SySS security advisories and in a talk at the IT security conference DeepSec 2015.

tags | paper, local, vulnerability, bypass
MD5 | 38830fe267b188fd72a1344628a1ad82
innovaphone IP222 11r2 sr9 Brute Force
Posted Mar 24, 2016
Authored by Sven Freund

The innovaphone IP222 provides a password protected administration interface, which can be accessed via a web browser. Although the basic authentication was disabled and instead the digest authentication is used, it is still possible to perform brute-force attacks against the password authentication process.

tags | exploit, web
MD5 | e5488a05f98ad76cc4e1c2aa52baf97d
innovaphone IP222 11r2 sr9 Download Denial Of Service
Posted Mar 24, 2016
Authored by Sven Freund

At startup the innovaphone IP222 sends an HTTP request for a special PNG file to the involved server system. After the download has finished, the image is displayed on the phone by selecting the receiver screen in the menu. Providing a large image file (6.9 MB) within the download process and selecting the receiver screen on the phone will lead to a crash of the application and cause a denial of service condition. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH.

tags | exploit, remote, web, denial of service, code execution
MD5 | badbdfb0296507727dfaf5488f0ac0fe
innovaphone IP222 UDP Denial Of Service
Posted Mar 24, 2016
Authored by Sven Freund

The innovaphone IP222 offers different protocols, like H.323 or SIP, to fulfil the various requirements. The discovered vulnerability was found in the protocol SIP/UDP. Therefore a specially crafted SIP request to the open 5060/UDP port causes a denial of service condition by crashing the innovaphone IP222 phone immediately. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH.

tags | exploit, remote, denial of service, udp, code execution, protocol
MD5 | 6a5aaadbf8b51db5d4dc5583cbfbfa1c
perfact::mpa Persistent Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that different functions of the web application perfact::mpa are prone to persistent cross-site scripting attacks due to insufficient user input validation.

tags | exploit, web, xss
MD5 | 395d8c6ac2a94747a5fd66073b16b801
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that different resources of the web application perfact::mpa can be directly accessed by the correct URL due to improper user authorization checks. That is, unauthorized users can access different functions of the perfact::mpa web application.

tags | exploit, web
MD5 | 4aa1d62edf7f18c1ddd9cfae562d5f2a
perfact::mpa Open Redirect
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the web application perfact:mpa accepts user-controlled input via the URL parameter "redir" that can be used to redirect victims to an arbitrary site which simplifies so-called phishing attacks.

tags | exploit, web, arbitrary
MD5 | a36409ba1638534f55441d4e6d66c48d
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that any logged in user is able to download valid VPN configuration files of arbitrary existing remote sessions. All an intruder needs to know is the URL with the dynamic parameter "brsessid". Due to the modification of this incremental increasing integer value, it is possible to enumerate and download a valid VPN configuration file for every existing remote session.

tags | exploit, remote, arbitrary
MD5 | bd6687c30d8cf65256ea36411f6d8bfd
perfact::mpa Cross Site Request Forgery
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

The tested web application perfact::mpa offers no protection against cross-site request forgery (CSRF) attacks. This kind of attack forces end users respectively their web browsers to perform unwanted actions in a web application context in which they are currently authenticated.

tags | exploit, web, csrf
MD5 | daf2d017144129e99597de33fb726147
perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

SySS GmbH found out that unauthorized users are able to download arbitrary files of other users that have been uploaded via the file upload functionality. As the file names of uploaded files are incremental integer values, it is possible to enumerate and download all uploaded files without any authorization.

tags | exploit, arbitrary, file upload
MD5 | 144e141f58e04e5f34a3cd1065a4e29a
perfact::mpa Reflected Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

SySS GmbH found out that the request new user and translation functionalities of the web application perfact::mpa are prone to reflected cross-site scripting attacks.

tags | exploit, web, xss
MD5 | 90e4d95861b1c3c40a936470c24a1c83
Kaspersky Small Office Security 13.0.4.233 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

By analyzing the password-based authentication for unloading the Kaspersky Small Office Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the module avpmain.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Small Office Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
MD5 | 5e46fdc705611011780a067f3a7e2b49
Kaspersky Endpoint Security For Windows 8.1.0.1042 / 10.2.1.23 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the admin password for protecting different functions of the Kaspersky Endpoint Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
MD5 | 046ea318b27a89b15f537db5a397f8e5
Kaspersky Endpoint Security For Windows 8.1.0.1042 / 10.2.1.23 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

By analyzing the password-based authentication for unloading the Kaspersky Endpoint Security for Windows protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe, which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Endpoint Security for Windows in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
MD5 | 1086f747be3eb0c4c2fe2cf3b6779064
Kaspersky Anti-Virus 15.0.1.415 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Anti-Virus software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry, virus
systems | windows
MD5 | 369760ef08cc2b83d83527f99b2c5299
Kaspersky Anti-Virus 15.0.1.415 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

By analyzing the password-based authentication for unloading the Kaspersky Anti-Virus protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Anti-Virus in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory, virus
systems | windows
MD5 | dbe91bf95bd0bc4235598ff893194b09
Kaspersky Internet Security 15.0.2.361 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Internet Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
MD5 | f880e334aba51f05b55d115bc9c61d3b
Kaspersky Internet Security 15.0.2.361 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

By analyzing the password-based authentication for unloading the Kaspersky Internet Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Internet Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
MD5 | 83058e3c88e6bdcf0882c306620e66bd
Kaspersky Total Security 15.0.1.415 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Total Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
MD5 | 30409400e9eb6a41ab0a7c7c0c4323c2
Kaspersky Total Security 15.0.1.415 Authentication Bypass
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

By analyzing the password-based authentication for unloading the Kaspersky Total Security protection, the SySS GmbH found out, that the password comparison is done within the process avp.exe (actually within the used module shell_service.dll), which runs or can be run in the context of the current Windows user, who can also be a standard, limited user. This fact allows a further analysis and the manipulation of the password comparison during runtime without administrative privileges, as every user is able to debug and manipulate the processes running with her user privileges. In order to bypass the password-based authentication to deactivate the protection of Kaspersky Total Security in an unauthorized manner, an attacker only has to patch this password comparison, so that it always returns true, for example by comparing the correct unload password with itself or by modifying the program control flow.

tags | advisory
systems | windows
MD5 | a4bdd4397fdcaf468c04a3e0387e5123
Kaspersky Small Office Security 13.0.4.233 Unsalted Hash
Posted Oct 1, 2015
Authored by Matthias Deeg, Sven Freund

The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Small Office Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.

tags | exploit, registry
systems | windows
MD5 | 3c76465f7d59e37e5f167f1a8b4492a3
Avaya one-X Agent 2.5 SP2 Cryptography Issues
Posted Sep 4, 2015
Authored by Sven Freund

Avaya one-X Agent version 2.5 SP2 suffers from having a hard-coded key and various cryptography use issues.

tags | advisory
MD5 | 663999172b27a59db9403ab6303b9932
Page 1 of 1
Back1Next

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    42 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close