what you don't know can hurt you
Showing 1 - 17 of 17 RSS Feed

Files from Felix Wilhelm

First Active2010-11-20
Last Active2020-10-13
Kubernetes AWS IAM Integration Issues
Posted Oct 13, 2020
Authored by Google Security Research, Felix Wilhelm

Kubernetes has multiple issues in aws-iam-authenticator where lax controls can lead to a lower security posture.

tags | advisory
MD5 | 0efac33980805dcdab8d64773d7981d5
Hashicorp Vault GCP IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's GCP authentication method can be bypassed on gce type roles that do not specify bound_service_accounts. Vault does not enforce that the compute_engine data in a signed JWT token has any relationship to the service account that created the token. This makes it possible to impersonate arbitrary GCE instances, by creating a JWT token with a faked compute_engine struct, using an arbitrary attacker controlled service account.

tags | exploit, arbitrary
advisories | CVE-2020-16251
MD5 | 7b83f776aff7e235a44aa2d4f4125bb8
Hashicorp Vault AWS IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's AWS IAM authentication method can be bypassed by sending a serialized request to the STS AssumeRoleWithWebIdentity method as part of the authentication flow. The request triggers a JSON encoded response from the STS server, which can contain a fully-attacker controlled fake GetCallerIdentityResponse as part of its body. As the Vault response parser ignores non-xml content before and after the malicious response, this can be used to spoof arbitrary AWS identities and roles.

tags | exploit, arbitrary, spoof
advisories | CVE-2020-16250
MD5 | c2e3c92a813a0ec7ee985df9b624b079
Apache2 mod_proxy_uwsgi Incorrect Request Handling
Posted Aug 31, 2020
Authored by Google Security Research, Felix Wilhelm

Apache2 suffers from an incorrect handling of large requests issue in mod_proxy_uwsgi.

tags | advisory
advisories | CVE-2020-11984
MD5 | 794813ee73c7fb742550accd8b61f2e2
Node.js Hostname Verification Bypass
Posted Jun 3, 2020
Authored by Google Security Research, Felix Wilhelm

Insecure TLS session reuse can lead to a hostname verification bypass in Node.js.

tags | exploit
MD5 | 9bde5356a44eb307d096d404cbcdc1d0
haproxy hpack-tbl.c Out-Of-Bounds Write
Posted Apr 21, 2020
Authored by Google Security Research, Felix Wilhelm

The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP2 request (or response).

tags | exploit, web
advisories | CVE-2020-11100
MD5 | ec4200ed138e11159b83e1a1d18ff6d3
Git Credential Helper Protocol Newline Injection
Posted Apr 15, 2020
Authored by Google Security Research, Felix Wilhelm

A git clone action can leak cached / stored credentials for github.com to example.com due to insecure handling of newlines in the credential helper protocol.

tags | exploit, protocol
advisories | CVE-2020-5260
MD5 | c958ad3ac0a7a989d1f7f2c9f24fadb6
KVM VMX Preemption Timer Use-After-Free
Posted Feb 16, 2019
Authored by Google Security Research, Felix Wilhelm

KVM suffers from a use-after-free vulnerability after using the emulated VMX preemption timer.

tags | exploit
advisories | CVE-2019-7221
MD5 | a0d1f27f5e38bc4b60b7e3417a578978
KVM kvm_inject_page_fault Uninitialized Memory Leak
Posted Feb 16, 2019
Authored by Google Security Research, Felix Wilhelm

KVM suffers from an uninitialized memory leak vulnerability in kvm_inject_page_fault.

tags | exploit, memory leak
advisories | CVE-2019-7222
MD5 | d143badc5670e32e28cf7e6fb40d4424
Evince CBT File Command Injection
Posted Feb 7, 2019
Authored by Sebastian Krahmer, Brendan Coles, Matlink, Felix Wilhelm | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload.

tags | exploit
advisories | CVE-2017-1000083
MD5 | 518ed0c670d289725a426edf1b4243c3
NetworkManager Daemon Command Execution
Posted Sep 6, 2018
Authored by Sameer Goyal, Felix Wilhelm

This is a small tutorial write up that provides a DynoRoot exploit proof of concept.

tags | exploit, proof of concept
advisories | CVE-2018-1111
MD5 | 34564033c2577542c76d3de9c82d2615
Xen xen-netback xenvif_set_hash_mapping Integer Overflow
Posted Aug 17, 2018
Authored by Google Security Research, Felix Wilhelm

Xen suffers from an integer overflow vulnerability in xen-netback xenvif_set_hash_mapping.

tags | advisory, overflow
MD5 | 056a37f9c265e3d9566b012c2ea95423
KVM Nest Virtualization L1 Guest Privilege Escalation
Posted Jun 25, 2018
Authored by Google Security Research, Felix Wilhelm

When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.

tags | exploit
MD5 | 52237ddbf09d9e8e93706408732deecf
DHCP Client Command Injection (DynoRoot)
Posted Jun 12, 2018
Authored by Felix Wilhelm | Site metasploit.com

This Metasploit module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

tags | exploit, arbitrary, local, root, spoof, protocol
systems | linux, redhat, fedora
advisories | CVE-2018-1111
MD5 | 5260d2ef5bb8f8bbc5edbc0ec7cb7c67
EMC Replication Manager / Network Module Remote Code Execution
Posted Oct 4, 2016
Authored by Felix Wilhelm | Site emc.com

EMC Replication Manager (RM) is affected by a remote code execution vulnerability that may be exploited by an attacker to compromise an affected system. A remote unauthenticated attacker may execute arbitrary commands on an RM Client, with high privileges, by starting a rogue RM Server that connects to the RM Client and executes the malicious script/payload that is placed in an SMB share, by the attacker, that is accessible to the RM Client. Affected include EMC Replication Manager versions prior to 5.5.3 on all supported OS, EMC Network Module for Microsoft version 3.x, and EMC Networker Module for Microsoft version 8.2.x.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2016-0913
MD5 | 4196d1c352856a42a93ca08de065887a
Action Pack DoS / SQL Injection / Code Execution
Posted Jan 8, 2013
Authored by Jonathan Rudenberg, Ben Murphy, Bryan Helmkamp, Magnus Holm, Charlie Somerville, Aaron Patterson, Darcy Laycock, Benoist Claassen, Felix Wilhelm

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a denial of service attack on a Rails application.

tags | advisory, denial of service, arbitrary, sql injection, ruby
advisories | CVE-2013-0156
MD5 | 85e44204ba7170674ab3b48f8e9aa554
CakePHP 1.3.5 / 1.2.8 Cache Corruption Exploit
Posted Nov 20, 2010
Authored by tdz, Felix Wilhelm | Site metasploit.com

CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver. Versions less than and equal to 1.3.5 and 1.2.8 are affected.

tags | exploit, web, arbitrary, php
advisories | OSVDB-69352
MD5 | 27a4713b86a9f2dc74fea03d6d22680a
Page 1 of 1

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By