exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 26 RSS Feed

Files from Bernhard Mueller

Email addressb.mueller at sec-consult.com
First Active2005-10-26
Last Active2018-04-13
Smashing Smart Contracts
Posted Apr 13, 2018
Authored by Bernhard Mueller

This pop-scientific conference paper introduces Mythril, a security analysis tool for Ethereum smart contracts, and its symbolic execution backend LASER-Ethereum. The first part of the paper explains symbolic execution of Ethereum bytecode in a largely formal manner. The second part showcases the vulnerability detection modules already implemented in Mythril. The modules use a pragmatic mix of static analysis, symbolic analysis and control flow checking.

tags | paper
SHA-256 | 8a7fc1857be351bac85ed32986c92e1568085599649c4da76ee6420d59f718c5
Hacking Soft Tokens - Advanced Reverse Engineering On Android
Posted Aug 25, 2016
Authored by Bernhard Mueller

Traditional hardware 2FA tokens are increasingly being replaced by "soft" tokens – software OTP generators packaged into regular smartphone apps that run on iOS or Android. This is more convenient for users but also exposes the tokens to attacks by mobile malware and manual attacks. To compensate for these risks, many software token vendor apply a combination of obfuscation, anti-tampering, and cryptography. The question is, how effective are these measures in protecting the users' data? In this paper, the author shows different kinds of attacks that can be used to reverse engineer OTP algorithms and extract the stored secrets. Techniques range from classical static and dynamic analysis to custom kernel sandboxes and full-system emulation. The author demonstrates proof-of-concept exploits for current soft tokens of major vendors, and explain methods of assessing the effectiveness of a given set of obfuscation.

tags | paper
SHA-256 | dfddec2a3011688d5204b41866d859bf209f9d75098433f3997a79ab1b4de264
Cisco Unified Communications Manager Command Execution
Posted Aug 13, 2015
Authored by Bernhard Mueller

Cisco Unified Communications Manager versions prior to 11.0.1, 10.5.2, and 9.2 suffer from multiple command execution vulnerabilities.

tags | exploit, vulnerability, file inclusion
systems | cisco
advisories | CVE-2014-6271
SHA-256 | 2657de5609ab33edc3daabf9e0594e967f1578315006fc819d72a4d7f3cd226d
SysAid Server Arbitrary File Disclosure
Posted Dec 24, 2014
Authored by Bernhard Mueller

SysAid Server is vulnerable to an unauthenticated file disclosure attack that allows an anonymous attacker to read arbitrary files on the system. An attacker exploiting this issue can compromise SysAid user accounts and gain access to important system files. When SysAid is configured to use LDAP authentication it is possible to gain read access to the entire Active Directory or obtain domain admin privileges. Versions prior to 14.4.2 are affected.

tags | exploit, arbitrary
SHA-256 | ded991f6a9fd1cb08e39b8b26dfe55e2a04cb8d72fba867c880da92c562ade8f
IBM System Director Agent DLL Injection
Posted Dec 7, 2012
Authored by Kingcope, Bernhard Mueller, juan vazquez | Site metasploit.com

This Metasploit module abuses the "wmicimsv" service on IBM System Director Agent 5.20.3 to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM privileges. In order to accomplish remote DLL injection it uses a WebDAV service as disclosed by kingcope on December 2012. Because of this, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.

tags | exploit, remote, arbitrary
systems | windows
advisories | CVE-2009-0880, OSVDB-52616, OSVDB-88102
SHA-256 | 57ad1d7f1d323cfb6acd126a3292c26cbc21aecfac9b4ae0aa47d8c45a07aaad
dotDefender WAF 4.26 Format String
Posted Nov 16, 2012
Authored by Bernhard Mueller | Site sec-consult.com

Applicure dotDefender WAF versions 4.26 and below suffer from a format string vulnerability.

tags | advisory
SHA-256 | b0d30665e6fdf30c97b86937ab446b3cbc76ca5d1425fb453916aa7205a4a6cb
ModSecurity 2.6.8 Bypass
Posted Oct 17, 2012
Authored by Bernhard Mueller | Site sec-consult.com

ModSecurity versions 2.6.8 and below suffer from a bypass vulnerability.

tags | exploit, bypass
SHA-256 | 66c7ba1fb6e21281df0d67d03466172c7721ec5b0b8347c4d7e744906b811185
SEC Consult - Symbian S60 / Nokia CODECs
Posted Jul 7, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090707-0 - Multiple memory corruption vulnerabilities have been identified in multimedia codecs used by the RealPlayer and MMS viewer on Nokia's Symbian/S60 based smartphones. An attacker could leverage these bugs to gain control of the program counter register and execute arbitrary code on a target smartphone. The bugs can be triggered directly inside the MMS viewer of the target, by sending an MMS with an embedded video file.

tags | advisory, arbitrary, vulnerability
SHA-256 | aeaa346858f3d297167128f3741765a3b8de649f8ac8e79ef104a8614c5c1bc6
Whitepaper Called From 0 To 0 Day On Symbian
Posted Jul 6, 2009
Authored by Bernhard Mueller | Site sec-consult.com

Whitepaper called From 0 To 0 Day On Symbian - Finding Low Level Vulnerabilities On Symbian Smartphones.

tags | paper, vulnerability
SHA-256 | 9f84cc111e30835b5b7e8fbc5e38e756d4e282500b242481eca7fe284fc5a2df
Nortel Contact Center Manager Authentication Bypass
Posted May 27, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090525-0 - The Nortel Contact Center Manager server version 6.0 suffers from an authentication bypass vulnerability.

tags | advisory, bypass
SHA-256 | 983ea312515d8fc13a674dd0481967d73dbc7ab8781412dcd68339905b846a46
IBM Director Privilege Escalation
Posted Mar 10, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090305-2 - IBM Director for Windows versions 5.20.3 Service Update 2 and below suffer from a local privilege escalation vulnerability.

tags | exploit, local
systems | windows
SHA-256 | 2c4bdf15757ef2a4d79baa1f93e9076442d2eb8f9826084c908501199c234703
IBM Directory CIM Denial Of Service
Posted Mar 10, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090305-1 - IBM Director for Windows versions 5.20.3 Service Update 2 and below suffer from a remote denial of service vulnerability.

tags | advisory, remote, denial of service
systems | windows
SHA-256 | 6ec03fbbc9d5a504fb1686b5770ec4c08945779d3dfcac2447a621f6e80a6a21
SEC-CONSULT Security Advisory 20081219-0
Posted Dec 30, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20081219-0 - Fujitsu-Siemens WebTransactions is vulnerable to remote command injection due to insufficient input validation. Under certain conditions, WBPublish.exe passes unvalidated user input to the system() function when cleaning up temporary session data. This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability does not require prior authentication and can be exploited from a web browser.

tags | advisory, remote, web, arbitrary
SHA-256 | 4fcccde253345cf5e3f0f4106c7f74d8b15fb08e20a6c514630001cb3f299309
SEC Consult Security Advisory 20081210-0
Posted Dec 10, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20081210-0 - By calling the extended stored procedure sp_replwritetovarbin, an attacker can write limited values to arbitrary locations in process memory. This vulnerability has been described in a prior security advisory for MS SQL Server 2000.

tags | advisory, arbitrary
SHA-256 | 35360a7acfa1a99b8a092110b58250c85ed5ca8c4ccd0d0b760cbb8a46b38a39
SEC Consult Security Advisory SA-20081109-0
Posted Dec 9, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20081209-0 - Microsoft SQL Server suffers from a limited memory overwrite vulnerability.By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application. Versions 8.00.2039 and below are affected.

tags | advisory, web, arbitrary, sql injection
systems | windows
SHA-256 | a3cd08ebd8f3b29b9b481794aeae14f29fef4640ab1d53fdd05d480b010bfc47
Whitepaper-DNS-node-redelegation.pdf
Posted Aug 8, 2008
Authored by Bernhard Mueller | Site sec-consult.com

This whitepaper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs if it receives a delegation which is "closer" to the answer than the nameservers it already knows. By spoofing replies that contain a delegation for a single node, the nameserver will eventually cache the delegation when we hit the right transfer id.

tags | paper, spoof
SHA-256 | abbfbe58cec35345e772a4e4a619f470fd28ce8a650d46a2ece0e7973192ec4c
SA-20071204-0.txt
Posted Dec 6, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071204-0 - SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. Versions below 4.0.0.830 are vulnerable.

tags | advisory
SHA-256 | b97b54d87bbc935b01eccf81c297be574aecaedace6de6a4b4127979150d7bba
SA-20071101-0.txt
Posted Nov 1, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071101-0 - The SonicWALL SSL-VPN solution comes with various ActiveX Controls which allows users to access the VPN with Internet Explorer. These controls contain various vulnerabilities. Some details provided. Vulnerable versions include SonicWALL SSL-VPN 1.3.0.3, WebCacheCleaner ActiveX Control 1.3.0.3, and NeLaunchCtrl ActiveX Control 2.1.0.49.

tags | exploit, vulnerability, activex
SHA-256 | b43c0aec3d769dbce9e0724d5a99830b17f328ef1c8aa8f7aaea4b93f308d5cd
SA-20071031-0.txt
Posted Oct 31, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071031-0 - The Perdition Mail Retrieval Proxy versions 1.17 and below suffer from a format string vulnerability.

tags | advisory
SHA-256 | 4efe9018c77b580c8c0bdf7897b14f170b94aec142d3cc6dc57eb1e1f9e4d1f1
SA-20070309-0.txt
Posted Mar 13, 2007
Authored by Bernhard Mueller, S.Streichbier | Site sec-consult.com

SEC-CONSULT Security Advisory 20070309-0 - Starting with version 5, MySQL provides access to the database metadata. When using functions that operate on strings in combination with subselects on information_schema tables and additional sorting of the results with the ORDER BY clause, a null-pointer dereferencation takes place causing a segmentation fault. This allows an attacker to crash the MySQL database. Versions below 5.0.37 are affected.

tags | advisory
SHA-256 | d00c6845f154920b81fdf6e0a349fb00b0670947308e18f0a2d4970997894dbb
php-exec.txt
Posted Oct 27, 2006
Authored by Bernhard Mueller | Site sec-consult.com

POC exploit for the PHP exec, system, popen file descriptor bug that overwrites Apache's log file.

tags | exploit, php
SHA-256 | b21b5612f3dfa05f10f1e95eb766c9a109f1aa1f7878f56b937c1a95c857c4b4
SEC-20060512-0.txt
Posted May 21, 2006
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20060512-0 - The Symantec Enterprise Firewall leaks internal IPs of natted machines in response to certain HTTP requests. Version 8.0 is vulnerable.

tags | exploit, web
SHA-256 | 807aa7028b29ee6916e21a15ef082d41db7b0c19a41584be3677e3145973e8e1
SA-20060413-0.txt
Posted Apr 19, 2006
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20060413-0 title: Opera Browser versions less than or equal to 8.52 CSS Attribute Integer Wrap and buffer overflow

tags | advisory, overflow
SHA-256 | dcd897dcb4d39d9b5637377385db693ba270ea31b7ef988a7b4ecf1ccb586ecb
SEC-20051107-1.txt
Posted Nov 8, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051107-1 - SEC Consult has found that parameters to ActionDefineFunction (ACTIONRECORD 0x9b) in the Macromedia Flash Plugin are not properly sanitized. Loading a specially crafted SWF leads to an improper memory access condition which can be used to crash flash player or may be exploited as a vector for code execution. This issue is similar to CVE-2005-2628 (as reported by eEye Digital Security on November 4, 2005) but affects a different function. Versions affected: flash.ocx 7.0.19.0 and earlier, libflashplayer.so before 7.0.25.0.

tags | exploit, code execution
SHA-256 | 8e6fb046a48b15f155e81ed751344b5482c9f52a4be9ea7157fd0da5cedddaa6
SEC-20051107-0.txt
Posted Nov 8, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051107-0 - toendaCMS allows for theft of CMS usernames and passwords (XML database mode), session theft (XML database mode), directory traversal attacks (XML database mode), and arbitrary file uploads. Versions below 0.6.2 are affected.

tags | exploit, arbitrary, file upload
SHA-256 | 144222686022b8b1399ddb13787fcc507b4e08544d5c7ae39a117d7c50b31914
Page 1 of 2
Back12Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close