
Files from Bernhard Mueller

Email address: b.mueller at sec-consult.com
First Active: 2005-10-26
Last Active: 2018-04-13
Smashing Smart Contracts
Posted Apr 13, 2018
Authored by Bernhard Mueller

This pop-scientific conference paper introduces Mythril, a security analysis tool for Ethereum smart contracts, and its symbolic execution backend LASER-Ethereum. The first part of the paper explains symbolic execution of Ethereum bytecode in a largely formal manner. The second part showcases the vulnerability detection modules already implemented in Mythril. The modules use a pragmatic mix of static analysis, symbolic analysis and control flow checking.

tags | paper
MD5 | 689b059f5f52ffa4211e9e02e8310af5
Hacking Soft Tokens - Advanced Reverse Engineering On Android
Posted Aug 25, 2016
Authored by Bernhard Mueller

Traditional hardware 2FA tokens are increasingly being replaced by "soft" tokens – software OTP generators packaged into regular smartphone apps that run on iOS or Android. This is more convenient for users but also exposes the tokens to attacks by mobile malware and manual attacks. To compensate for these risks, many software token vendors apply a combination of obfuscation, anti-tampering, and cryptography. The question is, how effective are these measures in protecting the users' data? In this paper, the author shows different kinds of attacks that can be used to reverse engineer OTP algorithms and extract the stored secrets. Techniques range from classical static and dynamic analysis to custom kernel sandboxes and full-system emulation. The author demonstrates proof-of-concept exploits for current soft tokens of major vendors, and explains methods of assessing the effectiveness of a given set of obfuscations.

tags | paper
MD5 | a9db1a7fe90c1cb8eb650f278285bd57
Cisco Unified Communications Manager Command Execution
Posted Aug 13, 2015
Authored by Bernhard Mueller

Cisco Unified Communications Manager versions prior to 11.0.1, 10.5.2, and 9.2 suffer from multiple command execution vulnerabilities.

tags | exploit, vulnerability, file inclusion
systems | cisco
advisories | CVE-2014-6271
MD5 | 087de88cbc5124421a285bf18e1d7595
SysAid Server Arbitrary File Disclosure
Posted Dec 24, 2014
Authored by Bernhard Mueller

SysAid Server is vulnerable to an unauthenticated file disclosure attack that allows an anonymous attacker to read arbitrary files on the system. An attacker exploiting this issue can compromise SysAid user accounts and gain access to important system files. When SysAid is configured to use LDAP authentication it is possible to gain read access to the entire Active Directory or obtain domain admin privileges. Versions prior to 14.4.2 are affected.

tags | exploit, arbitrary
MD5 | 5f5e368a98c27289c0121817317afa70
IBM System Director Agent DLL Injection
Posted Dec 7, 2012
Authored by Kingcope, Bernhard Mueller, juan vazquez | Site metasploit.com

This Metasploit module abuses the "wmicimsv" service on IBM System Director Agent 5.20.3 to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM privileges. In order to accomplish remote DLL injection it uses a WebDAV service as disclosed by kingcope in December 2012. Because of this, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.

tags | exploit, remote, arbitrary
systems | windows, xp
advisories | CVE-2009-0880, OSVDB-52616, OSVDB-88102
MD5 | 1b5e33138c767b2b05228cc23a11ff0f
dotDefender WAF 4.26 Format String
Posted Nov 16, 2012
Authored by Bernhard Mueller | Site sec-consult.com

Applicure dotDefender WAF versions 4.26 and below suffer from a format string vulnerability.

tags | advisory
MD5 | 6ddbce0bb1d4a694a440233f185a5d1f
ModSecurity 2.6.8 Bypass
Posted Oct 17, 2012
Authored by Bernhard Mueller | Site sec-consult.com

ModSecurity versions 2.6.8 and below suffer from a bypass vulnerability.

tags | exploit, bypass
MD5 | a61be83daabf4811b1eb7d84e9c13433
SEC Consult - Symbian S60 / Nokia CODECs
Posted Jul 7, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090707-0 - Multiple memory corruption vulnerabilities have been identified in multimedia codecs used by the RealPlayer and MMS viewer on Nokia's Symbian/S60 based smartphones. An attacker could leverage these bugs to gain control of the program counter register and execute arbitrary code on a target smartphone. The bugs can be triggered directly inside the MMS viewer of the target, by sending an MMS with an embedded video file.

tags | advisory, arbitrary, vulnerability
MD5 | 3d363acfbc73b85a3232abf888dfe354
Whitepaper Called From 0 To 0 Day On Symbian
Posted Jul 6, 2009
Authored by Bernhard Mueller | Site sec-consult.com

Whitepaper called From 0 To 0 Day On Symbian - Finding Low Level Vulnerabilities On Symbian Smartphones.

tags | paper, vulnerability
MD5 | c1cb013822fd2846a8426bfcb98c5d69
Nortel Contact Center Manager Authentication Bypass
Posted May 27, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090525-0 - The Nortel Contact Center Manager server version 6.0 suffers from an authentication bypass vulnerability.

tags | advisory, bypass
MD5 | 10787677a4020346866b695d84f0393f
IBM Director Privilege Escalation
Posted Mar 10, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090305-2 - IBM Director for Windows versions 5.20.3 Service Update 2 and below suffer from a local privilege escalation vulnerability.

tags | exploit, local
systems | windows
MD5 | af11a26010b5a7a75bd41039776595d8
IBM Directory CIM Denial Of Service
Posted Mar 10, 2009
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20090305-1 - IBM Director for Windows versions 5.20.3 Service Update 2 and below suffer from a remote denial of service vulnerability.

tags | advisory, remote, denial of service
systems | windows
MD5 | 9b19c268da73ec46103cd32a1bcd09ce
SEC-CONSULT Security Advisory 20081219-0
Posted Dec 30, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20081219-0 - Fujitsu-Siemens WebTransactions is vulnerable to remote command injection due to insufficient input validation. Under certain conditions, WBPublish.exe passes unvalidated user input to the system() function when cleaning up temporary session data. This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability does not require prior authentication and can be exploited from a web browser.

tags | advisory, remote, web, arbitrary
MD5 | 690e99b452a88438cf858afe765e8bb5
SEC Consult Security Advisory 20081210-0
Posted Dec 10, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20081210-0 - By calling the extended stored procedure sp_replwritetovarbin, an attacker can write limited values to arbitrary locations in process memory. This vulnerability has been described in a prior security advisory for MS SQL Server 2000.

tags | advisory, arbitrary
MD5 | 100b389de53df5833f845321a44aaa62
SEC Consult Security Advisory SA-20081109-0
Posted Dec 9, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20081209-0 - Microsoft SQL Server suffers from a limited memory overwrite vulnerability. By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is or may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application. Versions 8.00.2039 and below are affected.

tags | advisory, web, arbitrary, sql injection
systems | windows
MD5 | 40dcb1354e0bf37319f474c7057b717d
Whitepaper-DNS-node-redelegation.pdf
Posted Aug 8, 2008
Authored by Bernhard Mueller | Site sec-consult.com

This whitepaper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs if it receives a delegation which is "closer" to the answer than the nameservers it already knows. By spoofing replies that contain a delegation for a single node, the nameserver will eventually cache the delegation once the right transaction ID is hit.

tags | paper, spoof
MD5 | fa6643451e5ff1239e120a363c571802
SA-20071204-0.txt
Posted Dec 6, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071204-0 - SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. Versions below 4.0.0.830 are vulnerable.

tags | advisory
MD5 | c4bf2e45ab9a3c6e640061f665f3024d
SA-20071101-0.txt
Posted Nov 1, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071101-0 - The SonicWALL SSL-VPN solution comes with various ActiveX Controls which allow users to access the VPN with Internet Explorer. These controls contain various vulnerabilities. Some details provided. Vulnerable versions include SonicWALL SSL-VPN 1.3.0.3, WebCacheCleaner ActiveX Control 1.3.0.3, and NeLaunchCtrl ActiveX Control 2.1.0.49.

tags | exploit, vulnerability, activex
MD5 | 4d8c8385c3e51e858ef006e53fd8e09c
SA-20071031-0.txt
Posted Oct 31, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071031-0 - The Perdition Mail Retrieval Proxy versions 1.17 and below suffer from a format string vulnerability.

tags | advisory
MD5 | 8b94c6a2ea934c2582c4c95be156a6a6
SA-20070309-0.txt
Posted Mar 13, 2007
Authored by Bernhard Mueller, S.Streichbier | Site sec-consult.com

SEC-CONSULT Security Advisory 20070309-0 - Starting with version 5, MySQL provides access to the database metadata. When using functions that operate on strings in combination with subselects on information_schema tables and additional sorting of the results with the ORDER BY clause, a null-pointer dereference takes place, causing a segmentation fault. This allows an attacker to crash the MySQL database. Versions below 5.0.37 are affected.

tags | advisory
MD5 | dc17b12aac7afeadc3dec710fdb0b1c5
php-exec.txt
Posted Oct 27, 2006
Authored by Bernhard Mueller | Site sec-consult.com

POC exploit for the PHP exec, system, popen file descriptor bug that overwrites Apache's log file.

tags | exploit, php
MD5 | a390fba453b9ff9a40e79e9f68932ebf
SEC-20060512-0.txt
Posted May 21, 2006
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20060512-0 - The Symantec Enterprise Firewall leaks internal IPs of NATed machines in response to certain HTTP requests. Version 8.0 is vulnerable.

tags | exploit, web
MD5 | 45efb7adcb6dbcfec7f0bab930904131
SA-20060413-0.txt
Posted Apr 19, 2006
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20060413-0 - Opera Browser versions 8.52 and below suffer from a CSS attribute integer wrap and buffer overflow.

tags | advisory, overflow
MD5 | b6915f0ce24926539456d5984eda7afe
SEC-20051107-1.txt
Posted Nov 8, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051107-1 - SEC Consult has found that parameters to ActionDefineFunction (ACTIONRECORD 0x9b) in the Macromedia Flash Plugin are not properly sanitized. Loading a specially crafted SWF leads to an improper memory access condition which can be used to crash flash player or may be exploited as a vector for code execution. This issue is similar to CVE-2005-2628 (as reported by eEye Digital Security on November 4, 2005) but affects a different function. Versions affected: flash.ocx 7.0.19.0 and earlier, libflashplayer.so before 7.0.25.0.

tags | exploit, code execution
MD5 | 264599e1850c14e2756e29db80b22319
SEC-20051107-0.txt
Posted Nov 8, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051107-0 - toendaCMS allows for theft of CMS usernames and passwords (XML database mode), session theft (XML database mode), directory traversal attacks (XML database mode), and arbitrary file uploads. Versions below 0.6.2 are affected.

tags | exploit, arbitrary, file upload
MD5 | 6844189f4d71a6ff5a7e18d4ca8b49b4
Packet Storm - © 2020 Packet Storm. All rights reserved.