Log4Shell — critical vulnerability in Java logging library Log4j

December 15th, 2021

On November 24th a critical zero-day vulnerability in Log4j was reported to Apache. It was made public on the 10th of December under the name Log4Shell (CVE-2021-44228); it can be exploited remotely with minimal effort and allows an attacker to execute their own code (RCE). Amazon, Apple, Tesla, Twitter and Steam, among others, were successfully attacked. Due to the ease of exploitation and the severe consequences, the BSI (German Federal Office for Information Security) issued its highest warning level, "red", on Saturday the 11th of December.

How to use an undocumented ILIAS version 4.x, <5.0.21, <5.1.17, <5.2.3 security vulnerability to gain RCE

June 9th, 2020

ILIAS is a free and open source learning platform which can be used to create and distribute web-based teaching and learning materials. It is often used by universities and companies for e-learning. This blog post describes how we discovered an old ILIAS vulnerability which has no CVE entry and might therefore be overlooked. Vulnerable: all 4.x, <5.0.21, <5.1.17, <5.2.3 versions. Releases 5.3 and newer are not vulnerable! Patched April 2017. Access to file import from XML is needed, e.g. by having course administration rights.

Testing the “Netatmo Welcome” Smart Camera — Hardware Hacking

April 25th, 2019

Netatmo Welcome is a smart camera which is capable of recognizing faces, streaming recordings into the cloud and alerting the owner in case of a burglary. As part of ongoing research into Internet of Things security, we continued our analysis of the camera and did some hardware hacking. We were able to get a root shell on the camera and can now deploy our own Linux or Android images on it. We also found out that the IPsec mode means a constant VPN connection, which the manufacturer uses to send commands to the camera but which can (or at least could) be used to access each camera remotely. Anyone who knows how the password protection works can gain access. All you need is a USB to RS232 converter.

Testing the “Netatmo Welcome” Smart Camera

September 20th, 2018

Netatmo Welcome is a smart camera which is capable of recognizing faces, streaming recordings into the cloud and alerting the owner in case of a burglary. As part of ongoing research into Internet of Things security, we performed static and dynamic analysis of the Android and Linux apps as well as of the camera itself.

Deobfuscating VBA & PowerShell Scripts of an Emotet Trojan Downloader

September 1st, 2017

We analyzed a recent wave of phishing mails trying to spread the Emotet banking trojan via malicious Word documents. This post provides details of the obfuscation methods used in the VBA macro and the PowerShell script contained within the Word documents.

Practical Tips for OWASP Top 10 2017 #7: Insufficient Attack Protection

May 20th, 2017

The preliminary release of the OWASP Top 10 - 2017 in April 2017 has stirred up quite a bit of controversy over the inclusion of a new entry titled "A7 - Insufficient Attack Protection". Aside from taxonomical problems (a lack of protection is not a vulnerability in itself), the description for the entry explicitly recommends solutions such as Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) products. The likely result is that many decision makers will take the shortcut of buying a WAF and putting a checkmark next to A7 on the Top 10 list.

How we found a tcpdump vulnerability using cloud fuzzing

March 20th, 2017

Fuzzing is a method to identify software bugs and vulnerabilities. Current development shows a trend toward moving fuzzing into the cloud, as cloud fuzzing offers a higher fuzzing speed and much more flexibility than classic fuzzing. In this tutorial, we go through the full process of cloud fuzzing on Amazon's cloud: deployment, fuzzing and retrieving the results using the softScheck Cloud Fuzzing Framework (sCFF). We identify a vulnerability present in tcpdump version 4.9 running on Ubuntu 16.04. We analyze the bug and write a patch which closes that vulnerability. Readers can download sCFF and follow the tutorial step by step.

Privacy Analysis of Windows 10 Enterprise at Telemetry Level 0

January 25th, 2017

The focus of this research is to analyze how much privacy Windows 10 provides when using the most restrictive privacy settings available. Windows 10 has been observed to establish encrypted connections to Microsoft servers without any directly related user interaction. softScheck already identified this traffic in an earlier analysis. Our goal now is to analyze the communication by monitoring the data being sent.

Reverse Engineering the TP-Link HS110

July 29th, 2016

The TP-Link HS110 is a cloud-enabled Wi-Fi power plug that can be turned on and off remotely via an app and offers energy monitoring and scheduling capabilities. As part of ongoing research into Internet of Things security, we performed a security analysis by reverse engineering the device firmware and the Android app, sniffing app-to-device and device-to-app communications and fuzzing the proprietary protocols being used.