[s04e01] RCE on Geutebruck IP Cameras

Davy Douhine June 4, 2019 0day

Abstract

Those who follow our blog know that we like Geutebruck cameras: we found many trivial RCE on their products since 2016.

[PrivExchange] From user to domain admin in less than 60sec !

Davy Douhine January 28, 2019 0day

Dirk-jan Mollema, a pentester working for Foxit, found a very clever attack allowing any user, owning an Exchange mailbox, to obtain Domain Admin privileges.

[s03e01] RCE on Geutebruck IP Cameras

Davy Douhine December 18, 2018 0day

Abstract

A few weeks ago we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found a RCE affecting version 1.12.0.24 and prior versions of E2 series IP cameras.

[0day] Anonymous RCE on Geutebruck IP Cameras - again

Davy Douhine March 20, 2018 0day

Abstract

A few months ago during a pentest, with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found 3 RCE: a blind SQL Injection, a SSRF, a CSRF and a stored XSS affecting version 1.12.0.4 and prior versions. We’ve choose to “responsible disclose” these 0day vulnerabilities, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware has been released (1.12.0.19) to fix that, ICS-CERT has released an advisory and 6 CVE (CVE-2018-7532 - CVE-2018-7528 - CVE-2018-7524 - CVE-2018-7520 - CVE-2018-7516 - CVE-2018-7512) have been assigned.

[0day] Digium Asterisk OS Command Injection Vulnerability

Davy Douhine December 6, 2017 0day

Abstract

Last summer during a pentest for a client we came across a product made by an international provider of intercom systems which uses the very popular Asterisk communication software and found a trivial remote command execution vulnerability in its latest GUI (2.1.0).

[0day] LogicalDOC - from guest to root

Florent July 28, 2017 0day

LogicalDOC is a DMS (Document Management System) available either in a community (and free) edition, or in a professional (and expensive) version. This type of product is normally used to share and access doc from « everywhere » as they say on their website: « Your documents – Always accessible, from anywhere, at any time » which means web interfaces widely open on the internet.

[0day] Bull/IBM AIX Clusterwatch/Watchware vulnerabilities

Davy Douhine March 7, 2017 0day

Bull/IBM Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.

Marble effect in the web banner and questionable font: it smells the 90s !

[0day] Anonymous RCE on Geutebruck IP Cameras

Davy Douhine February 15, 2017 0day

Abstract

Last summer during a pentest for a client we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” (source: [http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html] (http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html)) and found a trivial remote command execution vulnerability (0day) affecting version 1.11.0.12 and prior versions. We’ve choose to “responsible disclose” it, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Probably the best option as the Mirai botnet was actively exploiting IP cams at that time. Since then a new firmware has been released (1.11.0.12) to patch that, ICS-CERT has released an advisory and a CVE (CVE-2017-5173) has been assigned.

[0day] Authentication Bypass on Belden Hirschmann GECKO switches

Davy Douhine February 2, 2017 0day

Abstract

Last summer during a pentest for a client we came across industrial switches made by Hirschmann: a Belden Brand, (which) provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service. (Source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm ) and found a few unknown vulnerabilities (0day) affecting version 2.0.00 and prior versions. We’ve choose to “responsible disclose” them, directly to Hirschmann and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware has been released (2.0.01) to patch one of them (the most critical). ICS-CERT has released an advisory and a CVE (CVE-2017-5163) has been assigned.

Categories

Tags