Get Freebies by Abusing the Android InApp Billing API. Davy Douhine, 11 December 2018. Publications. As Google defines it, Google Play Billing is "a service that lets you sell digital content from inside an Android app, or in-app".
[0day] Anonymous RCE on Geutebruck IP Cameras - again. Davy Douhine, 20 March 2018. 0day. Abstract: A few months ago, during a pentest with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a "leading German manufacturer and developer of high-quality, intelligent video security solutions", and found 3 RCE, a blind SQL injection, an SSRF, a CSRF and a stored XSS affecting version 1.12.0.4 and prior versions. We chose to responsibly disclose these 0day vulnerabilities directly to Geutebruck and to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware (1.12.0.19) has been released to fix them, ICS-CERT has published an advisory and 6 CVEs have been assigned: CVE-2018-7532, CVE-2018-7528, CVE-2018-7524, CVE-2018-7520, CVE-2018-7516 and CVE-2018-7512.
[0day] Digium Asterisk OS Command Injection Vulnerability. Davy Douhine, 6 December 2017. 0day. Abstract: Last summer, during a pentest for a client, we came across a product made by an international provider of intercom systems which uses the very popular Asterisk communication software, and found a trivial remote command execution vulnerability in its latest GUI (2.1.0).
[Conference] Industrial Hacking at DeepINTEL. Davy Douhine, 18 September 2017. Conference. We will be speaking about Industrial Hacking at DeepINTEL in Vienna this week! Here is the pitch: A few months ago a client asked us to assess the security of the ICS (Industrial Control Systems) of a brand new datacenter. As we were not industrial specialists we discovered a whole new world, and we tried and failed many times before owning the system. "Industrial DIY" shows how a small team of pentesters managed to assess the security of industrial systems (ICS/SCADA/BMS) and how to protect these critical infrastructures against a few major threats.
[0day] LogicalDOC - from guest to root. Florent, 28 July 2017. 0day. LogicalDOC is a DMS (Document Management System) available either as a community (and free) edition or as a professional (and expensive) version. This type of product is normally used to share and access documents from "everywhere", as their website puts it ("Your documents – Always accessible, from anywhere, at any time"), which in practice means web interfaces widely exposed on the Internet.
TheHive pentest. Davy Douhine, 20 April 2017. Pentest. Do you know TheHive and Cortex? TheHive is a free and open-source security incident response platform which relies on Cortex to analyze observables (IP addresses, email addresses, domain names, etc.).
[0day] Anonymous RCE on Geutebruck IP Cameras. Davy Douhine, 15 February 2017. 0day. Abstract: Last summer, during a pentest for a client, we came across high-end IP cameras made by Geutebruck, a "leading German manufacturer and developer of high-quality, intelligent video security solutions" (source: http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html), and found a trivial remote command execution vulnerability (0day) affecting version 1.11.0.12 and prior versions. We chose to responsibly disclose it directly to Geutebruck and to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), probably the best option as the Mirai botnet was actively exploiting IP cameras at that time. Since then a fixed firmware has been released, ICS-CERT has published an advisory and a CVE (CVE-2017-5173) has been assigned.
[0day] Authentication Bypass on Belden Hirschmann GECKO switches. Davy Douhine, 2 February 2017. 0day. Abstract: Last summer, during a pentest for a client, we came across industrial switches made by Hirschmann, "a Belden Brand, [which] provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service" (source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm), and found a few unknown vulnerabilities (0day) affecting version 2.0.00 and prior versions. We chose to responsibly disclose them directly to Hirschmann and to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware (2.0.01) has been released to patch the most critical of them, ICS-CERT has published an advisory and a CVE (CVE-2017-5163) has been assigned.