Author：LoRexxar’@Knownsec 404 Team
Date: September 23, 2020
Chinese Version: https://paper.seebug.org/1339/
Since mankind invented tools, mankind has been exploring how to do anything more conveniently and quickly. In the process of scientific and technological development, mankind keeps on trial，error, and thinking. So there is a great modern technological era. In the security field, every security researcher is constantly exploring how to automatically solve security problems in various fields in the process of research. Among them, automated code auditing is the most important part of security automation.
This time we will talk about the development history of automated code audit. …
Author：Longofo@Knownsec 404 Team
Date: July 10, 2020
Chinese Version: https://paper.seebug.org/1271/
F5 BIG-IP has recently suffered a serious RCE vulnerability. The main public entrypoint is the tmsh and hsqldb. There are many uses and analysis of tmsh. If you have reproduced the use of tmsh, you should know that this place is used. Some tasteless, tmsh will not be analyzed later, mainly look at the use of hsqldb. The use of hsqldb poc has been published, but the https of java hsqldb has been unable to reproduce, try There is no way to do it in various ways, so I have to change other ideas. …
Author: LoRexxar’@Knownsec 404 Team
Date: March 31,2020.
Chinese Version: https://paper.seebug.org/1267
This article was originally completed on March 31, 2020. Because it involves 0day utilization, it was reported to the vendor on March 31, 2020, and released after the 90-day vulnerability disclosure period.
A few days ago, I accidentally saw a vulnerability report submitted on Hackerone. In this vulnerability, the vulnerability discoverer proposed a very interesting use. The author makes use of a type confusion vulnerability of GMP and cooperates with the corresponding utilization chain to construct a code execution of mybb. Here we take a look at this vulnerability.
Some details of the following article, thanks to the vulnerability discoverer @taoguangchen for his help. …
Author: Badcode and Longofo@Knownsec 404 Team
Chinese Version: https://paper.seebug.org/1260/
At the beginning of September 2019, we responded to the Nexus Repository Manager 2.x command injection vulnerability (CVE-2019–5475). The general reason and steps for recurrence are on Hackerone. It was announced that after emergency response to this vulnerability, we analyzed the patch to fix the vulnerability and found that the repair was incomplete and could still be bypassed. This article records two bypasses of the vulnerability. Although the fix version was released twice early, the official second update announcement is too slow https://support.sonatype.com/hc/en-us/articles/360033490774, so now we post this article.
Author: Heige(a.k.a Superhei) of KnownSec 404 Team
Date: May 25,2020
We had released ZoomEye’s historical data API query interface in ZoomEye 2020 that had launched in January this year: https://medium.com/@80vul/zoomeye-2020-has-started-8414d6aaf38. Next, I will introduce some examples of using ZoomEye History API to capture the traces of APT team attacks.
Instructions for using the historical query API interface: https://www.zoomeye.org/doc#history-ip-search ,Of course we have also updated our ZoomEye SDK support history api: https://github.com/knownsec/ZoomEye.
Before the cases are explained, I must explain the ZoomEye online data update mode again: it is the overwrite update mode. Many malware teams, including many apt teams, will abandon the C2 server immediately after it is discovered. …
Author：LoRexxar@Knownsec 404 Team
Time: May 11, 2020
Chinese version: https://paper.seebug.org/1197/
I took a look at the third Web Open of the null pointer this weekend, and after a little research, I found that this is the latest version of the DZ3.4 environment with almost default configuration. We need to pwn it in such a DZ under almost real environment. This moment raised my interest, and then we will sort out the penetration process together.
The difference from the default environment is that we have two additional conditions. 1. The backend of the web environment is Windows; 2. …
Author：Longofo@Knownsec 404 Team
Time: April 27, 2020
Fastjson doesn’t have a cve number, so it’s difficult to find the timeline. At first,I wrote something slowly. Fortunately, fastjson is open source and there are hard work records of other security researchers. This article will give the key updates and vulnerability timelines related to Fastjson and the vulnerabilities,I will test and explain some of the more classic vulnerabilities, and give some check payloads and rce payloads.
You can refer to fastjson process analysis written by @Lucifaer. I will not write it here, and it will occupy a lot of space. In this article said that fastjson has byte code generated using ASM. Since many classes are not native in actual use, fastjson serializes/deserializes most classes will be processed by ASM. …
Author：Longofo@ Knownsec 404 Team
Time: April 8, 2020
Nexus Repository Manager 3 recently exposed two El expression parsing vulnerabilities, cve-2020–10199 and cve-2020–10204, both of which are found by GitHub security Lab team’s @pwntester. I didn’t track the vulnerability of nexus3 before, so diff had a headache at that time. In addition, the nexus3 bug and security fix are all mixed together, which makes it harder to guess the location of the vulnerability. Later, I reappeared cve-2020–10204 with @r00t4dm, cve-2020–10204 is a bypass of cve-2018–16621. After that, others reappeared cve-2020–10199. The root causes of these three vulnerabilities are the same. In fact, there are more than these three. The official may have fixed several such vulnerabilities. Since history is not easy to trace back, it is only a possibility. Through the following analysis, we can see it. There is also the previous CVE-2019–7238, this is a jexl expression parsing, I will analyze it together here, explain the repair problems to it. I have seen some analysis before, the article said that this vulnerability was fixed by adding a permission. Maybe it was really only a permission at that time, but the newer version I tested, adding the permission seems useless. …
Author：SungLin@Knownsec 404 Team
Time: April 2, 2020
On March 12, 2020, Microsoft confirmed that a critical vulnerability affecting the SMBv3 protocol exists in the latest version of Windows 10, and assigned it with CVE-2020–0796, which could allow an attacker to remotely execute the code on the SMB server or client. On March 13 they announced the poc that can cause BSOD, and on March 30, the poc that can promote local privileges was released . Here we analyze the poc that promotes local privileges.
The vulnerability exists in the srv2.sys driver. Because SMB does not properly handle compressed data packets, the function
Srv2DecompressData is called when processing the decompressed data packets. The compressed data size of the compressed data header,
Offset, is not checked for legality, which results in the addition of a small amount of memory.
SmbCompressionDecompress can be used later for data processing. Using this smaller piece of memory can cause copy overflow or out-of-bounds access. When executing a local program, you can obtain the current offset address of the
token + 0x40 of the local program that is sent to the SMB server by compressing the data. After that, the offset address is in the kernel memory that is copied when the data is decompressed, and the token is modified in the kernel through a carefully constructed memory layout to enhance the permissions. …
Author：Longofo@Knownsec 404 Team
Time: March 27, 2020
A vulnerability on Liferay Portal JSON Web Service RCE was previously posted on CODE WHITE. At first, my friends were dealing with this vulnerability, and I went to see it later. Liferay Portal uses Flexjson library for JSON Web Service processing in 6.1 and 6.2 versions, and replaced it with Jodd Json after version 7.
In summary, the vulnerability is: Liferay Portal provides Json Web Service service. For some endpoints that can be called, if a method provides Object parameter type, then we can construct an exploitable malicious class that conforms to Java Beans and pass the constructed json deserialization string, Liferay will automatically call the setter method of the malicious class and the default constructor when deserializing. However, there are still some details, and I feels quite interesting. …