bypassing security restrictions
play

BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE - PowerPoint PPT Presentation

Oct 16, 2023 •18 likes •178 views

BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE VE-2018 2018-5955 5955 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS, B , BSC-IT IT Lead Security Researcher @ Netwatch Technologies

  1. BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE VE-2018 2018-5955 5955

  2. Whoami • Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS, B , BSC-IT IT Lead Security Researcher @ Netwatch Technologies Project Consultant, Information Security Architects Ltd Member, Cybersecurity Resilience Service Team Web Application Penetration Tester

  3. INTR IN TROD ODUCTION TION The following presentation describes an unauthenticated action in GitStack that allows a remote attacker to add new users and then trigger remote code execution. CVE-ID CVE-2018-5955 Description An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI. Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5955 Vulnerability y Discl sclose sed by: y: An independent security researcher, Kacper Szurek, reported the vulnerability to Beyond Security's SSD Vendor resp sponse se “Since October 17, 2017, we have tried to contact GitStack many times and have received a response, but have not provided details about the solution or workaround.”

  4. GitStack is a web application that allows • users to set up your own private Git server. This means you can create a version • control system with no content. GitStack makes it easy to keep your • server up to date. It is really Git for Windows and is compatible with any other Git client. GitStack is completely free for small teams.

  5. EXPL EXPLOIT AVAI AVAILABI ABILITY https://www.exploit-db.com/exploits/43777/ https://www.rapid7.com/db/modules/exploit/windows/htt p/gitstack_rce Source: https://nvd.nist.gov/vuln/detail/CVE-2018-5955

  6. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 In vulnerable versions of GitStack, a flaw in Authentication.class.php allows unauthenticated remote code execution since $_SERVER['PHP_AUTH_PW'] is passed directly to an exec function.

  7. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 To exploit the vulnerability, the repository web interface must be enabled, a repository must exist, and a user must have access to the repository. Note: A passwd file should be created by GitStack for local user accounts. Default location: C:\GitStack\data\passwdfile. Once an attacker adds a user to the server, he can enable the web repository feature.

  8. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 Now, an attacker can create a repository from a remote location and prevent others from accessing our new repository. In the repository, an attacker can upload a backdoor and use it to execute code: 1. View users Use the GET method to directly view the user list of the GitStack repository, and there is an unauthorized access information disclosure vulnerability.

  9. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 2. Create user Through the POST method, specifying the username and password can directly add the repository user, and there is any user added vulnerability:

  10. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 2. Create user

  11. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 3. Create a repository arbitrarily Directly POST a name to create the corresponding project, But CSRF_TOKEN is required in POST data. CSRF_TOKEN is obtained as follows, visit the landing page, such as http://$IP/registration/login/?next=/gitstack/ view the source code:

  12. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 3. Create a repository arbitrarily

  13. UPC PCLOSE SE WITH CVE VE-2018 2018-5955 5955 4. Add user to any repository You can add it by following this format: POST http://$IP/rest/repository/”repository name”/user/”user name”/

  14. Remote co command exe xecu cution vu vulnerability By default, the GitStack Web Interface is enabled. Access http://xx/web/index.php An unauthenticated user can upload reverse shell payload to the gitstack repository to compromise the web application and the server hosting it. DE DEMO | MO | 5m 5mins ns

  15. PR PROAC ACTIVE VE REM EMED EDIAT ATION Focus on development best practices like OWASP Top 10 Application Security Risks – 2017 In this scenario the presenter believes A2:2017 Broken Authentication A5:2017 Broken Access Control A6:2017 Security Misconfiguration

  16. Thank k You Quest stions s & Answ swers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 Signaling System #7, a set of telephony protocols

937 views • 60 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing security research for the last

774 views • 48 slides
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the permission model working? Are users making good decisions? Most Popular Android App Demo App abusing permissions Demo explained Permissions:

819 views • 43 slides
Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

So you think IoT DDoS botnets are dangerous Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand https://www.ecrimelabs.com @DennisRand About me Im a security researcher and founder of eCrimeLabs, based out of Denmark.

674 views • 48 slides
Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology Lab/Security # /usr/bin/whoami Itzhak (Zuk) Avraham Researcher at Samsung Electronics Partner at PIA Follow me on twitter under

473 views • 31 slides
Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

560 views • 43 slides
Selectional Restrictions Selectional Restrictions Introduction Selectional Restrictions

Selectional Restrictions Selectional Restrictions Introduction Selectional Restrictions

Selectional Restrictions Selectional Restrictions Introduction Selectional Restrictions Consider the two interpretations of: I want to eat someplace nearby. a) sensible: Eat is intransitive

1.18k views • 17 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

1.13k views • 84 slides
Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven

Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven

Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT 2 Stephan Siegfried Mobile Security Researcher at Head of Department Secure Fraunhofer SIT Software Engineering

948 views • 58 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen & Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Computational Logic WWW Programming Using LP/CLP Systems 1 LP/CLP , the Internet, and the WWW

Computational Logic WWW Programming Using LP/CLP Systems 1 LP/CLP , the Internet, and the WWW

Computational Logic WWW Programming Using LP/CLP Systems 1 LP/CLP , the Internet, and the WWW Logic and Constraint Logic Programming can be an attractive alternative for Internet/WWW programming. Shared with other net programming tools:

822 views • 51 slides
Python Crash Course + Web Forms (CGI) CS370 SE Practice & Startup, Cengiz Gnay (Some slides

Python Crash Course + Web Forms (CGI) CS370 SE Practice & Startup, Cengiz Gnay (Some slides

Python Crash Course + Web Forms (CGI) CS370 SE Practice & Startup, Cengiz Gnay (Some slides courtesy of Eugene Agichstein and the Internets) CS370, Gnay (Emory) Python Intro + CGI Spring 2015 1 / 4 Instructions Go through this

505 views • 39 slides
CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1

CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1

CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1 Overview/Questions Review: Python and HTML HTML Forms Processing Form Fields Organizing a Python Web Application using functions, decision

592 views • 11 slides
systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA trimming the base OS getting rid of legacy cruft polish and QA stable updates 4 stable point releases in jessie bug fixes and

550 views • 13 slides
The language COMP 520 Fall 2010 The WIG language (2) Uses of the World Wide Web: static

The language COMP 520 Fall 2010 The WIG language (2) Uses of the World Wide Web: static

COMP 520 Fall 2010 The WIG language (1) The language COMP 520 Fall 2010 The WIG language (2) Uses of the World Wide Web: static documents (supported by HTML); dynamic documents (supported by CGI, ASP, Ruby on Rails, various HTML

734 views • 44 slides
Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song MySpace Samy

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song MySpace Samy

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song MySpace Samy Worm Content Injection The insertion of untrusted data, structure, or code into an application Key Points Explicit policies form a compelling,

380 views • 23 slides
is very helpful in understanding why a JSP/Servlet container is required. The exact life cycle

is very helpful in understanding why a JSP/Servlet container is required. The exact life cycle

falkner.ch1.qxd 8/21/03 4:42 PM Page 1 Chapter 1 Setting Up a Servlet and JSP Environment B efore you start developing with Servlets and JavaServer Pages, you need to understand two very important things: Why is using the technology

764 views • 30 slides
Forms, CGI Objectives The basics of HTML forms How form content is submitted GET, POST

Forms, CGI Objectives The basics of HTML forms How form content is submitted GET, POST

Forms, CGI Forms, CGI Objectives The basics of HTML forms How form content is submitted GET, POST Elements that you can have in forms Responding to forms CGI the Common Gateway Interface Later: Servlets

848 views • 19 slides

More recommend