Man Yue Mo
@mmolgtm
Security research at lgtm.com and semmle.com

26 Tweets
88 Following
1,169 Followers

Tweets
Man Yue Mo
@mmolgtm
6 Feb
In this post I give details about how to create an exploit for the type confusion vulnerability (CVE-2018-19134) of Ghostscript and turn it into an RCE. I have to say PostScript is not my preferred language for writing exploits. lgtm.com/blog/ghostscri…

Man Yue Mo
@mmolgtm
23 Jan 2019
Thanks! I hope you'll find QL useful and do let us know of any feedback and comments, or if there's any open source code that you'd like to look at but is not on lgtm.com.

Man Yue Mo
@mmolgtm
23 Jan 2019
This post gives the details of some type confusions (CVE-2018-19134, 19475-76) that I found in Ghostscript after studying reports of similar issues filed by @taviso between 2016 and 2018. The tools used for finding these bugs are open-sourced. lgtm.com/blog/ghostscri…

Man Yue Mo
@mmolgtm
14 Jan 2019
This post contains the details of a sandbox escape bug in Ghostscript that I found a couple of months ago, which is a variant of the ones that @taviso discovered last August. lgtm.com/blog/ghostscri…

Man Yue Mo
@mmolgtm
22 Nov 2018
Thanks! I've agreed with the vendor not to publish the details for a couple of weeks, but I should be able to share some details, as well as the tools I used to discover these bugs, after that.

Man Yue Mo
@mmolgtm
21 Nov 2018
Done some variant analysis with the Ghostscript RCEs that @taviso found in the last few months and ended up finding another -dSAFER bypass RCE, plus some type confusions, one of which is also a proper RCE. All patched in 9.26. Write-ups coming soon. youtu.be/20yfCccIORE?li…

Man Yue Mo
@mmolgtm
21 Nov 2018
This post reviews OGNL mitigation measures in Struts and how they were bypassed in the past, leading up to a CVE-2018-11776 exploit that actually works. lgtm.com/blog/apache_st…

Man Yue Mo
@mmolgtm
31 Oct 2018
Patch Apple devices and avoid public Wi-Fi! @kevin_backhouse discovered a kernel heap overflow that can be triggered by someone sharing the same network as you, affecting all devices by default without user interaction. lgtm.com/blog/apple_xnu…

Man Yue Mo
@mmolgtm
4 Oct 2018
In this post on Struts' OGNL injection vulnerabilities I'll go through a type of RCE issue called "double evaluation". There are a number of new issues, although no CVE, as Struts did not think it's their responsibility. lgtm.com/blog/apache_st…

Man Yue Mo
@mmolgtm
25 Sep 2018
In this second post on Struts' OGNL injection vulnerabilities I'll give an overview of the structure of Struts and a more detailed dataflow analysis of CVE-2018-11776. lgtm.com/blog/apache_st…

Man Yue Mo
@mmolgtm
30 Aug 2018
There are probably other versions of Struts 2, e.g. 2.2.x, that are no longer supported and may be affected. I haven't tested v1, but Struts 1 and 2 are very different, so I'm not surprised by your find. However, Struts 1 probably has other problems.

Man Yue Mo
@mmolgtm
24 Aug 2018
For people looking into intrusion detection of CVE-2018-11776: from what is available in public, it should be clear that the attack is done via a URL with OGNL. So look for URLs that contain OGNL. An exploit won't tell you more than that.

Man Yue Mo
@mmolgtm
24 Aug 2018
For the cases I tested, alwaysSelectFullNamespace has to be true (false by default). What worries me is that the showcase app is vulnerable without setting this explicitly. I then realized the convention-plugin overrides it, and I can't be sure if something else does it also.

Man Yue Mo
@mmolgtm
23 Aug 2018
Yea, makes me jealous of people who use Windows every time I see the calculator pop. :)

Man Yue Mo
@mmolgtm
22 Aug 2018
It's an attack on the server by sending a crafty HTTP request (not XSS or phishing on the client), so there is no end user here and it doesn't require any user interaction.

Man Yue Mo
@mmolgtm
22 Aug 2018
Struts users should take the advice of the Struts team to upgrade: cwiki.apache.org/confluence/dis… The new versions are backward compatible, and they didn't just patch CVE-2018-11776 but also include general security improvements to make life harder for hackers.

Man Yue Mo
@mmolgtm
22 Aug 2018
As some people have asked about exploits of CVE-2018-11776: I don't plan to release it at the moment so that users can have time to upgrade. I would also like to urge others to refrain from releasing exploits just yet.

Man Yue Mo
@mmolgtm
22 Aug 2018
We will not be releasing PoCs or exploits at this stage, to give people time to upgrade. Thanks.

Man Yue Mo
@mmolgtm
22 Aug 2018
I'm writing some blogs that study RCEs in #apachestruts. I'll start with the latest, CVE-2018-11776, that I found and how they are related to some previously known RCEs. lgtm.com/blog/apache_st…

Man Yue Mo
@mmolgtm
22 Aug 2018
Hi, we've got more details here: semmle.com/news/apache-st… and here: lgtm.com/blog/apache_st…