ZDI-21-354 (0Day) Lepide AD Self-Service - forced browsing to RCE TLDR Lepide AD Self-Service (LADSS) is vulnerable to a forced browsing issue that allows an unauthenticated actor to download an encrypted backup, however the backup is encrypted with a static
quick assist Impersonating Microsoft Support using Quick Assist TL;DR This vulnerability allows attackers to impersonate Microsoft Support via the built-in remote support tool of Windows 10 named "Quick Assist". Microsoft decided not to fix it
Privilege Escalation DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) TL;DR This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "
Oracle The perfect SSO account takeover with Oracle OAM (CVE-2018-2739) TL;DR This weakness allows us to bypass the URL filtering on the RH parameter which could be used to hijack the session of any user when following a particularly
CVE-2018-0878 Windows Remote Assistance XXE vulnerability Intro Windows Remote Assistance allows someone you trust take over your PC and fix a problem from anywhere around the world. It relies on the Remote Desktop Protocol to establish
Windows SMBv3 Null Pointer Dereference vulnerability (CVE-2018-0833) Table of contents Intro Root cause analysis Proof-of-Concept Intro Late last year while setting up a fuzzer to target the SMB protocol, I discovered a vulnerability so simple yet so
Oracle OAM 10g Session Hijacking Table of contents Intro Oracle OAM Authentication flow Hijacking the session Global Exposure Proof-of-Concept Webserver Script Proof-of-Concept Video Mitigation CVSS rating Intro TL;DR Badly configured Oracle OAM 10g allows
VIDEO: Hack In Paris 2016: From zero to SYSTEM on FDE Windows System This is the presentation video from the HIP 16 presentation Tom and I did earlier this summer. I hope you enjoy it!
BitLocker Abusing Kerberos to NTLM fallback to defeat BitLocker FDE Intro This vulnerability is related to the initial vulnerbility which I and my collegue Tom found back in February, namely the Microsoft Security Bulletin MS16-014. More information about the MS16-014 attack can be found in my earlier blog post here. TL;DR Windows login
HIP16 SLIDES: From zero to SYSTEM of full disk encrypted Windows system (Hack In Paris 2016) Intro On the 30th of June, Tom and I gave a presentation at Hack In Paris about the vulnerabilities we discovered and which could be abused to bypass BitLocker FDE. These slides were used during the presentation a video of the presentation will be
Windows From zero to SYSTEM on full disk encrypted Windows system (Part 2) Intro This blog post is a continuation of my previous post which can be found here. The reason I devided is because two seperate vulnerabilities come in to play in order to successfully retrieve the original user password and install your favourite malware :) So
Authentication Bypass From zero to SYSTEM on full disk encrypted Windows system (Part 1) Intro Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to
