
CVE-2025-32462 , CVE-2025-32463 Sudo chroot, host Option Elevation of Privilege Vulnerabilities

I discovered two vulnerabilities in Sudo. Upgrade to Sudo 1.9.17p1 or later.

CVE-2025-32462 - Sudo Host Option Elevation of Privilege Vulnerability

CVE-2025-32462 has remained unnoticed for over 12 years, despite being present in the code all along. It relies on a specific yet common configuration where Sudo rules are restricted to certain hostnames or hostname patterns. If these conditions are met, privilege escalation to root requires no exploit.

Write-up: Sudo Host Option Elevation of Privilege

Advisories
Sudo: https://www.sudo.ws/security/advisories/host_any/
RedHat: https://access.redhat.com/security/cve/cve-2025-32462
Ubuntu: https://ubuntu.com/security/notices/USN-7604-1
Debian: https://lists.debian.org/debian-security-announce/2025/msg00118.html
Amazon: https://explore.alas.aws.amazon.com/CVE-2025-32462.html
Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32462

CVE-2025-32463 - Sudo chroot Elevation of Privilege Vulnerability

CVE-2025-32463 The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. ...

June 30, 2025 · rich

Exploiting Kaseya Unitrends Backup Appliance – Part 1

In 2021 I discovered several high and critical vulnerabilities in the Kaseya Unitrends backup appliance. This research was conducted and published as part of my day job. Part one details a chain of vulnerabilities that leverages an insecure PostgreSQL database to ultimately gain shell access to the remote server. Visit https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1 for the full write-up. Stay tuned for part two.

May 20, 2022 · rich

sudoedit symlink fix for CVE-2021-23240 introduced new vulnerability

I noticed the following changelog entry in sudo 1.9.5p1. This caught my attention so I decided to look further. I was unable to find an advisory, PoC, or CVE for this vulnerability. Using the details from the changelog message and fix, I decided to write an exploit for it. Using an Ubuntu 20.04.1 VM, I created a low privileged user named “lowpriv” and added a sudoedit rule for a root owned file /etc/test.txt. I also downloaded the source for sudo 1.9.5, compiled it, and installed it to /opt/sudo. ...

January 26, 2021 · rich

Pi-hole Patches Critical Stored XSS Vulnerability

Pi-hole v5.2.1 is vulnerable to a critical stored cross-site scripting vulnerability. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator accesses the Query Log or Long-term Query Log pages on the web portal. The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Pi-hole instances. This could be remotely exploited if these instances permit external DNS queries. Other possibilities may exist if a malformed DNS query is allowed. ...

December 24, 2020 · rich

Metasploit module developed for CVE-2018-18556 VyOS Privilege Escalation

Today, a Metasploit module was merged for a vulnerability I found in 2018 with VyOS. This vulnerability was my first public InfoSec blog post. I appreciate bcoles for developing the exploit/linux/ssh/vyos_restricted_shell_privesc module. Read the Metasploit Wrapup for 9/25/2020. The full write-up can be found on this blog at CVE-2018-18556 – VyOS Privilege escalation via sudo pppd for operator users.

September 25, 2020 · rich

Critical Vulnerabilities Discovered in MoFi Routers

I discovered several vulnerabilities in the MoFi4500 LTE router. Several vulnerabilities have not been patched, including an unauthenticated remote command injection and several undocumented backdoors. The full write-up can be viewed at https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/.

Media Coverage
https://www.cyberscoop.com/mofi-networks-routers-zero-day-critical-start/
https://www.zdnet.com/article/backdoors-left-unpatched-in-mofi-routers/

Follow the conversation on Twitter: https://twitter.com/TeamAresSec/status/1301200248417775618?s=20

September 2, 2020 · rich

CVE-2020-3950 VMware Fusion Elevation of Privilege

VMware Fusion 11.5.12 and prior are vulnerable to an elevation of privilege vulnerability. For more details please review the advisory and proof of concept on my Github page CVE-2020-3950.sh. VMware released the patch last week and a public advisory VMSA-2020-0005 today; however, it has been determined that the patch does not properly fix the vulnerability. I reached out to the VMware security team and received a response at 10:31 UTC 2020-03-18 - “We are aware of the situation and working on the next steps”. ...

March 18, 2020 · rich

CVE-2019-19954 Signal Desktop Windows Elevation of Privilege Vulnerability

Vulnerability Summary Signal Desktop v1.29 on Windows is vulnerable to an elevation of privilege vulnerability. During startup the application will execute the c:\node_modules\.bin\wmic.exe binary if it exists. By default on Windows, low privileged users have the privilege to create folders under root level drives. A low privileged user can create a malicious wmic.exe which will be executed every time Signal Desktop starts by any user of the system. The malicious binary is executed in the background without the user's knowledge. This is an example of horizontal privilege escalation. ...

December 18, 2019 · rich

CVE-2019-3466 Debian / Ubuntu Privilege Escalation via pg_ctlcluster

Vulnerability Summary The pg_ctlcluster script in the postgresql-common package in Debian and Ubuntu is vulnerable to a local privilege escalation attack. pg_ctlcluster is a script used to manage PostgreSQL instances. A malicious actor with access to the postgres account can create arbitrary directories during startup or reload when called via systemd. This vulnerability can be leveraged to escalate privileges to root. It’s important to note this is not a vulnerability in PostgreSQL and is specific to Debian, Ubuntu, or any system that consumes the Debian postgresql-common package. ...

November 15, 2019 · rich

CVE-2018-1792 - IBM MQ Privilege Escalation: Fun with RUNPATH

Vulnerability Summary IBM MQ for Linux and UNIX systems is vulnerable to a privilege escalation attack by forcing a setuid root binary to load a malicious library. A local attacker with access to the mqm account can execute arbitrary code as root. In October 2018 IBM published an advisory along with patches for several versions. The goal of this post is to show how the RPATH/RUNPATH value could potentially be leveraged for privilege escalation. When specified at compile time this path is embedded in the binary and is the first path searched for a dependent library if the library name specified does contain a slash. Details on how this works can be found in the ld.so man page. ...

August 25, 2019 · rich