About Administrador

So far Administrador has created 238 blog entries.

Saifor CVMS Hub 1.3.1 Vulnerability – CVE-2018-6792

By |1 Mar. 2018|Tarlogic's Blog - Cybersecurity|

Tarlogic Advisory: Tarlogic-2018-001
Title: SQL Injection in Saifor CVMS Hub 1.3.1
Discovered by: José Manuel Aparicio - Tarlogic (@jm_aparicio)

Saifor Vulnerability - CVE-2018-6792

Multiple SQL injection vulnerabilities in CVMS HUB 1.3.1 allow an authenticated user to execute arbitrary SQL commands via multiple POST parameters to /cvms-hub/privado/seccionesmib/secciones.xhtml. The following parameters are vulnerable:

formularioGestionarSecciones:tablaSeccionesMib:j_idt118:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt120:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt122:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt124:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt126:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt128:filter
formularioGestionarSecciones:tablaSeccionesMib:j_idt130:filter

Likewise, SQL injection exists in /cvms-hub/privado/seccionesmib/secciones.xhtml via GET parameter 'nombreAgente'.

Time Line
-------------------
21/12/2017 - Vulnerability reported to vendor (No response)
23/01/2018 - Vulnerability reported to vendor (No Response)
06/02/2018 - Full disclosure after 45 days (https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)

Backdoors in XAMP stack (part II): UDF in MySQL

By |21 Aug. 2017|BlackArrow blog|

In the last Hack&Beers at Vigo we gave a talk about backdoors in the XAMP stack, where we explained the same methods that we intend to summarize in this series of posts. Today we will talk about an old technique to introduce backdoors in the database, using MySQL UDFs.

Introduction

MySQL UDFs (User-Defined Functions) are extra functions that the user can add to MySQL to extend its default capabilities. By writing libraries (.so or .dll, depending on the underlying operating system), the user can add new functions to MySQL's default repertoire. As we saw in the previous installment of this series, with PHP extensions, this type of feature can be ...

The Shadow Brokers – TSB actions follow-up

By |9 Aug. 2017|Cyber intelligence blog|

The Shadow Brokers are a group of hackers who made their first public appearance in the summer of 2016. Their appearance was quite controversial, since the group had confirmed that it held a great number of computer hacking tools, such as “exploits” or “0-days”, which would enable access to almost any computer system. What sets these exploits apart, and the group confirmed it owned them, is their origin: the group advertised that they came from the US NSA. This suggested that the group had been able to access NSA computer systems, obtaining not only the aforementioned exploits but also other kinds of information. The Shadow Brokers offered these tools for purchase to anyone willing ...

Vulnerabilities in Televes COAXDATA GATEWAY – CVE-2017-6532

By |17 Jul. 2017|Tarlogic's Blog - Cybersecurity|

===============================
- Advisory -
===============================

Title: Televes COAXDATA GATEWAY 1Gbps - Priv Escalation
Risk: High
Date: 19.Jul.2017
Author: Pedro Andujar (Tarlogic)
Twitter: @pandujar

Televes COAXDATA GATEWAY

Introduction

Televes COAXDATA GATEWAY 1Gbps is a router+WiFi device used by both end users and professional Internet service providers. According to the manufacturer:

"The CoaxData system enables the use of coaxial, PLC or fibre optics networks to distribute Internet services to a certain number of points, providing a non-invasive distribution system that preserves the quality of the transmission. CoaxData Home WiFi (ref. 769301) transforms the data signal distributed by the coaxial system in a wireless signal through an Ethernet interface gateway or "Low Power WiFi". Also it can be configured as a router and/ ...

AeroAdmin 4.1 Vulnerability – CVE-2017-8893 CVE-2017-8894

By |1 Mar. 2017|Tarlogic's Blog - Cybersecurity|

Tarlogic Advisory: Tarlogic-2017-001
Title: Multiple vulnerabilities found in AeroAdmin 4.1 software.
Discovered by: Juan Manuel Fernandez (@TheXC3LL)
CWE-ID: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

AeroAdmin Vulnerability - CVE-2017-8893 Advisory. Vulnerabilities reported by Tarlogic

AeroAdmin 4.1 uses a function to copy data between two pointers where the size of the data copied is taken directly from a network packet. This vulnerability has been reported as CVE-2017-8893.

    005301B0 push edi
    005301B1 push esi
    005301B2 mov esi, ORIGEN
    005301B6 mov ecx, SIZE
    005301BA mov edi, DESTINO
    005301BE mov eax, ecx
    005301C0 mov edx, ecx
    005301C2 add eax, esi
    005301C4 cmp edi, esi
    005301C6 jbe short loc_005
    (...)
    005301FE rep movsb ; Crash
    00530200 mov eax, [esp+8+DESTINO]
    00530204 pop ...

DSL Communications Interception – TR069 – Part 4

By |18 Feb. 2015|Tarlogic's Blog - Cybersecurity|

We continue with the analysis of DSL router security and communications interception (see the previous Part I, Part II and Part III). After having correctly configured our DSL infrastructure, we can start analyzing the TR-069 management protocol. This protocol is a sequence of SOAP messages over HTTP, with an optional encryption layer. In case it is not immediately obvious, an ACS is the complete owner of an ISP's entire router infrastructure, as it can force virtually any action on them. The ACS URL, to which the CPE connects, can be set or modified in the CPE through several mechanisms:

In the firmware that comes pre-installed on the device.
Locally via TR-064, web interface, telnet or ssh.
From ...

How to generate PHP sessions securely

By |16 Feb. 2015|Tarlogic's Blog - Cybersecurity|

When conducting a web security assessment against a web application, one of the attack paths is session management. The possibility that someone can impersonate another user, or interact with application modules without being authenticated, can cause headaches for developers and the organization. There are several complex aspects of session management, but it all becomes simpler if we centralize the code responsible for this management in a single module. Once we have defined the file that will be the central repository of the session management functions, it is necessary to include this module in all our web pages. Depending on our development framework, the inclusion of these functions will be done through "autoload" methods, through require() / include(), ...

DSL Communications Interception – Administration – part 3

By |16 Feb. 2015|Tarlogic's Blog - Cybersecurity|

We continue with the articles on ADSL router security analysis and communications interception (see Part I and Part II). One of the most interesting elements to analyze in a DSL infrastructure is the administration traffic generated to and from our DSL device. Currently all DSL routers or cable modems provided by an ISP can be managed and administered remotely. The administration traffic is generated from the WAN, so it is not possible to analyze it without an ATM sniffer or, as in our case, our own DSL infrastructure with a DSLAM. Several particularly relevant elements are involved in remote management and administration:

TR-069: This is a protocol for remotely configuring and administering client routers, also called CPE (Custom ...

Interception of DSL Communications – Synchronization – Part 2

By |16 Feb. 2015|Tarlogic's Blog - Cybersecurity|

We continue with the articles on DSL router security analysis and communications interception (see Part I). When the investigation of several communication devices started, only the users' routers were available, so it was Tarlogic's task to set up its own DSL infrastructure in order to analyze the risks faced by both the ISP and its subscribers. Once the DSLAM was in the hardware security lab, the first thing that had to be done was to assemble a cable to connect the routers, via their RJ11 ports, to the RJ21 interface of the DSLAM. This cable can also be purchased on the Internet for about 50€.

RJ11 to RJ21 cable

The ultimate goal ...

DSL Communications Interception – Introduction – Part 1

By |16 Feb. 2015|Tarlogic's Blog - Cybersecurity|

The purpose of this series of articles is to examine communications analysis and interception strategies, specifically for DSL routers, through DSLAM devices, although it is equally valid for cable modems through CMTS. Many of the communications over the Internet, whether at a private level, pass through communications devices provided by a DSL or cable provider and, therefore, the security of these environments is a priority. One of the latest things we have been investigating at Tarlogic is the security of various routers and the underlying infrastructure that an ISP uses to provide DSL (Asymmetric Digital Subscriber Line) services. Thanks to eBay, it is possible to acquire a large number of devices from multiple service providers around the world. These ...
