-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathindex.xml
More file actions
88 lines (69 loc) · 8.35 KB
/
index.xml
File metadata and controls
88 lines (69 loc) · 8.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Application Security Blog</title>
<link>https://blog.jamesotten.com/</link>
<description>Recent content on Application Security Blog</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<copyright>&copy; 2018 James Otten. &nbsp;All rights reserved.</copyright>
<lastBuildDate>Fri, 21 Sep 2018 00:00:00 +0000</lastBuildDate>
<atom:link href="https://blog.jamesotten.com/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>ManageEngine Applications Manager Deserialization Unauthenticated RCE</title>
<link>https://blog.jamesotten.com/post/applications-manager-rce/</link>
<pubDate>Fri, 21 Sep 2018 00:00:00 +0000</pubDate>
<guid>https://blog.jamesotten.com/post/applications-manager-rce/</guid>
<description><p>This year at Black Hat USA I participated in Offensive Security&rsquo;s <a href="https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/">AWAE</a>. This training was extremely interesting and I would strongly recommend it to others interested in web application security. One of the modules in AWAE included looking at <a href="https://www.manageengine.com/products/applications_manager/">ManageEngine Applications Manager</a>. As I have some previous experience with web applications and writing PoCs, I occasionally found myself with some spare time during the training. I spent most of this spare time looking deeper into the applications that were included in the training and I ended up finding my first deserialization vulnerability. This vulnerability happens to be an unauthenticated remote root in ManageEngine Applications Manager running on Windows machines. While I have not seen this vulnerability posted online, I know for a fact that I am not the only one who has come across it.
</p></description>
</item>
<item>
<title>CVEs</title>
<link>https://blog.jamesotten.com/cves/</link>
<pubDate>Thu, 31 May 2018 21:41:23 -0500</pubDate>
<guid>https://blog.jamesotten.com/cves/</guid>
<description> CVE-2017-11348 Octopus Deploy Package ID Directory Traversal CVE-2017-14944 Indeo ProGet Directory Traversal CVE-2017-15606 Unpublished CVE-2017-15607 Inedo Otter Directory Traversal (RCE) CVE-2017-15608 Inedo Advanced Settings CSRF CVE-2017-16520 Inedo BuildMaster Improper Authorization (RCE) CVE-2017-16521 Inedo BuildMaster Unsafe User Controlled XSLT (RCE) CVE-2017-16760 Inedo BuildMaster XSS CVE-2017-16761 Inedo BuildMaster Open Redirect CVE-2017-16801 Octopus Deploy Step Template XSS CVE-2017-16810 Octopus Deploy Variable Set XSS CVE-2017-17086 Inedo Otter XSS CVE-2018-16243 Unpublished CVE-2018-16364 ManageEngine Applications Manager Deserialization (Unauthenticated RCE) </description>
</item>
<item>
<title>About</title>
<link>https://blog.jamesotten.com/about/</link>
<pubDate>Sun, 13 May 2018 22:00:49 -0500</pubDate>
<guid>https://blog.jamesotten.com/about/</guid>
<description>About Me I&rsquo;m James Otten and this is my personal blog. I&rsquo;m an Application Security Consultant and former Software Engineer from Minnesota with a strong interest in application and network security. In my spare time I enjoy finding vulnerabilities in web applications, auditing code, maintaining my home lab, and writing software.
Purpose The purpose of this blog is to help others learn about application security. I plan to post as many write-ups as I can here in the hopes that this information will be useful for those looking to improve application security from both the offensive and defensive perspective.</description>
</item>
<item>
<title>BuildMaster Configuration File Template XSLT RCE</title>
<link>https://blog.jamesotten.com/post/buildmaster-xslt-rce/</link>
<pubDate>Mon, 14 May 2018 00:00:00 +0000</pubDate>
<guid>https://blog.jamesotten.com/post/buildmaster-xslt-rce/</guid>
<description><p>In October of 2017 I discovered a vulnerability in <a href="https://inedo.com/buildmaster">Inedo BuildMaster</a> 5.8.1 related to the use of <a href="https://inedo.com/support/documentation/buildmaster/modeling-applications/configuration-files">configuration file templates</a> which allowed for RCE. This vulnerability could be exploited by an authenticated user directly, or by exploiting multiple CSRF vulnerabilities without the user&rsquo;s knowledge in some cases.
</p></description>
</item>
<item>
<title>BuildMaster Event Listener RCE</title>
<link>https://blog.jamesotten.com/post/buildmaster-event-listener-rce/</link>
<pubDate>Sat, 12 May 2018 00:00:00 +0000</pubDate>
<guid>https://blog.jamesotten.com/post/buildmaster-event-listener-rce/</guid>
<description><p>In my initial look at <a href="https://inedo.com/buildmaster">Inedo BuildMaster</a>, one of the more interesting capabilities I came across was event listeners. <a href="https://inedo.com/support/documentation/buildmaster/global-components/event-listeners">Event listeners</a> allow users to have the BuildMaster server perform certain tasks when certain types of events occur within BuildMaster. It looks like this feature could be very useful to server administrators looking to integrate BuildMaster with external tools, but that&rsquo;s not why it caught my eye. One of the types of event listeners available is &ldquo;Execute Command Line&rdquo;, which allows users to execute system commands on the BuildMaster server. The prevalence of this type of functionality in various CI/CD tools is a topic for another post, but in short, seeing this type of functionality worries me because it guarantees that there is a path to RCE either through application vulnerabilities or gaining access to a privileged user account.</p>
<p>Given how sensitive command line event listeners are, I decided to do some authorization testing. When testing this functionality with multiple users, I noticed that the option to create command line event listeners was unavailable in the UI for low privileged users, but it was available for privileged users. My testing of BuildMaster 5.8.1 indicated that the limitations enforced through the UI could be bypassed by low privileged users by directly navigating to certain URLs.
</p></description>
</item>
<item>
<title>Package Name Directory Traversals</title>
<link>https://blog.jamesotten.com/post/package-name-directory-traversals/</link>
<pubDate>Sun, 06 May 2018 00:00:00 +0000</pubDate>
<guid>https://blog.jamesotten.com/post/package-name-directory-traversals/</guid>
<description><p>Last year I discovered two very similar directory traversal vulnerabilities in <a href="https://octopus.com">Octopus Deploy</a> and <a href="https://inedo.com/proget">Inedo ProGet</a>. Octopus Deploy&rsquo;s built in NuGet feed and several feed types in ProGet were vulnerable to directory traversal attacks on the package name fields inside packages uploaded to the respective system. While the same type of vulnerability was found for several feed types in ProGet (including npm, Maven, VSIX, Ruby Gems&hellip;), this post will focus on NuGet as it is representative of the other issues.</p>
<p>These vulnerabilities enabled an attacker to both overwrite arbitrary packages within the respective system and to write packages to arbitrary locations on the server&rsquo;s file system. After a package was overwritten by one of these vulnerabilities, the attacker&rsquo;s package would be returned instead of the original package. This could be used by an attacker spread a backdoor to several systems within a network.
</p></description>
</item>
<item>
<title>Hello World</title>
<link>https://blog.jamesotten.com/post/hello-world/</link>
<pubDate>Mon, 01 Jan 2018 00:00:00 +0000</pubDate>
<guid>https://blog.jamesotten.com/post/hello-world/</guid>
<description>Hello World!</description>
</item>
</channel>
</rss>