polict.net | blogposts

Pre-auth root remote code execution in QNAP NAS

Tue, 19 May 2021 13:33:37 -0000

QNAP MusicStation and MalwareRemover pre-installed official apps are affected by an arbitrary file upload and a command injection, leading to pre-auth remote root command execution.

Hunting for bugs in Telegram's animated stickers remote attack surface

Tue, 16 Feb 2021 13:33:37 -0000

My 2020 journey in researching the lottie animation format, its integration in mobile apps and the vulnerabilities triggerable by a remote attacker against any Telegram user.

Auth Bypass and RCE in Infinite WP Admin Panel

Tue, 8 Dec 2020 10:00:00 -0000

A vulnerability in InfiniteWP allows unauthenticated users to log-in if they know an email address of one of the users in the system, this is done through a flaw in the password reset mechanism of the product. An additional vulnerability allows the attacker to achieve Remote Code Execution.

Sometimes they come back: exfiltration through MySQL and CVE-2020-11579

Sun, 28 Jul 2020 10:00:00 -0000

Walkthrough and exploitation of MySQL LOCAL INFILE accompanied by the release of a new open-source tool to exploit similar vulnerabilities.

Bitwarden Server 1.35.1 Blind Server-Side Request Forgery (SSRF)

Thu, 16 Jul 2020 10:00:00 -0000

Bitwarden Server 1.35.1 is affected by a blind Server-Side Request Forgery (SSRF): an authenticated attacker can trigger arbitrary HTTP GET requests, even to locally exposed services, by adding a credential for a malicious domain.

Web tracking via HTTP cache cross-site leaks

Sun, 8 Sep 2019 10:00:00 -0000

Google Chrome and Mozilla Firefox desktop users using the default configuration can be identified and tracked online if they are logged-in popular social networks, have JavaScript enabled and visit malicious websites.

On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)

Wed, 24 Apr 2019 10:00:00 -0000

During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry-point to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation. This blog post discusses our results, the “bug” discovered in the library itself and the implication of such an issue in a popular piece of software - Metasploit...

Nagios XI 5.5.10: XSS to #

Wed, 10 Apr 2019 10:00:00 -0000

Walkthrough of a 1-click root RCE exploit chain in Nagios XI 5.5.10 by polict: XSS, RCE and local privilege escalation in a single URL click.

CVE-2018-17057: yet another phar deserialization in TCPDF

Sun, 17 Mar 2019 10:00:00 -0000

In TCPDF <= 6.2.19 it is possible to exploit a PHP Object Injection via malicious HTML code and potentially achieve Remote Code Execution (RCE).

XSSGame by Google at #HITB2017AMS Writeup

Wed, 26 Apr 2017 10:00:00 -0000

Walkthrough of the Google XSS Game CTF @ Hack in the Box Amsterdam 2017 (HITBAMS2017): 8 challenges to win a Nexus 5X -- find out how we won it! 🤟🏻