Personal


Twitter
LinkedIn
Packet Storm
cxsecurity.com


Blog/News


Securify - Researching VPN applications - part 2 testing Windows applications
SSD Secure Disclosure - Vulnerability overview: Wrapping up 2020
The Daily Swig - QRadar: Popular IBM security tool open to remote code execution attacks
Securify - Researching VPN applications - part 1 VPN internals
Bsides Delft 2018 - All Ivanti is a secure Workspace (slides)
Securify - Cross-Site Scripting in a Content Security Policy world
Securify - Click me if you can, Office social engineering with embedded objects
Securify - Living off the land: stealing NetNTLM hashes
SecurityWeek - Seagate Patches Flaws in Personal Cloud, GoFlex Products
Bleeping Computer - Seagate Quietly Patches Dangerous Bug in NAS Devices
bit-tech - Seagate patches Personal Cloud NAS file deletion flaw
Security.nl - Seagate closes security hole in Personal Cloud NAS (Dutch)
Microsoft - The MSRC Top 100 Security Researchers (#67)
Security.nl - Microsoft publishes Top 100 of security researchers (Dutch)
SecurityWeek - Microsoft Makes Third Attempt at Fixing Old Stuxnet Flaw
Threatpost - WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program
Securify - AutoRun is dead, long live AutoRun
Securify - Pwning WordPress with Cross-Site Scripting
OWASP BeNeLux 2016-2 - The State of Security of WordPress (plugins) (slides)
Securify - Summer of Pwnage, one month of WordPress pwning
SecurityWeek - VMware Tools Flaw Allowed Code Execution via DLL Hijacking
The Register - And now for a lazy Fri...d'oh! Two VMware patches just landed!?
Softpedia - Summer of Pwnage Event Yields 64 Security Bugs in WordPress Core and Plugins (interview)
Securify - There's a party in OLE, and you are invited
Securify - Exploiting the Xamarin.Android DLL hijack vulnerability
SecurityWeek - Researchers Keep Finding Bugs in Google's Password Alert Extension
The Hacker News - Hacker Finds a Simple Way to Bypass Google Password Alert
PCWorld - Security researchers poke holes in Google's anti-phishing Chrome extension
Security.nl - Cat-and-mouse game around Google Password Alert continues (Dutch)
Securify - Java SE a PATH to privilege escalation
Securify - Responsible disclosure or concealed bug report?
Securify - Tales from the crypt: exploiting the .NET EncoderParameter integer overflow vulnerability
SecurityWeek - Cisco Fixes Vulnerabilities in Small Business Routers
The Hacker News - Update Adobe Reader app for Android to Patch Remote Code Execution Vulnerability
ThreatPost - Arbitrary Code Execution Bug in Android Reader
HEAT Security Blog - Got Adobe Reader on your Android device? You Had Best Update it ASAP
Computable - Adobe patches hole in Reader for Android (Dutch)
Testnet - Security testing still under-exposed (Dutch)
Security.nl - Dutchman finds dangerous Windows hole (Dutch)


Projects


OutCrack.sh - Quick 'n Dirty PoC for cracking OutSystems hashes with hashcat
cicdecrypt.py - IBM Installation Manager imcl / imutilsc encryptString command decrypt script
ghcdecrypt.py - IBM Green Hat / Rational Integration Tester password decryptor
Start-ProcessAMSelfElevate.psm1 - PowerShell module to interact with the Self-Elevation functionality of Ivanti AppSense Application Manager
Invoke-MTPuTTYConfigDump.psm1 - Read an MTPuTTY configuration file, decrypt the passwords and dump the result
PHP Screw Brute - Recovers/brute forces the key for PHP files protected with PHP Screw
ShellLink - A .NET Class Library for processing ShellLink (LNK) files
PropertyStore - .NET Class Library for processing Serialized Property Stores
PHP Unserialize Check - Burp Scanner Extension
NotCreateRemoteThread.c - Run shell code in another process without CreateRemoteThread
U3 armory - exploiting the AutoRunz


Security advisories


Securify - Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
Securify - IBM Aspera Connect for Windows Qt plugin hijack
SFY20200708 - Microsoft OneDrive client for Windows Qt QML module hijack
SFY20200419 - Cisco AnyConnect elevation of privileges due to insecure handling of path names
SFY20200409 - QRadar session manager path traversal vulnerability
SFY20200408 - Authorization bypass in QRadar Forensics web application
SFY20200407 - Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application
SFY20200406 - PHP object injection vulnerability in QRadar Forensics web application
SFY20200405 - Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions
SFY20200404 - Reflected Cross-Site Scripting in QRadar Forensics link analysis page
SFY20200403 - Cross-Site Request Forgery & weak access control in QRadar ConfigServices webservice
SFY20200402 - QRadar RssFeedItem Server-Side Request Forgery vulnerability
SFY20200401 - Unauthorized access to QRadar configuration sets via default password
SFY20200317 - ZoneAlarm TrueVector Internet Monitor service insecure NTFS permissions vulnerability
SFY20180806 - Ivanti Workspace Control Application Whitelist bypass via PowerGrid /SEE command line argument
SFY20180804 - Stored credentials Ivanti Workspace Control can be retrieved from Registry
SFY20180803 - Ivanti Workspace Control Data Security bypass via localhost UNC path
SFY20180802 - Ivanti Workspace Control local privilege escalation via Named Pipe
SFY20180801 - Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS command line argument
SFY20170901 - Seagate Personal Cloud multiple information disclosure vulnerabilities
SFY20170903 - Seagate Media Server multiple SQL injection vulnerabilities
SFY20170907 - Seagate Media Server path traversal vulnerability
SFY20170906 - Seagate Media Server stored Cross-Site Scripting vulnerability
SFY20170904 - Seagate Personal Cloud allows moving of arbitrary files
SFY20170905 - Seagate Media Server allows deleting of arbitrary files and folders
SFY20170902 - Seagate Media Server multiple command injection vulnerabilities
SFY20171101 - Clickjacking vulnerability in CSRF error page pfSense
SFY20170403 - Xamarin Studio for Mac API documentation update affected by local privilege escalation
SFY20170405 - InsomniaX loader allows loading of arbitrary Kernel Extensions
SFY20170201 - SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options
SFY20160743 - Cross-Site Request Forgery in WordPress Connection Information
SFY20150907 - Microsoft Office OneNote 2007 DLL side loading vulnerability
SFY20170401 - Multiple local privilege escalation vulnerabilities in Proxifier for Mac
SFY20170101 - Microsoft Edge Fetch API allows setting of arbitrary request headers
SFY20160742 - WordPress audio playlist functionality is affected by Cross-Site Scripting
SFY20160605 - InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection vulnerability
SFY20160604 - CMS Commander Client WordPress Plugin unauthenticated PHP Object injection vulnerability
SFY20160602 - Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability
SFY20160781 - Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
SFY20160785 - Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
SFY20160728 - Cross-Site Scripting in All In One WP Security & Firewall WordPress Plugin
SFY20160607 - YITH WooCommerce Compare WordPress Plugin unauthenticated PHP Object injection vulnerability
SFY20160713 - Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin
SFY20160701 - Path traversal vulnerability in WordPress Core Ajax handlers
SFY20160301 - Internet Explorer iframe sandbox local file name disclosure vulnerability
SFY20160603 - Ecwid Ecommerce Shopping Cart WordPress Plugin unauthenticated PHP Object injection vulnerability
SFY20160779 - Cross-Site Scripting in Store Locator Plus for WordPress
SFY20151201 - DLL side loading vulnerability in VMware Host Guest Client Redirector
SFY20160783 - Cross-Site Scripting in Uji Countdown WordPress Plugin
SFY20160776 - Cross-Site Scripting in Activity Log WordPress Plugin
SFY20160778 - Cross-Site Scripting in Count per Day WordPress Plugin
SFY20160784 - Cross-Site Scripting in WangGuard WordPress Plugin
SFY20160775 - Cross-Site Request Forgery in ALO EasyMail Newsletter WordPress Plugin
SFY20160777 - Cross-Site Scripting in Contact Bank WordPress Plugin
SFY20160722 - Cross-Site Scripting vulnerability in ColorWay WordPress Theme
SFY20160707 - Multiple SQL injection vulnerabilities in WordPress Video Player
SFY20160730 - Cross-Site Request Forgery in Icegram WordPress Plugin
SFY20160719 - Cross-Site Scripting vulnerability in Google Forms WordPress Plugin
SFY20160718 - Cross-Site Scripting vulnerability in WP No External Links WordPress Plugin
SFY20160715 - Cross-Site Scripting vulnerability in Top 10 - Popular posts plugin for WordPress
SFY20160714 - Cross-Site Scripting vulnerability in Simple Membership WordPress Plugin
SFY20160721 - Easy Forms for MailChimp Local File Inclusion vulnerability
SFY20160720 - WP Fastest Cache Member Local File Inclusion vulnerability
SFY20160711 - Cross-Site Scripting vulnerability in Master Slider WordPress Plugin
SFY20160710 - Cross-Site Scripting vulnerability in Email Users WordPress Plugin
SFY20160712 - Cross-Site Scripting vulnerability in Profile Builder WordPress Plugin
SFY20150804 - Microsoft Visio multiple DLL side loading vulnerabilities
SFY20160201 - .NET Framework 4.6 allows side loading of Windows API Set DLL
SFY20150904 - Windows Mail Find People DLL side loading vulnerability
SFY20151101 - MapsUpdateTask Task DLL side loading vulnerability
SFY20150906 - BDA MPEG2 Transport Information Filter DLL side loading vulnerability
SFY20150905 - NPS Datastore server DLL side loading vulnerability
SFY20150903 - HP LaserJet Fax Preview DLL side loading vulnerability
SFY20150902 - HP ToComMsg DLL side loading vulnerability
SFY20150901 - LEADTOOLS ActiveX control multiple DLL side loading vulnerabilities
SFY20150806 - OLE DB Provider for Oracle multiple DLL side loading vulnerabilities
SFY20150802 - Shockwave Flash Object DLL side loading vulnerability
SFY20151102 - Shutdown UX DLL side loading vulnerability
SFY20150803 - Windows Authentication UI DLL side loading vulnerability
SFY20150805 - Event Viewer Snapin multiple DLL side loading vulnerabilities
SFY20150801 - COM+ Services DLL side loading vulnerability
SFY20150701 - Cisco AnyConnect elevation of privileges via DMG install script
SFY20150601 - Cisco AnyConnect elevation of privileges via DLL side loading
SFY20150501 - Integer overflow in .NET Framework System.DirectoryServices.Protocols.Utility class
GitHub - iframe sandbox attribute allows evasion of extension
SFY20140402 - Viber for Android exposes insecure Javascript interface
SFY20130601 - Cisco RV Series multiple vulnerabilities
SFY20140403 - Outlook.com for Android fails to validate server certificates
Umbraco - Security issues found in Umbraco 4, 6 and 7
SFY20140401 - Adobe Reader for Android exposes insecure Javascript interfaces
SFY20140301 - NSS 2014 affected by remote code execution & insecure certificate validation
SFY20130501 - Path traversal vulnerability in File Roller
AK20110801 - .NET Framework EncoderParameter integer overflow vulnerability
AK20100601 - Office arbitrary ClickOnce application execution vulnerability
AK20090402 - Akamai Download Manager arbitrary file download & execution
AK20091001 - Outlook PR_ATTACH_METHOD file execution vulnerability
AK20090401 - getPlus insufficient domain name validation vulnerability
AK20090301 - FreeWebshop.org: multiple vulnerabilities
AK20090601 - yTNEF/Evolution TNEF plugin traversal & overflow vulnerabilities
AK20090602 - PulseAudio local race privilege escalation vulnerability
AK20080401 - XP: inconsistent verification messages for signed execs
AK20070603 - XUpload multiple vulnerabilities
AK20070602 - XUpload/JUpload arbitrary file upload
AK20070601 - XUpload stack-based buffer overflow vulnerability
AK20060602 - Aangifte 2005 privilege escalation vulnerability
AK20060601 - Internet Explorer redirect arbitrary file access vulnerability
AK20050803 - MMC resource cross-site scripting vulnerability
AK20050802 - Internet Explorer: drag and drop, loading files from TIF
AK20050801 - Internet Explorer inconsistent file protocol handling
AK20050601 - PowerPoint/IE reload information disclosure vulnerability
AK20040801 - Address bar spoofing flaw in Internet Explorer


Exploits/Proof of concepts


Invoke-ExploitAWSVPNLPE.psd1 - AWS Client VPN < 3.1.0 OpenVPN config validation flaw can be used to escalate privileges (proof of concept)
qradar_deserialize.py - Proof of concept for Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
cve-2020-5902-tmsh.py - Proof of concept for CVE-2020-5902 / F5 BIG-IP path traversal
OneDriveQtDllHijack.ps1 - Microsoft OneDrive client Qt plugin hijack proof of concept
Invoke-ExploitBdVpnLpe.psm1 - Exploit module for Bitdefender VPN for Windows
qradar_php_lfi.py - Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept
qradar_php_object_injection.py - PHP object injection vulnerability in QRadar Forensics web application (CVE-2020-4271) proof of concept
qradar_rss_ssrf.py - QRadar RssFeedItem Server-Side Request Forgery vulnerability (CVE-2020-4294) proof of concept
qradar_run-result-reader_lpe.sh - Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
qradar_session_deserialize.py - Proof of concept for QRadar session manager path traversal vulnerability
Invoke-ExploitZoneAlarmLPE.psm1 - ZoneAlarm (< v15.8.043.18324) TrueVector Internet Monitor service insecure NTFS permissions vulnerability proof of concept
Invoke-ExploitIVPNLPE.psd1 - IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
dionaea_attach_database.py - Dionaea honeypot allows the "ATTACH DATABASE" command, which can be used to attach to any local SQLite database on which the Dionaea process has read access
Invoke-ExploitOsqueryLPE.psm1 - Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege
SonosController.ps1 - Sonos Controller for Windows ShareConfig.xml weak file permissions
gotroot.sh - IBM Trusted Key Entry (TKE) workstation local privilege escalation
Forms.HTML.ps1 - PowerShell script that creates a Word document with an embedded Forms.HTML:Image.1 object that when clicked will cause Calculator to be opened
Shell.Explorer open file.ps1 - PowerShell script that creates a Word document with an embedded Forms.HTML:Image.1 object that when clicked will cause Calculator to be opened
Metasploit - Clickjacking Vulnerability In CSRF Error Page pfSense
Metasploit (PR) - Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1
Metasploit - LNK Code Execution Vulnerability
Metasploit - LNK Code Execution Vulnerability
Metasploit (PR) - Add exploit module for CVE-2017-8464 LNK Code Execution Vulnerability
Metasploit (PR) - Exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins
Metasploit - MediaWiki SyntaxHighlight extension option injection vulnerability
Metasploit - Office OLE Multiple DLL Side Loading Vulnerabilities
Metasploit - Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability
Metasploit - DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
SFY20150901 - HP Color LaserJet CM2320 MFP Series multiple DLL side loading vulnerabilities
SFY20151201 - MS15-132: Office OLE multiple DLL side loading vulnerabilities
SFY20150701 - Cisco AnyConnect elevation of privileges via DMG install script
SFY20150601 - Cisco AnyConnect elevation of privileges via DLL side loading
SFY20140401 - Adobe Reader for Android exposes insecure Javascript interfaces
ms12_025_dotnet_encoderparameter.rb - .NET Framework EncoderParameter integer overflow vulnerability
Metasploit - Outlook ATTACH_BY_REF_ONLY File Execution
AK20091001 - Outlook PR_ATTACH_METHOD file execution vulnerability (ATTACH_BY_REF_ONLY)
Metasploit - Outlook ATTACH_BY_REF_RESOLVE File Execution
AK20091001 - Outlook PR_ATTACH_METHOD file execution vulnerability (ATTACH_BY_REF_RESOLVE)
evolution_tnef_plugin_multil.rb - yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities
pa_race.sh - PulseAudio local race condition privilege escalation vulnerability
AK20050802 - Internet Explorer: drag and drop, loading files from TIF
AK20050601 - PowerPoint/IE reload information disclosure vulnerability
parse_srv.c.diff - MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution
EMFexp.c - Enhanced Meta File arbitrary memory access
EudoraBoF.c - Eudora long attachment file name buffer overflow


Demos


Vimeo - VMware Host Guest Client Redirector DLL hijack
Vimeo - Cisco AnyConnect elevation of privileges via DMG install script
Vimeo - Cisco AnyConnect elevation of privileges via DLL side loading
Vimeo - Office OLE multiple DLL side loading vulnerabilities
Vimeo - Google Password Alert 1.6 bypass proof of concept
Vimeo - .NET Framework EncoderParameter integer overflow vulnerability demo
Vimeo - IE 10/11 UXSS XFO demo
Vimeo - CVE-2012-0013 Word 2007 proof of concept
Vimeo - CVE-2012-0013 PowerPoint 2007 proof of concept
Vimeo - Meldknop Chrome Extension malicious update