Mehmet Ince @mdisec – Vulnerability Researcher | Building security products | Security Advisor | Amateur Muay Thai fighter

  • Unexpected Journey #6 – All ways lead to Rome ! Remote Code Execution on MicroFocus Secure Messaging Gateway
    Jun 22, 2018

    It has been quite a while since I released a new part of the Unexpected Journey article series. This small 0-day research project in particular has certainly been didactic for me. Thus, I’ve decided to write down the process of achieving remote code execution on the MicroFocus Secure Messaging Gateway product.

  • Advisory | ManageEngine Applications Manager Remote Code Execution and SQLi
    Mar 7, 2018

    It is an interesting coincidence that almost 1 year ago we identified a critical security issue in a different product (Eventlog Analyzer) of this company. Now, this time we’ve come across another product of this company during a penetration test. To be honest, I’ve seen more than 20 different high/critical vulnerabilities during the analysis of the product, but I will only share two of them now, as a full disclosure.

  • CVE-2017-16666 | Xplico Unauthenticated Remote Code Execution
    Nov 6, 2017

    The goal of Xplico is to extract from an internet traffic capture the application data it contains. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

  • One ring to rule them all – Same RCE on multiple Trend Micro products
    Oct 8, 2017

    Framework security has been a known topic for security folks. In fact, we have already seen the real impact of a single vulnerability within a framework in the Apache Struts case. If we consider this risk from the point of view of a product vendor, we can see a very similar case. In this article, I will show you how we got RCE on different Trend Micro products because of the same codebase being used across the different products.

  • Advisory | DenyAll Web Application Firewall Unauthenticated Remote Code Execution (CVE-2017-14706)
    Sep 19, 2017

    DenyAll Web Application Firewall is the foundation for next generation application security products. It combines ease of configuration – with its workflow engine and management APIs – with a proven ability to secure web applications. It embeds negative and positive security, in-context, user behavior analysis, and soon-to-be added rWeb advanced security engines, to efficiently protect your web applications while minimizing false positives.

  • Advisory | osTicket v1.10 Unauthenticated SQL Injection (CVE-2017-14396)
    Sep 12, 2017

    osTicket is a widely-used and trusted open source support ticket system. It seamlessly routes inquiries created via email, web-forms and phone calls into a simple, easy-to-use, multi-user, web-based customer support platform. osTicket comes packed with more features and tools than most of the expensive (and complex) support ticket systems on the market.

  • Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper
    Aug 6, 2017

    Web applications evolved in the last century from simple scripts to single page applications. Such complex web applications are prone to different types of security vulnerabilities. One type of vulnerability, known as second-order, occurs when an attack payload is first stored by the application on the web server and then later used in a security-critical operation.

  • Unexpected Journey #5 – From weak password to RCE on Symantec Messaging Gateway (CVE-2017-6326)
    Jun 10, 2017

    If you are following our blog, you must be familiar with the Unexpected Journey article series. In this article, I will share our latest real-life pentest experience as well as the technical details of our brand new 0day that helps us to execute operating system commands on Symantec Messaging Gateway.

  • Advisory | Cryptolog Unauthenticated Remote Code Execution
    May 17, 2017

    CRYPTOLOG is a log manager that collects, normalizes, and categorizes massive logs generated across your network and turns them into valuable information on an intuitive interface where advanced search, analysis and correlation monitoring become easier and more efficient.

  • Unexpected Journey #4 – Escaping from Restricted Shell and Gaining Root Access to SolarWinds Log & Event Manager (SIEM) Product
    Mar 17, 2017

    As time goes by, I’ve found myself focusing more on SIEM products during penetration tests. This is the fourth article in my series called “Unexpected Journey”, all of which focus on different SIEM products. In this article, I will share the details of how I got root access to the SolarWinds Log & Event Management product.
