24 September 2024
This year was my first time at the balccon conference. This infosec event takes place in Serbia and is a community oriented congress very similar to the CCC Congress in Germany. I felt very comfortable there right from the start. There were incredibly good talks and fantastic installations built by the community.
12 August 2024
Identifier: | AIT-SA-20240514-04 |
Target: | FIWARE Keyrock |
Vendor: | FIWARE |
Version: | all versions including 8.4 |
CVE: | CVE-2024-42167 |
Accessibility: | Remote |
Severity: | Critical (9.1) |
Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
12 August 2024
Identifier: | AIT-SA-20240514-04 |
Target: | FIWARE Keyrock |
Vendor: | FIWARE |
Version: | all versions including 8.4 |
CVE: | CVE-2024-42166 |
Accessibility: | Remote |
Severity: | Critical (9.1) |
Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
12 August 2024
Identifier: | AIT-SA-20240514-03 |
Target: | FIWARE Keyrock |
Vendor: | FIWARE |
Version: | all versions including 8.4 |
CVE: | CVE-2024-42165 |
Accessibility: | Remote |
Severity: | Medium (6.3) |
Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
12 August 2024
Identifier: | AIT-SA-20240514-02 |
Target: | FIWARE Keyrock |
Vendor: | FIWARE |
Version: | all versions including 8.4 |
CVE: | CVE-2024-42164 |
Accessibility: | Remote |
Severity: | Medium (4.3) |
Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
12 August 2024
Identifier: | AIT-SA-20240514-01 |
Target: | FIWARE Keyrock |
Vendor: | FIWARE |
Version: | all versions including 8.4 |
CVE: | CVE-2024-42163 |
Accessibility: | Remote |
Severity: | Medium (8.3) |
Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
12 November 2023
One of my daily work is to create testbeds to test defense mechanisms. As a result, I am constantly watching for vulnerabilities that I could use in such testbeds. In February 2023, someone discovered a vulnerability in the open-source surveillance software “Zoneminder”. It was a command injection vulnerability that an unauthorized attacker could trigger. Since there was only an advisory on Github without any proof of concept code, I created an exploit and contributed it to Metasploit. I learned a lot about developing modules for the Metasploit framework, and this article summarizes my experiences. To give Zoneminder administrators enough time to patch their systems, I waited more than seven months from releasing a patched version of Zoneminder before releasing this exploit.
2 January 2023
Due to the corona pandemic the chaos communication congress did not take place in 2022. Different hackerspaces created mini-events with talks and workshops instead. One of them was “Fireshonks 2022” which was organized by “Remote Rhein-Ruhr Stage” and “Haecksen”. I had the honour to give a talk about Logrotten - It’s not a Bug.
The full talk is online as a video-stream and was held in german language.
19 November 2022
BSides Vienna 2022 was a wonderful event. There were so many great talks and the location was beautiful. I gave a talk at the BSides Vienna 2022 about my “logrotten” exploit and I think the hacker community liked it. Here is a short description about the talk: