11 December 2019
I gave a talk at the BSides 2019 Vienna about PHP Object Injection. Here is the abstract of this talk:
2 December 2019
Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
OkayCMS is a simple and functional content managment system for an online store.
2 December 2019
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
7 November 2019
I started this blog five years ago. In the beginning I wrote mostly articles about sysadmin and programming. Now its also filled with security related stuff. It’s fascinating for me to have a history of my interests. It’s sadly that my spare time got rare and so it happens that I don’t write much lately. My intention for the next 5 years is, to be more consequent with writing articles.
4 October 2019
Overview
- Identifier: AIT-SA-20190930-01
- Target: GitLab Omnibus
- Vendor: GitLab
- Version: 7.4 through 12.2.1
- Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
- CVE: CVE-2019-15741
- Accessibility: Local
- Severity: Low
- Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Vulnerability Description
GitLab Omnibus sets the ownership of the log directory to the system-user “git”, which might let local users obtain root access because of unsafe interaction with logrotate.
7 May 2019
Overview
- System affected: Debian packages of groonga/-httpd 6.1.5-1
- Software-Version: 6.1.5-1
- User-Interaction: Not required
- Impact: Local root
- CVE: CVE-2019-11675
7 May 2019
This year I gave a talk at the Easterhegg 2019 about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.
1 May 2019
Logrotate is prone to a race-condition on systems with a log directory that is in control of a low privileged user. A malicious user could trick logrotate to create files in any directory if it is executed as root. This might lead into a privileged escalation.
14 January 2019
Together with a friend we took part of the Capture The Flag at the 35C3. One challenge was that one:
Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.
My name is Wolfgang Hotwagner. I am a Linux and Information Security enthusiast from Vienna. This blog is about my journey through Computer Science.
Tag Cloud
CVE Ansible Crypto Toscom Sysadmin Tricks CLI Mathematics Suricata Web Debian logrotate Virtualization News Shell git Programming ccc openssl Backup One-Liner Zsh Fun Puppet Software-Raid LVM Email TerminalEmulator Postgresql Desktop C External xmas Firewall Proxy Security HackADay Network Perl Kernel Anniversary Multimedia Mail Btrfs Downloads Certification PHP Open-Source Blog Docker apache Bash vim Database Raspberry Nagios Ruby Hardware LinuxRecent Posts
- Decidim: Stored XSS in embedded URLs for Decidim Meetings
- Decidim-Awesome: SQL Injection in AdminAccountability
- AttackMate A modern open source tool for automating cyberattack
- BalCCon2k24 was amazing
- FIWARE Keyrock: Command Injection in Organisationname
- FIWARE Keyrock: Command Injection in Applicationname
- FIWARE Keyrock: Activation of any new user
- FIWARE Keyrock: Deactivate 2-factor-auth of any user
- FIWARE Keyrock: Manipulate passwords of any user
- Contributing a Metasploit Exploit