Compass Security Blog

Offensive Defense

SAML Padding Oracle

ArcGIS [1] is a family of software products providing geographic information system (GIS) services. While testing a customer’s ArcGIS architecture we came across a SAML login flow. In this blog post we show how we found and exploited an AES-CBC padding oracle in this flow.

Ionic Identity Vault Biometric Authentication Bypass

During a customer project, we were able to bypass the biometric authentication mechanism of Ionic Identity Vault on Android, because the Android KeyStore entry it relies on does not require any user authentication. This post shows how this was done and how it can be exploited.

Relaying NTLM authentication over RPC again…

A little over a year ago, I wrote an article on this blog about CVE-2020-1113 and how it made it possible to execute code on a remote machine by relaying NTLM authentication over RPC, triggering a scheduled task on the remote system. History repeats itself, and a vulnerability of the same category has been fixed by Microsoft in June this year.

Yet Another Froala 0-Day XSS

Compass found a DOM-based cross-site scripting (XSS) vulnerability in the Froala WYSIWYG HTML Editor. HTML code in the editor is not correctly sanitized when it is inserted into the DOM. This allows an attacker who can control the editor content to execute arbitrary JavaScript in the context of the victim’s session.

SharePoint: Collaboration vs. XSS

SharePoint is a very popular browser-based collaboration and content management platform. Due to its high complexity, proprietary technology and confusing terminology, it is often perceived as a black box that IT and security professionals do not feel very comfortable with. These days, web security topics are well understood by many security professionals, penetration testers and vendors. But what […]

SharePoint: How to collaborate with external parties?

Opening up an internal SharePoint farm to the Internet in order to share resources with external parties might seem like a good idea, because it helps avoid expensive infrastructure changes. However, in terms of security this is not recommended, because it does not sufficiently protect internal resources from external threats. The protection of internal resources hinges […]

Wrap-up: Hack-Lab 2017#1

What is a Hack-Lab? Compass Security provides a monthly playful occasion for its security analysts to get together and try to hack new devices, dive into current technologies and share their skills with their fellows. This also includes improving internal tools, researching newly identified, publicly known attacks, and performing security analysis of hardware […]

Excuse me, where is the best site of the city? After the DOM, just turn right!

During a SharePoint 2013 penetration test I performed last November, I noticed that a dynamically constructed JavaScript snippet constantly fetched content or redirected me to the requested pages. Using a variation of the double-slash trick we exploited in the past, I misused this functionality in order to perform a DOM-based open redirection attack. Every SharePoint […]

Advisories regarding Leed and Secure Entry Server (SES)

Today I’m happy to release the following security advisories: SQL injection in Leed (CSNC-2013-005 / CVE-2013-2627); Cross-site request forgery in Leed (CSNC-2013-006 / CVE-2013-2628); Authentication bypass in Leed (CSNC-2013-007 / CVE-2013-2629); URL redirection in Secure Entry Server (SES). I would like to take the opportunity to thank Valentin CARRUESCO aka Idleman for the timely patches he implemented […]

Research on the Netkit telnetd Vulnerability

While skimming the latest security news on Twitter after the usual Christmas celebrations, I came across an interesting blog post: A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code. The author describes a buffer overflow vulnerability in the Netkit telnet daemon, which is used in the FreeBSD operating system. The vulnerability had been published two days earlier, on 23 December 2011. […]
