/dev/posts/

Cross-origin/same-site request forgery to RCE in chromedriver

Published:

I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not cross-site. In practice, it means it is really only possible to trigger this from another localhost-bound web application.

Read more…

CSRF to RCE in GeckoDriver

Published:

A Cross-Site Request Forgery (CSRF) vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. CVE-2020-15660 has been assigned to this vulnerability. This was fixed by GeckoDriver v0.27.0 in 2020-07-27. This is bug #1648964.

Read more…

DNS rebinding vulnerability in GUPnP

Published:

GUPnP, a GNOME library for Universal Plug and Play (UPnP), was vulnerable to DNS rebinding attacks. This is CVE-2021-33516 and GUPnP issue #24. This was fixed in GUPnP 1.0.7 and GUPnP 1.2.5.

Read more…

DNS rebinding vulnerability in pupnp and npupnp

Published:

I found that pupnp was vulnerable to DNS rebinding attacks. npupnp, a fork a pupnp, was impacted as well. This is demonstrated using Gerbera a UPnP MediaServer.

Read more…

DNS rebinding explained

Published:

A quick summary about how DNS rebinding attacks work. The main motivation for this post is to have a diagram to show when explaining DNS-rebinding attacks.

Read more…

TUN/TAP interface (on Linux)

Published:

Some notes about using the TUN/TAP interface, especially on Linux.

Read more…

Firefox DoH DNS rebinding protection bypass using IPv4-mapped addresses

Published:

I found that the filtering of private IPv4 addresses in the DNS-over-HTTPS (DoH) implementation of Firefox could by bypassed. This is CVE-2020-26961 and Mozilla bug 1672528. It has been fixed in Firefox 83, Firefox ESR 78.5 and Thunderbird 78.5.

Read more…

Introduction to UPnP

Published:

This post gives simple explanations of how UPnP (Universal Plug-and-Play) works, especially with the goal of testing the security devices such as routers, smart TVs, etc.

Read more…

DNS rebinding and CSRF vulnerabilites on Samsung TV DIAL implementation

Published:

I found a DNS rebinding vulnerability as well as a Cross Site Request Forgery (CSRF) vulnerability on the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. This can be used to open any installed application (eg. Netflix and Youtube) and force the vizualisation of a given video in the applications.

Read more…

DNS rebinding vulnerability in Samsung SmartTV UPnP

Published:

I found a DNS rebinding vulnerability on the Universal Plug-and-Play (UPnP) interface of the Samsung TV UE40F6320 (v1.0), from 2011. This could be used, for example, to change the channel, to know which channel is currently used or open the builtin browser to any URI.

Read more…

Page 4 of 10 | | | JSON Feed | Atom Feed