-
(CVE-2020-11553 -> CVE-2020-11557) NOC NOC. Who’s there? Your NMS is pwnd.
Recently I discovered vulnerabilities in Castle Rock Computing’s SNMPc Enterprise, specifically SNMPc OnLine 12.10.10 before 2020-01-28. Instead of writing my usual blog post containing the coordinated disclosure information, I thought I would do something a little bit different this time and create a simple tutorial for new players regarding the importance of bug chaining. We’ll […]
-
Here phishy phishy phishy…
As a red teamer, I will often phish my targets. Most of the time I’ll do this to gain an initial foothold in to the target environment, however sometimes I may also phish victims as part of my escalation methodology. To be honest, sometimes I may also phish the targets just to feed my own […]
-
(CVE-2019-16061 –> CVE-2019-16072) Enigma NMS Multiple Vulnerabilities
#——————————————————————– # Multiple Vulnerabilities # NETSAS Pty Ltd’s Enigma NMS # Working exploits: Yes # Vendor Homepage: https://www.netsas.com.au/ # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # Version: Enigma NMS 65.0.0 # Public Disclosure Date: 22 August 2019 (30 days) # CVE-IDs: CVE-2019-16061 > CVE-2019-16072 # Author: Mark Cross (@xerubus | mogozobo.com) #——————————————————————– On the 20th July 2019 I […]
-
(CVE-2019-14925 –> CVE-2019-14931) Mitsubishi Electric & INEA RTU Multiple Vulnerabilities
#——————————————————- # Multiple Vulnerabilities # Mitsubishi Electric smartRTU & INEA ME-RTU # Working exploits: Yes # Public Disclosure Date: 13 August 2019 # CVE-IDs: CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs) # Author: Mark Cross (@xerubus | mogozobo.com) #——————————————————- ==================== Summary ==================== Product: Mitsubishi Electric smartRTU & INEA ME-RTU Version: Latest version of firmware (Misubishi Electric 2.02 […]
-
SNMPc: Fun with SEH
Recently I found a stack based buffer overflow in Caste Rock Computing’s SNMPc Enterprise Edition 9 & 10 software; details here if you want to read my disclosure info. Now, BOFs are relatively easy to identify, and old school vanilla EIP BOFs are even easier to write exploits for, however this time I encountered something […]
-
(CVE-2019-13494) SNMPc Enterprise Edition 9 & 10 Stack Based Buffer Overflow
Background: On the 27th May 2019 I discovered a number of stack based buffer overflows in Castle Rock Computing’s SNMPc Enterprise Edition 9 & 10. Exploitation of the these vulnerabilities allows an attacker to execute arbitrary code on the targeted system/s. Castle Rock Computing’s (CRC) SNMPc Enterprise 10 “is a secure distributed Network Management System […]
-
(CVE-2019-12774 –> CVE-2019-12777) ENTTEC Lighting Controllers Vulnerabilities
In March 2019 I discovered numerous vulnerabilities in a number of ENTTEC’s Lighting Controller products. These vulnerabilities were identified in the current firmware versions publicly available from ENTTEC’s website product pages. According to the comapany’s website, ENTTEC are “Leaders in the expert design and manufacture of LED lights and controls, ENTTEC are an Australian company […]
-
Welcome to 2019, BTW disclosure is still borked
Straight up TL;DR here… I don’t give a flying toss which form of disclosure you choose to use when disclosing vulnerabilities, just do not preach to me regarding how I should go about the process. I am writing this short rant to answer the perpetual questions I receive around which disclosure discipline I personally subscribe […]
-
(CVE-2018-5457) Vyaire Medical CareFusion Upgrade Utility Vulnerability
Background: On the 03rd August 2017 I discovered an Uncontrolled Search Path Element (CWE-427) vulnerability in Vyaire Medical’s CareFusion Upgrade Utility software. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary […]
-
(CVE-2017-14020) Automation Direct Multiple Software Vulnerabilities
Background: In late July 2017, I discovered vulnerabilities in a number of AutomationDirect’s industrial control products, particularly around the programming and interaction software. These vulnerabilities can be exploited by placing a crafted DLL file in the software search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and […]
-
(CVE-2017-14029) VTScada HMI and SCADA Software Vulnerability
Background: On the 05th August 2017 I discovered an Uncontrolled Search Path Element (CWE-427) vulnerability in Trihedral Engineering Limited’s VTScada HMI and SCADA software. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and […]
-
(CVE-2017-13993) i-SENS Inc. SmartLog Diabetes Management Software Vulnerability
Background: On the 03rd August 2017 I discovered an Uncontrolled Search Path Element (CWE-427) vulnerability in i-SENS Inc. SmartLog Diabetes Management Software. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary […]