"SCS in a nutshell"-Interview über Penetrationstests versus Bug Bounty-Programme

Chritian Folin vom Swiss Cyber Storm lud den freiberuflichen Bug-Bounty-Jäger Raphaël Arrouas und den IT-Sicherheitsanalysten Tobias Ospelt von der Pentagrid AG zu einem Interview über Vor- und Nachteile von Penetrationstests und Bug Bounty-Programmen ein. Das Interview fand im Rahmen des Formats "SCS in a nutshell" statt. Während beide Ansätze valide Methoden für das Testen auf Sicherheitsproblemen sind, unterscheiden sie sich auch in vielen Aspekten.


Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363)

Pentagrid has been asked to manage the coordinated disclosure process for a vulnerability that affects several Windows printer drivers for a wide range of printers by the printer manufacture Ricoh. Due to improperly set file permissions of file system entries that are installed when a printer is added to a Windows system, any local user is able to overwrite program library files (DLLs) with own code.


Fuzzing Java with JQF

As we mentioned in our our last blog post, Tobias Ospelt of Pentagrid AG lately broke down the idea of Java fuzzing with JQF into simple steps and presented it at Swiss Cyber Storm in Bern, Switzerland and at the Black Alps conference in Yverdon-Les-Bain, Switzerland. The recordings of the talks are not online, yet. (Update: Now they are vailable via the Swiss Cyber Storm channel on YouTube.)

We wanted to describe our work in written form as well, so you get a better idea of what can be done by fuzzing Java with JQF. It also allows you to copy and paste commands if you want to try it yourself. We also uploaded the talk slides as a PDF and the video with the JQF tutorial and Bouncycastle ASN.1 parser fuzzing run, which were shown during the talks.


Fuzzing Java with the Help of JQF Talks

Lately at Pentagrid AG we have been doing research into Java fuzzing. While the ideas of what kind of security vulnerabilities can be found came up already before Pentagrid AG was founded (blog post over in Tobias Ospelt's blog: Java Bugs with and without Fuzzing – AFL-based Java fuzzers and the Java Security Manager), a lot of new research was done in the meantime. While most fuzzers that Tobias evaluated back then didn't really move on until today, the JQF fuzzer took a big leap forward. We strongly recommend trying JQF.

Tobias broke down the process of Java fuzzing into simple steps and presented it at Swiss Cyber Storm mid October 2019 in Bern, Switzerland. While the recording is not published on Youtube yet, you can still grab a ticket for the Black Alps 2019 security conference in Yverdonne-Les-Bain, Switzerland during 07 and 08 November 2019, where he is going to present his findings as well.

JQF's capabilities are really impressive. Stay tuned for a more detailed blog post here after the Blackalps talk.

Update: The recording of the talk at Blackalps is now online.

Hello, World

Finally, we founded the Pentagrid AG to provide IT security assessments to customers and now our website is also operational. We will use this blog for things we want to share with our audience, for example tools we release and security advisories on vulnerabilities we find during our work and research projects.

You will find us as well on Twitter under @pentagridsec and on Github.