Shreddy2 – The Raspberry Pi storage scrub station for USB thumb drives

"Delete early, delete often" is our slightly adapted slogan: a reminder to minimize data leakage via lost or stolen USB thumb drives by cleaning them frequently. Are you tired of having to concentrate on not accidentally erasing the wrong device on your local computer whenever you format a USB stick? To simplify the process, we implemented a USB eraser station that runs on a Raspberry Pi and cleans USB sticks. So: shreddy, ready, go!
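The "wrong device" problem is the part worth getting right before any wiping happens. The following is an added illustration, not code from Shreddy2: a guard that only accepts a whole-disk name the kernel flags as removable (`/sys/block/<dev>/removable`) and that has no mounted partition (`/proc/mounts`), followed by the overwrite via shred(1). Both paths are parameters so the guard can be exercised against a constructed tree; the function names `is_safe_wipe_target`, `belongs_to_disk` and `wipe_device` are this example's own.

```python
"""Safety guard for a USB scrub station (added illustration, not Shreddy2's code).

Before a device is overwritten, two properties decide whether it can be the
wrong disk: the kernel marks it removable, and nothing on it is mounted. The
sysfs and mounts locations are parameters so the check can run against a
constructed tree; the real locations are the defaults below."""
import os
import subprocess
from pathlib import Path

SYS_BLOCK = Path("/sys/block")
PROC_MOUNTS = Path("/proc/mounts")


def belongs_to_disk(source, dev):
    """True if a mount source such as /dev/sda1 or /dev/mmcblk0p2 is dev itself
    or one of its partitions."""
    prefix = f"/dev/{dev}"
    if source == prefix:
        return True
    if not source.startswith(prefix):
        return False
    tail = source[len(prefix):]
    # sda -> sda1, mmcblk0 -> mmcblk0p1, nvme0n1 -> nvme0n1p1;
    # sda -> sdab is a different disk and must not match
    return tail.lstrip("p").isdigit()


def is_safe_wipe_target(dev, sys_block=SYS_BLOCK, mounts=PROC_MOUNTS):
    """Accept only a bare whole-disk name (e.g. 'sda') that is removable and unmounted."""
    # Bare name only: rejects '/dev/sda' and '../sda'. A partition name such as
    # 'sda1' is rejected below, because partitions have no /sys/block entry.
    if not dev or dev != os.path.basename(dev) or dev in (".", ".."):
        return False
    try:
        removable = (Path(sys_block) / dev / "removable").read_text().strip()
    except OSError:            # unknown device, or no removable flag
        return False
    if removable != "1":
        return False
    try:
        mount_lines = Path(mounts).read_text().splitlines()
    except OSError:            # cannot tell what is mounted: refuse
        return False
    for line in mount_lines:
        fields = line.split()
        if fields and belongs_to_disk(fields[0], dev):
            return False
    return True


def wipe_device(dev, passes=1):
    """Overwrite the whole device with random data and then zeros using shred(1).

    Caveat: wear levelling on flash can leave remapped blocks untouched, so an
    overwrite is a best-effort scrub for a thumb drive, not a guarantee."""
    if not is_safe_wipe_target(dev):
        raise ValueError(f"refusing to wipe /dev/{dev}: not a removable, unmounted disk")
    subprocess.run(["shred", "-v", "-n", str(passes), "-z", f"/dev/{dev}"],
                   check=True)


if __name__ == "__main__":
    import sys
    wipe_device(sys.argv[1])
```

Run as root with the bare device name (`python3 guard.py sda`); the guard refuses the SD card the Pi boots from because it is mounted, and refuses a non-removable disk even when it is not mounted.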

Read more…

Password reset code brute-force vulnerability in AWS Cognito

The password reset function of AWS Cognito allows an attacker to change an account's password if the six-digit number (reset code) sent out by e-mail is entered correctly. Using concurrent HTTP request techniques, it was shown that an attacker can make far more guesses at this number than the AWS documentation states (1587 instead of 20). If the attack succeeds and the attacked account does not have multi-factor authentication enabled, a full takeover of the AWS Cognito user account was possible. The issue was fixed by AWS on 2021-04-20.

Read more…

Burp Suite - solving E-mail and SMS TAN multi-factor authentication with Hackvertor custom tags

Why bother investing time to automate work when doing IT security testing? On one hand, manual testing is tedious work, where you spend time on vulnerability tests that could be done by a machine. On the other hand, letting a machine decide fully on its own how to test will mostly result in the machine doing nothing useful. This is especially true for security testing, where manually checking every parameter for injection attacks is very laborious, while automated security scanners go on scanning for hours where a human would have aborted the scan for various reasons. However, if we teach automated tools to do things correctly each time, we get the sweet spot of semi-automated security testing: the tools do the automatic and systematic security tests and the analyst can focus on the parts of a security test where the tools are likely insufficient.

Burp Suite Pro is one of the main tools for all kinds of HTTP-related security analysis, and it supports semi-automated testing. But now and then it lacks certain features, and Burp extensions can add some of them. In this post we would like to show how to use one of the most powerful extensions, Hackvertor by Gareth Heyes, and its relatively new Python scripting feature.

Read more…

Interview on the “SCS in a nutshell” channel about penetration testing versus bug bounty programs

Swiss Cyber Storm and their host Christian Folini invited freelance bug bounty hunter Raphaël Arrouas and Pentagrid's IT security analyst Tobias Ospelt to an interview in the "SCS in a nutshell" format about the pros and cons of penetration testing and bug bounty programs. While both approaches are valid methods to find security vulnerabilities, they differ in many aspects.

Read more…

Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363)

Pentagrid was asked to manage the coordinated disclosure process for a vulnerability that affects several Windows printer drivers for a wide range of printers by the printer manufacturer Ricoh. Due to improperly set file permissions on file system entries that are installed when a printer is added to a Windows system, any local user is able to overwrite program library files (DLLs) with their own code, which is then loaded by a privileged process.
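The underlying pattern is easy to check for on any Windows host: a DLL that a privileged process loads must not be writable by principals every local user belongs to. The following is an added example, not Pentagrid's or Ricoh's code, that parses the output of `icacls` for a single file and flags such ACEs. The sample output is constructed in the shape icacls prints, the path under `spool\drivers` is an assumed example location rather than the location of the affected Ricoh files, and the function names are this example's own.

```python
"""Flag write-class ACEs for low-privilege principals in icacls output.

Added example, not the vendor's or Pentagrid's code. icacls prints the file
path followed by the first ACE, then one indented line per further ACE, e.g.
'BUILTIN\\Users:(I)(F)'. Running icacls per file (rather than with /T on a
directory) keeps the path known, so it can be stripped by length and names
containing spaces stay unambiguous."""
import os
import re
import subprocess

# Groups that every interactive user on the machine is a member of.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
WRITE_SIMPLE = {"F", "M", "W"}                      # full, modify, write
WRITE_SPECIFIC = {"WD", "AD", "WEA", "DC", "WDAC", "WO", "D", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(path, text):
    """Return [(principal, [right tokens...]), ...] from `icacls <path>` output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw.startswith(path):          # first line carries the path prefix
            line = raw[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = re.findall(r"\(([^)]*)\)", m.group("rights"))
        aces.append((m.group("who").strip(), rights))
    return aces


def is_write_grant(rights):
    """True if the ACE lets the principal change the file's content."""
    flat = {t.strip() for r in rights for t in r.split(",")}
    if "DENY" in flat:
        return False
    return bool(flat & WRITE_SIMPLE) or bool(flat & WRITE_SPECIFIC)


def weak_aces(path, text):
    """ACEs that give a low-privilege group write access to the file."""
    return [(who, rights) for who, rights in parse_icacls(path, text)
            if who.lower() in LOW_PRIV_PRINCIPALS and is_write_grant(rights)]


def audit_dlls(root):
    """Run icacls for every DLL below root and collect weak ACEs (Windows only)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            out = subprocess.run(["icacls", path], capture_output=True,
                                 text=True).stdout
            hits = weak_aces(path, out)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample in the shape icacls prints; the path is an assumed example
# location, not that of the affected Ricoh driver files.
SAMPLE_PATH = r"C:\Windows\System32\spool\drivers\x64\3\example driver.dll"
SAMPLE_OUTPUT = SAMPLE_PATH + """ BUILTIN\\Users:(I)(F)
                                                            NT AUTHORITY\\SYSTEM:(I)(F)
                                                            BUILTIN\\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"{SAMPLE_PATH}: {who} has {rights}")
```

On a live system, `audit_dlls(r"C:\Windows\System32\spool\drivers")` walks the driver store; any DLL reported there is a candidate for the same local privilege escalation, whatever vendor installed it.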

Read more…

Fuzzing Java with JQF

As we mentioned in our last blog post, Tobias Ospelt of Pentagrid AG recently broke down the idea of Java fuzzing with JQF into simple steps and presented it at Swiss Cyber Storm in Bern, Switzerland and at the Black Alps conference in Yverdon-les-Bains, Switzerland. The recordings of the talks are not online yet. (Update: they are now available via the Swiss Cyber Storm channel on YouTube.)

We wanted to describe our work in written form as well, so you get a better idea of what can be done by fuzzing Java with JQF. It also allows you to copy and paste the commands if you want to try it yourself. We also uploaded the talk slides as a PDF and the video with the JQF tutorial and the Bouncy Castle ASN.1 parser fuzzing run, which were shown during the talks.

Read more…

Fuzzing Java with the Help of JQF Talks

Lately at Pentagrid AG we have been doing research into Java fuzzing. While the ideas of what kind of security vulnerabilities can be found came up before Pentagrid AG was founded (blog post over in Tobias Ospelt's blog: Java Bugs with and without Fuzzing – AFL-based Java fuzzers and the Java Security Manager), a lot of new research has been done in the meantime. While most of the fuzzers Tobias evaluated back then have not really moved on since, the JQF fuzzer took a big leap forward. We strongly recommend trying JQF.

Tobias broke down the process of Java fuzzing into simple steps and presented it at Swiss Cyber Storm in mid-October 2019 in Bern, Switzerland. While the recording is not published on YouTube yet, you can still grab a ticket for the Black Alps 2019 security conference in Yverdon-les-Bains, Switzerland, on 7 and 8 November 2019, where he is going to present his findings as well.

JQF's capabilities are really impressive. Stay tuned for a more detailed blog post here after the Black Alps talk.

Update: The recording of the talk at Black Alps is now online.