HackDefense Publications.

Here we gather our ramblings on IT security — things that we think may be of interest.

CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server

At HackDefense, we were evaluating various calendaring solutions, and during installation and configuration of DAViCal we discovered three (severe) vulnerabilities. We reported these vulnerabilities to the vendor. Unfortunately, the DAViCal project itself was not able to fix these vulnerabilities. As DAViCal is an open source project we decided to contribute patches for these vulnerabilities ourselves. DAViCal has accepted our patches in the 1.1.9.1 release. If you use DAViCal as a calendaring server, we recommend upgrading to version 1.1.9.1 immediately to remediate the issues we’ve discovered.

CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server


CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server


Remote Code Execution in Apache UNO API

During his research on the potential use of DCOM for lateral movement in Windows networks, our very talented intern Axel Boesenach discovered that the Apache UNO API (used by both OpenOffice and LibreOffice in so-called ‘office server’ mode) allows anyone to send it system commands, without any form of authentication, and it will execute the command with the rights of the user running OpenOffice or LibreOffice in ‘office server’ mode.

Finding RCE capabilities in the Apache UNO API

During my internship at HackDefense I researched lateral movement techniques using the Distributed Component Object Model (DCOM), the built-in system to call software over the network from one Windows system to another. During my research I was looking at the Apache LibreOffice project to see if they had any DCOM functionalities implemented. What I found was not a DCOM functionality but an API with functionalities to remotely execute code.

DCOMrade — Automating the enumeration of DCOM applications

Research project into lateral movement techniques using the Distributed Component Object Model (DCOM), the built-in system to call software over the network from one Windows system to another. Part of this project was creating a script to enumerate DCOM objects that can be abused for lateral movement.

SSH hardening on LTS systems

Recently we came across some Linux systems still supported by Long Term Support (LTS) but running a weak Secure Shell (SSH) server configuration. By further digging into this matter, we discovered that this is the default setup for these systems. In this blog we’ll show you how you can harden the SSH daemon running on these systems.

CSP – The how and why of a Content Security Policy

Recently we’ve recommended to more and more of our customers that they set up a Content Security Policy alongside the usual security headers. In this blog we dive deeper into that topic: where does this new standard originate from? Why would you like to use one? How do you set one up? And how does CSP relate to other, similar standards?

#EFail — the security industry and the importance of nuance

Today, details were rushed out regarding two serious vulnerabilities that might enable a determined attacker to decrypt users’ encrypted e‑mails. Not just current ones, but older e‑mails too. Doesn’t that sound alarming?

Information disclosure vulnerability in Apache Tomcat

On a pentest for a client we discovered a way to obtain information about a web application’s internal structure from the network. We reported the issue to the vendor and a fix was released. The following security advisory details the vulnerability and how to resolve it.

Crowd Control?

For the celebration of Leids Ontzet, the police used, among other things, a special app to keep the crowds in the city under control. The public was asked to install the app on their smartphone and to give the app access to location data. It appears that the same app was used for Koningsdag, the Gay Pride in Amsterdam and the Vierdaagse in Nijmegen; the app still contains traces of the latter. QCSec tested the privacy and security of the app and found remarkable results. Third parties can easily ‘read along’ with the communication between the app and the police, and can even manipulate the messages that are sent to the public. Privacy is not guaranteed, and dangerous situations could arise if someone were to abuse this.