Our blog
Summary
TL;DR
Intro
Testbed
Couchbase
Spring Project
Build
Experiments
Exploitation
Conclusion
Summary
Spring applications quite often use the @Query annotation. It helps to control
requests executed by database servers, like customising what data to extract. It
is usually…
September 30, 2021 | by pavel
A new version of our tool, which we use to assess TLS client security, has been released: v0.8.3.
The corresponding packages for various Ubuntu versions are prepared in ppa:gremwell/qsslcaudit. Packaging for Kali is handled by Kali maintainers.
Each time you dive into the process of TLS handshake…
April 12, 2021 | by pavel
Introduction
In early 2020, we had a situation where we wanted to abuse a known username enumeration issue in Atlassian products. The vulnerability allows enumerating valid usernames, but if an attacker wants to brute-force the identified accounts, a CAPTCHA is displayed on the login page and…
October 5, 2020 | by quentin
In early 2019, I had to assess the latest version (9.1r3 at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper.
Given that the client allows end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker…
October 5, 2020 | by quentin
Initial Discovery
During a recent engagement I identified an open redirect where a GET parameter would be reflected as-is in the HTTP response Location header without any kind of sanitization. Something similar to this:
Trying multiple kinds of injections, I discovered that newlines and carriage…
September 30, 2020 | by quentin
Introduction
During an audit we executed in 2019, we had to test a deployment where a third-party company had to remotely connect to special-purpose computers to perform maintenance. At the time, they had chosen a software called RemotePC to remotely log in to these special-purpose computers…
May 8, 2020 | by quentin
Introduction
TL;DR
Twilio Platform
Preparing Custom Setup
Traffic Interception and Analysis
Information Gathering
DTLS Demultiplexing
Intercepting Traffic to chunderm.gll.twilio.com
Signalling Traffic
Intercepting DTLS-SRTP
Terminating DTLS with SRTP Extension
Putting It All…
March 26, 2020 | by pavel
The Qsslcaudit tool developed by my colleague Pavel provides an easy way for testing a client SSL implementation. To make testing of multiple connections even more straightforward, I created a proxy wrapper for this tool.
How it works
The user configures qsslcauditproxy as a proxy server on the…
March 18, 2020 | by sean
Preface
In this post we demonstrate how to use our tool to assess client-side TLS implementations: qsslcaudit. qsslcaudit helps determine if a TLS client (mobile application, standalone application, web service) properly validates the server's certificate and if only secure protocols are supported.…
February 28, 2020 | by pavel
Intro
Theory
Common words
ECC
The issue
Practice
Objective
Input data
Evil private key generation
Crafting certificates
Exploitation
qsslcaudit
Conclusion
Intro
On the 14th of January 2020, Microsoft fixed CVE-2020-0601, a high severity vulnerability affecting…
February 26, 2020 | by pavel
Contacts

+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
Belgium
VAT: BE 0821.897.133.