Introduction
In early 2020, we had a situation where we wanted to abuse a known username enumeration issue in Atlassian products. The vulnerability allows an attacker to enumerate valid usernames, but if the attacker wants to bruteforce the identified accounts, a CAPTCHA is displayed on the login page and…
Our blog
In early 2019, I had to assess the latest version (9.1r3 at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper.
Given that the client allows end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker…
October 5, 2020 | by quentin
Initial Discovery
During a recent engagement I identified an open redirect where a GET parameter would be reflected as-is in the HTTP response Location header without any kind of sanitization. Something similar to this:
Trying multiple kinds of injections, I discovered that newlines and…
September 30, 2020 | by quentin
Introduction
During an audit we executed in 2019, we had to test a deployment where a third-party company had to remotely connect to special-purpose computers to perform maintenance. At the time, they had chosen a software called RemotePC to remotely log in to these special-purpose computers…
May 8, 2020 | by quentin
Introduction
TL;DR
Twilio Platform
Preparing Custom Setup
Traffic Interception and Analysis
Information Gathering
DTLS Demultiplexing
Intercepting Traffic to chunderm.gll.twilio.com
Signalling Traffic
Intercepting DTLS-SRTP
Terminating DTLS with SRTP Extension
Putting It All Together
Spoofing…
March 26, 2020 | by pavel
The Qsslcaudit tool developed by my colleague Pavel provides an easy way for testing a client SSL implementation. To make testing of multiple connections even more straightforward, I created a proxy wrapper for this tool.
How it works
The user configures qsslcauditproxy as a proxy server on the…
March 18, 2020 | by sean
Preface
In this post we demonstrate how to use our tool, qsslcaudit, to assess client-side TLS implementations. qsslcaudit helps determine if a TLS client (mobile application, standalone application, web service) properly validates the server's certificate and if only secure protocols are supported.…
February 28, 2020 | by pavel
Intro
On the 14th of January 2020, Microsoft fixed CVE-2020-0601, a high severity vulnerability affecting "the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates". Corresponding advisories were issued by NSA and CERT on the same day. On the next day it…
February 26, 2020 | by pavel
This is a new release of our tool designed to assess TLS client security (certificate validation, protocol and cipher support): v0.8.1.
The corresponding packages for various Ubuntu versions are prepared in ppa:gremwell/qsslcaudit. Packaging for Kali is handled by Kali maintainers.
The single…
February 25, 2020 | by pavel
During a recent engagement, we tried to enumerate email accounts by abusing a previously reported user enumeration issue affecting Office 365, but found out it no longer works.
In the past, sending authentication requests to ActiveSync with the Basic HTTP authentication mechanism would return different…
February 18, 2020 | by quentin
Contacts

+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
Belgium
VAT: BE 0821.897.133.