Analysis of a Command Injection in VBScript

In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we developed a VBScript Proof of...

Posted By

OverIT framework XSLT Injection and XXE – CVE-2022-22834 & CVE-2022-22835

During a penetration test activity, two vulnerabilities were discovered on a specific functionality called “Test Trasformazione xsl” whose purpose is to test the correct operation of the XSLT Java engine. This functionality is part of the set of tools available within the Geocall-Framework and it is not active by default. Advisory - CVE-2022-22834 OverIT projects based on the same Geocall-Framework at level...

Posted By

Merry Hackmas: multiple vulnerabilities in MSI’s products

This blog post serves as an advisory for a couple MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space. Read/write Model-Specific...

Posted By

Driver Buddy Reloaded

As part of Yarix's continuous security research journey, during this year I’ve spent a good amount of time reverse-engineering Windows drivers and exploiting kernel-mode related vulnerabilities. While in the past there were (as far as I know), at least two good IDA plugins aiding in the reverse engineering process: DriverBuddy of NCC Group. win_driver_plugin of F-Secure. unfortunately, nowadays, they are both rusty,...

Posted By