Advisories
A list of my (old) public advisories. Several of these contain remote preauth -> root exploit bug chains, and all contain full proof of concept exploit details.
SaltStack Salt - March 2021
CVE-2021-3197, CVE-2021-25281 and CVE-2021-25282, discovered via variant analysis. Post here.
Calibre - December 2019
Straightforward XXE then exfiltration of the read file from inside the sandbox. Launchpad Ref, fixed in 4.8. POC at poc3.epub
Cisco WSA - July 2016
Partial Auth bypass, authenticated code execution, Stored XSS in Cisco Web Security Appliance
Cisco Prime Infrastructure - Jun 2016
API authentication bypass, authenticated code execution, privilege escalation, unauthenticated XXE and unauthenticated SQLi
Cisco Prime vNAM - Jun 2016
Unauthenticated remote code execution, privesc, subshell breakout in Cisco Prime vNAM
Kaltura - Mar 2016
Preauth RCE via unserialize, authenticated file upload, preauth SSRF, cryptographic weakness leading to account takeover, stored XSS
CYAN - Nov 2015
Authentication bypass, authed file write to shell, privilege escalation.
Symantec Web Gateway - Sep 2015
Authenticated SQLi, authenticated command injection
Silver Peak VXOA - Sep 2015
Preauth file read, post auth command injection, mass assignment, shell file upload, hardcoded admin credentials, subshell breakout.
Citrix Netscaler - Jun 2015
Authenticated command injection, privilege escalation
WedgeOS - Jun 2015
Preauth file read, authenticated command injection, privilege escalation
Watchguard XCS - Jun 2015
Preauth SQLi, command injection, privilege escalation
Liferay Portal - Feb 2015
Authenticated file upload to shell