CVE’s

Oracle - Unauthenticated XML eXternal Entity (XXE) [2017]

CVE-2017-10310

The XML parser of the Oracle Hyperion Financial Reporting Web Studio was configured to process document type definition (DTD) files provided by users. This allowed unauthenticated attackers to exploit this misconfiguration in the XML processor and read arbitrary files on the host system. In addition, it was also possible to obtain directory listings, perform server-side requests or cause a denial of service by using different variations of the payload.

The confidentially of the system can be highly affected. As this is a POST request against the log in endpoint, most servers may not be configured to perform logging of the POST data; also, as this is an unauthenticated attack, it would be hard to find evidence of this attack occurring and the information obtained via successful exploitation.

Technical details of this vulnerability can be found here

JCE - Bypass Joomla Content Editor upload validation [2015]

CVE-2015-7339

A vulnerability has been reported in the JCE upload routine that could allow a privileged user (in this case one allowed to use the editor and upload files), using the right tools, to upload a php file to the site by intercepting and altering the upload request data. The upload destination is limited to that set in the editor profile (“images” by default).

This vulnerability was introduced as the result of a mistake in the code in JCE 2.5.0 and affects versions 2.5.0, 2.5.1 and 2.5.2. Versions prior to this do not appear to be affected, but all users are requested to upgrade to 2.5.3

Thank you to Fábio Pires (https://twitter.com/fabiopirespt), Vitor Oliveira (https://twitter.com/r0t1v) and Filipe Reis (https://twitter.com/fjreis) from INTEGRITY Portugal for reporting the vulnerability and verifying the fix.”

Technical details of this vulnerability can be found here

jNews - Multiple vulnerabilities found in the jNews plugin [2015]

“This release addresses some possible vulnerability in jNews that could be used to compromise a site if attacker has a login to your site administrator area. The vulnerability was discovered by Fabio Pires, Filipe Reis, and Vitor Oliveira and of INTEGRITY Portugal.”

  • Bypass File Upload Restriction (CVE-2015-7341)
  • SQL Injection ( CVE-2015-7342)
  • Cross-Site Scripting ( CVE-2015-7343)

jNews release notes

jEvents - SQL Injection Vulnerability found in the jEvents Plugin [2015]

CVE-2015-7340

By means of a code-review, we found a SQL Injection vulnerability located in the icalevent controller, inside the backoffice.

“v. 3.4.0 RC6 security fix for risk of SQL injection - thanks to our friends at Integrity - Filipe Reis, Vitor Oliveira and Fabio Pires - for bringing it to our attention.”

HikaShop - Reflected Cross-Site scripting vulnerability found in the HikaShop Plugin [2015]

CVE-2015-7344

By means of a code-review, we found a Cross-site scripting vulnerability located in the update controller, inside the backoffice. It was a low issue but we decided to report it anyway.

“Minor security issue allowing reflected XSS in the backend has been fixed. Reported by Vitor Oliveira, Filipe Reis and Fábio Pires from Integrity

Bounties

Uber bug-bounty program [2016]

In this year, around 14 vulnerabilities were reported to the Uber bug-bounty program by me, Vitor and Filipe. Unfortunately, only 8 vulnerabilities were considered to be valid and unique after uber’s triaging. Due to the amount of vulnerabilities and the impact associated, various media and tech blogs decided to cover these as a reference.

Some of them are listed below:

The original article can be found here

Race Conditions in Popular reports feature [2016]

Reported a race condition bug that allowed authenticated users to upvote and downvote multiple times on single report, increasing its counter and their rank showed in the hacktivity page.

Insecure Direct Object Reference in OSTicket attachments [2015]

Reported a vulnerability that allowed remote attackers to download documents previously attached to tickets created by other users.

Parigami – Beta test challenge [2015]

Winner of the beta testing challenge by reporting a bug that allowed users to manipulate the score and force them pass the levels. The lack of certificate pinning and server-side validation, allowed me to manipulate the request data in order to trick the server to accept my forged score. The bug was fixed before the application went live.

Multicraft - Template Injection [2014]

Reported a cross-site script using template injection in this program, in my early days in bug bounties.

Projects and Contributions

Reverse Suite - A set of reverse engineer tools for android apps [2017]

A fork of kanytu’s project aiming to ease the process of reverse engineering and re-assemble android applications. The fork has put together some existing scripts in a single python tool. The changes also implemented a way to manage old disassembled applications to facilitate the build/signing/optimisation process.

Tomaolink [2016]

A website that aggregates most of the Facebook pages’ content related to humour (memes, jokes, videos, etc.). The original project was to collect on a single website, all the Portuguese funny Facebook’s pages, avoiding reposts and avoiding losing content due to Facebook’s content policies. The project grew up, and we later included some Brasilian and Angolan sources. With the growth of the project, we also started to use a CDN and an algorithm to detect repeated images.

Metasploit module for Account Creation and Privilege Escalation [2016]

In the same week that joomla released a fix for 3 high security issues, me, Filipe and Vitor decided to create a metasploit module to exploit them. This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. Also, if an email server has been configured in the Joomla, the attacker will be able to receive an email to activate his account. (PS: The account is disabled by default).