In a previous post we wrote about the Modulus Oracle Attack. This technique exploits the ability to treat a modulus error as an oracle, inferring the modulus value and rebuilding the public key. Really, it should not be a problem: the public key is public anyway. But in certain cases, knowing the public key can be very useful. The following case is one of them.
Last year, while we were performing an ethical hacking assessment, we found a curious vulnerability in a cryptosystem implementation based on RSA.
Our client centralized the authentication of their internal applications in a web login. This login, after verifying the username and password, redirects to the selected internal application and passes a mysterious Base64-encoded parameter to that application. Obviously, we decoded it to reveal its content, but we got just a random binary stream. The content was encrypted.
While I was on vacation, a patch was released for RD Gateway (CVE-2020-0609 and CVE-2020-0610). I had never heard of a Gateway for Remote Desktop, so I found it interesting to analyze.
I stopped sunbathing on the beach, turned on the laptop and started. After I had written a PoC that correctly triggered a DoS, some posts began to appear about it. Then I was in doubt whether I should write about it, and here we are.
The vulnerability that we are disclosing here was fixed some months before this post. We could not report it in a timely manner, but we are happy to finally share this story.
A long time ago, while I was doing a malware analysis on a customer's computer, I found a weird Monero miner. This miner had its configuration in a plain-text JSON file without any obfuscation. That is very unusual for malware, so I decided to investigate a little more.
The tool we are releasing today implements some not-so-novel techniques that are nonetheless very clever for the purpose and have not been seen before in this specific use case.
The use of User Defined Functions (UDF) to achieve code execution in different DBMSs is not new, but implementing it in a clean and efficient way for PostgreSQL, and particularly when running under Windows, has always required multiple steps: detecting the exact version of the DBMS (9.x, 10.x, etc.), then modifying the UDF DLL source code or compiling it against the libraries and headers of that exact PostgreSQL version. This process has proven to be less than user friendly and prone to errors, and has even been considered too complex to be worth the effort (yes, we are lazy for the simple tasks).