rskvp93 - Blog of Viettel Cyber Security

The OWASSRF + TabShell exploit chain

We see that one of our vulnerabilities is exploited in the wild Link. So we decided to public the detail analysis of our two bug chain. Any customer has enough information to mitigate these bugs. The vendor also released all patches two weeks ago. This blog post shares the detail

Researches

Deep understand ASPX file handling and some related attack vectors

Basic conceptsEach IIS server may be include many websites, each website has Site ID, Physical webroot path, bindings and Root application (and more another applications under child directory): Example website1For example, website1 have: Site ID = 2, Physical Path = C:\website1, Bindings = http:*:81:, two applications (Root application at C:\website1

Researches

Pwn2Own 2021 Microsoft Exchange Exploit Chain

VULNERABILITY TITLE Microsoft Exchange Unauthenticated SSRF in Autodiscover frontend service combined with Authentication Bypass in Powershell Backend service and Arbitrary File Write in OAB backend service lead to Remote Code Execution VULNERABILITY SUMMARY The chains of 3 vulnerablity allows remote attackers to write a webshell and execute arbitrary code on

Researches

The journey of exploiting a Sharepoint vulnerability.

Today I will writeup two vulnerabilities: Microsoft Sharepoint: MS13–067Microsoft Exchange: MS13–105Before reading, I think you need to know some concepts: Microsoft Exchange, Microsoft Sharepoint, ASP.NET Web Forms, VIEWSTATE. Microsoft Exchange is the webmail server of MicrosoftMicrosoft Sharepoint is a web-based, collaborative platform for creating portal, managing document,