TL;DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which were due to insufficient hardening on the client’s side, while others were new vulnerabilities I found that, when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE.
Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and validation of the findings were done on my own test environment.
Intro
The last few months I’ve been studying Chrome’s v8 internals and exploits with the aim of finding a type confusion bug. The good news is that I found one, so the fuzzing and analysis efforts didn’t go to waste. The bad news is that I can reliably trigger the vulnerability but I haven’t found a way to weaponise it yet.
If you don’t have prior knowledge of v8, I encourage you to take some time and read through the previous post I wrote. It covers all of the basics regarding the v8 compiler and tools that helped me throughout my research. More importantly, it will help newcomers understand all of the research described within this post.
Intro
This post gives a short introduction to the QL language using real-world vulnerabilities that I found in the past, and it ends with a small challenge using QL.
A few months ago, I heard of Semmle QL for the first time. It performs multiple code analysis techniques against source code and dumps the results into a database. Then, using the QL language, you can query this data to perform variant analysis.
04 March 2013
~2 min
By inaki
A few days ago, during one of those nights with the baby crying at 2:00 am when the only thing you can do is read emails, I realised that Gmail shows the content of compressed files when viewing them in Google Docs. As is often the case at SensePost, the “think evil ™” came to me and I started to ponder the possibilities of injecting HTML inside the file listing. The idea is actually rather simple. Looking at the file format of a .zip file we see the following: