Recent Curesec Publications
2023 Apr 25
Posted by Marco Lux
In 2019 Pedro Umbelino and I (Marco Lux) figured out that we had both made attempts to research DoS issues with the Service Location Protocol. Each of us had stumbled across that protocol by accident: I during ongoing failures while installing an HP printer on the local network, and Pedro while skimming through RFCs.
We quickly found that the results we had were common and decided to correlate the data and publish it in the near future. As it turned out, the near future was several years later. While collecting the evidence in 2023 we recognized the #ESXi attack by a random ransomware group. We decided it was time to publish our results.
2023 Jan 27
Posted by Marco Lux
Recently, on a rainy Sunday, I used the opportunity to analyze a camera that was integrated into a sleek robotic shell. The manufacturer provided a brief instruction manual on how to set up and connect to the device. However, after observing the network traffic, I became intrigued and decided to delve deeper into the device.
2017 May 24
Posted by Mathis Hagen
This is the second article about our small sniffing device, where we focus on making our lives easier by creating a firmware image to shorten the configuration process and remove the need for an internet connection during setup.
2017 May 24
Posted by Marcus Gruber
This tutorial shows how to use the broken authentication and find the support_user of an ALLNET ALLBM100VDSL2V modem.
2017 May 24
Posted by Mathis Hagen
The Smartwares C935IP is an IP surveillance camera with night vision and motion detection. The camera can be configured to send an alarm email when motion is detected. Enabling this option makes it possible for an attacker to obtain the login information of the account used.
2017 May 24
Posted by Mathis Hagen
This article describes how we found the SSL vulnerability of the Smartwares C935IP camera. The camera is vulnerable to a MITM attack using sslsplit. The test described can also be used for every device capable of networking, making it an easy-to-perform standard test.
2017 May 09
The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF. Because of this it is possible to add a new admin user.
2017 Apr 13
The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability but this can be bypassed via CSRF.
2017 Apr 13
The authentication of the web interface of the VDSL Client Modem ALL-BM100VDSL2 relies on local IP addresses and can thus be bypassed by an attacker with access to the local network as long as any user is currently authenticated. Additionally, the system contains an undocumented default user with a hardcoded password who has root access to the device.
2017 Mar 24
pfSense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code execution. It should be noted that by default, only an administrator can access the setup wizard. By default, administrators have far-reaching permissions via the wizard and via other functionality. There are, however, some custom configurations where this vulnerability could lead to privilege escalation or undesired code execution.