Vulnerabilities (Page 41)

Telenot Complex: Insecure AES Key Generation

The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it's used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these AES-128 keys are generated is naive and insecure…


SSRF leading to JWT disclosure in VMWare Workspace One

While the hostnames were being validated for this vulnerability, injecting a @ into the path argument was sufficient to mislead the final URL parser, and the code actually making the HTTP request, into going to an unapproved domain: the parser treats the path as the host and everything before the @ as mere credentials.


CWP CentOS Web Panel - preauth RCE [CVE-2021-45467]

A combination of a local file inclusion bug and a file write bug. Firstly, the user/loader.php and /user/index.php pages had some interesting code that would take a scripts GET parameter and use it to construct an include path in PHP…


Uniview PreAuth RCE

The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world…