Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717)

ModSecurity is an open-source WAF engine maintained by Trustwave. This blog post discusses an issue with JSON parsing that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in both v2 and v3.

CrypKey License Service Allows Privilege Escalation

CrypKey (https://www.crypkey.com/) is a third-party licensing service for Windows that integrates with existing software packages to prevent piracy and illegal duplication of software and data. I discovered that this service was installed on my system and decided to investigate it a little deeper. What I found was a trivial Privilege Escalation vulnerability and despite multiple attempts to get the vendor to patch the issue, a patch is still unavailable at the time of publication.

BlackByte Ransomware – Pt. 1 In-depth Analysis

During a recent malware incident response case, we encountered an interesting piece of ransomware that goes by the name of BlackByte.

BlackByte Ransomware – Pt 2. Code Obfuscation Analysis

We received the original launcher file from an Incident Response case. It was about 630 KB of JScript code which was seemingly full of garbage code – hiding the real intent.

A Handshake with MySQL Bots

It’s well known that we just don’t put services or devices on the edge of the Internet without strong purpose justification. Services, whether maintained by end-users or administrators, have a ton of security challenges. Databases belong to a group that often needs direct access to the Internet - no doubt that security requirements are a priority here.

Missing Critical Vulnerabilities Through Narrow Scoping

The typical process when scoping a penetration test is to get a list of targets from the client, which are typically a list of IP addresses and/or hostnames. But where does this information come from, and how accurate is it?

How Lack of Awareness and Clinging to the Past Threaten Your Networks

The security landscape is always changing. New features are coming out all the time, but often backward compatibility is maintained too. What this means is that while the new features may be present and active by default, it's possible for users to be completely unaware of them and continue using the legacy functionality.

Patch Tuesday, August 2021

Here we are in August and it's Patch Tuesday once more. It's another light month with only 9 CVEs patched for vulnerabilities rated as "Critical" and 35 CVEs rated as "Important". On the Critical list, you'll Remote Code Execution vulnerabilities in Windows Graphics Engine, MSHTML Platform, NFS/OpenRPC/XDR Driver, the MS TCP/IP stack, and Windows Print Spooler. Additionally, Azure Sphere has Denial of Service and Information Disclosure vulnerabilities patched.

SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points

Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified.  Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, including that four out of five were vulnerable in only one or both the ORDER and ORDER BY clauses.

Telegram Self-Destruct? Not Always

Secret-Chats in Telegram use end-to-end encryption, which is meant for people who are concerned about the security and privacy of their chat history. The messages can be read only by sender and receiver, and not even Telegram administrators have the encryption keys necessary to read any chats.

Compromising a Network Using an "Info" Level Finding

Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk.

Patch Tuesday, July 2021

We're a little over halfway through the year now as July's Patch Tuesday is released and it's been a rough year so far for Microsoft. From the HAFNIUM zero-day campaign targeting Exchange back in March to the accidental zero-day release last month for PrintNightmare.

ModSecurity v3 and URI Fragments

ModSecurity is an open-source WAF engine maintained by Trustwave. This blog post discusses an input interpretation bug in ModSecurity v3 related to URI fragments that was identified during a recent internal security review.

Solarwinds Serv-U 15.2.3 Share URL XSS (CVE-2021-32604)

Sometimes when pen-testing a large network you come across a few exposed web hosts running out-of-the-box software. In this example, I found a small, yet interesting vulnerability within the SolarWinds Serv-U FTP Server. Although the initial vector requires authentication, a low privileged user is able to create a publicly accessible URL that triggers an XSS payload when visited.

Yet Another Archive Format Smuggling Malware

The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about.

Thousands of Vulnerable VMWare vCenter Servers Still Publicly Exposed (CVE-2021-21985, CVE-2021-21986)

On May 25th, 2021, VMWare released patches to address VMSA-2021-0010, a critical security advisory for VMWare vCenter Server addressing two vulnerabilities. One of them was a remote code execution (RCE) in the vSphere Client (CVE-2021-21985) that exists due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in the vCenter Server.

Patch Tuesday, June 2021

Summer is officially here and with it June's Patch Tuesday. This is a surprisingly light month with only 49 CVEs being patched and only five of those rated as "Critical". The list of "Critical" includes a Remote Code Execution (RCE) Microsoft's anti-malware software, Defender. It's always a double hit when the software meant to protect your system ends up being a threat that can cause compromise. In addition, you'll find RCEs in the MS Scripting Engine, SharePoint, and VP9 Video Extensions on that list. Most concerning is an RCE vulnerability in the MSHTML Platform (CVE-2021-33742). This CVE has been publicly disclosed and exploited in the wild in targeted campaigns.

Huawei LTE USB Stick E3372: From File Overwrite to Code Execution

In today's world, more and more devices are connected to the Internet for on-the-go connectivity. Huawei has a mobile broadband service that allows Internet connectivity via cellular networks by using a small USB dongle. The device itself – Huawei LTE USB Stick E3372 – looks like a USB thumb drive and comes with software to install on macOS called HiLink.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics