SSD Advisory – Oracle Knowledge Management XXE Leading to a RCE

Vulnerability Summary
The following advisory describes an information disclosure vulnerability (XML External Entity injection) found in Oracle Knowledge Management version 8.5.1.

By enabling searches across a wide variety of sources, Oracle’s InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content.

Oracle’s products for knowledge management help users find useful knowledge contained in corporate information stores.

Credit
An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Oracle has released patches to address this vulnerability, for more details see: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html.


SSD Advisory – HTC Sync Remote Code Execution

Vulnerabilities Summary
The following advisory describes a remote code execution (RCE) vulnerability found in HTC Sync version 3.3.63.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vulnerability was not reported to the vendor because the product reached end of life on 31 August 2016 and was replaced by HTC Sync Manager, which is not affected by this vulnerability.


HITCON Taiwan 2016

On 1-2 December 2016 we had the honor of sponsoring HITCON for the first time and visiting Taiwan.

Our adventure started on November 30th, when Noam and I landed in Taipei and had half a day for sightseeing and setting up our booth at the conference hall.

In the evening we were invited to the Team T5 reception, where we saw some old friends and made some new ones. We talked about the importance of the hacker community and how Beyond Security can support it in this era.

During the HITCON conference we had the opportunity to meet so many great people, give them awesome T-shirts for free, answer their questions and provide information about the SSD program and how it can help them report vulnerabilities more easily and get paid for them.


On the second day, Noam gave his lecture on “Why today’s security researchers cannot just publish vulnerabilities”, explaining the problems currently present in the process of reporting vulnerabilities to vendors and why the current bug bounty programs do not offer a solution (the slides will be uploaded soon by HITCON).

We found the whole conference experience to be amazing; it was a privilege for us to be able to attend and sponsor HITCON 2016, especially since it allowed us to be part of the ‘international’ community of security researchers.

One last thing: Noam and Yannay Livneh (a speaker at HITCON) both had their birthdays during HITCON. Happy Birthday guys!