Zimbra “nginx” Local Root Exploit

Recently I decided to have a look at the somewhat popular email and collaboration platform, Zimbra, with the idea to go find some bugs in it. I'm simply dropping these as full disclosure, because the Zimbra "disclosure policy" prohibits publication of exploit code, which is something I find incredibly disagreeable. I also find that "responsible" …

PHP Webshells, vBulletin, and Equifax Mode

This is just a quick post about some of the stuff behind an exploit I wrote for CVE-2020-7373. If you want to know more about the vulnerability itself, I'd suggest reading this blog post by zenofex. Effectively the vulnerability gives us a method of executing arbitrary PHP code on a vulnerable vBulletin installation. When I …

Honeypot Detection: SSH Host Keys

In this post I'll outline a method to detect Cowrie honeypots in both "shell" and "proxy" mode based on SSH Host Keys, post authentication. The method involved is quite simple. It also works on some other honeypots. Firstly, we grab the host's SSH public key. This can be easily done by using the ssh-keyscan utility. …