illumant

ILLUMANT #1 Bug Bounty Hunter on Alibaba

In 2018 Illumant topped the list of bug hunters for Alibaba’s bug bounty program: To see this info on Alibaba, go the following link and select the year 2018: https://security.alibaba.com/top.htm?tab=1

Check Point ZoneAlarm Anti-Virus Exploit

Local Exploitation of WCF Services within ZoneAlarm Anti-Virus Software to Escalate Privileges General Overview Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate to SYSTEM-level privileges. A service endpoint within ZoneAlarm exposes powerful functionality, including the ability to start new processes as SYSTEM. Efforts …

Check Point ZoneAlarm Anti-Virus ExploitRead More »

Technical White Paper: Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege Escalation

Introduction Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate privileges to SYSTEM-level with the anti-virus software enabled. The vulnerability is due to insecure implementation of inter-process communications within the ZoneAlarm application itself, which allows a low-privilege user to inject and execute code by …

Technical White Paper: Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege EscalationRead More »

Owning JBOSS 4.2.3.GA Manually

Today we’ll talk about how to take ownership of a server running a default install of JBOSS 4.2.3.GA by hand using CVE-2010-0738.  Why are we talking about exploiting such an old vulnerability?  Well one reason is because it’s fun!  Another, is that we still see these type of installs on real life engagements!  Finally, there …

Owning JBOSS 4.2.3.GA ManuallyRead More »

Owning Solar Winds Firewall Security Manager Manually

We recently encountered a Solar Winds Firewall Security Manager (soon to be EOL) during an internal assessment. The vulnerability scan reported a source code disclosure vulnerability related to the underlying Java application server Jetty 6.1. While following up on this we stumbled upon a public exploit for CVE-2015-2284, “userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6.5 HotFix1 allows remote attackers to gain privileges and execute arbitrary code”.