Owning JBOSS 4.2.3.GA Manually

Today we’ll talk about how to take ownership of a server running a default install of JBOSS 4.2.3.GA by hand using CVE-2010-0738.  Why are we talking about exploiting such an old vulnerability?  Well one reason is because it’s fun!  Another, is that we still see these type of installs on real life engagements!  Finally, there …

Owning JBOSS 4.2.3.GA ManuallyRead More »

Owning Solar Winds Firewall Security Manager Manually

We recently encountered a Solar Winds Firewall Security Manager (soon to be EOL) during an internal assessment. The vulnerability scan reported a source code disclosure vulnerability related to the underlying Java application server Jetty 6.1. While following up on this we stumbled upon a public exploit for CVE-2015-2284, “userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6.5 HotFix1 allows remote attackers to gain privileges and execute arbitrary code”.

Vulnerability Disclosure Policy

As a provider of security solutions, services, and research, ILLUMANT takes security issues very seriously. It is our policy to work and coordinate with other vendors with regards to discovered vulnerabilities, with the intention of keeping users and customers safe. This document will share our process for disclosure. Outreach ILLUMANT will reach out to the …

Vulnerability Disclosure PolicyRead More »