Pentest
Our experts perform advanced technical operations such as intrusion tests simulating cyber espionage operations under an ethical hacker contract. These simulations can be:
- Restricted to a particular application in order to discover any vulnerability that would allow an attacker to gain specific rights, access sensitive data, etc.
- Extended to the entire network and internal and/or external infrastructure to analyze the exposure area, find infrastructure vulnerabilities and show how an attacker would find and connect multiple vulnerabilities to compromise the network and its data.

To illustrate, here are some examples of topics and environments addressed in recent years during digital security projects or security assessments through intrusion tests:
- Advanced Persistent Threat (APT) & In-depth Hacking
- Exfiltration of sensitive data outside the infrastructure beyond proxies, DLP, etc.
- Servers, workstations, applications, Active Directory Windows, UNIX, etc.
- WEB applications, APIs, Docker environments, Cloud applications (AWS, Kubernetes, etc.)
- Limitations of protection tools: antivirus, firewall, anti-spyware, proxy, NAC, etc.
- SCADA (plants), supercomputing (infrastructures), CCTV (network cameras)
- LAN, DMZ, VPN, WEB, VoIP, Wifi, databases, etc.
- Mobile fleet and tablet management (MDM, Mobile Device Management)
- Old-school PBX – PABX infrastructures
Remote pentest
On-site pentest
On-demand 0day research for critical products
Some examples of vulnerabilities discovered by TEHTRIS, shared directly with the affected vendors
[MISP]
CVE-2021-36212 : Stored XSS on MISP < 2.4.146
MISP before version 2.4.146 is impacted by a stored XSS vulnerability via the “share groups” menu
https://github.com/MISP/MISP/commit/01521d614cb578de75a406394b4f0426f6036ba7
[The Plus Addons]
CVE-2021-24351 The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
[The Plus Addons]
CVE-2021-24359 The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending
The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. This issue could be chained with an open redirect (https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d) in versions below 4.1.10 to include a crafted password reset link in the email, which would lead to an account takeover.
[The Plus Addons]
CVE-2021-24358 The Plus Addons for Elementor Page Builder < 4.1.10 - Open redirect
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
[Tenable]
CVE-2021-20076 Remote vulnerability in Tenable
Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 contain a vulnerability that could allow an unprivileged, authenticated user to perform remote code execution (RCE) on the Tenable.sc server via PHP deserialization.
[SolarWinds]
CVE-2020-35482 Reflective XSS vulnerability on Serv-U
The URL for the web client sharing details was vulnerable to an XSS attack. An attacker could perform social engineering and impersonate an authenticated user.
[SolarWinds]
CVE-2020-35481 & CVE-2021-3154 Macro Injection vulnerability on Serv-U
SolarWinds Serv-U before 15.2.2 allows the injection of unauthenticated macros. These two vulnerabilities allow an unauthenticated attacker to recover user passwords in clear text.
[BITDEFENDER]
CVE-2020-8097 : Critical vulnerability in Bitdefender Endpoint Security Tools for Windows and Bitdefender Endpoint Security SDK
An untrusted search path vulnerability in the product.console.exe as implemented in Bitdefender Endpoint Security Tools for Windows and Endpoint Security SDK allows a local attacker to escalate privileges.
This issue affects Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.18.261 and Endpoint Security SDK versions prior to 6.6.18.261.
[PAESSLER PRTG Network Monitor]
CVE-2020-10374 on PRTG Network Monitor
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
Reference : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10374
https://www.paessler.com/prtg/history/stable
[Oracle] Risk of ERP attacks
CVE-2018-2991 Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite
A vulnerability allows an attacker who is not authenticated with network access via HTTP to compromise the Oracle Trade Management component of Oracle eBusiness Suite. The attack requires human interaction and although the vulnerability is in the Oracle Trade Management component, the attack significantly impacts other components. Exploiting this vulnerability gives unauthorized access to critical data, or even full access to all data accessible by the “Oracle Trade Management” module as well as unauthorized access to read, write and modify the data accessible by the module.
Reference : https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html
[Oracle] Risk of ERP attacks
CVE-2018-2993 Vulnerability in the "Oracle CRM Technical Foundation" component of Oracle E-Business Suite
A vulnerability allows an attacker who is not authenticated with network access via HTTP to compromise the “CRM Technical Foundation” component of Oracle eBusiness Suite. The attack requires human interaction and although the vulnerability is in the Oracle CRM Technical Foundation component, the attack significantly impacts other components. Exploiting this vulnerability gives unauthorized access to critical data, or even full access to all data accessible by the “Oracle CRM Technical Foundation” module as well as unauthorized access to read, write and modify the data accessible by the module.
Reference : https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html
[Oracle] Risk of ERP attacks
CVE-2018-2996 Vulnerability in the "Oracle Applications Manager" component of Oracle E-Business Suite
A vulnerability allows a non-authenticated attacker with network access via HTTP to compromise the Oracle Applications Manager component of Oracle eBusiness Suite. Exploiting this vulnerability gives unauthorized access to critical data, or even full access to all data accessible by the “Oracle Applications Manager” module.
Reference : https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html
[Oracle] Risk of ERP attacks
CVE-2018-3012 Vulnerability in the "Oracle Trade Management" component of Oracle E-Business Suite
A vulnerability allows an attacker who is not authenticated with network access via HTTP to compromise the Oracle Trade Management component of Oracle eBusiness Suite. The attack requires human interaction and although the vulnerability is in the Oracle Trade Management component, the attack significantly impacts other components. Exploiting this vulnerability gives unauthorized access to critical data, or even full access to all data accessible by the “Oracle Trade Management” module as well as unauthorized access to read, write and modify the data accessible by the module.
Reference : https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html
[Alfresco] Possible document hacking
CVE-2014-2939 : Multiple XSS vulnerabilities on Alfresco Enterprise
Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise prior to version 4.1.6.13 allow attackers to inject HTML and arbitrary JavaScript content via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter on share/page/task-edit.
Reference : https://www.kb.cert.org/vuls/id/537684/
[MCAFEE] Possible hacking of mobile fleets
CVE-2012-4587 : Remote vulnerabilities on McAfee Enterprise Mobility Manager
McAfee Enterprise Mobility Manager (EMM) Agent before version 4.8 and Server before version 10.1 are vulnerable when the one-time provisioning (OTP) mode is enabled. They depend improperly on DNS SRV records, which makes it easier for remote attackers to discover user passwords, as demonstrated by a password entered on an iOS device.
Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4587
[Citrix] Possible hacking of mobile fleets
VU#584363 : CSRF vulnerabilities in Citrix Zenprise Device Manager
Zenprise Device Manager is mobile device management (MDM) software that can be used to manage a company’s mobile device fleet. The web interface of Zenprise Device Manager is vulnerable to cross-site request forgery (CSRF) attacks. A successful CSRF attack against an administrator user will allow a remote attacker to execute commands as an administrator on any device managed by Zenprise Device Manager.
Reference : https://www.kb.cert.org/vuls/id/584363/
[APPLE] Critical vulnerabilities in phones, etc.
CVE-2010-1752 : Remote vulnerabilities (Overflow) on iPhone, iPod, MacOS (Safari) and Windows (Safari)
There is a stack overflow in the CFNetwork URL handling code. Visiting a maliciously crafted website can lead to unexpected application termination or arbitrary code execution. This problem has been solved by better memory management.
Reference : https://support.apple.com/en-us/HT4225
[BLACKBERRY] Critical vulnerabilities in phones
CVE-2010-2599 : Remote vulnerabilities on Blackberry equipment (Overflow)
Overflow vulnerabilities in Research In Motion (RIM) BlackBerry devices prior to version 6.0.0 allow remote attackers to cause, at a minimum, a denial of service (browser hang) via a crafted web page.
Reference : https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000024841
Example of a simulated attack scenario by TEHTRIS to identify IT risks for a customer
The test is defined as a black box test from the internet to simulate an external attacker. No information is given other than the company’s external IP ranges. In a few days, TEHTRIS can:
- Perform reconnaissance on the external IP ranges of the company in order to list the exposed assets (IPs, OS, applications, domains…)
- Find several pre-authentication vulnerabilities in the exposed applications that allow command execution on the back-end operating systems
- Bypass security solutions on exposed web servers (WAF, antivirus, firewalls…) and deploy post-exploitation tools in order to pivot into the internal network
- Scan the internal network from one of the web servers for a quick reconnaissance phase
- Discover vulnerabilities in internal applications
- Pivot and escalate privileges on the Active Directory domain
- Get “Domain Administrator” privileges on the Active Directory
At the end of the test, a meeting is held with the client to discuss the various problems identified and possible improvements. A detailed report containing the exploited vulnerabilities and recommendations for patches/mitigations and infrastructure improvements is delivered to the client.