Vulnerability Research
Overview
Hackers for Change believes in transparency and responsible disclosure. We have a volunteer-run vulnerability research team that identifies vulnerabilities in popular applications and modules.
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Hackers for Change adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. More information about our disclosure policy can be found here.
Want to join the vulnerability research team? Join Hackers for Change as a Junior or Senior Consultant and hack with us today!
Advisories
Ark: maliciously crafted archive can install files outside the extraction directory.
Author: Dominik Penner (Director of Advisory) - CVE-2020-16116
Timeline
07/14/2020 - Date of initial discovery
07/20/2020 - Report submitted to KDE
07/30/2020 - Patch released
07/31/2020 - Date of Public Disclosure
KDE is a desktop environment found in Linux distributions such as openSUSE, Kali, Kubuntu, and others that offers a graphical user interface to the operating system. Penner discovered a path traversal vulnerability in the default Ark archive utility that allows malicious actors to achieve remote code execution by distributing malicious archives. Once a user opens the archive, the attacker can create autostart entries that automatically launch programs that could encrypt a user's files with ransomware, install miners, or install backdoors that give remote attackers shell access to a victim's account.
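The defensive counterpart to the Ark issue is to inspect every archive member name before anything is written to disk. The following is an added example (not Ark's or KDE's code) that scans zip and tar archives for entries whose path, symlink target, or hardlink target would resolve outside the chosen extraction directory; the sample archives are constructed in memory and the destination path /tmp/extract-here is an assumed value.

```python
import io
import os
import tarfile
import zipfile


def _inside(dest, path):
    """True if `path`, joined onto `dest`, still resolves inside `dest`.

    Absolute member names win over `dest` in os.path.join, and "../" segments
    are collapsed by realpath, so both traversal styles end up outside `dest`.
    """
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, path))
    return os.path.commonpath([dest, target]) == dest


def unsafe_zip_members(zf, dest):
    """Return (name, reason) for zip members that would land outside `dest`."""
    bad = []
    for info in zf.infolist():
        if not _inside(dest, info.filename):
            bad.append((info.filename, "path escapes extraction directory"))
    return bad


def unsafe_tar_members(tf, dest):
    """Return (name, reason) for tar members that escape `dest` directly or via links."""
    bad = []
    for m in tf.getmembers():
        if not _inside(dest, m.name):
            bad.append((m.name, "path escapes extraction directory"))
        elif m.issym():
            # A symlink target is relative to the directory the link lives in.
            link_base = os.path.dirname(m.name)
            if not _inside(dest, os.path.join(link_base, m.linkname)):
                bad.append((m.name, "symlink target escapes extraction directory"))
        elif m.islnk() and not _inside(dest, m.linkname):
            # A hardlink target is relative to the archive root.
            bad.append((m.name, "hardlink target escapes extraction directory"))
    return bad


def scan_archive_bytes(data, dest):
    """Detect the container format and return the list of unsafe members."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return unsafe_zip_members(zf, dest)
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tf:
        return unsafe_tar_members(tf, dest)


def build_sample_zip():
    """Constructed sample: one benign entry and one relative-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/README.txt", "harmless content\n")
        zf.writestr("../../.config/autostart/evil.desktop",
                    "[Desktop Entry]\nExec=/bin/true\n")
    return buf.getvalue()


def build_sample_tar():
    """Constructed sample: a benign file, an absolute-path entry, an escaping symlink."""
    buf = io.BytesIO()
    payload = b"harmless\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        ok = tarfile.TarInfo("notes/README.txt")
        ok.size = len(payload)
        tf.addfile(ok, io.BytesIO(payload))
        absolute = tarfile.TarInfo("/home/victim/.config/autostart/evil.desktop")
        absolute.size = len(payload)
        tf.addfile(absolute, io.BytesIO(payload))
        link = tarfile.TarInfo("config")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/extract-here"  # assumed extraction directory
    for label, data in (("zip", build_sample_zip()), ("tar", build_sample_tar())):
        for name, reason in scan_archive_bytes(data, dest):
            print(f"{label}: REJECT {name!r}: {reason}")
```

On Python 3.12 and later (and the security backports to earlier releases), tarfile's extractall(filter="data") applies the same class of rejections for tar archives; the scan above is still useful as a pre-extraction audit and for zip files, where no such filter exists.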
Maltego: XXE in all versions prior to 4.2.11
Author: Dominik Penner (Director of Advisory) - CVE-2020-24656
Timeline
07/13/2020 - Date of initial discovery
07/16/2020 - Report submitted to Maltego
08/12/2020 - Patch released
08/27/2020 - Date of Public Disclosure
Maltego facilitates forensic investigations for security researchers, law enforcement and intelligence alike. This vulnerability can allow an attacker to perform a number of actions, such as exfiltrating local files from a victim's system. An attacker can exploit it by sharing a malicious project file and having a user import it. Maltego project files are commonly shared across the internet, which increases the likelihood of a successful attack.
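For an application that imports XML documents from untrusted sources, the defensive check is to refuse any document that declares external entities or an external DTD before handing it to the real parser. The following is an added example, not Maltego's code, and it assumes the imported project file is plain XML; the two sample documents are constructed here for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


def find_entity_risks(xml_bytes):
    """Walk the document prolog with expat and record risky declarations.

    Returns a list of (kind, name, detail) tuples. expat invokes the DOCTYPE
    and entity handlers before it reaches the document body, and it does not
    fetch external resources itself, so this pass is safe to run on hostile
    input.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(("external_dtd", name, sysid or pubid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            # <!ENTITY x SYSTEM "..."> or PUBLIC: the XXE primitive.
            findings.append(("external_entity", name, sysid or pubid))
        elif value is not None and "&" in value:
            # Internal entity that references other entities: expansion bomb risk.
            findings.append(("nested_entity", name, value))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # A malformed body does not hide prolog findings already collected;
        # the strict parse in load_project_xml will report the syntax error.
        pass
    return findings


def load_project_xml(xml_bytes):
    """Parse an untrusted project document only if its prolog is clean."""
    risks = find_entity_risks(xml_bytes)
    if risks:
        raise ValueError(f"refusing to import project file: {risks}")
    return ET.fromstring(xml_bytes)


# Constructed samples: an XXE attempt against a local file, and a benign file.
MALICIOUS_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<project><note>&xxe;</note></project>"""

BENIGN_PROJECT = b"""<?xml version="1.0"?>
<project><note>no entities here</note></project>"""


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PROJECT), ("benign", BENIGN_PROJECT)):
        try:
            root = load_project_xml(doc)
            print(f"{label}: imported <{root.tag}>")
        except ValueError as exc:
            print(f"{label}: {exc}")
```

Detection at import time is only half of the fix; the parser that finally reads the file should also be configured so that it never resolves external entities, and a log entry for each rejected import gives responders a signal that someone is circulating weaponised project files.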