Hey Gucci, you Gucci?

0x01 Introduction

Around March 14th 2019 I found Local File Inclusion, Path Traversal and File Write on the Gucci subdomain glft.gucci.com on port 3443 (https://glft.gucci.com:3443/). When attempting to reach the subdomain on the regular ports 80/433 you would be met with a message that the subdomain was an intranet interface. With all of the findings combined, a malicious actor could have read local files, uploaded a phishing page, or uploaded a shell that could have led to a reverse shell, opening up the potential of traversing the internal network.

Fun With Custom URI Schemes

0x01 Introduction

Over the past month or so, I’ve spent quite a bit of time reading and experimenting with custom URI schemes. As the last post on this blog clearly demonstrated, a poorly implemented custom URI can have a number of security concerns. When I say “a number”, it’s because I’m about to bring a few more to light, using EA’s Origin Client as our crash test dummy. TL;DR: Another Origin RCE, unrelated to CVE-2019-11354.

A Questionable Journey From XSS to RCE

Introduction

As many of you reading this probably already know, in mid April, a good friend of mine (@Daley) and I located a Remote Code Execution vulnerability in EA’s Origin client (CVE-2019-11354). Today I’m going to go in depth on how we discovered this vulnerability, along with a couple others we needed to chain along the way ;pp

Debugging Origin

A lot of what was discovered was enabled by QtWebEngine debugging.
