Preface: There is very little in this blog post that is interesting from a technical perspective. The discovered vulnerability is incredibly basic but fairly high risk. Due to the nature of the application, and the fallout from our disclosure attempt, we wanted to write up our findings. The TL;DR is that giggle has been exposing users’ phone numbers, private images and location to the world.
During a recent review of the ADManager Plus software offered by Zoho, we were able to identify a privilege escalation vulnerability which would allow authenticated users to escalate to NT AUTHORITY\SYSTEM in versions up to and including 6.6 (build 6657).
Multiple directory traversal vulnerabilities exist in Zoho ManageEngine Service Desk Plus 9.4 which allow a user with at least guest access to upload a file which can be placed into a directory that is writable by the application. This includes directories that are served from the web server. An attacker can make use of this to serve malware from the domain hosting the ServiceDesk application or to perform convincing social engineering attacks by (for example) uploading an HTML file that requests a user to log in to the application. As this page will be served from the ServiceDesk domain, it will look like a valid page of the application. The following HTTP request shows using directory traversal in the “module” parameter to change the path the “testfile.html” file is uploaded to. This places the uploaded file in the webapps/ROOT/ directory.
A few months ago during a penetration test, we stumbled upon a Windows-based mobile device management [MDM] system named SureMDM. MDM systems aim to provide an efficient means of managing a large number of mobile devices, ensuring that they are all configured to the same standard and kept secure.
We were recently tasked with determining what effects the use of the minSdkVersion property within Android projects has on the security of the application; specifically whether or not it can result in a downgrade attack of the runtime environment.