ITSEC Newsletter 2024-07-18

What is qwinsta? qwinsta : Displays information about sessions on a Remote Desktop Session Host server. The list includes information not only about active sessions but also about other sessions that the server runs. (ref: MSFT Docs) It is also possible to remotely enumerate user sessions via the /server:{hostname} parameter. Despite the Microsoft documentation specifying this binary being related to Remote Desktop Sessions, Remote Desktop does not need to be enabled in order for the binary, and enumeration to succeed:

Hello world!It’s July and this is another blog post on malware analysis. I came up with the idea to write this blog because I feel that beginners in the malw...

During our research, we discovered a vulnerability in the JSON parsing routine used by a CGI binary,  /www/camera-cgi/synocm_param.cgi which is accessible by the following HTTP URL,  /syno-api/activate. When examining this binary, we noticed that upon receiving a request with method type PUT, it tries to parse the JSON contents from the request body using the open source library libjansson.