Blog on Shielder

Inspektor Gadget Security Audit

Thu, 30 Apr 2026 13:30:00 +0000

TL;DR

In early 2026, Shielder was hired by OSTIF to perform a security audit of Inspektor Gadget, an eBPF-based framework that provides powerful and flexible observability tools for Kubernetes and Linux hosts.

Today, we are publishing the full report in our dedicated repository.

Context

Inspektor Gadget is both a framework and a toolkit to enhance observability on a Linux machine/Kubernetes node, using the eBPF technology. Inspektor Gadget manages the packaging, deployment and execution of “gadgets”, which are essentially eBPF programs encapsulated in OCI images. Gadgets export events that are caught by the tool and that can be filtered, sorted, exported or enriched.

MaterialX and OpenEXR Security Audit

Thu, 31 Jul 2025 14:45:00 +0000

TL;DR

Shielder, together with OSTIF and the Academy Software Foundation (ASWF), performed a Security Audit on the MaterialX and OpenEXR projects.

The audit resulted in eleven (11) findings ranging from critical to informational severity. Most of them have been addressed by the project maintainers, but three of them - affecting MaterialX - are marked for a future iteration and are not disclosed in the public report yet.

Today, we are publishing the reports of the audit in our dedicated repository.

Karmada Security Audit

Thu, 16 Jan 2025 15:37:00 +0000

TL;DR

Shielder, together with OSTIF and CNCF, performed a Security Audit on the Karmada project.

The audit resulted in six (6) findings ranging from high to informational severity. Most of them have been addressed by the Karmada core team, while two of them are marked for a future iteration.

Today, we are publishing the full report in our dedicated repository.

Introduction

In September 2024, Shielder was hired to perform a Security Audit of Karmada, an open, multi-cloud, multi-cluster Kubernetes orchestration and management system. The audit has been sponsored by the CNCF and facilitated by the Open Source Technology Improvement Fund (OSTIF).

A Journey From `sudo iptables` To Local Privilege Escalation

Fri, 20 Sep 2024 13:30:00 +0000

TL;DR

A low-privileged user on a Linux machine can obtain the root privileges if:

They can execute iptables and iptables-save with sudo as they can inject a fake /etc/passwd entry in the comment of an iptables rule and then abusing iptables-save to overwrite the legitimate /etc/passwd file.
They can execute iptables with sudo and the underlying system misses one of the kernel modules loaded by iptables. In this case they can use the --modprobe argument to run an arbitrary command.

Intro

If you’ve ever played with boot2root CTFs (like Hack The Box), worked as a penetration tester, or just broke the law by infiltrating random machines (NO, DON’T DO THAT), chances are good that you found yourself with a low-privileged shell - www-data, I’m looking at you - on a Linux machine.

Boost Security Audit

Wed, 22 May 2024 15:00:00 +0000

TL;DR

Shielder, with OSTIF and Amazon Web Services, performed a Security Audit on a subset of the Boost C++ libraries. The audit resulted in five (5) findings ranging from low to medium severity plus two (2) informative notices. The Boost maintainers of the affected libraries addressed some of the issues, while some other were acknowledged as accepted risks.

Today, we are publishing the full report in our dedicated repository.

Introduction

In December 2023, Shielder was hired to perform a Security Audit of Boost, a set of free peer-reviewed portable C++ source libraries. The audit has been sponsored by Amazon Web Services and facilitated by the Open Source Technology Improvement Fund (OSTIF).

Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers

Thu, 18 Apr 2024 08:00:00 +0000

TL;DR

During a security audit of Element Android, the official Matrix client for Android, we have identified two vulnerabilities in how specially forged intents generated from other apps are handled by the application. As an impact, a malicious application would be able to significatively break the security of the application, with possible impacts ranging from exfiltrating sensitive files via arbitrary chats to fully taking over victims’ accounts. After private disclosure of the details, the vulnerabilities have been promptly accepted and fixed by the Element Android team.

Bref Security Audit

Fri, 29 Mar 2024 12:00:00 +0000

TL;DR

Shielder, with OSTIF and Amazon Web Services, performed a Security Audit of Bref. The audit resulted in five (5) findings ranging from low to medium severity. The Bref maintainers and community addressed most of the the issues in a timely and accurate manner.

Today, we are publishing the full report in our dedicated repository.

Introduction

In December 2023, Shielder was hired to perform a Security Audit of Bref, an open-source project that helps you go serverless on AWS with PHP. The audit has been sponsored by Amazon Web Services and facilitated by the Open Source Technology Improvement Fund (OSTIF).

Hunting for Unauthenticated n-days in Asus Routers

Tue, 30 Jan 2024 10:00:00 +0000

TL;DR

After reading online the details of a few published critical CVEs affecting ASUS routers, we decided to analyze the vulnerable firmware and possibly write an n-day exploit. While we identified the vulnerable piece of code and successfully wrote an exploit to gain RCE, we also discovered that in real-world devices, the “Unauthenticated Remote” property of the reported vulnerability doesn’t hold true, depending on the current configuration of the device.

CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files

Tue, 24 Oct 2023 10:00:00 +0000

TL;DR

Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system. The CVE was published on June 2023, but no exploit was publicly available for it, so we chose to publish this blogpost with more details about the vulnerability so you can exploit and mitigate it.

AWS CodeBuild + S3 == Privilege Escalation

Mon, 10 Jul 2023 10:00:30 +0000

Introduction

In the last decade one of the most common patterns observed in web applications is their shift to cloud environments. This means that in 2023 you can’t evaluate the security of a web application without going through a review of its cloud infrastructure as you might miss the elephant in the room. That’s why we - as in Shielder - always try to learn new techniques to assess the security of cloud environments. This post is about a privilege escalation vector which we have discovered during a recent assessment and which was not documented.

How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale

Mon, 05 Sep 2022 10:00:30 +0000

TL;DR

During a recent Red Teaming assessment we have found an internet-exposed instance of ManageEngine’s Password Manager Pro which was vulnerable to a pre-authentication Remote Code Execution (CVE-2022-35405). After gaining code execution we reverse engineered the password encryption/decryption routine to decrypt all the passwords and hack our way to become Domain Admin.

What’s a Red Teaming?

Red Team(ing) is an abused word in the InfoSec world and it’s commonly used to define various things:

Printing Fake Fiscal Receipts - An Italian Job p.2

Mon, 16 May 2022 10:00:30 +0000

TL;DR

The ItalRetail RistorAndro app installed on the SpiceT fiscal printer is affected by a pre-authentication remote arbitrary file write and an arbitrary app installation.

Moreover, the Android OS version installed is affected by two known vulnerabilities, namely CVE-2017-13156 (Janus), that allows to esclate the privileges to system, and CVE-2016-5195 (DirtyCOW) that allows to escalate the privileges to root in the vold SELinux context.

Rewind ⏮

In the first post we analyzed the fiscal unit and its local attack surface. We discovered how it’s possible for any installed Android app to abuse the fiscal features.

Printing Fake Fiscal Receipts - An Italian Job p.1

Tue, 19 Apr 2022 10:00:30 +0000

TL;DR

Italretail SpiceT fiscal printer allows any installed Android app to talk to the fiscal unit to print receipts, forge data in the Electronic Journal, open the cash drawer, etc.

Introduction

In this post series I will walk you through the vulnerabilities I’ve found during my research time on a fiscal printer model that is widely used in Italy.

Lets take a step back to better understand what we are talking about.

A Sneak Peek into Smart Contracts Reversing and Emulation

Tue, 05 Apr 2022 10:00:30 +0000

In the last years the web3 topic became increasingly relevant and, as for every buzzword, a lot of companies and start-ups started developing solutions based on it.
Consequently there also was an increase on the number of attacks and vulnerabilities found in such projects, for example: Saurik’s write up on Optimism, the PolyNetwork hack, the Ronin Validator compromission, and many more.

In this post we will scratch the surface of the topic, limiting our focus on the Ethereum blockchain. We will take a look at the EVM bytecode, and learn how to reverse and emulate a smart contract with Qiling.

Reversing embedded device bootloader (U-Boot) - p.2

Mon, 21 Mar 2022 11:00:30 +0000

This blog post is not intended to be a “101” ARM firmware reverse-engineering tutorial or a guide to attacking a specific IoT device. The goal is to share our experience and, why not, perhaps save you some precious hours and headaches.

Sum up

The first post dealt with some more theoretical aspects at a very low level, instead this one will show how we finally decrypted the kernel image. DO NOT PANIC - we will not be as long-winded as in the first post. 😇

Reversing embedded device bootloader (U-Boot) - p.1

Tue, 08 Mar 2022 14:20:30 +0000

“Bootrom”

In this two posts series, we will share an analysis of some aspects of reversing a low-level binary.
Why? Well, we have to admit we struggled a bit to collect the information to build the basic knowledge about this topic and the material we found was often not comprehensive enough, or many aspects were taken for granted. For this reason, we share here what we learned from multiple sources and try to collect them in these posts, while also trying to give some context and analyze the more complex or cryptic aspects.

QilingLab – Release

Wed, 21 Jul 2021 15:00:30 +0000

Two years ago Ross Marks created the FridaLab challenge as a playground to test and learn how to use the Frida dynamic instrumentation toolkit.

At that time, I solved FridaLab and wrote a writeup about it explaining the main APIs and usages of Frida for Android. This helped others to start getting familiar with it and as a reference when developing Frida scripts.

After trying Qiling for some time I decided to follow Ross Marks’ steps and to develop a basic playground challenge to make use of the main Qiling features and I obviously called it QilingLab.

Hunting for bugs in Telegram's animated stickers remote attack surface

Tue, 16 Feb 2021 09:00:00 +0100

Introduction

At the end of October ‘19 I was skimming the Telegram’s android app code, learning about the technologies in use and looking for potentially interesting features. Just a few months earlier, Telegram had introduced the animated stickers; after reading the blogpost I wondered how they worked under-the-hood and if they created a new image format for it, then forgot about it. Back to the skimming, I stumbled upon the rlottie folder and started googling. It turned out to be the Samsung native library for playing Lottie animations, originally created by Airbnb. I don’t know about you but the combination of Telegram, Samsung, native and animations instantly triggered my interest in learning more 👀.

Re-discovering a JWT Authentication Bypass in ServiceStack

Mon, 02 Nov 2020 09:37:42 +0100

TL;DR

ServiceStack before version 5.9.2 failed to properly verify JWT signatures, allowing to forge arbitrary tokens and bypass authentication/authorization mechanisms.
The vulnerability was discovered and patched by the ServiceStack team without highlighting the actual impact, so we chose to publish this blog post along with an advisory.

Routine checks –> Auth bypass

During a Web Application Penetration Test for one of our customers, I noticed that after the login process through a 3rd-party Oauth service the web application used JWT tokens to track sessions and privileges.

Sometimes they come back: exfiltration through MySQL and CVE-2020-11579

Tue, 28 Jul 2020 16:18:14 +0200

Let’s jump straight to the strange behavior: up until PHP 7.2.16 it was possible by default to exfiltrate local files via the MySQL LOCAL INFILE feature through the connection to a malicious MySQL server. Considering that the previous PHP versions are still the majority in use, these exploits will remain useful for quite some time.

Like many other vulnerabilities, after reading about this quite-unknown attack technique (1, 2), I could not wait to find a vulnerable software where to practice such unusual dynamic. The chance finally arrived after a network penetration test where @smaury encountered PHPKB, a knowledge-base software written in PHP which he felt might be interesting to review, and that was my trigger. 😏

1-click RCE on Keybase

Mon, 27 Apr 2020 18:00:42 +0000

TL;DR

Keybase clients allowed to send links in chats with arbitrary schemes and arbitrary display text. On Windows it was possible to send an apparently harmless link which, when clicked, could execute arbitrary commands on the victim’s system.

Introduction

Keybase is a chat, file sharing, git, * platform, similar to Slack, but with a security in-depth approach. *Everything* on Keybase is encrypted, allowing you to relax while syncing your private files on the cloud.

NotSoSmartConfig: broadcasting WiFi credentials Over-The-Air

Mon, 20 Apr 2020 16:00:00 +0000

During one of our latest IoT Penetration Tests we tested a device based on the ESP32 SoC by EspressIF. While assessing the activation procedure we faced for the first time a beautiful yet dangerous protocol: SmartConfig.

The idea behind the SmartConfig protocol is to allow an unconfigured IoT device to connect to a WiFi network without requiring a direct connection between the configurator and the device itself – I know, it’s scary.

Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …

Thu, 24 Oct 2019 17:22:53 +0000

TL;DR

LSP4XML, the library used to parse XML files in VSCode-XML, Eclipse’s wildwebdeveloper, theia-xml and more, was affected by an XXE (CVE-2019-18213) which lead to RCE (CVE-2019-18212) exploitable by just opening a malicious XML file.

Introduction

2019 seems to be XXE’s year: during the latest Penetration Tests we successfully exploited a fair amount of XXEs, an example being https://www.shielder.com/blog/exploit-apache-solr-through-opencms/.

It all started during a web application penetration test, while I was trying to exploit a blind XXE with zi0black. We started with a standard XXE payload with an external DTD pointing to our listening web-server; we knew the target server couldn’t perform HTTP requests to the internet, so we were expecting only a DNS interaction, but then we received two different DNS interactions and one HTTP request… What the Phrack?!

Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack

Sat, 19 Oct 2019 17:40:30 +0000

TL;DR: noVNC had a DOM-based XSS that allowed attackers to use a malicious VNC
server to inject JavaScript code inside the web page.
As OpenStack uses noVNC and its patching system doesn’t update third parties’ software, fully-updated OpenStack installations may still be vulnerable.

Introduction

Last week I was testing an OpenStack infrastructure during a Penetration Test.
OpenStack is a free and open-source software platform for cloud computing, where you can manage and deploy virtual servers and other resources.
OpenStack is a huge piece of software, made of many different “modules ”, as can be seen in the official Github repository.

Exploiting Apache Solr through OpenCMS

Sat, 13 Apr 2019 09:19:53 +0000

Tl;dr

It’s possible to exploit a known Apache Solr vulnerability through OpenCMS.

Introduction meme

During one of my last Penetration Test I was asked to analyze some OpenCMS instances. Before the assessment I wasn’t really familiar with OpenCMS, so I spent some time on the official documentation in order to understand how it works, which is the default configuration and if there are some security-related configurations which I should check during the test.

Nagios XI 5.5.10: XSS to #

Wed, 10 Apr 2019 13:10:36 +0000

Tl;dr

A remote attacker could trick an authenticated victim (with “autodiscovery job” creation privileges) to visit a malicious URL and obtain a remote root shell via a reflected Cross-Site Scripting (XSS), an authenticated Remote Code Execution (RCE) and a Local Privilege Escalation (LPE).

Introduction

A few months ago I read about some Nagios XI vulnerabilities which got me interested in studying it a bit by myself. For those of you who don’t know what Nagios XI is I suggest you have a look at their website.

WebTech, identify technologies used on websites

Fri, 08 Mar 2019 00:37:49 +0000

Introduction

We’re very proud to release WebTech as open-source software.
WebTech is a Python software that can identify web technologies by visiting a given website, parsing a single response file or replaying a request described in a text file. This way you can have reproducible results and minimize the requests you need to make to a target website.

The RECON phase in a Penetration Test is one among the most important ones. By being able to detect which software runs on the target it’s easier to search for vulnerabilities in a specific module or version.
WebTech scans websites and detect software and versions in use and can report data in a structured format like JSON or in a grepable text for later analysis.

FridaLab – Writeup

Mon, 04 Feb 2019 15:20:24 +0000

Today I solved FridaLab, a playground Android application for playing with Frida and testing your skills.

The app is made of various challenges, with increasing difficulty, that will guide you through Frida’s potential.

This is a writeup with solutions to the challenges in FridaLab. We suggest the reader to take a look at it and try to solve it by itself before reading further.

In this writeup we will assume that the reader has a working environment with frida-server already installed on the Android device and frida-tools installed on the PC as well, since we will not cover those topics.

XSSGame by Google at #HITB2017AMS – Writeup

Wed, 26 Apr 2017 10:19:22 +0000

CTF’s homepage

During the last edition of HITB in Amsterdam we partecipated in the XSSGame by Google: 8 XSS challenges to win a Nexus 5X. The various levels exposed common vulnerabilities present in modern web apps.

Introduction

Each level required to trigger the JavaScript’s alert function by creating an URL with a Cross-Site Scripting (XSS) payload inside, which should be executed without any user interaction: once it is executed, the server replies with the link to the following challenge.

Blog on Shielder

Inspektor Gadget Security Audit

TL;DR

Context

MaterialX and OpenEXR Security Audit

TL;DR

Karmada Security Audit

TL;DR

Introduction

A Journey From `sudo iptables` To Local Privilege Escalation

TL;DR

Intro

Boost Security Audit

TL;DR

Introduction

Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers

TL;DR

Bref Security Audit

TL;DR

Introduction

Hunting for ~~Un~~authenticated n-days in Asus Routers

TL;DR

CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files

TL;DR

AWS CodeBuild + S3 == Privilege Escalation

Introduction

How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale

TL;DR

What’s a Red Teaming?

Printing Fake Fiscal Receipts - An Italian Job p.2

TL;DR

Rewind ⏮

Printing Fake Fiscal Receipts - An Italian Job p.1

TL;DR

Introduction

A Sneak Peek into Smart Contracts Reversing and Emulation

Reversing embedded device bootloader (U-Boot) - p.2

Sum up

Reversing embedded device bootloader (U-Boot) - p.1

“Bootrom”

QilingLab – Release

Hunting for bugs in Telegram's animated stickers remote attack surface

Introduction

Re-discovering a JWT Authentication Bypass in ServiceStack

TL;DR

Routine checks –> Auth bypass

Sometimes they come back: exfiltration through MySQL and CVE-2020-11579

1-click RCE on Keybase

TL;DR

Introduction

NotSoSmartConfig: broadcasting WiFi credentials Over-The-Air

Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …

TL;DR

Introduction

Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack

Introduction

Exploiting Apache Solr through OpenCMS

Tl;dr

Nagios XI 5.5.10: XSS to #

Tl;dr

Introduction

WebTech, identify technologies used on websites

Introduction

FridaLab – Writeup

XSSGame by Google at #HITB2017AMS – Writeup

Introduction

Hunting for Unauthenticated n-days in Asus Routers