Blog posts on MOGWAI LABS

Reporting and Disclosure Obligations in the Cyber Resilience Act

Thu, 22 Jan 2026 17:00:35 +0200

TL;DR: Starting on 11 September 2026, the Cyber Resilience Act requires vendors to report exploited vulnerabilities and severe incidents to ENISA through a central reporting platform. Reporting deadlines are tight, vendors must improve their vulnerability and incident handling processes accordingly. They should further review the CSAF standard, as it is likely to become the primary format for reporting vulnerabilities to ENISA.

While much of the discussion (at least on LinkedIn) focuses on NIS2, another EU regulation, the Cyber Resilience Act (CRA), has also entered into force. Parts of the CRA will apply from 11 September 2026. Over the Christmas break, I took the time to read the legal text and derive conclusions on what this regulation means for affected customers.

Is this up2date?

Tue, 16 Sep 2025 17:00:35 +0200

Over the past few weeks, I’ve had to explain multiple times why you can’t rely on version numbers in HTTP headers to determine the patch level of a system. I assumed this was common knowledge — but every day, somebody’s born who’s never seen The Flintstones.

This post uses Ubuntu as an example, but the principle applies to all Linux distributions that offer Long Term Support (LTS) releases. The focus here is on patching; other factors that may determine whether a system is vulnerable (such as specific configurations) are not covered.

c3p0, you little rascal

Fri, 28 Feb 2025 09:40:35 +0200

Since the enforcement of the Java Module System in Java 16, deserialization gadget chains that enable direct remote code execution have become increasingly rare. One notable exception is the gadget from the JDBC connection pool library c3p0.

c3p0 (along with its dependency mchange-commons-java) provides multiple features that can be useful when exploiting Java applications. The most powerful primitive the possiblity to load classes from an attacker-controlled resource, which still works on the latest Java versions. However, c3p0 is not included in many deserialization scanners, likely because exploitation is not as straightforward as with other gadgets.

JNDI Mind Tricks

Wed, 18 Dec 2024 13:56:00 +0100

Injection attacks via the Java Naming and Directory Interface (JNDI) have been known for years.

Most security professionals got in contact with JNDI when they had to deal with the infamous Log4Shell vulnerability, which is based on tricking the log4j library into making a JNDI call to an attacker controlled system.

Over the years, abusing JNDI has been an important part in the Java exploitation toolkit. This is even more true after common deserialization sinks were removed in Java 16/17 (see JEP 396).

Vulnerability Spotlight: CVE-2023-0264

Wed, 19 Apr 2023 12:45:00 +0200

Keycloak is an open source identity and access management solution […] [to] secure services with minimum effort

Due to it’s relative simplicity (at least for a IAM product) and its open source nature Keycloak is a popular authorization server for many of our customers’ projects. As we do our best to stay up to date on emerging vulnerabilities and give our customers a heads up on what to focus on, CVE-2023-0264 with a CVSS rating of 8.3 caught our attention.

Look Mama, no TemplatesImpl

Tue, 11 Apr 2023 17:00:35 +0200

Due to changes in Java 16, exploiting native deserialization vulnerabilities became much harder. This post will give an overview what has been changed and provides some ideas how attackers can still gain remote code execution.

Project Jigsaw and the Java module system

To understand the underlying issue, we need to talk about the Java Module system and Java Reflection first. I will keep it short, a more detailed explanation can be found in the Java Magazine.

Exploiting Laravel based applications with leaked APP_KEYs and Queues

Fri, 26 Aug 2022 06:40:35 +0200

Laravel is a widespread open-source PHP web framework. It can be used to create complex web applications with relative ease and is used within many popular projects.

During a recent penetration test of such an application we gained access to the frameworks environment file. This file contains numerous sensitive Laravel configuration settings, including the applications APP_KEY .

The APP_KEY is used for multiple security-related tasks, such as singing objects and protecting them from being tampered with. In the past, knowledge of the APP_KEY was a reliable way to gain remote code execution as it was used to sign the (serialized) XSRF token. An attacker with knowledge of the APP_KEY, was able to create a malicious XSRF token, which then lead to RCE through insecure deserialization (CVE-2018-15133), using a known gadget chain.

Vulnerability Spotlight: RCE in Ajax.NET Professional

Tue, 18 Jan 2022 12:30:35 +0000

In Fall of 2021, MOGWAI LABS conducted a penetration test for a customer. In the process, our team encountered an out-of-scope application that was on “Ajax.NET Professional”. A brief analysis of the framworks source revealed a deserialization vulnerability, which MOGWAI LABS reported to the developer (CVE-2021-23758).

This blog post includes findings from Markus Wulftange (Code White GmbH) who also analyzed the library for a different project and pinned us to some key points during a discussion.

Vulnerability notes: Log4Shell

Fri, 10 Dec 2021 06:40:35 +0200

“Log4Shell” (CVE-2021-44228) is a pretty epic vulnerability in the Java logging library “Log4j”. This blog post (hopefully) contains everything you need to know about this vulnerability and how to mitigate it. It was written in a hurry, we will add additional details and remarks in the upcoming days.

Introduction

Log4j is a commonly used logging library in the Java world. It does what a logging library should do, is fast and integrates well with existing application servers. Here a minimal example that uses user provided input to create a log entry.

Vulnerability digging with CodeQL

Mon, 13 Sep 2021 14:15:35 +0200

Introduction

CodeQL is the semantic code analysis engine from GitHub which can be used to discover vulnerabilities in different code bases. It allows us to Query code as if it were data, and helps to describe and identify insecure code patterns. Especially the ability to easily describe code flows from a source to sink, even if variables are reassigned or modified multiple times, is quite impressive. Over the last two years, several interesting blog posts and vulnerability reports have been published that impressively demonstrated the power of this approach.

Exploiting insecure RCCMD installations

Fri, 18 Jun 2021 07:00:35 +0200

Generex RCCMD (Remote Control Command) is an application that allows the UPS (uninterruptible power supply) to gracefully shutdown critical systems before it runs out of power. It is quite popular in Germany, especially in small and midsize companies. In recent years, MOGWAI LABS exploited multiple insecurely configured installations to gain RCE on critical systems, including Domain controllers.

RCCMD overview

A typical installation usually contains of a UPS monitoring system/device (UPSMON) and multiple “client” systems which have the RCCMD service installed. We will focus on the RCCMD service here.

An Trinhs RMI Registry Bypass

Sat, 08 Feb 2020 05:40:35 +0200

TL:DR: This blog entry analyses the RMIRegistry whitelist filter bypass gadget discovered by An Trinh (@_tint0) in the RMI naming registry. It covers some basic concepts that are commonly used when building deserialization gadgets. With the help of this gadget it is possible to exploit deserialization vulnerabilities in the RMI registry, even if the target is running a current version of Java/OpenJDK.

Update: This bypass has been fixed by Oracle in JDK8u241 which was released on January 14. Thanks to MR_ME for pointing out.

(Ab)using Linux SNMP for RCE

Wed, 30 Oct 2019 17:00:35 +0200

TL:DR: If you have a SNMP community with write permissions on a Linux target, you can archive code execution by abusing the NET-SNMP-EXTEND-MIB extension. The SNMP daemon is running as root, which makes this also a nice local privilege escalation vector.

We recently used this feature to gain root permissions during an assessment. As the Linux systems has been analyzed several times before, we assume that this issue is not common knowledge among other penetration testers. As so often, we are not the first to discover this, in fact there already exists a write-up by Kert Ojasoo. In this blog post, we try to give the technical background and how this configuration can be efficiently exploited.

Attacking RMI based JMX services

Sun, 28 Apr 2019 06:40:35 +0200

TL:DR: In a previous post we described how Java RMI services can be exploited using various techniques, mainly Java Deserialization. While RMI is commonly no longer used for developing new applications, it is still the standard technology that is used to allow remote monitoring via JMX. Attack techniques against JMX services have been known since several years, however we regularly find insecure/exploitable JMX instances while conducting security assessments.

This article starts with a brief introduction to JMX and then describes the known attack techniques. Additionally, we will have a look on how to use Java Deserialization against JMX services.

Attacking Java RMI services after JEP 290

Mon, 25 Mar 2019 06:40:35 +0200

TL:DR: The introduction of JEP 290 killed the known RMI exploits in ysoserial. However, you can still exploit Java deserialization on the application level if no global filter is active. The article shows you how to replace those methods on the fly, using the scriptable debugger YouDebug.

As Java RMI (Remote Method Invocation) is based on native Java deserialization, they became one of the major victims of the Java Deserialization Appocalype. This changed with the implementation of JEP 290 in current JDK releases. This blog post describes the changes and describes ways how Java deserialization could still be used on the application level to exploit those services.

Repacking iOS applications

Sat, 02 Mar 2019 09:40:35 +0200

TL:DR: You can use Cydia Impactor to resign a patched iOS app. This works way easier then using XCode or the codesign tool.

We recently had to test a iOS application for one of our customers. Like many business applications, the developers integrated common protections, including jailbreak detection and certificate pinning. In cases like this, we commonly use a dynamic Instrumentation framework like Frida to bypass these protections so that we can freely interact with the application and intercept the communication with the server side backend.

jarjarbigs

Wed, 31 Oct 2018 20:40:35 +0000

When it comes to analyzing closed source Java Applications, most researchers quickly fire up decompilers like JD-GUI and start analyzing. These tools are fine, however they only allow static analysis. In case of complex code it is often much better to attach a debugger and analyze the application during runtime.

Unlike dnspy (a decompiler for .NET applications), JD-GUI itself doesn’t provide any debugging capabilities. However, it is possible to extend IDEs like Intellij or Eclipse with a decompiler plugin.

Vulnerability spotlight: CVE-2016-5072

Fri, 13 Jul 2018 09:40:35 +0200

Some time ago, I checked the known vulnerabilities in the open source shop software “OXID eShop”, which is very popular here in Germany. One issue that caught my interest is the vulnerability OXID Security Bulletin 2016-001 (CVE-2016-5072), mainly due to the high impact. From the adivsory:

An attacker can gain full administrative access to OXID eShop. This includes all shopping cart options, customer data and the database. They also can execute PHP code or inject malicious code into the system and the shop’s storefront. No interaction between the attacker and the victim is necessary.

Static JWT signing Key in dotCMS

Mon, 02 Jul 2018 09:40:35 +0200

We recently had a look at dotCMS, an open source content management system written in Java. While we analyzed the CMS source for potential deserializiation vulnerabilities, we stumbled over the following code:

@Override
public Key getKey() {
 final String hashKey = Config
 .getStringProperty(
 "json.web.token.hash.signing.key",
 "rO0ABXNyABRqYXZhLnNlY3VyaXR5LktleVJlcL35T7OImqVDAgAETAAJYWxnb3JpdGhtdAASTGphdmEvbGFuZy9TdHJpbmc7WwAHZW5jb2RlZHQAAltCTAAGZm9ybWF0cQB+AAFMAAR0eXBldAAbTGphdmEvc2VjdXJpdHkvS2V5UmVwJFR5cGU7eHB0AANERVN1cgACW0Ks8xf4BghU4AIAAHhwAAAACBksSlj3ReywdAADUkFXfnIAGWphdmEuc2VjdXJpdHkuS2V5UmVwJFR5cGUAAAAAAAAAABIAAHhyAA5qYXZhLmxhbmcuRW51bQAAAAAAAAAAEgAAeHB0AAZTRUNSRVQ=");
 return (Key) Base64.stringToObject(hashKey);
}

As the key is not changed/generated during the dotCMS installation every default installation of dotCMS uses the same key to sign Json Web Tokens (JWT). This made us curious as JWT is often used for user authentication. When we checked the security best practices section of the documentation, we noticed that the dotCMS team also recommends to change this key on production environments.

CANAPE workshop slides

Fri, 22 Jun 2018 09:40:35 +0200

In April 2018, we provided our free CANAPE workshop for the first time at the BSides Munich conference. CANAPE is a tool that allows you to analyze binary protocols which are still very common today. CANAPE is unique by taking the well known web application testing paradigm and applying it to abitrary network protocols.

This hands-on workshop is based on the original workshop material by James Foreshaw (the author of CANAPE). and includes a complete walk-through through the most important CANAPE features. The slides are very detailed as we tried to create some kind of “missing manual” for this awesome tool.