Blog posts from Kerbit

SMC Broadband Router Root RCE

A route's handler copies a parameter to a global object, which allows us to write a crafted message and add our own session via a memory corruption vulnerability. Another handler allows us to inject a command into the OS. Read on for more.

Multiple vulnerabilities in VoipMonitor.

I discovered and reported a few bugs in VoipMonitor, ranging from a simple authentication bypass to a full RCE chain. Here I'll describe "most" of these bugs. The issues have been patched in VoipMonitor GUI version 24.97. If you use this product, please update your installation. If you're not interested in reading the details, there's a short demo at the end.

Pascom: The story of 3 bugs that lead to unauthed RCE.

A detailed post on how I chained 3 vulnerabilities (a path traversal, an SSRF in an external piece of software and a post-authentication RCE) into a full pre-auth RCE in Pascom's Cloud phone system.