Spencer Alessi

Spencer Alessi

hacker | pentester | researcher | active directory connoisseur | wiz-bang exploit slinger hiding in the shadows | Live now, be yourself, remember death 🛹🏂👨🏼‍💻🎮❄️🏔📷

2023-05-10-Webroot-SecureAnywhere

  less than 1 minute read  

CVE-2023-29818

(CVE-2023-29818) CWE-183 - Permissive List of Allowed Inputs: An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via the default allowlist feature being stored as non-admin. A local attacker can match their payload to a file name, file path, and file size of one of the files contained within the default allowlist to bypass protections.

CVE-2023-29819

(CVE-2023-29819) CWE-284 - Improper Access Control: An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload. A local attacker, as a non-administrator, can read the registry containing the default allowlist.

You may also enjoy

Why You Should Have A Personal Blog as A Pentester

  3 minute read  

Writing on a personal blog is a really great investment in yourself. It shows gumption and can be a sign that you take your career seriously. It can be an outward display that you “know your stuff.” A person blog is also a great place to link to open-source projects you work on, or tools you’ve written or CTFs you’ve participated in.

Twenty Days of Consistent Writing

  2 minute read  

What happens to your brain when you write every day? The results are pretty interesting, at least for me personally.

Complexity Is The Enemy Of Security

  2 minute read  

As a Security Practitioner, you win or lose by how you strategize, plan, design and build. To me that’s some of the most enjoyable parts of security. Thinking of creative ways to solve problems. The issue becomes, sometimes the more creative we are, the more complexity we add. Complexity adds to confusion. Confusion leads to more problems and problems lead to incidents.