Monthly Archives: September 2024

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)
🔻 02:22 Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)
🔻 03:23 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

September Linux Patch Wednesday

Leave a reply

September Linux Patch Wednesday

September Linux Patch Wednesday. 460 vulnerabilities. Of these, 279 are in the Linux Kernel.

2 vulnerabilities with signs of exploitation in the wild, but without public exploits:

🔻 Security Feature Bypass – Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

29 vulnerabilities with no sign of exploitation in the wild, but with a link to a public exploit or a sign of its existence. Can be highlighted:

🔸 Remote Code ExecutionpgAdmin (CVE-2024-2044), SPIP (CVE-2024-7954), InVesalius (CVE-2024-42845)
🔸 Command Injection – SPIP (CVE-2024-8517)

Among them are vulnerabilities from 2023, fixed in repos only now (in RedOS):

🔸 Remote Code Executionwebmin (CVE-2023-38303)
🔸 Code Injection – webmin (CVE-2023-38306, CVE-2023-38308)
🔸 Information DisclosureKeePass (CVE-2023-24055)

Debian brought “Google Chrome on Windows” vulnerabilities. 😣👎

🗒 Vulristics September Linux Patch Wednesday Report

На русском

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

Leave a reply

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased. The vulnerability was fixed in September Microsoft Patch Tuesday. At the time of publication, Microsoft had not yet flagged this vulnerability as being exploited in the wild. They did this only 3 days later, on September 13.

ZDI Threat Hunting team researcher Peter Girnus discovered the vulnerability while investigating the Void Banshee APT attack. The vulnerability was exploited in the same attack chain as the trending Spoofing – Windows MSHTML Platform (CVE-2024-38112) vulnerability, patched in July.

Using this vulnerability, the attackers hid the extension of the malicious HTA file being opened by adding 26 Braille space characters to its name. Thus, victims may think that they are opening a harmless PDF document.

Installing the security update does not remove spaces in the file name, but Windows now shows the actual file extension. 👍

На русском

Generating names for vulnerabilities

Leave a reply

Generating names for vulnerabilities

Generating names for vulnerabilities. Colleagues who work on attack attribution have a funny habit of naming attack groups according to some scheme. For example, Midnight Blizzard or Mysterious Werewolf. 🙂 I thought, why can’t we name vulnerabilities in a similar way?

For example, Remote Code Execution – Windows NAT (CVE-2024-38119)

🔹 We transform vulnerability types into consonant names of animals. RCE – let it be Racoon. For EoP it can be Elephant, for Memory Corruption – Monkey, etc.

🔹 Based on software names, we automatically select adjectives that begin with the same letters. “Windows NAT” -> “Windy Nautical”.

🔹 There can be many vulnerabilities of the same type in the same product. Therefore, we generate combinations of adverbs and past participles (6940230 combinations), and then map CVE identifiers into them. CVE-2024-38119 -> 202438119 -> “2438119”: “inquisitively underspecified”

Thus we get: “Inquisitively Underspecified Windy Nautical Racoon”. 🙂

На русском

September Microsoft Patch Tuesday

Leave a reply

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)

🗒 Full Vulristics report

На русском

I have released a new version of Vulristics 1.0.8 with some minor usability improvements

Leave a reply

I have released a new version of Vulristics 1.0.8 with some minor usability improvements

I have released a new version of Vulristics 1.0.8 with some minor usability improvements. I love it when my open source projects get pull requests. 😊 This time help came from user dvppvd:

🔹 Padding was set in the css table to make the html report more readable.

🔹 When you run the utility without parameters, help and examples are displayed. The examples show how to run the utility to analyze MSPT vulnerabilities for a specific month and year, or to analyze an arbitrary set of CVE identifiers.

🔹 Empty lines for the text banner have been added.

TODO for the next releases:

🔸 Support CVSS 4 for data sources that have already started providing this data.

🔸 Develop automated tests to verify the correct operation of the utility for known CVE identifiers.

🔸 Implement a new data source for the CVEProject GitHub repository for mass analysis of CVE vulnerabilities.

If you want to participate, join AVLEONOV Start. 😉

Changelog

На русском

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

Leave a reply

I found that the research data for Remote Code Execution - Windows Remote Desktop Licensing Service MadLicense (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted. Both on GitHub and on Google Sites.

And what does this all mean? 🤔 Who knows. 🤷‍♂️ Considering that it disappeared on two platforms at once, it was probably deleted by the Chinese researchers themselves. Why did they do this? Perhaps they established a dialogue with Microsoft and MS asked them to remove everything from the public (which, of course, is stupid – the Internet remembers everything). Perhaps someone else asked them to do this. 🫡 Another reason to pay attention to this vulnerability.

На русском