Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008)

Leave a reply

Remote Code Execution - IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008)

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008). On August 14, a security bulletin for QRadar Suite Software and IBM Cloud Pak for Security was published on the IBM website. It lists fixed vulnerabilities in IBM QRadar itself and its open source components: Node.js, Jinja, kjd/idna, robinweser/fast-loops. The vulnerability of the last project is the most interesting.

🔻 robinweser/fast-loops – a set of compact utilities for faster work with JavaScript arrays and objects. This is not a very popular project, only 25 stars and 3 forks on GitHub.

🔻 The vulnerability CVE-2024-39008 allows an attacker to send special requests and, potentially, cause a DoS and RCE. There are technical details and a PoC.

Ok, the open source component is vulnerable. But how to exploit the vulnerability in QRadar itself? It is still unknown. 🤷‍♂️ But it is better not to wait for the details to appear, but to update QRadar in advance. 😉

На русском

Trending vulnerabilities of July according to Positive Technologies

Leave a reply

Trending vulnerabilities of July according to Positive Technologies.

The SecLab film crew went on vacation. Therefore, there was a choice: to skip the episode of “In the trend of VM” about the July vulnerabilities, or to make a video myself. Which is what I tried to do. And from the next episode we will return to SecLab again.

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:33 Spoofing – Windows MSHTML Platform (CVE-2024-38112)
🔻 02:23 RCE – Artifex Ghostscript (CVE-2024-29510)
🔻 03:55 RCE – Acronis Cyber Infrastructure (CVE-2023-45249)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

На русском

Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)

Leave a reply

Security Feature Bypass - Windows Mark of the Web Copy2Pwn (CVE-2024-38213)

Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213). The vulnerability was released as part of the August Microsoft Patch Tuesday (although ZDI writes that MS fixed it earlier, in June).

The vulnerability allows attackers to bypass the SmartScreen security feature, which protects users from running potentially malicious files downloaded from the Internet.

What is it about? There is a set of extensions over HTTP for collaborative work with files – WebDAV.

🔹 The WebDAV share can be accessed via a web browser::

http://10_.37.129.2/example_webdav_folder/somefile

🔹 Or you can do it via Windows Explorer (like SMB):

\\10_.37.129.2@80\example_webdav_folder

When copying from the WebDAV share via Windows Explorer, the Mark-of-the-Web label was not set. 🤷‍♂️ That’s why the name is “Copy2Pwn”. 😏

According to ZDI, the vulnerability has been exploited by the DarkGate malware operator since at least March 2024.

На русском

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Leave a reply

Remote Code Execution - Windows TCP/IP IPv6 (CVE-2024-38063)

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). Vulnerability from August Microsoft Patch Tuesday. No exploits or signs of exploitation in the wild have yet been discovered, but the description of the vulnerability looks scary. 😱

An unauthenticated attacker sends IPv6 packets to a Windows computer and this results in remote code execution. CVSS 9.8, “Exploitation More Likely”.

🔹 If IPv6 is disabled, the vulnerability is not exploited. But by default it is enabled. 😏
🔹 Blocking IPv6 on the local Windows firewall will not prevent exploitation (exploitation occurs before the packet is processed by the firewall). 🤷‍♂️

The vulnerability was found by experts from the Chinese information security company Cyber ​​Kunlun. When technical details and exploits for the vulnerability appear, it may be very critical and “wormable”. 🪱

На русском

Remote Code Execution – Microsoft Project (CVE-2024-38189)

Leave a reply

Remote Code Execution - Microsoft Project (CVE-2024-38189)

Remote Code Execution – Microsoft Project (CVE-2024-38189).

Microsoft Project is a project management program. It is designed to assist a project manager in developing a schedule, assigning resources to tasks, tracking progress, managing the budget, and analyzing workloads.

The vulnerability was fixed as part of the August Patch Tuesday. The malicious code is executed when the victim opens a special Microsoft Office Project file, received in a phishing email or downloaded from the attacker’s website.

👾 For a successful attack, these security features must be disabled:

🔹 Policy “Block macros from running in Office files from the Internet” (enabled by default).
🔹 “VBA Macro Notification Settings“.

Previewing files in the “Preview Pane” is not an exploitation vector. 👍

As you can see, there are quite a few conditions required for a successful attack, but Microsoft has reported cases of exploitation of the vulnerability in the wild. 🤷‍♂️

На русском

August Microsoft Patch Tuesday

Leave a reply

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. 130 CVEs, of which 45 were added since July MSPT.

In the TOP suddenly is RCE – OpenSSH “regreSSHion” (CVE-2024-6387), which MS fixed in Azure. 🙂

6 vulnerabilities with signs of exploitation in the wild. 😱 It’s been a long time since we’ve seen so many. I will write about them in separate posts.

🔻 EoP – Windows Kernel (CVE-2024-38106), Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38213)
🔻 RCE – Microsoft Project (CVE-2024-38189)
🔻 RCE – Scripting Engine (CVE-2024-38178)

Other:

🔸 AuthBypass – Windows Update Stack (CVE-2024-38202) – the vulnerability was recently presented at BlackHat
🔹 Interesting RCEs – Windows TCP/IP (CVE-2024-38063) and LPD (CVE-2024-38199)
🔹 A lot of EoPs in Windows components (~26)

🗒 Full Vulristics report

На русском

I have released a new version of Vulristics 1.0.7

Leave a reply

I have released a new version of Vulristics 1.0.7

I have released a new version of Vulristics 1.0.7.

🔹 Now, if you see exploits in the report that are not actually exploits (but are, for example, detection scripts), you can exclude them. To do this, create a custom data source (json file) for the CVE identifier and add the identifiers of the exploits you want to exclude to the ignore_exploits tag.

🔹 I’ve added the ability to manage the html report banner via the –result-html-label key. You can specify a banner for Linux Patch Wednesday (lpw), a banner for Microsoft Patch Tuesday (mspt), or the URL of an arbitrary image.

Changelog
Uncompressed picture

На русском