Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now where I post first.

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability. NVIDIA’s bulletin was released on September 25. The vulnerability was found by researchers from Wiz.

Container Toolkit provides containerized AI applications with access to GPU resources. AI is now almost impossible without the use of video cards. 😏 Therefore, this component is very common.

The essence of the vulnerability is that a launched malicious container image can gain access to the host file system, which, in turn, can lead to the attacker’s code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

If an attacker gains access to a desktop in this way, it’s not so bad, but what if he gains access to Kubernetes nodes or a cluster? 🫣 AI service providers (a la Hugging Face) that launch untrusted images are at risk.

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability. This plugin for WordPress CMS allows you to create event pages with search and filtering capabilities. The plugin is installed on more than 700,000 websites.

The plugin offers extensive customization options, including using individual plugin functions in your own code. One of these functions, tribe_has_next_event(), was found to have a SQL injection that allows an unauthenticated attacker to extract sensitive information from the website’s database. An exploit is available on GitHub.

❗️ The developers note that this function is not used by the plugin itself (“unused code”). Only sites that have manually added a tribe_has_next_event() call will be vulnerable.

If you are using WordPress with The Events Calendar plugin, check whether any custom code on the site calls this vulnerable function, and update to v6.6.4.1 or later.
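One way to run that check, as an added example that is not part of the original post: the script below looks for tribe_has_next_event() calls outside the plugin's own directory and compares the installed plugin version with 6.6.4.1, since the post notes that both conditions are needed for a site to be affected. The plugin path wp-content/plugins/the-events-calendar/the-events-calendar.php is an assumption about the default layout.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress install for
# CVE-2024-8275 exposure. A site is only affected if custom code (theme,
# mu-plugin, snippet) calls tribe_has_next_event() AND the plugin is older
# than 6.6.4.1, so both conditions are checked. Assumed plugin layout:
# wp-content/plugins/the-events-calendar/the-events-calendar.php.
FIXED_VERSION="6.6.4.1"
PLUGIN_MAIN="wp-content/plugins/the-events-calendar/the-events-calendar.php"

# version_ge A B: true if dotted version A is >= B (GNU sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# plugin_version FILE: print the "Version:" value from a plugin header block.
plugin_version() {
    grep -m 1 '^[[:space:]*]*Version:' "$1" | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# find_custom_calls WP_ROOT: PHP files outside the plugin that call the helper.
find_custom_calls() {
    grep -rl --include='*.php' 'tribe_has_next_event' "$1/wp-content" 2>/dev/null \
        | grep -v '/plugins/the-events-calendar/' || true
}

# scan_wordpress WP_ROOT: print a verdict; return 1 when the site is exposed.
scan_wordpress() {
    root="$1"
    if [ ! -f "$root/$PLUGIN_MAIN" ]; then
        echo "The Events Calendar not found under $root"; return 0
    fi
    ver="$(plugin_version "$root/$PLUGIN_MAIN")"
    calls="$(find_custom_calls "$root")"
    echo "The Events Calendar version: ${ver:-unknown}"
    if [ -z "$calls" ]; then
        echo "no custom tribe_has_next_event() calls found: not exposed"; return 0
    fi
    echo "custom tribe_has_next_event() calls in:"; echo "$calls"
    if version_ge "${ver:-0}" "$FIXED_VERSION"; then
        echo "plugin already at or above $FIXED_VERSION: not exposed"; return 0
    fi
    echo "EXPOSED: update to $FIXED_VERSION or newer, or remove the custom calls"
    return 1
}

# Usage: sh audit-tec.sh /path/to/wordpress
if [ -n "${1:-}" ]; then scan_wordpress "$1"; fi
```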

Fake reCAPTCHA

Fake reCAPTCHA. Probably the most interesting example of exploitation of human vulnerability in the last month. This trick works for two reasons:

🔹 Various captcha services have taught people to do the strangest things: click on pictures with certain content, retype words, solve some puzzles. Many people do not even think when they see another window “prove that you are not a robot” and just do what they are asked. 🤷‍♂️

🔹 Websites have the ability to write arbitrary text to the site visitor’s clipboard. 😏

The fake captcha asks the user to open the Run dialog in Windows (Win + R), paste the malicious command from the clipboard into it (Ctrl + V) and run the command (Enter). Very primitive, but it works! 🤩 This is how attackers trick victims into running malicious PowerShell scripts and HTA applications. 👾

John Hammond recreated the code of such a “captcha”. You can use it in anti-phishing training.

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014)

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014), so that you don’t get the impression that this vulnerability can be exploited absolutely universally.

🔹 The attacker needs access to the Windows GUI: the console window has to be seen and “caught” with the mouse. The task can be simplified by the SetOpLock utility, which does not allow the window to close.

🔹 The attacker needs a web browser installed on the host. Moreover, current Edge or IE will not work; Firefox or Chrome is needed. The browser must not be running before the attack, and Edge or IE must not be set as the default browser.

🔹 This will not work for every MSI file. SEC Consult has released a utility called msiscan to detect MSI files that can be used to exploit this and similar vulnerabilities.

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability. The vulnerability was fixed on September 11 as part of the September Microsoft Patch Tuesday. It was discovered by Michael Baer from SEC Consult. On September 12, a post was published in their blog with exploitation details.

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. But the repair function can be launched by a low-privileged user. At the same time, the function itself might be executed in the context of NT AUTHORITY\SYSTEM. 🤔

The attacker launches the MSI file of an installed application, selects repair mode, and interacts with the console window launched with SYSTEM privileges. After a few steps, the attacker gets an interactive SYSTEM console.

The Microsoft fix activates a UAC prompt when the MSI installer performs an action with elevated privileges, i.e. before the console window appears.

I looked at the Forrester Wave on ASM for Q3 2024

I looked at the Forrester Wave on ASM for Q3 2024. The reprint was posted by Trend Micro. Forrester understands ASM to be something that evolved from EASM or CAASM. “Attack surface management […] gives you a depiction of what is attackable and whether it’s being monitored and hardened appropriately”. The goal is to provide a complete cyber asset inventory. So is this a kind of view of Asset Management from the information security side (like Qualys CSAM)? 🤔

CrowdStrike, Palo Alto Networks and Trend Micro are among the Leaders, while traditional vendors with vulnerability detection expertise are either Strong Performers (Qualys, Tenable) or even Contenders (Rapid7).

IMHO, this happened because the assessment focused on CAASM rather than EASM features. For example, there is nothing about vulnerability detection for the network perimeter. And the criteria are rather vague, like “Cyber asset inventory: asset contextualization” or “Strategy: Vision”. 😉

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities. On September 26, researcher Simone Margaritelli (evilsocket) disclosed 4 vulnerabilities of the CUPS print server for Linux systems (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed, libcupsfilters, libppd and cups-filters components.

The vulnerability chain allows a remote unauthenticated attacker to silently replace existing printer IPP URLs with malicious ones by sending special packets to 631/UDP. Then, when a print job is initiated, an RCE occurs. Mass exploitation is possible in local networks via mDNS or DNS-SD.

The OpenPrinting/cups-browsed bulletin contains a PoC of the exploit.

How many potentially vulnerable hosts are accessible from the Internet? 🔻 According to Qualys and Rapid7 estimates – 75000.

No patches yet. 🤷‍♂️ So, let’s wait for them, check network access and disable cups-browsed where it is not needed.
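A quick host-side check for the exposure described above, as an added example that is not part of the original post or of the CUPS project: it reports whether cups-browsed is running, whether anything is bound to 631/UDP, and what the effective BrowseRemoteProtocols setting is, since that directive controls whether remote printer announcements are accepted. The config path /etc/cups/cups-browsed.conf and the presence of systemctl and ss are assumptions (both tools are optional).

```shell
#!/bin/sh
# Added example, not from the original post: audit a Linux host for the
# cups-browsed exposure. The attack surface is cups-browsed listening on
# 631/UDP and accepting remote printer announcements, so report the daemon
# state, the UDP socket and the effective BrowseRemoteProtocols setting.
# Assumed: default config path, systemctl and ss (both optional).
CONF="${CUPS_BROWSED_CONF:-/etc/cups/cups-browsed.conf}"

# browse_protocols CONF: print the effective remote browse protocol list in
# lower case. BrowseRemoteProtocols wins over BrowseProtocols; when neither
# is set, cups-browsed defaults to "dnssd cups" (remote announcements accepted).
browse_protocols() {
    p="$(sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]][[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)"
    [ -n "$p" ] || p="$(sed -n 's/^[[:space:]]*BrowseProtocols[[:space:]][[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)"
    [ -n "$p" ] || p="dnssd cups"
    printf '%s\n' "$p" | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# browse_remote_enabled CONF: true unless the protocol list is exactly "none".
browse_remote_enabled() {
    [ "$(browse_protocols "$1")" != "none" ]
}

# udp_631_listening: true if some socket is bound to UDP port 631 (needs ss).
udp_631_listening() {
    command -v ss >/dev/null 2>&1 && ss -lun 2>/dev/null | grep -q ':631[[:space:]]'
}

# audit_cups_browsed CONF: print findings; return 1 when the configuration
# would accept remote printer announcements.
audit_cups_browsed() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed service: active"
    else
        echo "cups-browsed service: not active (or no systemd)"
    fi
    if udp_631_listening; then echo "631/UDP: listening"; else echo "631/UDP: not listening"; fi
    echo "effective remote browse protocols: $(browse_protocols "$1")"
    if browse_remote_enabled "$1"; then
        echo "EXPOSED: remote announcements accepted; set 'BrowseRemoteProtocols none' in $1"
        echo "         or stop and disable cups-browsed where it is not needed"
        return 1
    fi
    return 0
}

# Usage: sh audit-cups-browsed.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_cups_browsed "$CONF"; fi
```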