Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Attack on the complainer

Leave a reply

Attack on the complainer

Attack on the complainer. Let’s say you ordered a product or service from some organization (marketplace, online store, service center – it doesn’t matter) and something went wrong. It’s quite natural to find the official community of this organization on a social network and write a complaint. Communication with the support team is good, but with some public stimulation it’s even better, right? 😉

Only since the complaint is public, it can be read not only by the organization’s employees, but also by attackers. 🤷‍♂️ They can write to you in a private message, posing as a representative of the organization, and promise to resolve all issues.

You just need to
🔻 go to the website (a phishing one 🪝)
🔻 fill out the form (with personal and card data 💳)
🔻 enter SMS code (2FA from Government Services website 🛂)
🔻 download and run the “helper application” (malware 👾)

There can be many attack scenarios. And there is only one way to resist them – vigilance.

На русском

Vulnerability Remediation using the “Ford Method”

Leave a reply

Vulnerability Remediation using the Ford Method

Vulnerability Remediation using the “Ford Method”. There is a popular story in the Russian segment of the Internet. Allegedly, an experiment was carried out at Henry Ford’s plant: conveyor repair workers were paid only for the time they were in the break room. And as soon as the conveyor stopped 🚨 and the repair workers went to fix it, they stopped getting paid. Therefore, they did their work quickly and efficiently, so that they could quickly (and for a long time) return to the break room and start earning money again. 👷‍♂️🪙

I did not find any reliable evidence of this. 🤷‍♂️

But what if the specialists responsible for vulnerability remediation were paid only for the time when vulnerabilities are not detected on their hosts. 🤔 This can have a very positive impact on the speed and quality of remediation. Unsolvable problems will quickly become solvable, and automation of testing and deployment of updates will develop at the fastest pace. 😏

На русском

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Leave a reply

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks.

Researchers from Akamai Technologies wrote about this. An attacker can send a special packet to a vulnerable host with CUPS: “add a printer located at this IP address”. CUPS will start sending large IPP/HTTP requests to the specified IP address. Thus, vulnerable hosts can be organized in such a way that they start DDoSing IP addresses chosen by the attacker.

Akamai has discovered more than 198,000 vulnerable hosts with CUPS, of which more than 58,000 (34%) can be used for DDoS attacks. Of these, hundreds demonstrated an “infinite loop” of requests in response to HTTP/404.

Assuming that all 58,000+ vulnerable hosts are used for the attack, they can cause a traffic flow of 1 GB to 6 GB per attacker’s udp packet. The victim will have to handle 2.6 million TCP connections and HTTP requests.

На русском

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

Leave a reply

About Remote Code Execution - NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability. NVIDIA’s bulletin was released on September 25. The vulnerability was found by researchers from Wiz.

Container Toolkit provides containerized AI applications with access to GPU resources. AI is now almost impossible without the use of video cards. 😏 Therefore, this component is very common.

The essence of the vulnerability is that a launched malicious container image can gain access to the host file system, which, in turn, can lead to the attacker’s code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

If an attacker gains access to a desktop in this way, it’s not so bad, but what if he gains access to Kubernetes nodes or a cluster? 🫣 AI service providers (a la Hugging Face) that launch untrusted images are at risk.

На русском

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

Leave a reply

About SQL Injection - The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability. This plugin for WordPress CMS allows you to create event pages with search and filtering capabilities. The plugin is installed on more than 700,000 websites.

The plugin offers extensive customization options, including using individual plugin functions in your own code. One of these functions, tribe_has_next_event(), was found to have a SQL injection that allows an unauthenticated attacker to extract sensitive information from the website’s database. An exploit is available on GitHub.

❗️ The developers note that this function is not used by the plugin itself (“unused code”). Only sites that have manually added a tribe_has_next_event() call will be vulnerable.

If you are using WordPress with The Events Calendar plugin, check if there is some tricky customization using this vulnerable function and update to v.6.6.4.1 and above.

На русском

Fake reCAPTCHA

Leave a reply

Fake reCAPTCHA

Fake reCAPTCHA. Probably the most interesting example of exploitation of human vulnerability in the last month. This trick works for two reasons:

🔹 Various captcha services have taught people to do the strangest things: click on pictures with certain content, retype words, solve some puzzles. Many people do not even think when they see another window “prove that you are not a robot” and just do what they are asked. 🤷‍♂️

🔹 Websites have the ability to write arbitrary text to the site visitor’s clipboard. 😏

Fake captcha asks the user to launch the Run window in Windows (Win + R), then paste a malicious command from the clipboard into this window (Ctrl + V) and run the command (Enter). Very primitive, but it works! 🤩 This is how attackers trick victims into running malicious PowerShell scripts and HTA applications. 👾

John Hammond recreated the code of such a “captcha”. You can use it in anti-phishing training.

На русском

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014)

Leave a reply

A few details about Elevation of Privilege - Windows Installer (CVE-2024-38014)

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014). So that you don’t get the impression that this vulnerability can be exploited absolutely universally.

🔹 The attacker needs access to the Windows GUI. Naturally, the console window needs to be seen and “caught”. Just with the mouse. The task can be simplified by the SetOpLock utility, which does not allow the window to close.

🔹 The attacker needs a web browser installed on the host. Moreover, the current Edge or IE will not work, Firefox or Chrome is needed. And the browser should not be running before the attack. And Edge or IE should not be set as the default browser.

🔹 This will not work for every MSI file. SEC Consult has released a utility called msiscan to detect MSI files that can be used to exploit this and similar vulnerabilities.

На русском