Category Archives: Projects

Last Week’s Security news: Serious Sam in Metasploit, PetitPotam, Zimbra Hijack, Joint Advisory TOP30 CVEs

1 Reply

Last Week’s Security news: Serious Sam in Metasploit, PetitPotam, Zimbra Hijack, Joint Advisory TOP30 CVEs. Hello everyone! Last Week’s Security News, July 26 – August 1.

Serious Sam in Metasploit

Last week I talked about the Serious Sam vulnerability (CVE-2021-36934), also known as HiveNightmare. The name HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files called hives. Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged user to read those files and then, for example, extract the account password hashes. An exploit for this vulnerability is now available in Metasploit and it will be much easier for attackers to exploit this vulnerability. The issues is still under investigation by Microsoft and a patch is not currently available, only the list of vulnerable OS versions, however a workaround has been provided.

PetitPotam

At the beginning of last week, PetitPotam (Little Hippo) attack made a lot of noise. It could force remote Windows systems to reveal password hashes that could then be easily cracked.

“The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies. […]
The PetitPotam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. According to [security researcher Gilles Lionel], this forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.

In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services.”

But there won’t be any special fix. Microsoft: “PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.”

Continue reading

Last Week’s Security news: Pegasus, SeriousSAM, Sequoia

1 Reply

Last Week’s Security news: Pegasus, SeriousSAM, Sequoia. Hello everyone! After 4 episodes of the Last Week’s Security news, I decided to change the format. I will no longer try to cover all the important news, because it takes a long time to prepare such reviews. So, from now on, I will focus only on a few news of the past week, which I subjectively consider the most interesting.

So, the last week, July 19 – July 25. In my opinion, the most interesting news was the scandal related to the iPhone Pegasus spyware and two Elevations of Privileges: SeriousSAM for Windows and Sequoia for Linux.

Continue reading

Last Week’s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins

Leave a reply

Last Week’s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins. Hello guys! The fourth episode of Last Week’s Security news, July 12 – July 18.

I would like to start with some new public exploits. I think these 4 are the most interesting.

  • If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a public RCE exploit for it. ForgeRock OpenAM server is a popular access management solution for web applications. Michael Stepankin, Researcher: “In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM”. And now this vulnerability is Under Active Attack. “The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,” the organization said in an alert. ACSC didn’t disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them”.
  • A new exploit for vSphere Client (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
  • Apache Tomcat 9.0.0.M1 – Open Redirect (CVE-2018-11784). “When the default servlet in Apache Tomcat […] returned a redirect to a directory […] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice”.
  • Apache Tomcat 9.0.0.M1 – Cross-Site Scripting (CVE-2019-0221). “The SSI printenv command in Apache Tomcat […] echoes user provided data without escaping and is, therefore, vulnerable to XSS”. However, in real life this is unlikely to be used. “SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website”.

Continue reading

Vulristics Microsoft Patch Tuesday July 2021: Zero-days EoP in Kernel and RCE in Scripting Engine, RCEs in Kernel, DNS Server, Exchange and Hyper-V

1 Reply

Vulristics Microsoft Patch Tuesday July 2021: Zero-days EoP in Kernel and RCE in Scripting Engine, RCEs in Kernel, DNS Server, Exchange and Hyper-V. Hello everyone! For the past 9 months, I’ve been doing Microsoft Patch Tuesday reviews quarterly. Now I think it would be better to review the July Patch Tuesday while the topic is still fresh. And that will save us some time in the next Last Week’s Security news episode. So, July Patch Tuesday, 116 vulnerabilities.

The 2 most critical are the Windows Kernel Elevation of Privilege Vulnerabilities (CVE-2021-31979, CVE-2021-33771). These vulnerabilities are critical because they are used in real attacks according to Microsoft’s Threat Intelligence Center and Security Response Center. Tenable: “A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.”

Continue reading

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers

1 Reply

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers. Hello guys! The third episode of Last Week’s Security news, July 5 – July 11. There was a lot of news last week. Most of them was again about PrintNightmare and Kaseya.

The updates for PrintNightmare (CVE-2021-34527) were finally released mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these patches can be bypassed. “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE”. Microsoft has updated their security update guide after that: “if you set this reg key to = 1 then the system is vulnerable by design”. It seems that solving this problem requires hardening and registry monitoring.

Continue reading

Vulristics: Microsoft Patch Tuesdays Q2 2021

Leave a reply

Vulristics: Microsoft Patch Tuesdays Q2 2021. Hello everyone! Let’s now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.

First of all, let’s take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. “Researcher who reported these bugs certainly found quite the attack surface”. The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In the second place this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. “Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system”. And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (​TFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.

Continue reading

Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape

2 Replies

Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape. Hello guys! The second episode of Last Week’s Security news from June 28 to July 4.

The most interesting vulnerability of the last week is of course Microsoft Print Spooler “PrintNightmare”. By sending an RpcAddPrinterDriverEx() RPC request, for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is some strange story. It turns out that Sangfor published an exploit for the 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Micorosft Patch Tuesday. And then it turns out that this is a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability CVE-2021-34527 and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and Microsoft is suggesting two Workarounds. Option 1 – Disable the Print Spooler service, Option 2 – Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site.

Continue reading