Category Archives: Topics

Fake reCAPTCHA

Leave a reply

Fake reCAPTCHA

Fake reCAPTCHA. Probably the most interesting example of exploitation of human vulnerability in the last month. This trick works for two reasons:

🔹 Various captcha services have taught people to do the strangest things: click on pictures with certain content, retype words, solve some puzzles. Many people do not even think when they see another window “prove that you are not a robot” and just do what they are asked. 🤷‍♂️

🔹 Websites have the ability to write arbitrary text to the site visitor’s clipboard. 😏

Fake captcha asks the user to launch the Run window in Windows (Win + R), then paste a malicious command from the clipboard into this window (Ctrl + V) and run the command (Enter). Very primitive, but it works! 🤩 This is how attackers trick victims into running malicious PowerShell scripts and HTA applications. 👾

John Hammond recreated the code of such a “captcha”. You can use it in anti-phishing training.

На русском

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014)

Leave a reply

A few details about Elevation of Privilege - Windows Installer (CVE-2024-38014)

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014). So that you don’t get the impression that this vulnerability can be exploited absolutely universally.

🔹 The attacker needs access to the Windows GUI. Naturally, the console window needs to be seen and “caught”. Just with the mouse. The task can be simplified by the SetOpLock utility, which does not allow the window to close.

🔹 The attacker needs a web browser installed on the host. Moreover, the current Edge or IE will not work, Firefox or Chrome is needed. And the browser should not be running before the attack. And Edge or IE should not be set as the default browser.

🔹 This will not work for every MSI file. SEC Consult has released a utility called msiscan to detect MSI files that can be used to exploit this and similar vulnerabilities.

На русском

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability

Leave a reply

About Elevation of Privilege - Windows Installer (CVE-2024-38014) vulnerability

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability. The vulnerability was fixed on September 11 as part of the September Microsoft Patch Tuesday. It was discovered by Michael Baer from SEC Consult. On September 12, a post was published in their blog with exploitation details.

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. But the repair function can be launched by a low-privileged user. At the same time, the function itself might be executed in the context of NT AUTHORITY\SYSTEM. 🤔

The attacker launches the MSI file of an installed application, selects repair mode, and interacts with the console window launched with SYSTEM privileges. After a few steps, attacker gets an interactive SYSTEM console.

The Microsoft fix activates a UAC prompt when the MSI installer performs an action with elevated privileges, i.e. before the console window appears.

На русском

I looked at the Forrester Wave on ASM for Q3 2024

Leave a reply

I looked at the Forrester Wave on ASM for Q3 2024

I looked at the Forrester Wave on ASM for Q3 2024. The reprint was posted by Trend Micro. Forrester understands ASM to be something that evolved from EASM or CAASM. “Attack surface management […] gives you a depiction of what is attackable and whether it’s being monitored and hardened appropriately”. The goal is to provide a complete cyber asset inventories. So is this a kind of view on Asset Management from the information security side (like Qualys CSAM)? 🤔

CrowdStrike, Palo Alto Networks and Trend Micro are among the Leaders. And traditional vendors with vulnerability detection expertise either in Strong Perfomers (Qualys, Tenable), or even in Contenders (Rapid7).

IMHO, this happened because the assessment focused on CAASM, not EASM features. For example, there is nothing about vulnerability detection for network perimeter. And the criteria are rather vague, like “Cyber ​​asset inventory: asset contextualization” or “Srategy: Vision”. 😉

На русском

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

Leave a reply

About Remote Code Execution - CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities. On September 26, researcher Simone Margaritelli (evilsocket) disclosed 4 vulnerabilities of the CUPS print server for Linux systems (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed, libcupsfilters, libppd and cups-filters components.

The vulnerability chain allows a remote unauthenticated attacker to silently replace existing printer IPP URLs with malicious ones by sending special packets to 631/UDP. Then, when a print job is initiated, an RCE occurs. Mass exploitation is possible in local networks via mDNS or DNS-SD.

The OpenPrinting/cups-browsed bulletin contains a PoC of the exploit.

How many potentially vulnerable hosts are accessible from the Internet?
🔻 According to Qualys and Rapid7 score – 75000.

No patches yet. 🤷‍♂️ So, let’s wait, check network accessed and disable cups-browsed, where it is not needed.

На русском

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711)

Leave a reply

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution - Veeam Backup & Replication vulnerability (CVE-2024-40711)

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711).

🔹 The description of the vulnerability in NVD tells us that authentication is not required to exploit the vulnerability, but the CVSS vector in the vendor bulletin indicates that authentication is required (“PR:L”).

🔹 The large number of changes in the patch hints that the vendor fixed some vulnerabilities without informing customers (silent patching).

🔹 The researchers concluded that CVE-2024-40711 was fixed in several stages. At first, exploitation of the vulnerability did not require authentication, then a patch was released and exploitation began to require authentication, and finally, the second patch completely fixed this vulnerability.

❗ Exploitation of the vulnerability allows an attacker to destroy backups and significantly complicate the restoration of the organization’s infrastructure.

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability

Leave a reply

About Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability. The bulletin was released on September 4. The vulnerability description states that it is caused by deserialization of untrusted data with a malicious payload. The vulnerability was discovered by a researcher from CODE WHITE.

Five days later, on September 9, researchers from another company, watchTowr Labs, posted a detailed write-up, exploit code, and a video demonstrating exploitation.

There are no signs of exploitation in the wild for this vulnerability yet. As with the June vulnerability in Veeam B&R (CVE-2024-29849). This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed. For example, CISA KEV contains Veeam B&R vulnerabilities from 2022, which were added to the list only in 2023. 😉

Update in advance!

На русском