Category Archives: Vulnerability

Remote Code Execution – Bitrix (CVE-2022-29268) and Jet CSIRT deface case

Leave a reply

Remote Code Execution - Bitrix (CVE-2022-29268) and Jet CSIRT deface case

Remote Code Execution – Bitrix (CVE-2022-29268) and Jet CSIRT deface case.

🔻 The vulnerability is in the “Rejected” status in NVD, although its exploitability has been confirmed. 🤷‍♂️ What is it about? CMS Bitrix can be deployed from the “1C-Bitrix: Virtual Machine” image. Then it is configured in the web setup interface (without authentication). At a certain step there is an option “Upload backup”. Instead of a backup, you can upload a web shell there and it will be installed. 🫠

🔻 What is the risk? Surely no one will expose the initial setup interface to the Internet? 🤔 But people do it, Google dork is available.

🔻 This happened in the Jet CSIRT website deface case as well. In November 2023, the setup interface was exposed for 3 days. The attackers found it and installed the web shell. 🤷‍♂️

Jet states that Bitrix does not consider this to be a vulnerability in the setup interface. So the recommendation: don’t make it accessible from the Internet. 😅🤡

На русском

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023

Leave a reply

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023. The report was released on July 2. I generated a rap track on this topic in Russian using Suno. 🙂 English subtitles available.

List of vulnerabilities:

🔻 Remote Code Execution – Microsoft Exchange “ProxyNotShell” (CVE-2022-41040, CVE-2022-41080, CVE-2022-41082)
🔻 Remote Code Execution – Bitrix Site Manager “PollsVotes” (CVE-2022-27228)
🔻 Elevation of Privilege – Polkit “PwnKit” (CVE-2021-4034)

На русском

I’ve released a new version of Vulristics 1.0.6

Leave a reply

I've released a new version of Vulristics 1.0.6

I’ve released a new version of Vulristics 1.0.6.

🔹 I’ve made it easier to work with exploit data. Now all Data Sources bring such data in a single format and it is processed uniformly. Including signs of the presence of an exploit in Microsoft CVSS Temporal Vector (I classify them as private exploits). First, I look for the presence of public exploits; if there are none, then private exploits.

🔹 I fixed a bug due to which it was not possible to force the vulnerability type to be set from the Custom Data Source.

🔹 During simplified detection of product names for generated Microsoft vulnerability descriptions, product descriptions can now be pulled up by alternative_names as well.

🔹I fixed a bug with Vulristics crashing when generating a Microsoft Patch Tuesday report while searching for an MSPT review from Qualys. […]

Changelog
Uncompressed picture
На русском

July Microsoft Patch Tuesday

Leave a reply

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization

Leave a reply

I watched a joint webinar by Vulners and RST Cloud about Vulnerability PrioritizationI watched a joint webinar by Vulners and RST Cloud about Vulnerability PrioritizationI watched a joint webinar by Vulners and RST Cloud about Vulnerability PrioritizationI watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization.

🔹 Kir Ermakov from Vulners spoke about the importance of prioritizing vulnerabilities (especially for MSSP companies, since they are responsible for customer security) and how it can be improved using dynamically updated AI Score v2. I really liked his phrase: “if you don’t know your assets very well, turn off the webinar and go do Asset Management”. Asset Management is the base. 👍

🔹 Yury Sergeev from RST Cloud told how, when prioritizing vulnerabilities, take into account data on the exploitation of vulnerabilities in real attacks (in your location, in your industry, for your attacker profile). He provided a formula and demonstrated how taking these factors into account affects prioritization. I liked his regreSSHion example: there is a lot of hype, but the attack is very noticeable and takes a lot of time, so the exploitation is unlikely to be widespread.

На русском

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387)

Leave a reply

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387)

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387). According to Kaspersky Lab experts, this is an attack on cybersecurity specialists. The attackers invite victims to examine an archive that supposedly contains a functional regreSSHion exploit, a list of IP addresses, and some payload.

🔻 The source code resembles a slightly edited version of a non-functional proof-of-concept exploit for this vulnerability that was already public.

🔻 One of the Python scripts simulates the exploitation of the vulnerability on IP addresses from the list. But in reality, it launches malware that achieves persistence in the system and downloads additional payload. The malware modifies /etc/cron.hourly and the operation of the ls command.

If you are examining someone else’s code, do so in a securely isolated environment and be aware that you may be attacked this way. 😉

На русском