Category Archives: Vulnerability

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

Leave a reply

The criticality of the Elevation of Privilege - Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically. The vulnerability is from Microsoft’s April Patch Tuesday. In April, no one highlighted this vulnerability at all.

Microsoft wrote about it “Exploitation Less Likely”. All that was known was that if exploited successfully, the attacker could gain SYSTEM privileges.

But 2 months later, on June 10, an exploit appeared on GitHub. 🤷‍♂️ Surprise! The criticality of the vulnerability has increased dramatically.

Could this be somehow predicted? IMHO, not at all. Another confirmation that predicting trending vulnerabilities is, of course, good, but does not cancel regular unconditional patching according to the established SLA (AIT).

The author of the exploit clarified the CWE of the vulnerability.

It was: CWE-122 – Heap-based Buffer Overflow

It became: CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

На русском

An idea worth a million Hamster coins

Leave a reply

An idea worth a million Hamster coins

An idea worth a million Hamster coins. 🐹😅 Website/app to tap on CVEs. But it will make sense to tap not on all CVEs, but only on those that should have a confirmed exploit or sign of exploitation in the wild within the next week.

🪙 When such a sign or exploit does appear, distribute coins to those who have been tapping on this vulnerability for the last week. In proportion to the number of taps, the criticality of the vulnerability, etc.

📈 And based on the analysis of these taps, it will be possible to make forecasts on the exploitability of vulnerabilities. With the help of AI, of course.

I am sure that this will work much better than EPSS and social network fortune tellers. 😅

На русском

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution – Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year’s QueueJumper (CVE-2023-21554).
🔸 Denial of Service – DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege – Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft’s CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It’s enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution – Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution – Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let’s wait for details. 😈
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

Exploit accounting in Vulristics: bug and new component name

Leave a reply

Exploit accounting in Vulristics: bug and new component nameExploit accounting in Vulristics: bug and new component name

Exploit accounting in Vulristics: bug and new component name.

🔹 I discovered that sometime in April a bug was added to Vulristics: vulnerabilities without exploits received the value of the corresponding component 0.5, not 0. 🤦‍♂️ Somehow I didn’t pay attention to it and no one reported it to me. I corrected it with today’s commit. I’m going to regenerate the Microsoft Patch Tuesday and Linux Patch Wednesday reports for April and May. This, of course, is not a super-critical bug, but the final vulnerability score was distorted. If you use Vulristics, take note and update.

🔹 At the same time, I renamed the “Public Exploit Exists” component to the more logical “Exploit Exists”. It takes values:
1, if there is a public exploit (link or flag in the BDU)
0, if there is no exploit data at all
from 0 to 1, if there is data about a private exploit/PoC

🔹 I created a Changelog and added the “-v” or “–version” parameters. I have been running a project without versions since 2020. 😅🤷‍♂️

На русском

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

Leave a reply

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks. I already had a post about this vulnerability earlier. Now Imperva Threat Research reports that this vulnerability is being used by attackers to deliver malware identified as a component of the TellYouThePass ransomware.

⏳ The attacks were noticed on June 8, less than 48 hours after the PHP developers released a patch. The attacks used an exploit that by that time was already publicly available.

TellYouThePass attacks have been reported since 2019. They target enterprises and individuals. Attackers encrypt both Windows and Linux infrastructure.

What conclusions can be drawn? If you see a vulnerability with a public exploit and a more or less clear vector of exploitation, don’t be lazy to patch it as quickly as possible. Because attackers will definitely not be too lazy to add this exploit to their malware. 😉

На русском

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Leave a reply

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit. CVSS 9.8. On June 6, PHP developers released an update to fix an RCE vulnerability which exists due to incorrect work with the Best-Fit encoding conversion function in the Windows operating system. An unauthenticated attacker performing an argument injection attack can bypass protection against the old actively exploited RCE vulnerability CVE-2012-1823 using certain character sequences and thus execute arbitrary code. Exploits for the vulnerability are already available on GitHub. The Shadowserver Foundation has noticed active scans aimed at detecting vulnerable hosts. 👾

The vulnerability affects all versions of PHP installed on the Windows operating system.

🔻 PHP 8.3 < 8.3.8
🔻 PHP 8.2 < 8.2.20
🔻 PHP 8.1 < 8.1.29 PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are already in End-of-Life and are not supported. 🤷‍♂️ It is specifically emphasized that all XAMPP installations are also vulnerable by default. XAMPP is a free and open-source cross-platform web server solution containing Apache, MariaDB, PHP, Perl and a large number of additional libraries. If updating to the latest version of PHP is not possible, researchers from DEVCORE suggest configuration recommendations that prevent vulnerability exploitation. However, these recommendations apply to installations on Windows with certain language locales (Traditional Chinese, Simplified Chinese, Japanese) for which the exploitation of the vulnerability has been verified. For other locales, due to the wide range of PHP use cases, it is currently impossible to fully list and exclude all potential exploitation scenarios. Therefore, users are advised to conduct a comprehensive asset assessment, check PHP usage scenarios, and update PHP to the latest version.

На русском

Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086) has been added to CISA KEV

Leave a reply

Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086) has been added to CISA KEV

Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086) has been added to CISA KEV. The vulnerability itself is relatively old, from January. I already wrote about it in March, when the write-up and public exploit were released.

Despite the fact that the exploitation of this vulnerability is trivial (the attacker launches a local utility and gains root privileges), until recently there were no signs of exploitation in the wild. This is quite strange: such a useful exploit should immediately be included in the attackers’ toolkit. So either the practical exploitation of this vulnerability is somehow complicated, or the attackers did not leave any traces. 🤔

In any case, on May 30, the vulnerability was added to CISA KEV, and this means the fact of its exploitation in attacks has been proven. But there are no details yet. Please be aware of this vulnerability when upgrading Linux hosts.

На русском