Category Archives: Video

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers. Hello guys! The third episode of Last Week’s Security news, July 5 – July 11. There was a lot of news last week. Most of them was again about PrintNightmare and Kaseya.

The updates for PrintNightmare (CVE-2021-34527) were finally released mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these patches can be bypassed. “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE”. Microsoft has updated their security update guide after that: “if you set this reg key to = 1 then the system is vulnerable by design”. It seems that solving this problem requires hardening and registry monitoring.

Continue reading

Vulristics: Microsoft Patch Tuesdays Q2 2021

Vulristics: Microsoft Patch Tuesdays Q2 2021. Hello everyone! Let’s now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.

First of all, let’s take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. “Researcher who reported these bugs certainly found quite the attack surface”. The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In the second place this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. “Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system”. And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (​TFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.

Continue reading

Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape

Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape. Hello guys! The second episode of Last Week’s Security news from June 28 to July 4.

The most interesting vulnerability of the last week is of course Microsoft Print Spooler “PrintNightmare”. By sending an RpcAddPrinterDriverEx() RPC request, for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is some strange story. It turns out that Sangfor published an exploit for the 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Micorosft Patch Tuesday. And then it turns out that this is a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability CVE-2021-34527 and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and Microsoft is suggesting two Workarounds. Option 1 – Disable the Print Spooler service, Option 2 – Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site.

Continue reading

Vulristics HTML Report Update: Table for Products, Table for Vuln. Types and “Prevalence”

Vulristics HTML Report Update: Table for Products, Table for Vuln. Types and “Prevalence”. Hi guys! I was on vacation this week. So I had time to work on my Vulristics project. For those who don’t know, this is a framework for prioritizing known CVE vulnerabilities. I was mainly grooming the HTML report.

I added a logo at the top, set a max width for the report, added a timestamp when the report was created so you can now see how fresh it is. I have combined CVSS and Vulristics score statistics in two parallel columns.

But the main new feature is the tables of vulnerable products and types of vulnerabilities. The products are sorted by “prevalence”. You can review this list and ask yourself if this order is correct in your opinion or change the “prevalence” values for some products in the config dictionary. For software products with unknown “prevalence”, you will see the comment “Unclassified Product”.

Continue reading

Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee

Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee. Hello, today I want to experiment with a new format. I will be reading last week’s news from my @avleonovnews channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to my YouTube channel and my Telegram @avleonovcom.

Let’s start with some new public exploits.

  1. Researchers at Positive Technologies have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.
  2. F5 BIG-IQ VE Post-auth Remote Root RCE. BIG-IQ provides a single point of management for all your BIG-IP devices — whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.
  3. VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution. From the description of the vulnerability that was published in February 2021. “The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.
  4. Solaris SunSSH 11.0 Remote Root. “CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6”. If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.
  5. Dlink DSL2750U – ‘Reboot’ Command Injection. There, in the exploit code, there is a link to the full study that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.
  6. It’s 2021 and a printf format string in a wireless network’s name can break iPhone Wi-Fi. On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named “%p%s%s%s%s%n”. Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don’t connect to unfamiliar Wi-Fi networks.

Continue reading

PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM

PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM. Today I will talk about the Positive Hack Days conference, which took place on May 20 and May 21 in Moscow. I can say that this was and remains the main event for Information Security Practitioners in Russia.

First of all, I have to say a few words about the sanctions. The organizer of the event, Positive Technologies, is under the sanctions of the US Treasury Department since April 2021 among the “COMPANIES IN THE TECHNOLOGY SECTOR SUPPORTING RUSSIAN INTELLIGENCE SERVICES”. In a press release, the Treasury Department wrote that Positive Technologies hosts large-scale conventions that are used as recruiting events for russian special services. Well, I don’t know exactly what they mean. Maybe they mean PHDays or maybe not. But to say this about PHDays is like saying that any major international conference, Black Hat or RSA, is a recruiting event. This is ridiculous. In my humble opinion, these are some dirty political games. It is sad that reputable information security companies and security researchers are suffering from this.

Now let’s talk about my speech at PHDays 10. This year I had the opportunity to talk for an hour about my pet project – Vulristics. This project can help you prioritize known vulnerabilities. Anything that has a CVE id. There is a full video of my speech. I have uploaded this to my YouTube channel.

Russian version.

And a version that was dubbed into English.

So, if you’re interested, I recommend watching the full video. Here I will simply repeat the main points.

Continue reading

Getting Hosts from Microsoft Intune MDM using Python

Getting Hosts from Microsoft Intune MDM using Python. Today I want to talk about Microsoft Intune. It is a Mobile Device Management platform.

Well, I think that the importance of MDM systems has become much higher than it was before the days of covid-19. Simply because a lot more people now work remotely using corporate laptops. And if these people don’t connect to the corporate network using a VPN, you most likely won’t see any activity from their devices in Active Directory. This means that you will not understand whether the device is active or not. And it will be impossible to get the correct security metrics for these devices.

Mobile device management is a solution to this problem as it maintains a connection between the laptop and the cloud server. MDM can collect various parameters from hosts, but for me the most important parameter is the timestamp. I will not describe all the features of Microsoft Intune here. Simply because at this stage they are not very interesting to me. The task I needed to solve was how to get the timestamp of the last activity for all hosts in Microsoft Intune using the official API. And since this is poorly documented, I want to share it with you.

Continue reading