Tag Archives: Microsoft

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792)

Leave a reply

The Mystery of the Hole: Remote Code Execution - Internet Explorer (CVE-2012-4792)

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792). Yesterday, an old vulnerability “CDwnBindInfo” from 2012 was added to CISA KEV: the user opens a malicious website in MS Internet Explorer 6–8 and the attacker gets RCE on user’s host. The vulnerability has been actively exploited since the end of 2012 as 0day in watering hole attacks on US organizations. In particular, the malicious code was placed on the hacked Council on Foreign Relations (CFR) website.

Why was the vulnerability added to CISA KEV only now?

🔹 New attacks on legacy systems (Win XP/ Vista/7, WinServer 2003/2008) were discovered? 🤪 It’s unlikely.

🔹 They saw a vulnerability with confirmed incidents, but it wasn’t in CISA KEV, so they added it? More likely, but why only this vulnerability? 🧐

🔹 There was no formal excuse for urgently updating found legacy systems? A bit strange. 🤷‍♂️

Let’s wait for updates. 🙂

На русском

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

3 Replies

What is known about Spoofing - Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

🔻 According to Check Point, attackers use special “.url” files with icons that look like PDF documents. If the user clicks on the file and ignores 2 uninformative warnings, then a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows. 😱 Why in IE? This is all due to the processing of the “mhtml:” prefix in the “.url” file. The July update blocks this. 👍

🔻 Check Point found “.url” samples that could date back to January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee add malicious “.url” files to archives with PDF books and distribute them through websites, instant messengers and phishing.

На русском

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023

1 Reply

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023. The report was released on July 2. I generated a rap track on this topic in Russian using Suno. 🙂 English subtitles available.

List of vulnerabilities:

🔻 Remote Code Execution – Microsoft Exchange “ProxyNotShell” (CVE-2022-41040, CVE-2022-41080, CVE-2022-41082)
🔻 Remote Code Execution – Bitrix Site Manager “PollsVotes” (CVE-2022-27228)
🔻 Elevation of Privilege – Polkit “PwnKit” (CVE-2021-4034)

На русском

July Microsoft Patch Tuesday

4 Replies

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

Microsoft is beginning to add CVEs to address security flaws in its cloud services

Leave a reply

Microsoft is beginning to add CVEs to address security flaws in its cloud services

Microsoft is beginning to add CVEs to address security flaws in its cloud services. It’s not as straightforward. Assume a cloud CRM has a vulnerability. The vendor instantly corrected it for everyone, and clients didn’t need to take any action. What good is it to issue a CVE for this? 🤔

But Microsoft believes it’s required for greater transparency, and the new rules require CNAs (CVE Numbering Authorities) to add vulnerabilities that could cause significant harm, regardless of whether customers have to take action to fix the vulnerabilities or not. 🤷‍♂️

Microsoft promises to mark such vulnerabilities, such as CVE-2024-35260 “CVE requires no customer action to resolve”. There will be a special tag in CVEorg as well.

Whether or not it is necessary to register cloud service vulnerabilities as CVE is a controversial issue. But it is a fact that, due to this practice, the number of identifiers in CVEorg/NVD will grow much faster. 🤷‍♂️

На русском

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased

1 Reply

The severity of the Elevation of Privilege - Windows Kernel (CVE-2024-30088) has increased

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased. The vulnerability is fresh, it is from the June Microsoft Patch Tuesday. I highlighted it in the review because, according to the CVSS vector, there was a private Proof-of-Concept Exploit for it. But there were no details. It was only clear that in case of successful exploitation, the attacker gains SYSTEM privileges. According to the ZDI advisory, the vulnerability affects the implementation of NtQueryInformationToken and is due to the lack of proper locking when performing operations on the object.

On June 24, 2 weeks after the June Patch Tuesday, a repository with technical details on this vulnerability and PoC appeared on GitHub. A video of running the utility to obtain SYSTEM privileges is also available.

A lot of exploits have begun to appear for Windows EoP/LPE vulnerabilities recently. Fix them in advance!

На русском