Tag Archives: Microsoft

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

1 Reply

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit. CVSS 9.8. On June 6, PHP developers released an update to fix an RCE vulnerability which exists due to incorrect work with the Best-Fit encoding conversion function in the Windows operating system. An unauthenticated attacker performing an argument injection attack can bypass protection against the old actively exploited RCE vulnerability CVE-2012-1823 using certain character sequences and thus execute arbitrary code. Exploits for the vulnerability are already available on GitHub. The Shadowserver Foundation has noticed active scans aimed at detecting vulnerable hosts. 👾

The vulnerability affects all versions of PHP installed on the Windows operating system.

🔻 PHP 8.3 < 8.3.8
🔻 PHP 8.2 < 8.2.20
🔻 PHP 8.1 < 8.1.29 PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are already in End-of-Life and are not supported. 🤷‍♂️ It is specifically emphasized that all XAMPP installations are also vulnerable by default. XAMPP is a free and open-source cross-platform web server solution containing Apache, MariaDB, PHP, Perl and a large number of additional libraries. If updating to the latest version of PHP is not possible, researchers from DEVCORE suggest configuration recommendations that prevent vulnerability exploitation. However, these recommendations apply to installations on Windows with certain language locales (Traditional Chinese, Simplified Chinese, Japanese) for which the exploitation of the vulnerability has been verified. For other locales, due to the wide range of PHP use cases, it is currently impossible to fully list and exclude all potential exploitation scenarios. Therefore, users are advised to conduct a comprehensive asset assessment, check PHP usage scenarios, and update PHP to the latest version.

На русском

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

Leave a reply

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA. The injected code collects the logins/passwords that users enter to access the Exchange web interface and stores them in a special file. This file is accessible externally. Thus, attackers simply collect credentials to access confidential information and develop the attack further. 🙂

👾 The malware is installed by exploiting an old ProxyShell vulnerability (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

🏛 A total of 30 victims were discovered, including government agencies, banks, IT companies, and educational institutions.

🌍 Countries attacked: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon and others.

🕵️‍♂️ The fact of compromise can be determined by a specific line in the logon.aspx file.

На русском

May Microsoft Patch Tuesday

1 Reply

May Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch Tuesday

May Microsoft Patch Tuesday. There are 91 vulnerabilities in total. Of those, 29 were added between April and May Patch Tuesday.

Two vulnerabilities have signs of exploitation in the wild and the presence of a functional exploit (not yet public):

🔻 Security Feature Bypass – Windows MSHTML Platform (CVE-2024-30040). In fact, an attacker can execute arbitrary code when the victim opens a specially crafted document. It is exploited through phishing.
🔻 Elevation of Privilege – Windows DWM Core Library (CVE-2024-30051). A local attacker can gain SYSTEM privileges on the vulnerable host. Microsoft credits four different groups for reporting the bug, indicating that the vulnerability is being widely exploited. The vulnerability is associated with the QakBot malware.

Among the rest we can note:

🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-30050). Such vulnerabilities have been frequently exploited recently. Microsoft indicates that there is a functional exploit (private) for the vulnerability.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-30044). An authenticated attacker with Site Owner privileges or higher can execute arbitrary code in the context of SharePoint Server by uploading a specially crafted file.
🔸 Elevation of Privilege – Windows Search Service (CVE-2024-30033). ZDI believes that the vulnerability has the potential to be exploited in the wild.
🔸 Remote Code Execution – Microsoft Excel (CVE-2024-30042). An attacker can execute code, presumably in the user’s context, when a malicious file is opened.

🗒 Vulristics report

На русском

First impressions of the April Microsoft Patch Tuesday

1 Reply

First impressions of the April Microsoft Patch Tuesday
First impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch Tuesday

First impressions of the April Microsoft Patch Tuesday. I don’t even know what to write. 🤪 Very strange! 173 vulnerabilities, of which 23 were added since the last Patch Tuesday.

Microsoft flags one vulnerability as being exploited in the wild: Spoofing – Proxy Driver (CVE-2024-26234). And only Qualys briefly mentions it. Literally like this: “Microsoft has not disclosed any information about the vulnerability”. 😅 ZDI also claims that Security Feature Bypass – SmartScreen Prompt (CVE-2024-29988) is being exploited in the wild, which is a Mark of the Web (MotW) bypass.

There are no exploits for anything yet. The following vulnerabilities can be highlighted:

🔸 Remote Code Execution – Microsoft Excel (CVE-2024-26257). Can be exploited by an attacker when the victim opens a specially crafted file.
🔸 Remote Code Execution – RPC (CVE-2024-20678). It is highlighted by ZDI, which also claims 1.3 million exposed TCP 135 ports.
🔸 Spoofing – Outlook for Windows (CVE-2024-20670). ZDI writes that this is an Information Disclosure vulnerability that can be used in NTLM relay attacks.
🔸 Remote Code Execution – Windows DNS Server (CVE-2024-26221, CVE-2024-26222, CVE-2024-26223, CVE-2024-26224, CVE-2024-26227, CVE-2024-26231, CVE-2024-26233). Maybe some of this will be exploited in the wild, ZDI particularly highlights CVE-2024-26221.
🔸 Remote Code Execution – Microsoft Defender for IoT (CVE-2024-21322, CVE-2024-21323, CVE-2024-29053). It is an IoT and ICS/OT security solution that can be deployed on-prem.

There are simply indecently massive fixes:

🔹 Remote Code Execution – Microsoft OLE DB Driver for SQL Server / Microsoft WDAC OLE DB Provider for SQL Server / Microsoft WDAC SQL Server ODBC Driver. 28 CVEs! I won’t even list everything here. 😨
🔹 Security Feature Bypass – Secure Boot. 23 CVEs!

🗒 Vulristics report

На русском

Upd. 10.04 I slightly tweaked the vulnerability type detection to increase the priority of the detection based on the Microsoft generated description compared to the detection based on CWE. In particular, the type of vulnerability for Spoofing – Proxy Driver (CVE-2024-26234) and Spoofing – Outlook for Windows (CVE-2024-20670) has changed.

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

Leave a reply

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian). I also generated a Vulristics report for these vulnerabilities. There are 5 vulnerabilities in total.

🔻 For 3 vulnerabilities there are exploits and confirmed signs of exploitation in the wild: AuthBypassTeamCity (CVE-2024-27198), RCE – FortiClientEMS (CVE-2023-48788), EoPWindows Kernel (CVE-2024-21338).

🔻 For 2 more vulnerabilities there are no signs of exploitation in the wild yet, but there are exploits: EoP – Windows CLFS Driver (CVE-2023-36424), RCEMicrosoft Outlook (CVE-2024-21378).

На русском

First impressions of the March Microsoft Patch Tuesday

1 Reply

First impressions of the March Microsoft Patch Tuesday
First impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch Tuesday

First impressions of the March Microsoft Patch Tuesday. So far I have not seen anything overtly critical. There are 80 vulnerabilities in total, including 20 added between the February and March MSPT.

With PoC there is only one:

🔻 Information Disclosure – runc (CVE-2024-21626). It allows an attacker to escape from the container. What does Microsoft have to do with it? The vulnerability has been fixed in Azure Kubernetes Service and CBL-Mariner (Microsoft’s internal Linux distribution).

For the rest, there are no signs of active exploitation or the existence of a PoC yet.

We can pay attention to the following:

🔸 Elevation of Privilege – Windows Kernel (CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182). Such vulnerabilities often become exploitable recently. The same applies to Elevation of Privilege – Windows Print Spooler (CVE-2024-21433).
🔸 Remote Code Execution – Open Management Infrastructure (OMI) (CVE-2024-21334). CVSS 9.8 and ZDI write that “it would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet”. Perhaps such instances are indeed often accessible via the Internet, this requires research. 🤷‍♂️
🔸 Remote Code Execution – Windows Hyper-V (CVE-2024-21407). This “guest-to-host escape” vulnerability was highlighted by everyone: Qualys, Tenable, Rapid7, ZDI.
🔸 Remote Code Execution – Microsoft Exchange (CVE-2024-26198). This is a “DLL loading” vulnerability. The details are still unclear, but I wouldn’t be surprised if there will be a detailed write-up on it soon.

🗒 Vulristics report

На русском

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show

Leave a reply

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show. 🤩 It’s in Russian, but the automatically generated subtitles combined with automatic translation do a good job. The “Trending VM” section starts at 16:05. 🎞

As for the content, this is the February digest of trending vulnerabilities, but presented in a more lively format: simple phrases, with all sorts of memes, jokes and so on. Typical edutainment. 😏 The level of production demonstrated by the SecLab News team is, of course, amazing. I haven’t seen anything better yet. Very professional guys, it’s a pleasure to work with them. 🔥

In general, this is a trial attempt – the further fate of the section (and maybe not only the section) depends on you 😉.

➡️ Please follow the link, watch the episode, like it, leave a comment about the section. What you liked and what could have been done better.

We are really looking forward to your feedback. 🫠

На русском