September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM. Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went.
Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE. Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays.
As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.
Microsoft Patch Tuesday for March 2023 was quite refreshing. 😈
Microsoft Patch Tuesday January 2023: ALPC EoP, Win Backup EoP, LocalPotato, Exchange, Remote RCEs. Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2023, including vulnerabilities that were added between December and January Patch Tuesdays.
As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Nessus, Rapid7 and ZDI Patch Tuesday reviews.
Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches. Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.
Security News: Microsoft Patch Tuesday August 2021, Phishers Started Using reCAPTCHA, Scan 1 IP and Go to Jail. Hello everyone! Yet another news episode.
Microsoft’s August Patch Tuesday
Let’s start with Microsoft’s August Patch Tuesday. I think the most interesting thing is that it contains a fix for the PetitPotam vulnerability. I talked about this vulnerability two weeks ago. At the time, Microsoft had no plans to release a patch because PetitPotam was a “classic NTLM Relay Attack”. But the patch was actually released as part of August Patch Tuesday.
A quote from Rapid7: “Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface”.
There are no formal signs that this vulnerability is critical other than comments from the vendors. My Vulristics tool has flagged this “Windows LSA Spoofing” as a Medium level Vulnerability. But this fix seems to be the most important thing in this Patch Tuesday. So install this patch first.
Last Week’s Security news: Serious Sam in Metasploit, PetitPotam, Zimbra Hijack, Joint Advisory TOP30 CVEs. Hello everyone! Last Week’s Security News, July 26 – August 1.
Serious Sam in Metasploit
Last week I talked about the Serious Sam vulnerability (CVE-2021-36934), also known as HiveNightmare. The name HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files called hives. Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged user to read those files and then, for example, extract the account password hashes. An exploit for this vulnerability is now available in Metasploit and it will be much easier for attackers to exploit this vulnerability. The issues is still under investigation by Microsoft and a patch is not currently available, only the list of vulnerable OS versions, however a workaround has been provided.
PetitPotam
At the beginning of last week, PetitPotam (Little Hippo) attack made a lot of noise. It could force remote Windows systems to reveal password hashes that could then be easily cracked.
“The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies. […] The PetitPotam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. According to [security researcher Gilles Lionel], this forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.
In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services.”
But there won’t be any special fix. Microsoft: “PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.”
Burp Suite Free Edition and NTLM authentication in ASP.net applications. As you know, Burp Suit is a scanner for advanced Web Application Security researchers. However, the free version of Burp is more like Firebug analogue, but much more functional.
Let’s see how to install it and use for website analysis. This analysis may be necessary to find vulnerabilities or somehow automate the work with the site. Let’s take, for example, ASP.net applications with NTLM-authorization, which is rather unpleasant to analyze.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.