Tag Archives: vulnerability

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Leave a reply

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks.

Researchers from Akamai Technologies wrote about this. An attacker can send a special packet to a vulnerable host with CUPS: “add a printer located at this IP address”. CUPS will start sending large IPP/HTTP requests to the specified IP address. Thus, vulnerable hosts can be organized in such a way that they start DDoSing IP addresses chosen by the attacker.

Akamai has discovered more than 198,000 vulnerable hosts with CUPS, of which more than 58,000 (34%) can be used for DDoS attacks. Of these, hundreds demonstrated an “infinite loop” of requests in response to HTTP/404.

Assuming that all 58,000+ vulnerable hosts are used for the attack, they can cause a traffic flow of 1 GB to 6 GB per attacker’s udp packet. The victim will have to handle 2.6 million TCP connections and HTTP requests.

На русском

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

Leave a reply

About Remote Code Execution - NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability. NVIDIA’s bulletin was released on September 25. The vulnerability was found by researchers from Wiz.

Container Toolkit provides containerized AI applications with access to GPU resources. AI is now almost impossible without the use of video cards. 😏 Therefore, this component is very common.

The essence of the vulnerability is that a launched malicious container image can gain access to the host file system, which, in turn, can lead to the attacker’s code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

If an attacker gains access to a desktop in this way, it’s not so bad, but what if he gains access to Kubernetes nodes or a cluster? 🫣 AI service providers (a la Hugging Face) that launch untrusted images are at risk.

На русском

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

Leave a reply

About SQL Injection - The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability. This plugin for WordPress CMS allows you to create event pages with search and filtering capabilities. The plugin is installed on more than 700,000 websites.

The plugin offers extensive customization options, including using individual plugin functions in your own code. One of these functions, tribe_has_next_event(), was found to have a SQL injection that allows an unauthenticated attacker to extract sensitive information from the website’s database. An exploit is available on GitHub.

❗️ The developers note that this function is not used by the plugin itself (“unused code”). Only sites that have manually added a tribe_has_next_event() call will be vulnerable.

If you are using WordPress with The Events Calendar plugin, check if there is some tricky customization using this vulnerable function and update to v.6.6.4.1 and above.

На русском

Fake reCAPTCHA

Leave a reply

Fake reCAPTCHA

Fake reCAPTCHA. Probably the most interesting example of exploitation of human vulnerability in the last month. This trick works for two reasons:

🔹 Various captcha services have taught people to do the strangest things: click on pictures with certain content, retype words, solve some puzzles. Many people do not even think when they see another window “prove that you are not a robot” and just do what they are asked. 🤷‍♂️

🔹 Websites have the ability to write arbitrary text to the site visitor’s clipboard. 😏

Fake captcha asks the user to launch the Run window in Windows (Win + R), then paste a malicious command from the clipboard into this window (Ctrl + V) and run the command (Enter). Very primitive, but it works! 🤩 This is how attackers trick victims into running malicious PowerShell scripts and HTA applications. 👾

John Hammond recreated the code of such a “captcha”. You can use it in anti-phishing training.

На русском

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014)

Leave a reply

A few details about Elevation of Privilege - Windows Installer (CVE-2024-38014)

A few details about Elevation of Privilege – Windows Installer (CVE-2024-38014). So that you don’t get the impression that this vulnerability can be exploited absolutely universally.

🔹 The attacker needs access to the Windows GUI. Naturally, the console window needs to be seen and “caught”. Just with the mouse. The task can be simplified by the SetOpLock utility, which does not allow the window to close.

🔹 The attacker needs a web browser installed on the host. Moreover, the current Edge or IE will not work, Firefox or Chrome is needed. And the browser should not be running before the attack. And Edge or IE should not be set as the default browser.

🔹 This will not work for every MSI file. SEC Consult has released a utility called msiscan to detect MSI files that can be used to exploit this and similar vulnerabilities.

На русском

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability

Leave a reply

About Elevation of Privilege - Windows Installer (CVE-2024-38014) vulnerability

About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability. The vulnerability was fixed on September 11 as part of the September Microsoft Patch Tuesday. It was discovered by Michael Baer from SEC Consult. On September 12, a post was published in their blog with exploitation details.

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. But the repair function can be launched by a low-privileged user. At the same time, the function itself might be executed in the context of NT AUTHORITY\SYSTEM. 🤔

The attacker launches the MSI file of an installed application, selects repair mode, and interacts with the console window launched with SYSTEM privileges. After a few steps, attacker gets an interactive SYSTEM console.

The Microsoft fix activates a UAC prompt when the MSI installer performs an action with elevated privileges, i.e. before the console window appears.

На русском

I looked at the Forrester Wave on ASM for Q3 2024

Leave a reply

I looked at the Forrester Wave on ASM for Q3 2024

I looked at the Forrester Wave on ASM for Q3 2024. The reprint was posted by Trend Micro. Forrester understands ASM to be something that evolved from EASM or CAASM. “Attack surface management […] gives you a depiction of what is attackable and whether it’s being monitored and hardened appropriately”. The goal is to provide a complete cyber asset inventories. So is this a kind of view on Asset Management from the information security side (like Qualys CSAM)? 🤔

CrowdStrike, Palo Alto Networks and Trend Micro are among the Leaders. And traditional vendors with vulnerability detection expertise either in Strong Perfomers (Qualys, Tenable), or even in Contenders (Rapid7).

IMHO, this happened because the assessment focused on CAASM, not EASM features. For example, there is nothing about vulnerability detection for network perimeter. And the criteria are rather vague, like “Cyber ​​asset inventory: asset contextualization” or “Srategy: Vision”. 😉

На русском