Tag Archives: vulnerability

Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)

Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213). The vulnerability was published as part of the August Microsoft Patch Tuesday (although ZDI writes that Microsoft had fixed it earlier, in June).

The vulnerability allows attackers to bypass the SmartScreen security feature, which protects users from running potentially malicious files downloaded from the Internet.

What is it about? WebDAV is a set of HTTP extensions for collaborative work with files.

🔹 A WebDAV share can be accessed via a web browser:

http://10.37.129.2/example_webdav_folder/somefile

🔹 Or via Windows Explorer (much like an SMB share):

\\10.37.129.2@80\example_webdav_folder

When a file was copied from the WebDAV share via Windows Explorer, the Mark-of-the-Web label was not applied to the copy, so SmartScreen never examined it. 🤷‍♂️ That’s why the name is “Copy2Pwn”. 😏
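The label in question is the `Zone.Identifier` alternate data stream that Windows attaches to files arriving from the Internet. A quick way to hunt for the Copy2Pwn condition on a fileserver or a downloads folder is to read that stream and check its `ZoneId`. The following is an added example written for this post, not code from the original post, from ZDI, or from Microsoft; the sample stream contents, file names and the hypothetical `example.test` host are constructed for the demonstration. `read_zone_identifier()` only works on NTFS under Windows; the rest runs anywhere.

```python
"""Audit files for Windows Mark-of-the-Web (the Zone.Identifier alternate data stream).

Added example for illustration; not code from the original post, ZDI or Microsoft.
"""
import configparser
from typing import Optional

# URL security zone ids as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style stream into a dict of its [ZoneTransfer] keys.

    Returns {} when there is no usable [ZoneTransfer] section, which is how
    a file without a meaningful MotW should be treated.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, ReferrerUrl, HostUrl)
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return {}
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp.items("ZoneTransfer"))


def zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Return the integer ZoneId, or None if the stream is absent or malformed."""
    if stream_text is None:
        return None
    value = parse_zone_identifier(stream_text).get("ZoneId")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def is_marked_from_internet(stream_text: Optional[str]) -> bool:
    """True only for the Internet (3) and Restricted (4) zones, the ones SmartScreen acts on."""
    z = zone_id(stream_text)
    return z is not None and z >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file on NTFS (Windows only); None if it is absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # includes FileNotFoundError: no stream at all
        return None


def find_unmarked(samples: dict) -> list:
    """Return, sorted, the file names whose stream does not mark them as Internet-origin."""
    return sorted(name for name, text in samples.items() if not is_marked_from_internet(text))


# Constructed sample streams (not captured from a real host).
SAMPLES = {
    "downloaded_by_browser.exe": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://example.test/\r\nHostUrl=https://example.test/setup.exe\r\n"
    ),
    "saved_from_intranet.docx": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "copied_from_webdav.exe": None,  # the Copy2Pwn case: no Zone.Identifier stream at all
    "garbage_stream.bin": "not an ini file",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        z = zone_id(text)
        print(f"{name:28} zone={ZONE_NAMES.get(z, 'none')!s:12} internet={is_marked_from_internet(text)}")
    print("unmarked:", find_unmarked(SAMPLES))
```

In a real sweep you would walk the directory, call `read_zone_identifier()` on each file and feed the results to `find_unmarked()`; executables arriving from a WebDAV or other network location that show up in that list are exactly the files SmartScreen would have waved through.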

According to ZDI, the vulnerability has been exploited by the DarkGate malware operator since at least March 2024.

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). A vulnerability from the August Microsoft Patch Tuesday. No exploits or signs of exploitation in the wild have been discovered yet, but the description of the vulnerability looks scary. 😱

An unauthenticated attacker sends IPv6 packets to a Windows computer and this results in remote code execution. CVSS 9.8, “Exploitation More Likely”.

🔹 If IPv6 is disabled, the vulnerability cannot be exploited. But it is enabled by default. 😏
🔹 Blocking IPv6 on the local Windows firewall will not prevent exploitation (the vulnerability is triggered before the packet is processed by the firewall). 🤷‍♂️

The vulnerability was found by experts from the Chinese information security company Cyber Kunlun. If technical details and exploits for the vulnerability appear, it could become very critical and “wormable”. 🪱

Remote Code Execution – Microsoft Project (CVE-2024-38189)

Remote Code Execution – Microsoft Project (CVE-2024-38189).

Microsoft Project is a project management program. It is designed to assist a project manager in developing a schedule, assigning resources to tasks, tracking progress, managing the budget, and analyzing workloads.

The vulnerability was fixed as part of the August Patch Tuesday. The malicious code is executed when the victim opens a specially crafted Microsoft Project file, received in a phishing email or downloaded from the attacker’s website.

👾 For a successful attack, these security features must be disabled:

🔹 The policy “Block macros from running in Office files from the Internet” (enabled by default).
🔹 “VBA Macro Notification Settings”.

Previewing files in the “Preview Pane” is not an exploitation vector. 👍

As you can see, there are quite a few conditions required for a successful attack, but Microsoft has reported cases of exploitation of the vulnerability in the wild. 🤷‍♂️

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. 130 CVEs, of which 45 have been added since the July MSPT.

Unexpectedly at the top is an RCE – OpenSSH “regreSSHion” (CVE-2024-6387), which Microsoft fixed in Azure. 🙂

6 vulnerabilities with signs of exploitation in the wild. 😱 It’s been a long time since we’ve seen so many. I will write about them in separate posts.

🔻 EoP – Windows Kernel (CVE-2024-38106), Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38213)
🔻 RCE – Microsoft Project (CVE-2024-38189)
🔻 RCE – Scripting Engine (CVE-2024-38178)

Other:

🔸 AuthBypass – Windows Update Stack (CVE-2024-38202) – the vulnerability was recently presented at BlackHat
🔹 Interesting RCEs – Windows TCP/IP (CVE-2024-38063) and LPD (CVE-2024-38199)
🔹 A lot of EoPs in Windows components (~26)

🗒 Full Vulristics report

Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)

Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077). The vulnerability was fixed in the July Patch Tuesday. An unauthenticated attacker can get RCE by sending messages to the RDL service. CVSS 9.8. Updates are available for Windows Server from 2008 to 2022.

What is the RDL service? By default, Remote Desktop Services allow only two simultaneous RDP connections to a Windows server. If you need more, you have to purchase additional licenses, and these licenses are managed by the RDL service. Admins often enable RDL on Windows servers where it is not needed at all. 🙄🤷‍♂️

On August 9, a write-up and a PoC for Server 2025 were posted on GitHub. So far, it is only Python pseudo-code with the critical parts left out.

They write that 170,000 hosts with RDL are reachable from the Internet. 🤷‍♂️ And there must be countless more on intranets.

❗️ Looks like a long-running trending vulnerability story.

Researchers promise us BadLicense and DeadLicense as well. 😉

What is known about the 0.0.0.0_Day vulnerability?

What is known about the 0.0.0.0_Day vulnerability? The original post was published on August 7 by Oligo Security. Last year, this Israeli company released research on the ShellTorch vulnerability. This time it is another piece of research on local services reachable from the outside.

When a victim visits a malicious website, that site can interact with web services on the victim’s localhost via the address 0.0.0.0 using JS. The trick works in Chromium, Firefox, and Safari on macOS and Linux. This is not cool; browsers should block requests to localhost.

So, let’s say the site interacts with some services on localhost (if there are any), so what? Well, if a service is poorly written, this can very well lead to RCE. 🤷‍♂️ For the demonstration, the researchers took a vulnerability in the Ray AI framework that has been exploited in the wild (ShadowRay) and attacked a local Ray server through 0.0.0.0_Day. 🤔
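Until browsers close the hole, the practical defence is in the local service itself: a request that arrived through the 0.0.0.0 trick carries `Host: 0.0.0.0:<port>` and a foreign `Origin` (and, in current browsers, `Sec-Fetch-Site: cross-site`), so the service can simply refuse it. Binding to 127.0.0.1 instead of 0.0.0.0 is good hygiene but does not help on its own here, because on Linux and macOS a connection to 0.0.0.0 lands on the loopback interface anyway. The following is an added example written for this post, not code from the original post, from Oligo, or from the Ray project; port 8265 and the `evil.test` origin are assumed for illustration.

```python
"""Refuse cross-site requests to a local (dev / AI) HTTP service, 0.0.0.0-Day style.

Added example for illustration; not code from the original post, Oligo or Ray.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names a legitimate local client may put in Host / Origin. 0.0.0.0 is deliberately absent.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(value: str):
    """Extract the hostname from a Host header ('localhost:8265', '[::1]:8265') or an Origin URL."""
    try:
        return urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return None


def evaluate_request(headers: dict):
    """Return (allowed, reason) for a request, given its headers (names are case-insensitive).

    Three independent checks, any of which rejects a 0.0.0.0-Day request:
      1. Host must name the loopback host (also blocks DNS-rebinding names).
      2. If the browser sent Origin, it must be a loopback origin.
      3. If the browser sent Sec-Fetch-Site, it must not be cross-site.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = _hostname(h.get("host", ""))
    if host not in LOOPBACK_HOSTS:
        return False, f"Host header {h.get('host')!r} is not a loopback name"
    origin = h.get("origin")
    if origin is not None and _hostname(origin) not in LOOPBACK_HOSTS:
        return False, f"cross-origin request from {origin!r}"
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies evaluate_request() before serving anything."""

    def do_GET(self):
        allowed, reason = evaluate_request(dict(self.headers))
        if not allowed:
            self.send_error(403, reason)
            return
        body = b"local service ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # same gate for state-changing requests


if __name__ == "__main__":
    # Bind to loopback only; the header checks above handle the 0.0.0.0 case.
    HTTPServer(("127.0.0.1", 8265), GuardedHandler).serve_forever()
```

A local UI running on another loopback port (for example `http://localhost:3000`) still passes, because its Origin hostname is `localhost`; only pages served from a foreign site are turned away.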

So far, it doesn’t look like 0.0.0.0_Day will become a trending vulnerability.
