Tag Archives: vulnerability

About the “EvilVideo” vulnerability in Telegram for Android

About the “EvilVideo” vulnerability in Telegram for Android. The post was published on the ESET blog. They stated that the exploit is for sale on the Dark Net.

🔻 The attacker creates a payload that Telegram for Android displays not as a file but as a video preview. By default, Telegram downloads media files automatically as soon as the user sees the message in a chat, so this payload is downloaded automatically too.
If the user taps the preview, they see a Telegram error asking them to use an external media player.
If the user agrees, an attempt is made to install an APK.
If the user allows the installation of APKs from Telegram and taps the preview again, a window appears asking to confirm the installation of the application.
If the user presses “Install”, the malware is installed. 👾
🎞 There is a video demo.

🔻 Fixed in 10.14.5, older versions are vulnerable.

This is far from zero-click, but with good social engineering the success rate can be high.

In Russian

July Linux Patch Wednesday

July Linux Patch Wednesday. There are 705 vulnerabilities, of which 498 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild yet, 11 have public exploits.

🔻 RCE – OpenSSH “regreSSHion” (CVE-2024-6387) tops the list, with many exploit variations on GitHub. Mind the malicious fakes (❗️). I will also mention a similar vulnerability, RCE – OpenSSH (CVE-2024-6409), with no exploits yet.
🔻 Public PoC links for DoS in Suricata (CVE-2024-38536) and QEMU (CVE-2024-3567).

According to BDU, public exploits exist for:

🔸 AuthBypass – RADIUS Protocol (CVE-2024-3596), it was also fixed in the July MSPT
🔸 Security Feature Bypass – Exim (CVE-2024-39929) – mime_filename blocking bypass, as well as in Nextcloud (CVE-2024-22403) – eternal OAuth codes
🔸 DoS – OpenTelemetry (CVE-2023-45142)
🔸 Memory Corruption – 7-Zip (CVE-2023-52168)

🗒 Vulristics report on July Linux Patch Wednesday

In Russian

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

🔻 According to Check Point, attackers use special “.url” files with icons that look like PDF documents. If the user clicks on the file and ignores 2 uninformative warnings, then a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows. 😱 Why in IE? This is all due to the processing of the “mhtml:” prefix in the “.url” file. The July update blocks this. 👍
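A defender-side check for the delivery artifact described above: a small scanner, added here as an example (not code from the post, Check Point or Trend Micro), that parses Windows Internet Shortcut (.url) files and flags the two traits the post names, the “mhtml:” prefix in the URL= field and an icon borrowed from a PDF reader, both on loose files and on .url members inside an archive. The shortcut bodies and the archive are constructed samples; the icon heuristic (matching “pdf”/“acrobat” in IconFile) is my own assumption, not something the post specifies.

```python
"""Flag .url shortcuts whose target uses the "mhtml:" prefix (routes the link
into the Internet Explorer MSHTML engine) or whose icon masquerades as a PDF.
Added example; constructed samples, not real malware artifacts."""
import configparser
import io
import zipfile
from typing import Dict, List

MHTML_PREFIX = "mhtml:"
# Assumed heuristic: icon resources taken from a PDF reader's executable.
PDF_ICON_HINTS = ("pdf", "acrobat", "acrord")


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-style [InternetShortcut] section (keys are case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    return dict(cp.items(section)) if section else {}


def url_shortcut_findings(text: str) -> List[str]:
    """Return a list of human-readable reasons why this shortcut is suspicious."""
    fields = parse_url_file(text)
    url = fields.get("url", "").strip()
    icon = fields.get("iconfile", "").strip().lower()
    reasons = []
    if url.lower().startswith(MHTML_PREFIX):
        reasons.append("URL uses the mhtml: prefix (forces rendering in Internet Explorer)")
    if any(hint in icon for hint in PDF_ICON_HINTS):
        reasons.append("IconFile borrows a PDF-reader icon (document lookalike)")
    return reasons


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Scan every .url member of a ZIP archive; return {member_name: reasons}."""
    out: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            reasons = url_shortcut_findings(text)
            if reasons:
                out[info.filename] = reasons
    return out


# Constructed samples (not real artifacts).
BENIGN_URL = "[InternetShortcut]\nURL=https://example.invalid/docs\n"
SUSPICIOUS_URL = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://example.invalid/placeholder\n"
    "IconFile=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe\n"
    "IconIndex=0\n"
)


def build_sample_archive() -> bytes:
    """Mimic the 'PDF books plus a .url file' archive layout with constructed content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("book1.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("book2.url", SUSPICIOUS_URL)
        zf.writestr("readme.url", BENIGN_URL)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The scanner is intentionally strict on the one indicator the post confirms (the mhtml: prefix) and treats the icon check as a weaker, secondary signal; in a mail gateway or EDR rule you would alert on the first and use the second to raise severity.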

🔻 Check Point found “.url” samples that may date back to January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee adds malicious “.url” files to archives of PDF books and distributes them through websites, instant messengers and phishing.

In Russian

Remote Code Execution – Bitrix (CVE-2022-29268) and Jet CSIRT deface case

🔻 The vulnerability is in the “Rejected” status in NVD, although its exploitability has been confirmed. 🤷‍♂️ What is it about? CMS Bitrix can be deployed from the “1C-Bitrix: Virtual Machine” image. Then it is configured in the web setup interface (without authentication). At a certain step there is an option “Upload backup”. Instead of a backup, you can upload a web shell there and it will be installed. 🫠

🔻 What is the risk? Surely no one would expose the initial setup interface to the Internet? 🤔 But people do, and a Google dork for it is available.

🔻 This happened in the Jet CSIRT website deface case as well. In November 2023, the setup interface was exposed for 3 days. The attackers found it and installed the web shell. 🤷‍♂️

Jet states that Bitrix does not consider this to be a vulnerability in the setup interface. So the recommendation: don’t make it accessible from the Internet. 😅🤡

In Russian

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023. The report was released on July 2. I generated a rap track on this topic in Russian using Suno. 🙂 English subtitles available.

List of vulnerabilities:

🔻 Remote Code Execution – Microsoft Exchange “ProxyNotShell” (CVE-2022-41040, CVE-2022-41080, CVE-2022-41082)
🔻 Remote Code Execution – Bitrix Site Manager “PollsVotes” (CVE-2022-27228)
🔻 Elevation of Privilege – Polkit “PwnKit” (CVE-2021-4034)

In Russian

I’ve released a new version of Vulristics 1.0.6

🔹 I’ve made it easier to work with exploit data. Now all Data Sources deliver such data in a single format and it is processed uniformly, including the sign of an exploit’s presence in the Microsoft CVSS Temporal Vector (which I classify as a private exploit). First I look for public exploits; only if there are none do I look for private ones.
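To show the precedence rule described above in code, here is an added example (my own illustration, not Vulristics code; record layout, data-source names and the sample CVE ids and vectors are constructed assumptions): exploit evidence from different sources is normalized into one record type, the CVSS v3 temporal “Exploit Code Maturity” metric (E:) is read as a private-exploit sign, and a CVE is classified as “public” before “private” is even considered.

```python
"""Uniform exploit-evidence records and public-before-private classification.
Added example; not Vulristics code. Source names and sample data are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ExploitEvidence:
    cve: str
    source: str      # assumed data-source label, e.g. "github" or "ms_cvss"
    kind: str        # "public" or "private"
    reference: str   # URL or a short note on where the sign came from


# CVSS v3 temporal metric E (Exploit Code Maturity). X = not defined and
# U = unproven carry no exploit sign; P/F/H do.
CVSS_E_WITH_EXPLOIT = {"P": "proof-of-concept", "F": "functional", "H": "high"}


def evidence_from_cvss_temporal(cve: str, vector: str, source: str = "ms_cvss") -> Optional[ExploitEvidence]:
    """Read the E: metric of a CVSS v3 vector; an exploit sign there counts as private."""
    m = re.search(r"(?:^|/)E:([XUPFH])(?=/|$)", vector)
    if not m or m.group(1) not in CVSS_E_WITH_EXPLOIT:
        return None
    code = m.group(1)
    return ExploitEvidence(cve, source, "private", f"CVSS E:{code} ({CVSS_E_WITH_EXPLOIT[code]})")


def evidence_from_public_links(cve: str, urls: Iterable[str], source: str = "github") -> List[ExploitEvidence]:
    """Links to published exploit code are public evidence, one record per link."""
    return [ExploitEvidence(cve, source, "public", u) for u in urls]


def classify(cve: str, evidence: Iterable[ExploitEvidence]) -> Tuple[str, List[ExploitEvidence]]:
    """Public exploits take precedence; private ones are consulted only if none exist."""
    mine = [e for e in evidence if e.cve == cve]
    public = [e for e in mine if e.kind == "public"]
    if public:
        return "public", public
    private = [e for e in mine if e.kind == "private"]
    if private:
        return "private", private
    return "none", []


# Constructed sample data (placeholder CVE ids and vectors, not real assessments).
SAMPLE_EVIDENCE = (
    evidence_from_public_links("CVE-2024-00001", ["https://example.invalid/poc-1"])
    + [evidence_from_cvss_temporal("CVE-2024-00001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C")]
    + [evidence_from_cvss_temporal("CVE-2024-00002", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C")]
)
SAMPLE_EVIDENCE = [e for e in SAMPLE_EVIDENCE if e is not None]


if __name__ == "__main__":
    for cve in ("CVE-2024-00001", "CVE-2024-00002", "CVE-2024-00003"):
        status, refs = classify(cve, SAMPLE_EVIDENCE)
        print(cve, status, [r.reference for r in refs])
```

Keeping the source name on each record means a report can still say where the sign came from after normalization, which matters when, as noted elsewhere on this page, a “GitHub exploit” turns out to be only a detection utility.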

🔹 I fixed a bug due to which it was not possible to force the vulnerability type to be set from the Custom Data Source.

🔹 During simplified detection of product names for generated Microsoft vulnerability descriptions, product descriptions can now also be matched via alternative_names.

🔹 I fixed a bug with Vulristics crashing when generating a Microsoft Patch Tuesday report while searching for an MSPT review from Qualys. […]

Changelog
Uncompressed picture
In Russian

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be read as meaning that a guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often end up being exploited.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

In Russian