Tag Archives: Windows

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased

Leave a reply

The severity of the Elevation of Privilege - Windows Kernel (CVE-2024-30088) has increased

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased. The vulnerability is fresh, it is from the June Microsoft Patch Tuesday. I highlighted it in the review because, according to the CVSS vector, there was a private Proof-of-Concept Exploit for it. But there were no details. It was only clear that in case of successful exploitation, the attacker gains SYSTEM privileges. According to the ZDI advisory, the vulnerability affects the implementation of NtQueryInformationToken and is due to the lack of proper locking when performing operations on the object.

On June 24, 2 weeks after the June Patch Tuesday, a repository with technical details on this vulnerability and PoC appeared on GitHub. A video of running the utility to obtain SYSTEM privileges is also available.

A lot of exploits have begun to appear for Windows EoP/LPE vulnerabilities recently. Fix them in advance!

На русском

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

Leave a reply

The criticality of the Elevation of Privilege - Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased. If exploited successfully, the attacker gains SYSTEM privileges. The vulnerability was fixed in Microsoft’s March Patch Tuesday. As often happens, no one highlighted this vulnerability back then. 🤷‍♂️

However, 3 months later, on June 12, Symantec researchers reported attacks related to the famous Black Basta ransomware, in which exploits for this vulnerability were used. If we believe the compilation timestamps, these exploits were created long before the release of Microsoft’s patches, in February 2024 or even December 2023. Of course, attackers could fake them, but why would they do that? 🤔

On June 13, the vulnerability was added to CISA KEV. The exploit is not yet publicly available.

The moral is the same: vulnerability prioritization is good, but regular unconditional patching is better.

На русском

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

Leave a reply

The criticality of the Elevation of Privilege - Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically. The vulnerability is from Microsoft’s April Patch Tuesday. In April, no one highlighted this vulnerability at all.

Microsoft wrote about it “Exploitation Less Likely”. All that was known was that if exploited successfully, the attacker could gain SYSTEM privileges.

But 2 months later, on June 10, an exploit appeared on GitHub. 🤷‍♂️ Surprise! The criticality of the vulnerability has increased dramatically.

Could this be somehow predicted? IMHO, not at all. Another confirmation that predicting trending vulnerabilities is, of course, good, but does not cancel regular unconditional patching according to the established SLA (AIT).

The author of the exploit clarified the CWE of the vulnerability.

It was: CWE-122 – Heap-based Buffer Overflow

It became: CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

На русском

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution – Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year’s QueueJumper (CVE-2023-21554).
🔸 Denial of Service – DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege – Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft’s CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It’s enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution – Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution – Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let’s wait for details. 😈
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

Leave a reply

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks. I already had a post about this vulnerability earlier. Now Imperva Threat Research reports that this vulnerability is being used by attackers to deliver malware identified as a component of the TellYouThePass ransomware.

⏳ The attacks were noticed on June 8, less than 48 hours after the PHP developers released a patch. The attacks used an exploit that by that time was already publicly available.

TellYouThePass attacks have been reported since 2019. They target enterprises and individuals. Attackers encrypt both Windows and Linux infrastructure.

What conclusions can be drawn? If you see a vulnerability with a public exploit and a more or less clear vector of exploitation, don’t be lazy to patch it as quickly as possible. Because attackers will definitely not be too lazy to add this exploit to their malware. 😉

На русском

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Leave a reply

Critical Remote Code Execution - PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit. CVSS 9.8. On June 6, PHP developers released an update to fix an RCE vulnerability which exists due to incorrect work with the Best-Fit encoding conversion function in the Windows operating system. An unauthenticated attacker performing an argument injection attack can bypass protection against the old actively exploited RCE vulnerability CVE-2012-1823 using certain character sequences and thus execute arbitrary code. Exploits for the vulnerability are already available on GitHub. The Shadowserver Foundation has noticed active scans aimed at detecting vulnerable hosts. 👾

The vulnerability affects all versions of PHP installed on the Windows operating system.

🔻 PHP 8.3 < 8.3.8
🔻 PHP 8.2 < 8.2.20
🔻 PHP 8.1 < 8.1.29 PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are already in End-of-Life and are not supported. 🤷‍♂️ It is specifically emphasized that all XAMPP installations are also vulnerable by default. XAMPP is a free and open-source cross-platform web server solution containing Apache, MariaDB, PHP, Perl and a large number of additional libraries. If updating to the latest version of PHP is not possible, researchers from DEVCORE suggest configuration recommendations that prevent vulnerability exploitation. However, these recommendations apply to installations on Windows with certain language locales (Traditional Chinese, Simplified Chinese, Japanese) for which the exploitation of the vulnerability has been verified. For other locales, due to the wide range of PHP use cases, it is currently impossible to fully list and exclude all potential exploitation scenarios. Therefore, users are advised to conduct a comprehensive asset assessment, check PHP usage scenarios, and update PHP to the latest version.

На русском

Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP

1 Reply

Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP. Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report.

Alternative video link (for Russia): https://vk.com/video-149273431_456239106

Continue reading