Monthly Vulners Review #2

Vulners events
The most interesting vulnerabilities of the month
Very few tools
News with almost no attacks

Vulners events

There have been several events for Vulners this month:

  1. Intergated with project: which we mentioned at Vulners weekly digest #5;
  2. Vullners integrated with data about Apple vulnerabilities. Mentioned at Vulners weekly digest #7;
  3. Update our contacts 🙂 Anyone can contact us through any way;
  4. Made a survey for feedback:

We are constantly experimenting with the format of our posts. At this time, we decided to show the maximum number of the most interesting vulnerabilities this month and not to divide by platforms as in the previous monthly post.


Microsoft wouldn’t be themselves if their next monthly update didn’t break something. So it broke…

Released on may 12, the monthly update of Windows 10 KB4556799 may cause LTE modems (internal or external) to stop working. In this case, Windows will show that there is a network. And it’s not really there.

Microsoft promises to solve the problem in the nearest fix.

Ambiguous vulnerabilities

According to vulners AI score, there are some ambiguous vulnerabilities (low CVSS with high AI score or without CVSS).

(bulletinFamily:exploit OR bulletinFamily:NVD) AND enchantments.score.value:[6 TO 10] AND cvss.score:[0 TO 6] AND order:viewCount last month

A few examples from this month are below:

Few PoCs for few vulnerabilities in the ManageEngine

ManageEngine is one of the most popular software solutions for managing IT infrastructure (typical Help Desk)

CVE-2020-11531Data Security <v6.0.1Path TraversalPoC for CVE-2020-11531
CVE-2020-11532Data Security <v6.0.1Authentication BypassPoc for CVE-2020-11532
CVE-2020-8838Windows agent <v6.5Remote Code ExecutionPoc for CVE-2020-8838

All these vulnerabilities were disclosed on may 5.

Kill-chain with IBM Data Risk Manager


IDRM is a special software platform designed to collect threat data from various security systems. Thanks to this principle IDRM is well suited for evaluating an organization’s cyber risks.

If attackers compromise this component, it is highly likely that they will be able to completely compromise the organization. Please note that IDRM stores the credentials used to access other security products. Moreover, the platform contains information about the company’s critical vulnerabilities.

The three vulnerabilities can be linked in a kill-chain, which will allow the attacker to remotely code execution with high privileges.

The metasploit module includes CVE-2020-4427, CVE-2020-4428, CVE-2020-4429:

Pi-hole <= 4.4 RCE

Pi-hole is a Linux-based assembly that allows you to block ads and save sensitive data while on the network. Blocking takes place at the DNS level and allows you to flexibly configure lists of banned resources.

CVE-2020-11108: Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This opportunity can be abuse for arbitaru code execution by writing to a PHP file in the web directory. Exploit:

Metsploit module:

Top 10 Routinely Exploited Vulnerabilities


This month, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals.

For each of the mentioned vulnerabilities it is specified which malware it was found in, when it was fixed, IOCs and etc. The list of vulnerabilities includes vulnerabilities from 2012 to 2019:

And vulnerabilities in 2020, which managed to be remembered in various events:

You may notice that there are links at the bottom of each Vulners page with a vulnerability. These links include all news and events that will be associated with the vulnerability. Example for CVE-2017-11882:


This feature allows you to perform your own analysis of these vulnerabilities and prioritize them for your own purposes.

High-profile vulnerabilities of the month

A new type of DoS attack using the DNS protocol is called NXNSAttack.
Briefly: An attacker sends a request to the Openresolver server, redirecting it to his controlled authoritative server, which responds with a long list of NS victims’ servers (most often spoofed names).
Openresolver takes this list and begins to query the victim’s DNS for information about these addresses, which causes a large number of NXDomain messages, which leads to an increase in server load. In fact, the attack is directed only at the target DNS server.
At the moment, the only salvation is to install patches on your DNS servers and configure polling limits.

According to research, the gain when attacking the BIND server (9.12.3) can increase the attack by 1000 times (Packet Amplification Factor, PAF).

BIND (CVE-2020-8616)
Knot (CVE-2020-12667)
PowerDNS (CVE-2020-10995)
Windows DNS Server
Unbound (CVE-2020-12662)
as well as public DNS services of Google, Cloudflare, Amazon, Quad 9, ICANN and other companies.


Symantec endpoint privilege escalation

The exploitation of CVE-2020-5837 allow for low privileged user to create a file anywhere in the system. The attacker partially controls the content of the file. There are many ways to abuse this issue. Vulnerable version prior to 14.3

Video PoC Step By Step:

CVE-2020-5837 PoC


Most of the most interesting and fresh tools that appear we publish in our weekly reviews.


Powershell script obfuscator meant for red teamers. Takes the original command name and displays the obfuscated command name to be used in Powershell.


Malicious Android apk generator (Reverse Shell)


RAT for Discord written in Python3. You can generate binart fle, deploy bot on your own server and after that get access. We don’t know the practical meaning of this tool, but it’s a cool idea.

Thomas Brewster, a Forbes journalist who raised the fuss, said that Xiaomi will make an option that allows the user to disable data collection in incognito mode. The new privacy setting now allows Mi Browser users to disable aggregated data collection feature while in Incognito Mode, but it bears noting that it’s not enabled by default.

If Xiaomi was serious about its “commitment to user privacy,” it would have sought users for their explicit consent. In its present state, it’s just an illusion of control.

In Ukraine, the data broker Sanix was arrested, which is accused of involvement in trading stolen user data. Hacker has been engaged in its malicious activities since at least 2018. The Ukrainian did not break anything, but collected and resold data obtained in the course of other hacks.

Sanix was reportedly involved in data collections Collection #1, #2, etc., which appeared in January 2019 and contained a total of more than 3.5 billion. email addresses, passwords, and phone numbers.

EasyJet Suffers Data Breach

British low-cost airline EasyJet reported a leak of information about 9 million customers and data of 2208 Bank cards. The airline claims that the data was obtained by hackers during a technically sophisticated cyberattack.

The leaked data included the email addresses and information about the flights. The company claims to have found no evidence that this data was used maliciously. EasyJect will contact customers affected by the leak in the coming days, with a deadline of may 26. The company has already contacted those customers whose Bank card details were stolen, the report said. Passengers ‘ passport details were not leaked.

The publication Motherboard, whose journalists are closely following the lawsuits between Facebook and the Israeli NSO Group, has unearthed yet another detail of Semites’ not entirely legal activities.

NSO produces Pegasus software designed to hack WhatsApp, and sells it all over the world to law enforcement agencies, intelligence agencies and private security companies. WhatsApp is being sued by Facebook.

Motherboard was able to obtain information from a former NSO employee who anonymously transmitted data regarding the Israeli company’s infrastructure, in particular the IP address used to infect the Pegasus victim. It turned out that between 2015 and 2016, several domains were tied to that IP. These included domains impersonating the resource of the Facebook security team and the FedEx parcel tracking service.

It was suspected that this IP address belonged to Amazon. That is, the Israeli NSO used a phishing page Facebook to infect smartphones from the American server. Nice 🙂

The RagnarLocker operator first installs Oracle VirtualBox on the compromised system and configures its full access to all local and shared disks. Then MicroXP v0.82 (stripped-down Windows XP SP3) is installed on the virtual machine and RagnarLocker is placed on it.

In this way, ransomware hides from antiviruses, as all the actions taken to encrypt the infected system files are performed by the VirtualBox process. This trick was revealed by the British antivirus Sophos, which says that it is the first time it has encountered such a trick.

VirtualBox is signed and antiviruses are treated less suspiciously by the signed processes. But as soon as this technique becomes mass, a detective will appear. It is possible to generate many ways of changing the file system with the help of white software, but such ways will not work very long.

Please leave your feedback. It takes less than one minute and helps us get better:

Jailbreak for any IOS devices

Last weekend, a team of information security experts and reverse engineers introduced a new version of the Unc0ver jailbreak (5.0.0). This tool works for almost any iPhone, even with the latest iOS 13.5 on board.

Unc0ver authors say it exploits a zero kernel vulnerability in the iOS kernel, which Apple experts are not yet aware of. The vulnerability was discovered by one of the team members, who is known under the pseudonym Pwn20wnd.

Pwn20wnd himself says that for the first time in five years, jailbreak is relevant even for the current, most recent version of the operating system. The last time a similar tool was released in 2014. The fact is that usually jailbreaks exploit old vulnerabilities in iOS and, accordingly, do not work with the current version of the operating system, where these “holes” are already fixed. As a result, owners of jailbroken devices often prefer not to just update the OS.

Shortcomings of the Jailbreak:

  1. iOS is one of the most secure operating systems, including due to the fact that the user has no access to the file system. If access to it is open, what happens when jailbreaking, picking up a trojan or a virus becomes much easier.
  2. Installing Jailbreak may cause problems with the device. Sometimes it happens that the iPhone or iPad turns into a “brick”, and often through the fault of the user, if he did not perform the action that he sees on the screen during the jailbreak procedure. Responsibility for this, of course, lies only with the owner of the device.
  3. Jailbreak void iPhone or iPad warranty.

At the same time, Pwn20wnd claims that the use of an unknown 0-day problem and jailbreak of devices with its help do not affect security in any way. It does not open the device for attacks. According to Pwn20wnd, Apple experts will release a patch for a new vulnerability in the next 2-3 weeks.

Unc0ver developers also write that they tested their jailbreak on iOS versions 11 to 13.5. Jailbreak does not work only for iOS versions 12.3 through 12.3.2 and 12.4.2 through 12.4.5.

Vulners weekly digest #8

Three traditional sections in our weekly digest. Enjoy!

Vulnerabilities and attacks

Last week, Microsoft released its monthly update – ‘the second Tuesday patch’, which we haven’t mentioned yet, but it was done by Aleksendr Leonov in his blog. On his blog, he gave a brief overview of this update.

Various researches have been published this week on several vulnerabilities from the Microsoft’s patch. Any road to an exploit starts with strong research 🙂

Ntlm relay with CVE-2020-1113

For a long time, many attackers like to use the NTLM realy technique in their operations. Firstly, there are many different protocols with which this can be implemented. Secondly, such attacks are difficult to detect at all stages of implementation.
Best explanation of how it works:

NTLM relay has been used and reused in several attacks:

CVE-2020-1113 was fixed in the may update of Microsoft’s. Read detailed research about update ntlmrelayx in impacket and adding support for the RPC protocol:

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth CVE-2020-1048

CVE-2020-1048 was fixed in the May update of Microsoft’s. The research was released on the same day as the vulnerability fix 😉 Using Windows Print Spooler to elevate privileges, bypass EDR rules, gain persistence, and more. The full research consists of 2 parts:


PoC with Empire:


This vulnerability is also from the may update. Analysis in reasearch from checkpoint:


It’s time to close the topic with saltstack, because everything has already been overwied:

Metasploit module:

vBulletin SQL Injection CVE-2020-12720

vBulletin is a commercial forum engine and WCMS developed by Internet Brands Inc. This software is written in PHP and uses a MySQL server to maintain its database.

National Vulnerability Database (NVD) is also analyzing the flaw and revealed that the critical flaw originated from an incorrect access control issue that affects vBulletin before 5.5.6, 5.6.0 before 5.6.0, and 5.6.1 before 5.6.1.

Automation for exploit:

Easy for CVE-2019-15083

PoC for Cross-Site Scripting in ManageEngine Service Desk 10.0 (Software for IT support service). It might be interesting for red team operations to gather additional info or lateral movements:

Win Brute Logon

Our strength is in undocumented opportunities

Useful information about password brute force in Windows.

Open Account Lockout Policy and edit value Account lockout threshold with desired value from (1 to 999). Value represent the number of possible attempt before getting locked.

LockDown Policy wont work on Administrator account. At this moment, best protection for Administrator account (if Enabled) is to setup a very complex password.

BloodHound reports for blue teams

The tool was released on May 14th, 2020 during a Black Hills Information Security webcast, A Blue Teams Perspective on Red Team Tools.


Take webcam shots from target just sending a malicious link


Reverse shell using Windows Registry files (.reg)

Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted ProLock operations

The Ransomware is delivered to the compromised system using the Qbot Trojan. ProLock was first recorded in March 2020. What’s interesting about ProLock is that, as the FBI says, ransomware is written with mistakes, so it can spoil encrypted files larger than 64MB when decrypted.

Pay $42m or Trump’s ‘dirty laundry’ goes online


On May 12, hackers attacked the resources of the New York law firm Grubman Shire Meiselas & Sacks and stole 756 Gb of confidential documents from its clients. Founder Allen Grubman is the most famous entertainment lawyer who works, among others, with Madonna, Lady Gaga, Elton John, Robert De Niro and U2.

Then the hackers demanded a ransom of $ 21 million. The investigation was undertaken by the FBI. At the same time, the feds reported that this hacking is an act of international terrorism (?!), And they are not negotiating with terrorists and will not pay the ransom. The group responsible for ransomware Sodinokibi was named guilty of hacking.

However, on Thursday the situation changed. Hackers said that they had scanned the stolen data array and found there the “dirty laundry” of US President Trump, so the ransom amount doubled – up to 42 million dollars.

‘ThunderSpy’ Attack

Research from the Dutch engineer björn Rotenberg (Björn Ruytenberg), who revealed new attack vectors for the Intel Thunderbolt 3 Protocol.

Thunderspy, as the researcher called his new attack vectors that allow an attacker to steal data from encrypted disks or read and write all system memory, even if the computer is locked or in sleep mode.

There is no protection for vulnerable devices other than physically disabling Thunderbolt. Even the software shutdown of Thunderbolt was bypassed by Roitenberg. Windows, Linux, and partially MacOS PCs – vulnerable.

Such vulnerabilities have little application to commercial hacking because they require even short-term, but mandatory physical access to the device under attack. But for law enforcement agencies, organizing such access is a common thing. That is, knowledgeable agencies have been able to gain access to computer content without compromise since at least 2011, when Thunderbolt appeared.

Vulners weekly digest #7

+1 integration for Vulners: undefined
Old and fresh vulnerabilities
Various news


This week Vullners integrated with data about Apple vulnerabilities!

Already available at Vulners DB:


Update news on vulnerabilities from our latest digest and sth new!

Gitlab exploit


Automation to exploit one of the latest vulnerabilities in gitlab. Of course, it’s possible to exploit it without it, but it’s always nice when automation for such exploitation appears.

Latest news about Saltstack


Continuation of the story that f-secure started. The first affected mobile operating system is LineageOS. Then a large blogging platform Ghost, with more than 750 thousand users. Then Digicert, Xen Orchestra and a number of small companies followed.

The exploit, which uses the vulnerabilities identified By f-Secure in Salt, was published on GitHub by several users at once and the metasploit module is also on the way:undefined

Full detailed timeline and other info about saltstack vulnerabilities:

Trixbox CVE-2020-7351

Trixbox is open-source system for deployment VoIP (asterisk inside). Vulnerability in Trixbox version 1.2.0 to inclusive in the “network” POST parameter of the “/maint/modules/endpointcfg/endpoint_devicemap.php” page. Successful exploitation allows for arbitrary command execution on the main operating system as the “asterisk” user.


SharePoint CVE-2020-0932 RCE

Microsoft in their last “The second Tuesday patch” announced fix for six vulnerabilities in SharePoint. There is no indication from the vendor why some of these vulnerabilities are rated as important, while others are rated as critical.

The most detailed write-up with great PoC:

SharePoint is used by many companies and accordingly attackers in their work, so you should not postpone updating your SharePoint servers.



Socks Over RDP:

“As penetration testers we frequently find ourselves in a situation where the only access that we are provided to a server or network is a Remote Desktop account. These servers are commonly called Jump boxes. It means that we need to perform our testing via this server. This usually introduces a few extra steps that takes time from us and our clients to setup and configure.”

Brute Shark:
Network Forensic Analysis Tool with usefull GUI and interesting functions. It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack.

Two BruteShark versions are available, A GUI based application (Windows) and a Command Line Interface tool (Windows and Linux).

This project is inspired by Print-My-Shel, which we cpecified in our previous weekly digest.

GDBFrontend is an easy, flexible and extensionable gui debugger.



Conferences 😦
Microsoft 🙂

Major Cybersecurity Conferences

Black Hat USA and DEFCON 28 Cyber Security Conferences will not be held in person this year due to the coronavirus pandemic. Instead, both conferences will be transformed into fully virtualized events. Black Hat USA on Aug. 1 to 6, 2020, and DEF CON 28 on Aug. 7 to 9, 2020.

DEF CON remote events will include a new on-line Mystery Challenge, a DEF CON is Canceled music album, remote CTFs (including Hack-a-Sat, Villages like the Packet Hacking Village, contests like the TeleChallenge, and Ham Exams) and a remote movie night and drink-up, he said.

Black Hat USA will be adapted into a virtual format that will be available for the entire global infosec community. More details on how the virtual conferences:

Microsoft damn…

The hacker group Shiny Hunters reported to the editorial Board that they hacked Microsoft’s GitHub account and got full access to the software company’s private repository.

Shiny Hunter downloaded 500Gb of closed projects that they initially wanted to sell, but now decided to place on the network for free download. The hack itself appears to have occurred on March 28.

As a teaser, hackers posted 1Gb of stolen data on a closed forum, but not all forum users considered the posted information real. Microsoft employees also say that the leak is fake, but the company does not officially comment.

APT Naikon

Check Point has released a report, which reported on the recent disclosure of a long-running and large-scale cyber operation involving the use of the new Aria-body backdoor and directed at public authorities in the Asia-Pacific region, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. The company has been running since at least 2018, and most likely since 2017.

Based on the analysis of the Aria-body functionality, Check Point concludes that the main purpose of cyber operations is to gather intelligence. This includes not only hunting for documents that hackers are interested in, but also extracting data from removable media, recording screenshots, and keylogging.

Analysis of the Aria-body code revealed sufficient similarity with the XsFunction backdoor code, which, along with a partial intersection of the infrastructure of control centers, allowed us to talk about the involvement of the Chinese APT Naikon aka APT 30 and Override Panda in the new cyber operation. There has been no news about APT Naikon since 2015. The group has previously worked actively against countries bordering the South China sea.

Overview of the research:

Technical details with IOCs:

Vulners weekly digest #6

This review is more about exploiting vulnerabilities in attacks on various areas. We also gave examples of why security updates should not be ignored.

The most interesting vulnerabilities

If you use any tools / systems that are mentioned in this section, it is recommended to install security updates.

Gitlab multiple vulnerabilities

Many companies use such enterprise tools like Jira, Gitlab, Bitbucket and etc. Therefore, these tools are often a sweet target for attackers.This week a security patch was released to fix 13 vulnerabilities in Gitlab:

  • Path Traversal in NuGet Package Registry CVE-2020-12448. It allows to use a malicious NuGet package to read any *.nupkg file on the system.
  • OAuth Application Client Secrets Revealed CVE-2020-10187. It allows for any user to retrieve OAuth application client secrets after authorizing
  • Update Nokogiri dependency. Security fix for CVE-2020-7595
  • Update git. Security fix for CVE-2020-11008

The official description of remaining vulnerabilities:
These issues have been fixed in the latest release, and for many of them, the CVEs is pending status.
For one of the critical vulnerabilities software developer William Bowling (@vakkz) resieved 1k$ (Path Traversal) + 19k$ (RCE) = 20k$ with detailed info in his report.
Great work!



New metasploit module based on CVE-2019-15752 with local privilege escalation via Docker-Credential-Wincred.exe. This exploit leverages a vulnerability in docker desktop community editions prior to You can write a payload to a lower-privileged session to be executed automatically by the docker user at login.

Salt Bugs story


  • In mid-March this year, F-secure identified 2 vulnerabilities – CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory-traversal) in the open-source Salt management framework. Vulnerabilities allow full remote code execution as root on servers in data centers and cloud environments
  • On April 29, Saltstack released a version of Salt V. 3000. 2, in which the vulnerabilities were fixed.
  • April 30, F-secure published write-up about vulnerabilities with the following note: “We expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.” It looks like a challenge for any security enthusiast, isn’t it? 🙂
  • A day after this publication, attacks began on the servers of the mobile operating system LineageOS. The developers said that the attackers used vulnerabilities in Salt.
  • A few days later, a popular blogging platform was also attacked, using vulnerabilities in Salt. The platform with 2 million installations, including organizations such as Nasa, Mozilla and DuckDuckGo.

F-Secure formally survived the time after the publication of the security updates, but it was clearly not enough for the vendors to update their systems and products.
p.s. the vulnerability is really easy to exploit 😉


Sysmon update v11.0 including features like file delete monitoring, reducing Reverse DNS lookup noise and more:

Shell code generator for the tiny ones. A useful tool to quickly generate shell code during CTF or other testing activity.

ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. Meet one of the first versions of the BloodHound for AzureAD!


Ruthless ransomware, APT groups and Teams instead of ZOOM

Ransomware groups continue to target critical services

Microsoft Detection and Response Team (DART) has published an interesting post about ransomware and tips on how to deal with them. So far, attacks have affected aid organizations, medical billing companies, manufacturing, transportation, and government agencies. Ransomware attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

To get access to target networks, recent extortion campaigns have used systems with Internet access with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication
  • Old platforms like Windows Server 2003 or Windows Server 200 without actually security updates
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) with CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

All ransomwares deployed in the same way and used mostly the same attack techniques. Ultimately, the specific ransom payload at the end of each attack chain was almost exclusively a stylistic choice made by the attackers.

List of active ransomware:

  • RobbinHood
  • Vatet loader
  • NetWalker
  • PonyFinal
  • Maze
  • REvil (aka Sodinokibi)
A motley crew of ransomware payloads

Few of these groups have gained fame for selling data, almost all of them have been seen viewing and filtering data during these attacks, even if they have not yet been advertised or sold. Currently, situations more often occur when, after the publication of vulnerabilities for a system/tool, a very short period of time elapses before an exploit/PoC appears.
Full report with technical datails:

Maze Ransomware – this week’s winner

Operators of the Maze ransomware were able to become famous a little more than others and compromised the network of the state Bank of Costa Rica (Banco BCR), as a result of which, among other things, they stole the data of 11 million Bank cards.

On their press release, hackers claim that they first gained access to the Bank’s network back in August 2019, but did not encrypt the data, because “the probable damage could have been too much for the bank”

Press release from Maze operators

As proof of theft, Maze published the numbers of 240 credit cards without the last 4 digits, as well as their expiration dates and CVC codes:


Recently, the American IT giant Cognizant, a company from NASDAQ-100, confirmed that it was hit by the Maze ransomware . Considering 30 billion dollars of capitalization of the company the sum of the repayment for data should make not one million, and even not one tenth of millions dollars.

PerSwaysion attacks

Group IB has released a report on the investigation of a series of phishing attacks under the symbol PerSwaysion.

PerSwaysion operation also lured victims with a non-malicious PDF, and later Microsoft file sharing services, including Sway, are used-hence the name of the phishing campaign. The hackers target high-level employees in the financial, legal, and real estate industries. Geographical preferences – USA, Canada, Singapore, Germany, UK, Netherlands, Hong Kong.

According to researchers, behind a series of attacks there are several hacker groups using the same infrastructure. Most of the PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa who used a Vue.js JavaScript framework-based phishing kit, evidently, developed by and rented from Vietnamese speaking hackers.

Group-IB has also set-up an online web-page where anyone can check if their email address was compromised as part of PerSwaysion attacks—however, you should only use it and enter your email if you’re highly expecting to be attacked.

Microsoft Teams


Recently there has been a lot of news about holes in the ZOOM video conferencing service. But, as it turns out, their competitors are also not far behind.

The researchers found that in the process of delivering images, Microsoft Teams uses two authentication tokens “authtoken” and “skypetoken”, the second is generated using the first and with it you can intercept the Microsoft Teams account. The “authtoken” token can be obtained by attacking the “teams .microsoft .com” subdomains. And two such CyberArk subdomains were found – this is “aadsync-test .teams .microsoft .com” and “data-dev .teams .microsoft .com”.

According to CyberArk, they transferred all the data to Microsoft and they eliminated the vulnerability, including the incorrect configuration of the domain “teams .microsoft .com”.

Vulners weekly digest #5

+1 integration for Vulners
Review fresh vulnerabilities without Microsoft
News without COVID-19 and ZOOM

This week the Vullners integrated with a new great project:

It is already available:

Vulnerabilities, exploits or PoCs

Is it possible to make a digest without vulnerabilities in microsoft products? Let’s try to do it!

Multiple vulnerabilities in the IQrouter

Information security researchers often like to deal with noname network devices and find all sorts of vulnerabilities in them. This week’s target was the IQrouter and its firmware version 3.3.1:

The researcher also made an example of exploiting all these vulnerabilities:

RCE PoC for Sysaid v20.1.11

Sysaid is a free Help Desk software for IT support. CVE-2020-10569 allows unauthenticated access to upload any files, which can be used to execute commands on the system by chaining it with a GhostCat attack. Attackers could read app configuration files and steal passwords or API tokens, or they could write files to a server, such as backdoors or web shells:

Oracle Solaris

CVE-2020-2944 in this UNIX OS for versions 10 and 11. Vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise it. Oracle has released a fix for all affected and supported versions of Solaris in the Critical Patch Update of April.


Multiple vulnerabilities in the QRadar Community Edition

QRadar one of the most famous SIEM system. Community edition is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use. Too many vulnerabilities were found in one of the latest releases of this version:

At the time of publication of this digest, the latest version of the QRadar is V7. 3. 3


Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.

Get chromium browsers: passwords, credit cards, history, cookies, bookmarks.

Pwned is a simple command-line python script to check if you have a password that has been compromised in a data breach. The full scheme of the script:


MITRE releasing the results of evaluations
Apple zero-days in Mail app
The Incident Response Challenge 2020 – $$$

MITRE ATT&CK Evaluations

The main event of the week for many information security vendors – results of MITRE evaluation methodology based on APT29:

In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors with their endpoint detection and response (EDR) products, using its now industry-standard open methodology, the ATT&CK framework.

For complete evaluation results, you can review the data published on the MITRE website.

VMware Carbon Black results:
Microsoft ATP results:



On April 22, ZecOps announced the use of two 0-day vulnerabilities in the Mail application in the wild, allowing full control of the correspondence of the attacked user on the entire line of iPad and iPhone devices.

Secops reported that it recorded the use of exploits in relation to:

  • employees of us companies from the Fortune 500 list;
  • Director of a carrier company from Japan;
  • German VIP;
  • MSSP (Managed Security Service Provider) from Saudi Arabia and Israel;
  • European journalist;
  • as well as suspicion of hacking the head of one of the Swiss companies.

To this Apple responds as expected “We have studied the zecops report and concluded that the identified errors do not pose a threat to users. We will close them in the next updates.”

ZecOps also promises to post more technical information about errors and the facts of their use after the patch is released.

The Incident Response Challenge 2020

Cybersecurity firm Cynet 21-st April announced the launch of a first of its kind challenge to enable Incident Response professionals to test their skills with 25 forensic challenges that were built by top researchers and analysts.

The challenge is available on and is open to anyone willing to test his or her investigation skills, between April 21st and May 15th.

Are you a hands-on forensic researcher, SOC analyst, or malware analyzer? Go to, get your hands dirty, and beat your peers to get the first prize!

Monthly Vulners Review #1

The first monthly vulners review.
Main Vulners events.
Only critical and important vulnerabilities.
Some intersting tools.
The most entertaining and flashy news.

Vulners events

There have been several events for Vulners this month:

  1. The revival of the blog;
  2. Translation of research Hidden Threat – Vulnerability Analysis using the news graph from Lydia Khramova;
  3. Intergated with Exploit Pack collection, which we mentioned last week;
  4. Appearance and description of the functionality OSS-Fuzz data in Vulners.

Vulnerabilities and Exploits

Of course we start with short review ‘The second Tuesday from Microsoft’.

This month’s Microsoft Patch Tuesday addresses 113 vulnerabilities and 19 of them – Critical.

0-day in font library

Microsoft patched two vulnerabilities (CVE-2020-0938 , CVE-2020-1020) in the Adobe Font Manager Library that were announced in March. We wrote about them at the beginning of the weekly digest #2.

For exploit these vulnerabilities, an attacker need to socially engineering, so that the user opens a malicious document or viewing the document in the Windows Preview pane.


If you use it, you will need to monitor for security updates. Microsoft released patches for SharePoint covering four RCE vulnerabilities (CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974). An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint. And one XSS CVE-2020-0927 that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.

Kernel zero-day

The other zero-day is an elevation of privilege vulnerability CVE-2020-1027 in Windows kernel, discovered by the Google Project Zero team.

Hyper-V Escape

A remote code execution critical vulnerability CVE-2020-0910 is patched in Hyper-V, allowing a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host.


HP ThinPro is a linux based operating system. This month we’re looking at two PoCs for two vulnerabilities for 6.x/7.x versions of this OS:

  1. PoC for CVE-2019-18910 Privileged Command Injection Vulnerability. The VPN does not safely handle user’s input data, it is therefore possible for an attacker to inject any commands to execute with root privileges on the device.
  2. PoC for CVE-2019-16286 Filter Bypass Attackers can btpass the restrictions that administrators set to run users’s applications to launch restricted applications and execute arbitrary commands on the device.

Centos Web panel
CWP is a free Web Hosting control panel designed for quick and easy management of (Dedicated & VPS) servers. CVE-2020-10230 or SQL injection in Centos Web Panel 7 and 6 via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.


CVE-2020-1934 AND CVE-2020-1927 are some of the most popular vulnerabilities in the month.Vulnerable versions 2.4.x < 2.4.42. As history shows: If you find exploit for one of them, you will soon read about it in attacking news.

  • CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server;
  • CVE-2020-1927: redirects via mod_rewrite l might be fooled by encoded newlines and redirect instead to an unexpected (malicious) URL.

Exploit for Apache Solr <8.3.0 / CVE-2019-17558
Apache Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Solr can run as a standalone full text search server.

Metasploit module allows RCE via custom Velocity remplate. After identifying a list of Solr core names an attacker can send a specially crafted HTTP POST request to the Config API. Enabling resource loader in the solrconfig.xml file to true allow an attacker to use the Velocity template parameter in a specially crafted Solr request, leading to RCE. Currently, this module only supports Solr basic authentication


Nexus Repository Manager
RCE in Nexus <3.21.2 – CVE-2020-10199. Nexus is a very popular repository manager from Sonatype. It allows you to raise such a small Maven Central within your project.

Metasploit module exploits a Java Expression Language (EL) injection in Nexus Repository Manager to execute code like Nexus user. It is a post-authentication vulnerability, so credentials are required to exploit it. Any user regardless of privilege level may be used

Liferay Portal < 7.2.1
Liferay Portal is an open-source solution designed for centralized access to several different corporate applications in one place. Exploit for CVE-2020-7961 allows to execute remote arbitary code via JSON web services (JSONWS).


PlaySMS is a free and open source SMS management software and in th version <1.4.3 does not sanitize inputs from a malicious string. The TPL( template language is vulnerable to PHP code injection. The vulnerability is triggered when an attacker provides a username with a malicious payload. This malicious payload stored in the TPL template, which when re-rendered leads to code execution.

Exploit tested on the machine from Hack the box (Forlic):

Horde CVE-2020-8518
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, iCalendar, vCard, etc., leading to remote code execution. Vulnerability allows authenticated users to inject arbitrary PHP code thus achieving remote code execution the server hosting the web application.


ThinkPHP – two in one combo
ThinkPHP is a open-source PHP framework. The metasploit module contains CVE-218-20062 and CVE-2018-9082 and use one of them for code injection as the web user. The module will automatically attempt to detect the version of the software.


In this part, we will list the most popular tools of the month that have just appeared or received an update.



mssqlproxy is a toolkit for lateral movement through a compromised Microsoft SQL Server via socket reuse. The client requires impacket and sysadmin privileges on the SQL server.

Attacks on industrial MS SQL are not common. This attacking attack technique is used by advanced attackers. It is not surprising that someone came up with and wrote a kind of reverse proxy

Detailed report about MS SQL CLR (check presentaition in the video description):
Other nice research about this theme:

Puma Security Serverless Prey

Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container. Usually attackers develop custom tools of this kind or significantly modify existing ones.

Jackdaw – Tool To Collect All Information In Your Domain And Show You Nice Graphs
Look for description Vulners weekly digest #3


Project iKy v2.4.0

The utility and functionality of the tool is in doubt. According to the authors this tool to collect information from an email and shows results in a visual interface

Look for description at Vulners weekly digest #4

uDork – Google Hacking Tool
Look for description Vulners weekly digest #1

Purple teaming

It’s a good idea to check the sensational exploit and write new correlation rules: CVE-2020-0796 Windows SMBv3 LPE Exploit


_______       _____________          
_______       _____________          
___    |___  _______  /__(_)___  __  
__  /| |  / / /  __  /__  /__  |/_/  
_  ___ / /_/ // /_/ / _  / __>  <    
/_/  |_\__,_/ \__,_/  /_/  /_/|_| 
Automation for Windows Event Audit Policies for monitoring & incident response.


Look at Vulners weekly digest #3


Monthly rockstarts: COVID-19, Trickbot and ZOOM

COVID-19 and attacks

Attacks on hospitals were detected between 24 and 26 March and were initiated as part of coronavirus-related phishing campaigns that have become widespread in recent months.

The disclosure from Palo Alto Networks comes as cyber attacks have been hit in the past few weeks by the US Department of health and human services (HHS), biotech firm 10x Genomics, Brno University hospital in the Czech Republic and Hammersmith Medicines Research.

The theme of the pandemic and COVID-19 is an ideal target for the threat actors and cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.

Ransomware and Trickbot

The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a text format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.

When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it.

The ransomware binary then encrypts various files extensions, including “.DOC”, “.ZIP”, “.PPT” and more. Some hospitals have been targeted by the Ryuk ransomware, according to security researcher “PeterM” on Twitter:

Attackers will continue to use CAVID-19 theme for cyber attacks due to the global pandemic scare – including malware attacks, malicious URLS, and identity fraud.


Two zero-day vulnerabilities were discovered for the Zoom video conferencing platform, which will allow threat actors to spy on people’s private video conferences and additionally use the target system.

One of the 0-day vulnerabilities relates to the ZOOM client under Windows and allows remote code execution in the attacked system, but can only be used in conjunction with other existing errors. For data about this hole, hackers ask for 500 thousand dollars, but, according to experts, this price is inflated by half.

The second 0-day vulnerability is present in ZOOM under Mac, but does not lead to remote code execution. Accordingly, its value is much less.

In our lasin our last 2 reviews, we have already written about the achievements of ZOOM 🙂