Vulners weekly digest #4

Your Exchange server is still a sweet target, plus other vulnerabilities.
A serious boost for pentest frameworks.
Zoom continues to smoke, and we continue to write about it in our digest.


EXPLOITS and vulnerabilities

“If You Can’t Patch Your Email Server, You Should Not Be Running It”

CVE-2020-0688 is becoming popular. While the flaw was fixed as part of Microsoft’s February Patch Tuesday updates, researchers warned in a March advisory that unpatched servers are being exploited by APT actors. One of the latest reports from Rapid7 notes that Exchange servers are still vulnerable to CVE-2020-0688. Researchers observed attackers leveraging the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute fileless frameworks for post-exploitation.

The exploit code that the Rapid7 researchers tested shows up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry includes the compromised user account and a long error message that contains the text Invalid viewstate.

You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx) that contain the strings __VIEWSTATE and __VIEWSTATEGENERATOR. The long string in the middle of such a request, as with the Windows event log entry above, is a portion of the exploit payload. The username of the compromised account appears at the end of the log entry.
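The two indicators above (the MSExchange Control Panel event and the /ecp requests in the IIS logs) are easy to turn into a small triage script. The following is an added example, not code from Rapid7 or from the digest; it parses IIS W3C log lines by their #Fields header, flags /ecp requests whose query string carries both __VIEWSTATE and __VIEWSTATEGENERATOR, and applies the event-log criteria to event records. The log lines embedded in it are constructed for illustration, with placeholder values where the real payload would be.

```python
"""Triage helpers for the CVE-2020-0688 indicators described in the Rapid7
write-up. Added example; the sample log below is constructed, not real."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Event-log indicator: Application log, source MSExchange Control Panel,
# event ID 4, message containing "Invalid viewstate".
EVENT_SOURCE = "MSExchange Control Panel"
EVENT_ID = 4
EVENT_MARKER = "invalid viewstate"


def is_viewstate_error_event(source: str, event_id: int, message: str) -> bool:
    """True when an Application-log event matches the described indicator."""
    return (source == EVENT_SOURCE
            and event_id == EVENT_ID
            and EVENT_MARKER in message.lower())


@dataclass
class EcpHit:
    timestamp: str
    client_ip: str
    username: str
    uri_stem: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per IIS W3C log line, keyed by the names in #Fields."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line; do not mis-assign columns
        yield dict(zip(fields, values))


def find_ecp_viewstate_requests(lines: Iterable[str]) -> List[EcpHit]:
    """Return every request under /ecp whose query string carries both
    __VIEWSTATE and __VIEWSTATEGENERATOR, with the account that made it."""
    hits: List[EcpHit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        if not stem.lower().startswith("/ecp"):
            continue
        if "__VIEWSTATE=" in query and "__VIEWSTATEGENERATOR=" in query:
            hits.append(EcpHit(
                timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", "-"),
                username=rec.get("cs-username", "-"),
                uri_stem=stem,
            ))
    return hits


# Constructed sample IIS log (not real traffic). The __VIEWSTATE value of a
# genuine attempt is a long base64 blob; PLACEHOLDER stands in for it here.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-04-20 10:01:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2020-04-20 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER_BASE64 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 500
2020-04-20 10:02:15 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\asmith 198.51.100.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_IIS_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.client_ip} {hit.username} {hit.uri_stem}")
```

A hit is a reason to look at the account and source address, not proof of compromise on its own: legitimate ECP use posts viewstate in the request body, so viewstate parameters in the query string of a GET to /ecp are unusual, but confirm against the event-log indicator and the server's patch level before acting.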

The update for CVE-2020-0688 should be installed on any mail server running Exchange.

https://vulners.com/threatpost/THREATPOST:DF7C78725F19B2637603E423E56656D4

Video: https://youtu.be/7d_HoQ0LVy8

Vesta Control Panel Authenticated RCE

The vulnerability (CVE-2020-10808) was disclosed and fixed in late April; at the same time, a pull request was created in the Metasploit repository. Vesta Control Panel (VestaCP) is one of the most popular, simple and convenient panels for managing websites. VestaCP through 0.9.8-26 allows command injection via the schedule/backup Backup Listing endpoint.
The point of the vulnerability is that an authenticated attacker with low privileges can inject a payload in a file name that starts with a dot.

More detailed technical description with video POC: https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis

LimeSurvey CVE-2020-11456

LimeSurvey is a simple open-source tool which you can install on your server to build custom templates for surveys, using formatted text with image/video integration. LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php.

PoC: https://vulners.com/exploitdb/EDB-ID:48289


Tools

GitHound

GitHound v1.1 helps find sensitive information across all of GitHub, uploaded by any user. According to the author, this tool helped him earn money 🙂 A cool tool for Bug Bounty Hunters.

SSHPry

What if we had a tool that could show us the terminal of an active SSH connection? And… maybe… control it? Record it? Investigate?

The author of SSHPry 2.0 implemented a technique to get ALL read() strings of a connected SSH client; the SSHPry.py script mirrors the terminal of the connected SSH client.

Main features:

  • Control of target’s TTY
  • Built-In Keylogger
  • Console-Level phishing
  • Record & Replay previous sessions

The video shows the functionality of the tool better:

Ps-Tools

Have you ever needed to use a tool like Process Explorer in your shell session? Ps-Tools provides such an opportunity. Why this, if the same thing can be done through PowerShell? PowerShell is currently under heavy security monitoring. The authors mention only Cobalt Strike in their research, but you can use it in any framework. For example: detecting any security solutions (AV, EDR, etc.), collecting more detailed information about the compromised system, or finding more opportunities for lateral movement.

This functionality helps to better understand the systems and IT infrastructure of your target, and periodically polling this information allows a Red Team to react to possible changes within the IT environment (an investigation trigger, for example). Purple Teams should test it to develop new detection rules. It is assumed that this new functionality will be used in the most advanced penetration tests.


dangerous remote work

Due to the pandemic, many organizations began to work remotely. In this regard, APT groups increased their activity through phishing/spear-phishing using the COVID-19 context, and through attempts to exploit zero-day vulnerabilities in many tools for remote work: video conferencing, VPNs, remote access tools, etc.

An April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app. The research found that among a total of 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).

https://vulners.com/threatpost/THREATPOST:F3563336B135A1D7C1251AE54FDC6286

Example: Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials

CVE-2016-9223 is a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is a Cisco management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems. However, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release (also in 2016).

zoom, are you ok?

Zoom is still the focus of a lot of news. Researchers have uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials. Compromised Zoom credentials could give cybercriminals access to web conference calls.

Attackers can join a meeting and blast music or videos to interfere with it. This practice, called “Zoom bombing,” has been spiking upwards over the past few weeks, despite the FBI cracking down on the issue and warning that those who take part in Zoom bombing could face jail time.

https://vulners.com/threatpost/THREATPOST:2FA23249E9EBD512847353C7FFC62505

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails around financial relief, promises of a cure and symptom information details.
