Vulners weekly digest #8

Three traditional sections in our weekly digest. Enjoy!


Vulnerabilities and attacks

Last week Microsoft released its monthly update, 'the second Tuesday patch'. We haven't covered it yet, but Alexander Leonov gave a brief overview of this update on his blog.

Several pieces of research were published this week on vulnerabilities from Microsoft's patch. Any road to an exploit starts with strong research 🙂

NTLM relay with CVE-2020-1113

For a long time, many attackers have liked to use the NTLM relay technique in their operations. Firstly, there are many different protocols over which it can be implemented. Secondly, such attacks are difficult to detect at every stage.
The best explanation of how it works:

NTLM relay has been used and reused in several attacks:

CVE-2020-1113 was fixed in Microsoft's May update. Read the detailed research on updating ntlmrelayx in impacket to add support for the RPC protocol:

https://blog.compass-security.com/2020/05/relaying-ntlm-authentication-over-rpc

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth CVE-2020-1048

CVE-2020-1048 was fixed in Microsoft's May update. The research was released on the same day as the vulnerability fix 😉 It uses the Windows Print Spooler to elevate privileges, bypass EDR rules, gain persistence, and more. The full research consists of 2 parts:

  1. https://windows-internals.com/printdemon-cve-2020-1048
  2. https://windows-internals.com/faxing-your-way-to-system

PoC with Empire: https://github.com/BC-SECURITY/Invoke-PrintDemon

CVE-2020-1143

This vulnerability is also from the May update. Analysis in the research from Check Point: https://cpr-zero.checkpoint.com/vulns/cprid-2152

SaltStack

It's time to close the SaltStack topic, because everything has already been reviewed:

Metasploit module: https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE

vBulletin SQL Injection CVE-2020-12720

vBulletin is a commercial forum engine and WCMS developed by Internet Brands Inc. This software is written in PHP and uses a MySQL server to maintain its database.

The National Vulnerability Database (NVD) has also analyzed the flaw and attributes it to an incorrect access control issue that affects vBulletin before 5.5.6, 5.6.0 before 5.6.0, and 5.6.1 before 5.6.1.

Exploit automation: https://vulners.com/packetstorm/PACKETSTORM:157716

Easy for CVE-2019-15083

PoC for Cross-Site Scripting in ManageEngine Service Desk 10.0 (IT support service software). It might be interesting for red team operations to gather additional information or for lateral movement:

https://vulners.com/exploitdb/EDB-ID:48473


Win Brute Logon

Our strength is in undocumented opportunities

Useful information about password brute force in Windows.

Open the Account Lockout Policy and set the Account lockout threshold to the desired value (1 to 999). The value represents the number of attempts allowed before the account gets locked.

The lockout policy won't work on the Administrator account. At this moment, the best protection for the Administrator account (if enabled) is to set up a very complex password.

https://github.com/DarkCoderSc/win-brute-logon
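As an added illustration for the lockout-threshold advice above (not code from win-brute-logon or from the original post), here is detection logic in Python that applies the same threshold idea to failed-logon events from the logs, which matters most for the Administrator account that the lockout policy does not cover. The log line format, the event field names and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Windows Security log export
# (EventID 4625 = logon failure, 4624 = successful logon); not real log data.
SAMPLE_LOG = """\
2020-05-18T10:00:01 EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T10:00:03 EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T10:00:05 EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T10:00:08 EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T10:00:12 EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T10:01:30 EventID=4624 TargetUserName=Administrator IpAddress=10.0.0.7
2020-05-18T09:10:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2020-05-18T09:25:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2020-05-18T09:40:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
"""

NO_LOCKOUT = {"Administrator"}  # the built-in admin is never locked out (see above)

def parse_failures(text):
    """Yield (timestamp, account, source) for each 4625 line; skip other events."""
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") == "4625":
            yield datetime.fromisoformat(ts), kv["TargetUserName"], kv["IpAddress"]

def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(account, source): most failures seen inside one `window`} for
    pairs that reach `threshold`: the same number you would put in the lockout
    policy, but evaluated on the logs instead of enforced by Windows."""
    by_key = defaultdict(list)
    for ts, account, source in events:
        by_key[(account, source)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

def triage(hits):
    """Put accounts the lockout policy cannot protect first, then sort by count."""
    return sorted(hits.items(), key=lambda kv: (kv[0][0] not in NO_LOCKOUT, -kv[1]))
```

On the sample, only the Administrator burst from 10.0.0.7 reaches the default threshold of 5; alice's three failures are spread over 30 minutes and never fall into one 10-minute window.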

BloodHound reports for blue teams

The tool was released on May 14th, 2020 during a Black Hills Information Security webcast, "A Blue Team's Perspective on Red Team Tools".

https://github.com/DefensiveOrigins/PlumHound

SayCheese

Take webcam shots from a target just by sending a malicious link.

https://vulners.com/kitploit/KITPLOIT:5133140664411328886

Evilreg

Reverse shell using Windows Registry files (.reg).

https://vulners.com/kitploit/KITPLOIT:8518534902880733012


Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ProLock ransomware attack that disrupted its operations.

The ransomware is delivered to the compromised system using the Qbot Trojan. ProLock was first recorded in March 2020. What's interesting about ProLock is that, as the FBI says, the ransomware is written with mistakes, so encrypted files larger than 64MB can be corrupted when decrypted.

https://vulners.com/krebs/KREBS:844FF2B9143930EF190E45B7C1C84F58

Pay $42m or Trump’s ‘dirty laundry’ goes online


On May 12, hackers attacked the resources of the New York law firm Grubman Shire Meiselas & Sacks and stole 756 Gb of confidential documents from its clients. Founder Allen Grubman is the most famous entertainment lawyer who works, among others, with Madonna, Lady Gaga, Elton John, Robert De Niro and U2.

The hackers then demanded a ransom of $21 million. The FBI took over the investigation and at the same time stated that this hack is an act of international terrorism (?!), that they do not negotiate with terrorists and that the ransom will not be paid. The group behind the Sodinokibi ransomware was named as responsible for the hack.

However, on Thursday the situation changed. The hackers said that they had scanned the stolen data and found the "dirty laundry" of US President Trump in it, so the ransom doubled to 42 million dollars.

https://vulners.com/hackread/HACKREAD:EB8C10DB0B0A37DC44A7D11B10F66A47

‘ThunderSpy’ Attack

Research from the Dutch engineer Björn Ruytenberg, who revealed new attack vectors against the Intel Thunderbolt 3 protocol.

Thunderspy, as the researcher named his new attack vectors, allows an attacker to steal data from encrypted disks or read and write all system memory, even if the computer is locked or in sleep mode.

There is no protection for vulnerable devices other than physically disabling Thunderbolt. Even disabling Thunderbolt in software was bypassed by Ruytenberg. Windows and Linux PCs are vulnerable, and macOS partially.

Such vulnerabilities have little use in commercial hacking because they require physical access to the attacked device, even if only briefly. For law enforcement agencies, however, arranging such access is routine. In other words, agencies in the know may have been able to access computer contents without compromise since at least 2011, when Thunderbolt appeared.

https://vulners.com/threatpost/THREATPOST:103AFBDE6D261555120729CAF7A921A4

Monthly Vulners Review #1

The first monthly Vulners review:
Main Vulners events.
Only critical and important vulnerabilities.
Some interesting tools.
The most entertaining and flashy news.


Vulners events

There have been several events for Vulners this month:

  1. The revival of the blog;
  2. Translation of the research "Hidden Threat – Vulnerability Analysis using the news graph" by Lydia Khramova;
  3. Integration with the Exploit Pack collection, which we mentioned last week;
  4. The appearance and description of OSS-Fuzz data functionality in Vulners.

Vulnerabilities and Exploits

Of course, we start with a short review of 'the second Tuesday from Microsoft'.

This month's Microsoft Patch Tuesday addresses 113 vulnerabilities, 19 of them Critical.

0-day in font library

Microsoft patched two vulnerabilities (CVE-2020-0938, CVE-2020-1020) in the Adobe Font Manager Library that were announced in March. We wrote about them at the beginning of weekly digest #2.

To exploit these vulnerabilities, an attacker needs social engineering so that the user opens a malicious document or views it in the Windows Preview pane.

SharePoint

If you use it, you will need to monitor for security updates. Microsoft released patches for SharePoint covering four RCE vulnerabilities (CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974). An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint. There is also one XSS, CVE-2020-0927, that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.

Kernel zero-day

The other zero-day is an elevation of privilege vulnerability, CVE-2020-1027, in the Windows kernel, discovered by the Google Project Zero team.

Hyper-V Escape

A critical remote code execution vulnerability, CVE-2020-0910, is patched in Hyper-V. It allows a guest virtual machine to compromise the hypervisor, escaping from the guest to the host.


Linux

HP ThinPro is a Linux-based operating system. This month we're looking at PoCs for two vulnerabilities in versions 6.x/7.x of this OS:

  1. PoC for CVE-2019-18910, a privileged command injection vulnerability. The VPN does not safely handle user input, so an attacker can inject arbitrary commands that execute with root privileges on the device. https://vulners.com/zdt/1337DAY-ID-34147
  2. PoC for CVE-2019-16286, a filter bypass. Attackers can bypass the restrictions that administrators set on which applications users may run, launch restricted applications and execute arbitrary commands on the device. https://vulners.com/packetstorm/PACKETSTORM:156898

CentOS Web Panel
CWP is a free web hosting control panel designed for quick and easy management of dedicated and VPS servers. CVE-2020-10230 is a SQL injection in CentOS Web Panel 7 and 6 via the term parameter of /cwp_{SESSION_HASH}/admin/loader_ajax.php.

Apache

CVE-2020-1934 and CVE-2020-1927 are among the most popular vulnerabilities of the month. Vulnerable versions: 2.4.x < 2.4.42. As history shows, once an exploit for one of them appears, you will soon read about it in the attack news.

  • CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server;
  • CVE-2020-1927: redirects via mod_rewrite might be fooled by encoded newlines and redirect instead to an unexpected (malicious) URL.

Exploit for Apache Solr <8.3.0 / CVE-2019-17558
Apache Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Solr can run as a standalone full text search server.

The Metasploit module achieves RCE via a custom Velocity template. After identifying the list of Solr core names, an attacker can send a specially crafted HTTP POST request to the Config API. Setting the resource loader to true in the solrconfig.xml file allows an attacker to use the Velocity template parameter in a specially crafted Solr request, leading to RCE. Currently, this module only supports Solr basic authentication.

Java

Nexus Repository Manager
RCE in Nexus <3.21.2 – CVE-2020-10199. Nexus is a very popular repository manager from Sonatype. It allows you to run a small Maven Central of your own within your project.

https://vulners.com/github/GHSA-G2F6-V5QH-H2MQ

The Metasploit module exploits a Java Expression Language (EL) injection in Nexus Repository Manager to execute code as the Nexus user. It is a post-authentication vulnerability, so credentials are required to exploit it; any user, regardless of privilege level, may be used.

Liferay Portal < 7.2.1
Liferay Portal is an open-source solution designed for centralized access to several different corporate applications in one place. The exploit for CVE-2020-7961 allows remote execution of arbitrary code via JSON web services (JSONWS).

PHP

PlaySMS
PlaySMS is free and open source SMS management software; versions <1.4.3 do not sanitize malicious input strings. The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection. The vulnerability is triggered when an attacker provides a username containing a malicious payload. The payload is stored in the TPL template, and when the template is re-rendered it leads to code execution.

Exploit tested on the Hack The Box machine Frolic: https://vulners.com/metasploit/MSF:EXPLOIT/MULTI/HTTP/PLAYSMS_TEMPLATE_INJECTION

Horde CVE-2020-8518
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, iCalendar, vCard, etc., leading to remote code execution. The vulnerability allows authenticated users to inject arbitrary PHP code, thus achieving remote code execution on the server hosting the web application.

Exploit: https://vulners.com/zdt/1337DAY-ID-34133

ThinkPHP – two in one combo
ThinkPHP is an open-source PHP framework. The Metasploit module covers CVE-2018-20062 and CVE-2018-9082 and uses one of them for code injection as the web user. The module will automatically attempt to detect the version of the software.


TOOLS

In this part, we will list the most popular tools of the month that have just appeared or received an update.

Pentest

Mssqlproxy

mssqlproxy is a toolkit for lateral movement through a compromised Microsoft SQL Server via socket reuse. The client requires impacket and sysadmin privileges on the SQL server.

Attacks on production MS SQL servers are not common; this attack technique is used by advanced attackers. It is not surprising that someone came up with and wrote a kind of reverse proxy.

Detailed report about MS SQL CLR (check the presentation in the video description): https://www.youtube.com/watch?v=gydeYfyG_xY
Other nice research on this theme: https://blog.netspi.com/attacking-sql-server-clr-assemblies

Puma Security Serverless Prey

Serverless Prey is a collection of serverless functions (FaaS) that, once deployed to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container. Usually attackers develop custom tools of this kind or significantly modify existing ones.

Jackdaw – Tool To Collect All Information In Your Domain And Show You Nice Graphs
See the description in Vulners weekly digest #3.

RECON

Project iKy v2.4.0

The usefulness of the tool is in doubt. According to the authors, it collects information from an email address and shows the results in a visual interface.

Git-Hound
See the description in Vulners weekly digest #4.

uDork – Google Hacking Tool
See the description in Vulners weekly digest #1.

Purple teaming

It's a good idea to check the sensational exploit and write new correlation rules for it: CVE-2020-0796 Windows SMBv3 LPE Exploit.

Audix

Automation for Windows Event Audit Policies for monitoring & incident response.

https://vulners.com/kitploit/KITPLOIT:2268350346393093680

SauronEye


See the description in Vulners weekly digest #3.


News

Monthly rock stars: COVID-19, Trickbot and ZOOM

COVID-19 and attacks

Attacks on hospitals were detected between 24 and 26 March and were initiated as part of coronavirus-related phishing campaigns that have become widespread in recent months.

The disclosure from Palo Alto Networks comes as the US Department of Health and Human Services (HHS), biotech firm 10x Genomics, Brno University Hospital in the Czech Republic and Hammersmith Medicines Research have all been hit by cyber attacks in the past few weeks.

The theme of the pandemic and COVID-19 is an ideal lure for threat actors, and cybercrime will go to any length, including targeting the organizations that are on the front lines responding to the pandemic every day.

https://vulners.com/thn/THN:8007E43933D6EA07FB6E74E9DCC5FA70

Ransomware and Trickbot

The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to share information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.

When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it.

The ransomware binary then encrypts files with various extensions, including ".DOC", ".ZIP", ".PPT" and more. Some hospitals have been targeted by the Ryuk ransomware, according to security researcher "PeterM" on Twitter:

Attackers will continue to use the COVID-19 theme for cyber attacks due to the global pandemic scare, including malware attacks, malicious URLs, and identity fraud.

https://vulners.com/threatpost/THREATPOST:FF75AF79B23F8B0D0CF546FC055B7911

ZOOM 🙂

Two zero-day vulnerabilities were discovered in the Zoom video conferencing platform, which allow threat actors to spy on people's private video conferences and further exploit the target system.

One of the 0-day vulnerabilities affects the ZOOM client on Windows and allows remote code execution on the attacked system, but can only be used in conjunction with other existing bugs. For details of this hole, the hackers are asking 500 thousand dollars, but according to experts the price is inflated by half.

The second 0-day vulnerability is present in ZOOM on Mac, but does not lead to remote code execution. Accordingly, its value is much lower.

In our last 2 reviews, we have already written about ZOOM's achievements 🙂