Vulners weekly digest #5

+1 integration for Vulners
Review fresh vulnerabilities without Microsoft
Tools
News without COVID-19 and ZOOM


This week Vulners integrated with a great new project: https://attackerkb.com

It is already available: https://vulners.com/search?query=type:attackerkb

Vulnerabilities, exploits or PoCs

Is it possible to make a digest without vulnerabilities in Microsoft products? Let’s try to do it!

Multiple vulnerabilities in the IQrouter

Information security researchers often like to deal with little-known network devices and find all sorts of vulnerabilities in them. This week’s target was the IQrouter and its firmware version 3.3.1.

The researcher also published an example of exploiting all these vulnerabilities:

https://vulners.com/packetstorm/PACKETSTORM:157300

RCE PoC for Sysaid v20.1.11

SysAid is free help desk software for IT support. CVE-2020-10569 allows unauthenticated upload of arbitrary files, which can be chained with a GhostCat attack to execute commands on the system. Attackers could read application configuration files and steal passwords or API tokens, or they could write files such as backdoors or web shells to the server:

https://vulners.com/packetstorm/PACKETSTORM:157314

Oracle Solaris

CVE-2020-2944 affects versions 10 and 11 of this UNIX OS. The vulnerability allows a low-privileged attacker with logon access to the infrastructure where Oracle Solaris executes to compromise it. Oracle has released a fix for all affected and supported versions of Solaris in the April Critical Patch Update.

PoC: https://vulners.com/exploitdb/EDB-ID:48359

Multiple vulnerabilities in the QRadar Community Edition 7.3.1.6

QRadar is one of the best-known SIEM systems. The Community Edition is limited to 50 events per second and 5,000 network flows a minute and supports apps, but is built on a smaller footprint for non-enterprise use. A large number of vulnerabilities were found in one of the latest releases of this edition.

At the time of publication of this digest, the latest version of QRadar is v7.3.3.


Tools

Lulzbuster
Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.

Adamantium-Thief
Extracts passwords, credit cards, history, cookies and bookmarks from Chromium-based browsers.

Pwned
Pwned is a simple command-line Python script to check whether one of your passwords has been compromised in a data breach. The full scheme of the script:


News

MITRE releasing the results of evaluations
Apple zero-days in Mail app
The Incident Response Challenge 2020 – $$$

MITRE ATT&CK Evaluations

The main event of the week for many information security vendors was the publication of the results of the MITRE ATT&CK evaluation round based on APT29: https://ela.st/mitre-eval-rd2

In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors with their endpoint detection and response (EDR) products, using its now industry-standard open methodology, the ATT&CK framework.

For complete evaluation results, you can review the data published on the MITRE website.

VMware Carbon Black results: https://vulners.com/carbonblack/CARBONBLACK:8DEE9836AF3A9C5A0954C0941127CFC9
Microsoft ATP results: https://vulners.com/mssecure/MSSECURE:7C2EBC78AA9ED84F61D237B3E3AE3C1D

Apple


On April 22, ZecOps announced that two 0-day vulnerabilities in the Mail application were being exploited in the wild, allowing full control over the correspondence of the attacked user across the entire line of iPad and iPhone devices.

ZecOps reported that it had observed the exploits being used against:

  • employees of US companies from the Fortune 500 list;
  • a director of a carrier company in Japan;
  • a German VIP;
  • MSSPs (Managed Security Service Providers) in Saudi Arabia and Israel;
  • a European journalist;
  • as well as a suspected compromise of the head of a Swiss company.

To this Apple responded as expected: “We have studied the ZecOps report and concluded that the identified errors do not pose a threat to users. We will close them in the next updates.”

ZecOps also promises to publish more technical information about the bugs and the facts of their exploitation after the patch is released.

https://vulners.com/thn/THN:7749C9AD2429E9716C12DEB1307ABB29

https://vulners.com/threatpost/THREATPOST:D091476FC2E5A0AFECA0813539BECDF9

The Incident Response Challenge 2020

On April 21st, cybersecurity firm Cynet announced the launch of a first-of-its-kind challenge that lets Incident Response professionals test their skills against 25 forensic challenges built by top researchers and analysts.

The challenge is available at https://incident-response-challenge.com/ and is open to anyone willing to test their investigation skills between April 21st and May 15th.

Are you a hands-on forensic researcher, SOC analyst, or malware analyzer? Go to https://incident-response-challenge.com/, get your hands dirty, and beat your peers to get the first prize!

Vulners weekly digest #3

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security.

Vulners officially integrated with EXPLOITPACK this week. Customers can now get even more information about the vulnerabilities they are interested in from one place.

All interest in the difference 🙂


Exploits


Congratulations, this week an exploit for CVE-2020-0796 appeared. We wrote about this vulnerability in our previous digest:

Let’s start patching and testing exploits (in our own labs or for detection purposes 🙂)

DotNetNuke

A new module for DotNetNuke (versions 5.0.0 to 9.3.0-RC) was recently added to Metasploit. Vulnerable versions store user profile information in the DNNPersonalization cookie in XML format. The expected structure includes a “type” attribute that tells the server which type of object to create during deserialization. The cookie is deserialized when DNN is configured to handle 404 errors with its built-in error page (the default configuration). An attacker can use this vulnerability for remote code execution on the target system.

https://vulners.com/zdt/1337DAY-ID-34183

Redis Replication Code Execution

Vulners assigns its own AI score to many exploits and vulnerabilities. The Redis exploit has gained a fairly high rating and is becoming more popular due to a new bug fix. The extension functionality added in Redis 4.0.0, which allows executing arbitrary code, is what is abused. To deliver the extension, the exploit makes use of the Redis replication feature between master and slave.

https://vulners.com/zdt/1337DAY-ID-34165

More research about Vulners AI score: https://vulners.blog/2020/04/02/hidden-threat-vulnerability-analysis-using-the-news-graph


INFOSEC TOOLS

JACKDAW

This tool helps you collect information about a domain, store it in a SQL database and display it as a graph. It gives a better understanding of how Active Directory objects interact with each other. Main features:

  • Data acquisition;
  • Graph building;
  • Anomaly detection

Webkiller v2.0

A simple tool for gathering information. If you don’t want to learn large and intricate OSINT frameworks, you will like this tool.

Pulsar

Pulsar is an automated framework with a GUI for red teams, pentesters and bug bounty hunters. If you like full-scale, holistic tools, it will keep you busy for a long time and may become a permanent part of your toolkit. The framework integrates several projects:

The full structure of the project:

SauronEye

A simple search tool for finding files containing specific keywords. Main features:


ZOOM and MITRE

If coronavirus is the number one topic in IT news, then ZOOM has definitely taken the second place in recent days.

When a URL is sent to the ZOOM client’s internal chat, the client converts it into a hyperlink. Along with this, however, it also converts UNC paths, which Windows uses to access network resources, into hyperlinks.

When you click such a hyperlink, Windows connects over the SMB protocol and sends the username and the NTLM hash of the user’s password to the remote side. Given modern computing power, the hash can be cracked relatively easily.

Thus an attacker who sends a specially crafted link to the application’s internal chat can subsequently obtain a user’s login and password. In addition, a command to start a local application can be sent in UNC format; in this case, however, Windows will ask for permission to run it.
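The defensive fix on the application side is to linkify only URLs with an allow-listed scheme and never a UNC path. The following added example (not Zoom’s code; the message text and `linkify`/`find_unc_paths` names are constructed here) shows such a renderer plus a helper a SOC could run over exported chat logs to flag UNC paths.

```python
import re
from urllib.parse import urlsplit

# Only these schemes are ever rendered as clickable links.
ALLOWED_SCHEMES = {"http", "https"}

# A UNC path starts with two backslashes (or two forward slashes) followed by
# a host name, e.g. \\host.example\share. Windows resolves the host over SMB and
# authenticates automatically, which is how the NTLM hash leaks.
UNC_RE = re.compile(r"(?<![\w:])(?:\\\\|//)[^\\/\s]+(?:[\\/][^\s]*)?")
TOKEN_RE = re.compile(r"\S+")


def is_safe_link(token: str) -> bool:
    """True only for http/https URLs that have a host part.

    UNC paths, bare //host/share strings and file:// or smb:// URLs are
    rejected so the chat client never turns them into something clickable.
    """
    if UNC_RE.match(token):
        return False
    try:
        parts = urlsplit(token)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def linkify(message: str) -> list:
    """Split a chat message into ('link', url) / ('text', word) tokens."""
    return [
        ("link" if is_safe_link(tok) else "text", tok)
        for tok in TOKEN_RE.findall(message)
    ]


def find_unc_paths(message: str) -> list:
    """Detection helper: return every UNC path found in a message."""
    return [m.group(0) for m in UNC_RE.finditer(message)]


if __name__ == "__main__":
    # Constructed chat line; host name is a placeholder, not a real indicator.
    msg = r"see https://vulners.com/search?query=type:attackerkb and \\files.example\share\doc"
    print(linkify(msg))
    print(find_unc_paths(msg))
```

Independently of the client, blocking outbound TCP/445 at the network perimeter stops the authentication attempt from ever reaching an external host, whatever the chat client renders.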

More detailed: https://vulners.com/thn/THN:679E49F88578E2E63101319B5AB7DAAC

Based on the low AI score of news about ZOOM vulnerabilities, we can conclude that most of them are hype and do not amount to much:

One of the most important events for everyone who tries to detect APT attacks and analyse endpoint logs is the release of MITRE ATT&CK sub-techniques (beta). The current official version is still the October 2019 release.

The version of ATT&CK with sub-techniques is only in beta right now to allow enough time for feedback and for organizations to determine how to transition. We are expecting to make it the official version sometime in July 2020.

One good example demonstrating the benefits of sub-techniques is T1003. Its name was changed slightly to OS Credential Dumping and the technique itself was kept:

Technique T1003 and its sub-techniques

The added granularity allows you to represent different types of credential dumping at a more detailed level than just mapping to the broader OS Credential Dumping. MITRE is asking for feedback on technique and sub-technique pairings as well as any additional technique or sub-technique ideas that help organize the remaining techniques without sub-techniques.

More detailed info in MITRE blog: https://medium.com/mitre-attack/attack-subs-what-you-need-to-know-99bce414ae0b

Attack matrix for Kubernetes

This week, Microsoft crafted an ATT&CK-like matrix comprising the major techniques relevant to container orchestration security, with a focus on Kubernetes:

Understanding the attack surface of containerized environments is the first step in building security solutions for them. This matrix can help organizations identify the current gaps in their defense coverage against the different threats that target Kubernetes.

https://vulners.com/mssecure/MSSECURE:B88202FB5B97F91B4C2853079E60CFF1