Vulners weekly digest #8

Three traditional sections in our weekly digest. Enjoy!


Vulnerabilities and attacks

Last week, Microsoft released its monthly update, the ‘second Tuesday patch’, which we haven’t covered yet, but Alexander Leonov has on his blog, where he gives a brief overview of the update.

Various pieces of research have been published this week on several of the vulnerabilities from Microsoft’s patch. Any road to an exploit starts with strong research 🙂

Ntlm relay with CVE-2020-1113

For a long time, many attackers have liked to use the NTLM relay technique in their operations. Firstly, there are many different protocols with which it can be implemented. Secondly, such attacks are difficult to detect at every stage.
The best explanation of how it works:

NTLM relay has been used and reused in several attacks:

CVE-2020-1113 was fixed in Microsoft’s May update. Read the detailed research on updating ntlmrelayx in impacket to add support for the RPC protocol:

https://blog.compass-security.com/2020/05/relaying-ntlm-authentication-over-rpc

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth CVE-2020-1048

CVE-2020-1048 was fixed in Microsoft’s May update. The research was released on the same day as the fix 😉 It uses the Windows Print Spooler to elevate privileges, bypass EDR rules, gain persistence, and more. The full research consists of 2 parts:

  1. https://windows-internals.com/printdemon-cve-2020-1048
  2. https://windows-internals.com/faxing-your-way-to-system

PoC with Empire: https://github.com/BC-SECURITY/Invoke-PrintDemon

CVE-2020-1143

This vulnerability is also from the May update. Analysis in research from Check Point: https://cpr-zero.checkpoint.com/vulns/cprid-2152

Saltstack

It’s time to close the SaltStack topic, because everything has already been covered:

Metasploit module: https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE

vBulletin SQL Injection CVE-2020-12720

vBulletin is a commercial forum engine and WCMS developed by Internet Brands Inc. The software is written in PHP and uses a MySQL server for its database.

The National Vulnerability Database (NVD) has also analyzed the flaw and states that the critical issue originates from incorrect access control affecting vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1.

Exploit automation: https://vulners.com/packetstorm/PACKETSTORM:157716

Easy for CVE-2019-15083

PoC for Cross-Site Scripting in ManageEngine Service Desk 10.0 (IT service desk software). It might be interesting for red team operations to gather additional information or for lateral movement:

https://vulners.com/exploitdb/EDB-ID:48473


Win Brute Logon

Our strength is in undocumented opportunities

Useful information about password brute force on Windows.

Open the Account Lockout Policy and set the Account lockout threshold to the desired value (1 to 999). The value is the number of failed attempts allowed before the account is locked.

The lockout policy won’t work on the Administrator account. At this moment, the best protection for the Administrator account (if enabled) is to set a very complex password.

https://github.com/DarkCoderSc/win-brute-logon
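A detection-side complement to the lockout setting above, added here as an example and not taken from the digest or from the win-brute-logon project: it counts failed logons (Security Event ID 4625) per account and source address inside a sliding window, flags pairs that reach the lockout threshold, and singles out the built-in Administrator account because the policy never locks it. The event field names, the threshold of 5, the 10-minute window and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed policy value (Account lockout threshold, 1..999)
WINDOW = timedelta(minutes=10)   # assumed observation window


def _ev(hhmmss, user, ip):
    """Constructed 4625 (failed logon) event with only the fields the check needs."""
    return {"event_id": 4625, "time": f"2020-05-18T{hhmmss}", "user": user, "ip": ip}


# Constructed sample log: a burst against Administrator, two typos by jdoe,
# and a slow trickle against svc_backup that never fits inside one window.
SAMPLE_EVENTS = (
    [_ev(f"10:00:{s:02d}", "Administrator", "10.0.0.7") for s in (1, 5, 9, 13, 17, 21)]
    + [_ev("10:01:00", "jdoe", "10.0.0.9"), _ev("10:02:00", "jdoe", "10.0.0.9")]
    + [_ev(f"10:{m:02d}:00", "svc_backup", "10.0.0.7") for m in (0, 11, 22, 33, 44)]
)


def detect_bruteforce(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {(user, ip): max failures inside any `window`} for pairs reaching `threshold`."""
    buckets = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625:
            buckets[(e["user"], e["ip"])].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def unlocked_by_policy(hits):
    """Hits against the built-in Administrator, which Account Lockout Policy never locks out."""
    return sorted(key for key in hits if key[0].lower() == "administrator")


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_EVENTS)
    for (user, ip), count in found.items():
        print(f"{user} from {ip}: {count} failures within {WINDOW}")
    print("needs a response, lockout will not trigger:", unlocked_by_policy(found))
```

On a real host the same fields come from the Security log (4625 events carry TargetUserName and IpAddress); the point is that a hit on Administrator needs an alert, since the lockout threshold will never fire for it.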

BloodHound reports for blue teams

The tool was released on May 14th, 2020 during the Black Hills Information Security webcast ‘A Blue Team’s Perspective on Red Team Tools’.

https://github.com/DefensiveOrigins/PlumHound

SayCheese

Take webcam shots from a target just by sending a malicious link.

https://vulners.com/kitploit/KITPLOIT:5133140664411328886

Evilreg

Reverse shell using Windows Registry files (.reg)

https://vulners.com/kitploit/KITPLOIT:8518534902880733012


Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ProLock ransomware attack that disrupted its operations.

The ransomware is delivered to the compromised system using the Qbot Trojan. ProLock was first recorded in March 2020. What’s interesting about ProLock is that, as the FBI says, the ransomware contains bugs, so encrypted files larger than 64MB can be corrupted when decrypted.

https://vulners.com/krebs/KREBS:844FF2B9143930EF190E45B7C1C84F58

Pay $42m or Trump’s ‘dirty laundry’ goes online

On May 12, hackers attacked the resources of the New York law firm Grubman Shire Meiselas & Sacks and stole 756 Gb of confidential documents belonging to its clients. Founder Allen Grubman is a famous entertainment lawyer who works with, among others, Madonna, Lady Gaga, Elton John, Robert De Niro and U2.

The hackers then demanded a ransom of $21 million. The FBI took over the investigation. At the same time, the feds stated that the hack is an act of international terrorism (?!), and that they do not negotiate with terrorists and will not pay the ransom. The group behind the Sodinokibi ransomware was named as responsible for the hack.

However, on Thursday the situation changed. The hackers said that they had scanned the stolen data and found the “dirty laundry” of US President Trump in it, so the ransom amount doubled to $42 million.

https://vulners.com/hackread/HACKREAD:EB8C10DB0B0A37DC44A7D11B10F66A47

‘ThunderSpy’ Attack

Research from the Dutch engineer Björn Ruytenberg, who revealed new attack vectors against the Intel Thunderbolt 3 protocol.

Thunderspy, as the researcher named the new attack vectors, allows an attacker to steal data from encrypted disks or read and write all system memory, even if the computer is locked or in sleep mode.

There is no protection for vulnerable devices other than physically disabling Thunderbolt. Even the software disabling of Thunderbolt was bypassed by Ruytenberg. Windows and Linux PCs are vulnerable, and macOS PCs partially.

Such vulnerabilities have little application to commercial hacking because they require physical access to the device under attack, even if only briefly. But for law enforcement agencies, organizing such access is routine. That is, knowledgeable agencies have been able to gain access to computer contents without compromise since at least 2011, when Thunderbolt appeared.

https://vulners.com/threatpost/THREATPOST:103AFBDE6D261555120729CAF7A921A4

Vulners weekly digest #7

+1 integration for Vulners
Old and fresh vulnerabilities
Tools
Various news


This week Vulners integrated data about Apple vulnerabilities!

Already available at Vulners DB: https://vulners.com/search?query=type:apple


Vulnerabilities

Updated news on vulnerabilities from our latest digest, and something new!

Gitlab exploit

Automation to exploit one of the latest vulnerabilities in GitLab. Of course, it can be exploited without it, but it’s always nice when automation for such exploitation appears.

https://vulners.com/exploitdb/EDB-ID:48431

Latest news about Saltstack

Continuation of the story that F-Secure started. The first affected victim was the mobile operating system LineageOS. Then came the large blogging platform Ghost, with more than 750 thousand users, followed by DigiCert, Xen Orchestra and a number of smaller companies.

The exploit, which uses the vulnerabilities identified by F-Secure in Salt, was published on GitHub by several users at once, and a Metasploit module is also on the way.

Full detailed timeline and other info about saltstack vulnerabilities: https://saltexploit.com

https://vulners.com/threatpost/THREATPOST:A1F6C89E2D2F2205B93C6727C24B908C

Trixbox CVE-2020-7351

Trixbox is an open-source system for deploying VoIP (Asterisk inside). The vulnerability affects Trixbox versions 1.2.0 to 2.8.0.4 inclusive, in the “network” POST parameter of the “/maint/modules/endpointcfg/endpoint_devicemap.php” page. Successful exploitation allows arbitrary command execution on the underlying operating system as the “asterisk” user.

Exploit: https://vulners.com/packetstorm/PACKETSTORM:157565

SharePoint CVE-2020-0932 RCE

In their last “second Tuesday patch”, Microsoft announced fixes for six vulnerabilities in SharePoint. There is no indication from the vendor why some of these vulnerabilities are rated as important while others are rated as critical.

The most detailed write-up with great PoC: https://www.thezdi.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters

SharePoint is used by many companies, and accordingly by attackers in their work, so you should not postpone updating your SharePoint servers.


Tools

Socks Over RDP: https://github.com/nccgroup/SocksOverRDP

“As penetration testers we frequently find ourselves in a situation where the only access that we are provided to a server or network is a Remote Desktop account. These servers are commonly called Jump boxes. It means that we need to perform our testing via this server. This usually introduces a few extra steps that take time from us and our clients to set up and configure.”

Brute Shark: https://github.com/odedshimon/BruteShark
A Network Forensic Analysis Tool with a useful GUI and interesting functions. It can extract passwords, build a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to Hashcat format in order to perform an offline brute-force attack.

Two BruteShark versions are available: a GUI-based application (Windows) and a command-line tool (Windows and Linux).

Shellerator
This project is inspired by Print-My-Shell, which we mentioned in our previous weekly digest.

GDBFrontend
GDBFrontend is an easy, flexible and extensible GUI debugger.

Article: https://oguzhaneroglu.com/projects/gdb-frontend/


News

Conferences 😦
Microsoft 🙂
APT 😐

Major Cybersecurity Conferences

The Black Hat USA and DEF CON 28 security conferences will not be held in person this year due to the coronavirus pandemic. Instead, both conferences will be transformed into fully virtual events: Black Hat USA on Aug. 1 to 6, 2020, and DEF CON 28 on Aug. 7 to 9, 2020.

DEF CON’s remote events will include a new online Mystery Challenge, a ‘DEF CON is Canceled’ music album, remote CTFs (including Hack-a-Sat), villages like the Packet Hacking Village, contests like the TeleChallenge and Ham Exams, and a remote movie night and drink-up.

Black Hat USA will be adapted into a virtual format available to the entire global infosec community. More details on how the virtual conferences will be run:

https://vulners.com/threatpost/THREATPOST:4F7DA5B616227FD485369DAAEBE84656

Microsoft damn…

The hacker group Shiny Hunters told the editors that they had hacked Microsoft’s GitHub account and gained full access to the software company’s private repositories.

Shiny Hunters downloaded 500Gb of private projects that they initially wanted to sell, but have now decided to put online for free download. The hack itself appears to have occurred on March 28.

As a teaser, the hackers posted 1Gb of the stolen data on a closed forum, but not all forum users considered the posted information real. Microsoft employees also say that the leak is fake, but the company has not commented officially.

https://vulners.com/threatpost/THREATPOST:810608E8FBF789E16FA78CF73EDD7EB2

APT Naikon

Check Point has released a report disclosing a long-running, large-scale cyber operation that uses the new Aria-body backdoor and targets public authorities in the Asia-Pacific region, including Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar and Brunei. The campaign has been running since at least 2018, and most likely since 2017.

Based on the analysis of Aria-body’s functionality, Check Point concludes that the main purpose of the operation is intelligence gathering. This includes not only hunting for documents the attackers are interested in, but also extracting data from removable media, taking screenshots, and keylogging.

Analysis of the Aria-body code revealed sufficient similarity with the XsFunction backdoor code which, together with partial overlap in command-and-control infrastructure, points to the involvement of the Chinese APT Naikon (aka APT 30 and Override Panda) in the new operation. There had been no news about APT Naikon since 2015. The group has previously worked actively against countries bordering the South China Sea.

Overview of the research: https://vulners.com/threatpost/THREATPOST:96934F347B55F85990962035EF6F658D

Technical details with IOCs: https://vulners.com/securelist/SECURELIST:C96E2BC7AC745F58E5C3916C0AD13B0B