New article by our researchers Mikhail Klyuchnikov and Egor Dimitrenko about unauth RCEs in VMware products: "Hunting for bugs in VMware: View Planner and vRealize Business for Cloud".
Read the article: https://swarm.ptsecurity.com/hunting-for-bugs-in-vmware-view-planner-and-vrealize-business-for-cloud/
This is the first article about our VMware research. More to come!
We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce. Successful exploitation could lead to RCE from an unauthenticated user.
We have successfully bypassed the patch for RCE in Magento Open Source and Adobe Commerce (CVE-2022-24086) and have sent the report to Adobe (we weren't the first). The new CVE-2022-24087 was issued. A hotfix is available now.
Patch ASAP!
Relaying Kerberos over DNS using krbrelayx and mitm6
by Dirk-jan Mollema
In a scenario where an attacker has the ability to spoof a DNS server via DHCPv6 spoofing with mitm6, they can get victim machines to reliably authenticate to them using Kerberos and their machine account. This authentication can be relayed to any service that does not enforce integrity, such as Active Directory Certificate Services (AD CS) HTTP(S)-based enrollment, which in turn makes it possible to execute code as SYSTEM on that host. This technique is faster, more reliable and less invasive than relaying WPAD authentication with mitm6, but does of course require AD CS to be in use.
Contents:
• Kerberos over DNS
• Abusing DNS authentication
• Changes to krbrelayx and mitm6
• Attack example
• Defenses
• Mitigating mitm6
• Mitigating relaying to AD CS
• Tools
https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6
Adding save function to impacket's `reg.py` for Backup Operators to Domain Admin exploitation
https://github.com/SecureAuthCorp/impacket/pull/1257
The save feature in reg.py allows remote saving of registry hives. The feature can be used to escalate from Backup Operators to Domain Admin by retrieving a Domain Controller's hives and using them to obtain hashes and act as the Domain Controller or as the domain admin directly. The backup method doesn't mirror an existing function of the original reg cmdlet but instead allows dumping SAM, SYSTEM and SECURITY "at once".
Adding save function to reg.py for Backup Operators to Domain Admin exploitation by ShutdownRepo · Pull Request #1257 · fortra/impacket
New article by our researcher Egor Dimitrenko about unauth vulnerabilities in VMware products: "Catching bugs in VMware: Carbon Black Cloud Workload and vRealize Operations Manager". This is the second in a series of our VMware research.
Read the article: https://swarm.ptsecurity.com/catching-bugs-in-vmware-carbon-black-cloud-workload-appliance-and-vrealize-operations-manager/
The Dirty Pipe Vulnerability
by Max Kellermann
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It is similar to CVE-2016-5195 "Dirty Cow" but is easier to exploit.
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Contents:
• Abstract
• Corruption pt. I
• Access Logging
• Corruption pt. II
• Corruption pt. III
• Man staring at code
• Man staring at kernel code
• Pipes and Buffers and Pages
• Uninitialized
• Corruption pt. IV
• Exploiting
• Timeline
https://dirtypipe.cm4all.com
Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis)
by Jang and Peter
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. An easily exploitable vulnerability may give the attacker access to the OAM server, allowing them to create any user with any privileges or simply get code execution on the victim's server.
https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316
Veeam fixed an Unauth RCE (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication and a Local Privilege Escalation (CVE-2022-26503) in Veeam Agent for Microsoft Windows found by our researcher Nikita Petrov.
Advisory: https://www.veeam.com/kb4288
Rapid7 fixed an SQL injection (CVE-2022-0757) and an XSS (CVE-2022-0758) in the Nexpose Vulnerability Scanner found by our researcher Aleksey Solovev.
Advisory: https://docs.rapid7.com/release-notes/nexpose/20220302/
Ruby Deserialization - Gadget on Rails
by Harsh Jaiswal
In this writeup the research team goes over the current state of previous Ruby deserialization gadget chains and the process of finding new RCE gadgets. The researchers went over the fixes of previous gadget chains and found a new way to achieve remote code execution on the latest Rails framework.
Contents:
• Motivation
• Pre-Requisite
• Current State of Previous Gadgets
• File Write and File Execution Gadget
  • BackStory
  • Initial File Write
• Moving away from DeprecatedInstanceVariableProxy class
  • How we initiated the search?
  • Latest Rails Remote Code Execution Gadget
• Conclusion
https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
We have reproduced the fresh CVE-2022-22954 Server-Side Template Injection in VMware Workspace ONE Access.
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP!
HPE fixed two vulnerabilities in OneView found by our researcher Nikita Abramov.
1. CVE-2022-23699 - Authentication Restriction Bypass
2. CVE-2022-23700 - Unauthorized Read Access to Files
Find out more: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04252en_us
New version of reFlutter is available to download!
Now reFlutter not only allows you to monitor traffic, but also shows absolute offsets of the functions in the target Android or iOS application. Root is not required.
https://github.com/Impact-I/reFlutter
Cisco fixed an Authenticated Heap Overflow Vulnerability (CVE-2022-20737) in Cisco ASA found by our researcher Nikita Abramov.
The vulnerability allows an attacker to cause a DoS or to obtain portions of process memory from the device.
The advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-heap-zLX3FdX
Synacor fixed an Authenticated RCE (CVE-2022-27925) in Zimbra Collaboration Suite found by our researcher Mikhail Klyuchnikov.
So far, no advisory, but the patch is available: https://wiki.zimbra.com/wiki/Security_Center
New research by Alexander Popov: "A Kernel Hacker Meets Fuchsia OS"
Fuchsia OS is based on the Zircon microkernel and developed by Google. Alexander assessed it from the attacker's point of view.
Read the article: https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/
A Kernel Hacker Meets Fuchsia OS
Fuchsia is a general-purpose open-source operating system created by Google. It is based on the Zircon microkernel written in C++ and is currently under active development. The developers say that Fuchsia is designed with a focus on security, updatability…