Veeam fixed an Unauth RCE (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication and Local Privilege Escalation (CVE-2022-26503) in Veeam Agent for Microsoft Windows found by our researcher Nikita Petrov.
Advisory: https://www.veeam.com/kb4288
Advisory: https://www.veeam.com/kb4288
π17
Rapid7 fixed an SQL-Injection (CVE-2022-0757) and an XSS (CVE-2022-0758) in Nexpose Vulnerability Scanner found by our researcher Aleksey Solovev.
Advisory: https://docs.rapid7.com/release-notes/nexpose/20220302/
Advisory: https://docs.rapid7.com/release-notes/nexpose/20220302/
π13
Ruby Deserialization - Gadget on Rails
π€ by Harsh Jaiswal
In this writeup research team went over the current state of previous ruby deserialization gadget chains and the process of finding new RCE gadgets. Researchers went over the fixes of previous gadget chains and found a new way to achive remote code execution on latest Rails framework.
π Contents:
β’ Motivation
β’ Pre-Requisite
β’ Current State of Previous Gadgets
β’ File Write and File Execution Gadget
β’β’ BackStory
β’β’ Initial File Write
β’ Moving away from DeprecatedInstanceVariableProxy class
β’β’ How we initiated the search?
β’β’ Latest Rails Remote Code Execution Gadget
β’ Conclusion
https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
π€ by Harsh Jaiswal
In this writeup research team went over the current state of previous ruby deserialization gadget chains and the process of finding new RCE gadgets. Researchers went over the fixes of previous gadget chains and found a new way to achive remote code execution on latest Rails framework.
π Contents:
β’ Motivation
β’ Pre-Requisite
β’ Current State of Previous Gadgets
β’ File Write and File Execution Gadget
β’β’ BackStory
β’β’ Initial File Write
β’ Moving away from DeprecatedInstanceVariableProxy class
β’β’ How we initiated the search?
β’β’ Latest Rails Remote Code Execution Gadget
β’ Conclusion
https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
X (formerly Twitter)
Harsh Jaiswal (@rootxharsh) on X
Building @hacktronai | researching at @httpvoid0x2f | auditing at
@cure53berlin | prev @zomato @vimeo @pdiscoveryio
@cure53berlin | prev @zomato @vimeo @pdiscoveryio
π7
π₯We have reproduced the fresh CVE-2022-22954 Server-Side Template Injection in VMware Workspace ONE Access.
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP!
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP!
π18
HPE fixed two vulnerabilities in OneView found by our researcher Nikita Abramov.
1οΈβ£ CVE-2022-23699 - Authentication Restriction Bypass
2οΈβ£ CVE-2022-23700 - Unauthorized Read Access to Files
Find out more β‘οΈ https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04252en_us
1οΈβ£ CVE-2022-23699 - Authentication Restriction Bypass
2οΈβ£ CVE-2022-23700 - Unauthorized Read Access to Files
Find out more β‘οΈ https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04252en_us
π5
New version of reFlutter is available to download!
Now reFlutter not only allows you to monitor traffic, but also shows absolute offsets of the functions in the target Android or iOS application. Root is not required.
https://github.com/Impact-I/reFlutter
Now reFlutter not only allows you to monitor traffic, but also shows absolute offsets of the functions in the target Android or iOS application. Root is not required.
https://github.com/Impact-I/reFlutter
π14
πCisco fixed an Authenticated Heap Overflow Vulnerability (CVE-2022-20737) in Cisco ASA found by our researcher Nikita Abramov.
The vulnerability allows an attacker to cause a DoS or to obtain portions of process memory from the device.
The advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-heap-zLX3FdX
The vulnerability allows an attacker to cause a DoS or to obtain portions of process memory from the device.
The advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-heap-zLX3FdX
π9
β οΈSynacor fixed an Authenticated RCE (CVE-2022-27925) in Zimbra Collaboration Suite found by our researcher Mikhail Klyuchnikov.
So far, no advisory, but the patch is available: https://wiki.zimbra.com/wiki/Security_Center
So far, no advisory, but the patch is available: https://wiki.zimbra.com/wiki/Security_Center
π5
New research by Alexander Popov: "A Kernel Hacker Meets Fuchsia OS"
Fuchsia OS is based on the Zircon microkernel and developed by Google. Alexander assessed it from the attacker's point of view.
Read the article: https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/
Fuchsia OS is based on the Zircon microkernel and developed by Google. Alexander assessed it from the attacker's point of view.
Read the article: https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/
π14
From open redirect to RCE in one week
π€ by Anton ???
In this write-up the author tells a story of chaining multiple vulnerabilities to achieve RCE on several hosts of Mail.ru (VK). The exploit chain consists of following bugs: Open Redirect, Unsafe Deserialization, Kohana hack, LFI for Logs.
π Contents:
* Intro
* Functionality that caught my attention
* Possible scenarios
* Open redirect
* Deserialization
* Kohana
* Chaining all together
* Logs
* Null bytes
* Last poison
https://medium.com/@byq/from-open-redirect-to-rce-in-one-week-66a7f73fd082
π€ by Anton ???
In this write-up the author tells a story of chaining multiple vulnerabilities to achieve RCE on several hosts of Mail.ru (VK). The exploit chain consists of following bugs: Open Redirect, Unsafe Deserialization, Kohana hack, LFI for Logs.
π Contents:
* Intro
* Functionality that caught my attention
* Possible scenarios
* Open redirect
* Deserialization
* Kohana
* Chaining all together
* Logs
* Null bytes
* Last poison
https://medium.com/@byq/from-open-redirect-to-rce-in-one-week-66a7f73fd082
X (formerly Twitter)
Anton (@ByQwert) on X
sometimes I break something
π19
Active Exploitation of Confluence CVE-2022-26134
π€ by Rapid7
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.
CVE-2022-26314 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the confluence user on Linux installations). Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk.
π Contents:
β’ Technical analysis
β’β’ The vulnerability
β’β’ Root cause
β’β’ The patch
β’β’ Payloads
β’ Mitigation guidance
https://www.rapid7.com/ja/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
π€ by Rapid7
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.
CVE-2022-26314 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the confluence user on Linux installations). Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk.
π Contents:
β’ Technical analysis
β’β’ The vulnerability
β’β’ Root cause
β’β’ The patch
β’β’ Payloads
β’ Mitigation guidance
https://www.rapid7.com/ja/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
π5
π₯ We have reproduced CVE-2022-31626, an RCE in PHP <= 7.4.29 which can be triggered via a rogue MySQL/MariaDB server!
It's a Heap Overflow, works with MySQLi/PDO, and doesn't require LOAD LOCAL INFILE.
The PoC πhttps://github.com/CFandR-github/PHP-binary-bugs/tree/main/cve_2022_31626_remote_exploit
It's a Heap Overflow, works with MySQLi/PDO, and doesn't require LOAD LOCAL INFILE.
The PoC πhttps://github.com/CFandR-github/PHP-binary-bugs/tree/main/cve_2022_31626_remote_exploit
π13
𧩠Zoneminder fixed a Post-Auth RCE found by our researcher Ilya Yatsenko (@fulc2um).
See details in the advisory πhttps://github.com/ZoneMinder/zoneminder/releases/tag/1.36.16
See details in the advisory πhttps://github.com/ZoneMinder/zoneminder/releases/tag/1.36.16
π17
Account hijacking using "dirty dancing" in sign-in OAuth-flows
π€ by Frans RosΓ©n
Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans RosΓ©n, Security Advisor at Detectify goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
π Contents:
β’ Background
β’ Current state and assumptions about OAuth credential leakage
β’ Explanation of different OAuth-dances
β’ Response modes
β’ A theory: stealing tokens through postMessage
β’ It took a lot of time to get here
β’ Non-happy paths in the OAuth-dance
β’ Break state intentionally
β’ Response-type/Response-mode switching
β’ Redirect-uri case shifting
β’ Redirect-uri path appending
β’ Redirect-uri parameter appending
β’ Redirect-uri leftovers or misconfigurations
β’ I ended up on a non-happy path. Now what?
β’ Here be more time
β’ URL-leaking gadgets
β’ Other ideas for leaking URLs
β’ A page on a domain that routes any postMessage to its opener
β’ Conclusion
β’ How can we fix this?
β’ How to reduce the risk
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
π€ by Frans RosΓ©n
Combining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans RosΓ©n, Security Advisor at Detectify goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
π Contents:
β’ Background
β’ Current state and assumptions about OAuth credential leakage
β’ Explanation of different OAuth-dances
β’ Response modes
β’ A theory: stealing tokens through postMessage
β’ It took a lot of time to get here
β’ Non-happy paths in the OAuth-dance
β’ Break state intentionally
β’ Response-type/Response-mode switching
β’ Redirect-uri case shifting
β’ Redirect-uri path appending
β’ Redirect-uri parameter appending
β’ Redirect-uri leftovers or misconfigurations
β’ I ended up on a non-happy path. Now what?
β’ Here be more time
β’ URL-leaking gadgets
β’ Other ideas for leaking URLs
β’ A page on a domain that routes any postMessage to its opener
β’ Conclusion
β’ How can we fix this?
β’ How to reduce the risk
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
π6π1