Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707)
by testanull
While analyzing CVE-2022-41082, also known as ProxyNotShell, the researcher discovered CVE-2023-21707, which he details in this blog post.
The vulnerability allows a privileged user to trigger RCE during deserialization of untrusted data.
Contents:
• Introduction
• The new variant
• Payload delivery
• Demo
• References
https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-deserialization-leading-to-rce-cve-2023-21707/
Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3
by Dylan Pindur
It's time to look at Sitecore again! In 2021 the Assetnote security research team took a look at Sitecore and found some nice vulnerabilities.
Some time has passed, Sitecore is still very prevalent, and they decided to have another look. In this round they looked at version 9.3. This isn't the latest version, but it is slightly more popular and still within Sitecore's support period.
Contents:
• Introduction
• Reconnaissance
• IIS Authorisation Bypass to RCE
• Unsafe Reflection
• Authorisation Bypass Two: EXM Boogaloo
• Bonus Authenticated RCE
• Conclusions
https://blog.assetnote.io/2023/05/10/sitecore-round-two/
CS:GO: From Zero to 0-day
by Felipe & Alain
The researchers identified three independent remote code execution (RCE) vulnerabilities in the popular game Counter-Strike: Global Offensive. Each vulnerability can be triggered when the game client connects to a malicious Python CS:GO server. The post details their journey through the CS:GO binary and takes a technical deep dive into the identified bugs. They conclude by presenting a proof-of-concept (PoC) exploit that chains four different logic bugs into remote code execution in the game's client, triggered when a client connects to the server.
Contents:
• TL;DR
• Introduction
• CS:GO
• Know your target
• The discovery of four logic bugs
• Full logic bug chain
• Video
• Closing Thoughts
• Timeline
https://neodyme.io/blog/csgo_from_zero_to_0day/
GitLab Arbitrary File Read (CVE-2023-2825) Analysis
by Sonny
For the unaware, GitLab is a widely used, enterprise-grade web application for managing source code repositories at scale. In this blog post the author discusses a fresh vulnerability for which GitLab has issued an advisory with a CVSS score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
Contents:
• Setting up the target environment
• Reproducing the bug
• But Why?
• How impactful is this vulnerability?
• Conclusion
https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise
by Zach Hanley
On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application which detailed a SQL injection leading to remote code execution and urged customers to update to the latest version. At the time of release, the vulnerability, CVE-2023-34362, was believed to have been exploited in the wild as a 0-day dating back at least 30 days.
Contents:
• Taking a Peek - Patch Diff'ing
• A Path to Exploitation
  • The Path to Unclean Input
  • The Path to SQL Injection
  • The Path to Administrator Session
  • The Path to Remote Code Execution
  • Post-Exploitation Bonus
• Indicators of Compromise
https://www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/
Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was
by Aliz Hammond
When Lexfo Security teased a critical pre-authentication RCE bug in FortiGate devices on Saturday 10th, many people speculated on the practical impact of the bug. Would this be a true, sky-is-falling level vulnerability like the recent CVE-2022-42475? Or was it some edge-case hole, requiring some unusual and exotic prerequisite before any exposure? Others went further still, questioning the legitimacy of the bug itself. Details were scarce and guesswork was rife.
The watchTowr team successfully reproduced the CVE-2023-27997 vulnerability and published a detailed blog post with a Python PoC for crashing the target device.
Contents:
• Patch Diffing
• Exploitation
• Impact
• Rapid Response
https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
Pre-authenticated RCE in VMware vRealize Network Insight β CVE-2023-20887
by SinSinology
The researcher recently identified and reported multiple vulnerabilities in VMware vRealize Network Insight by working with the Zero Day Initiative. Several of these vulnerabilities have been assigned a CVE:
• CVE-2023-20887
• CVE-2023-20888
• CVE-2023-20889
This post examines the exploitation process of CVE-2023-20887 in VMware Aria Operations for Networks (formerly known as vRealize Network Insight). The vulnerability is a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers.
Contents:
• Introduction
• Vulnerability Analysis
• The Bypass
• Proof of Concept
• PoC[.]py
• References
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
FortiNAC - Just a few more RCEs
by frycos
The researcher identified multiple vulnerabilities in FortiNAC, including RCE with root privileges, and nicely explains the whole approach to researching software for security bugs.
In the blog post you'll find things such as:
• Java source code analysis;
• identifying and exploiting XXE and argument injection;
• some restriction bypasses;
• the vendor communication history.
Contents:
• Recon
• Auditing Service Port 1050
• Auditing Service Port 5555
• XML External Entity
• Argument Injection
• Allow List Bypass - Argument Injection to Command Injection
• Sudo Restriction Bypass
• Conclusions
• Internet Exposure Check
• Indicators of Compromise (IoCs)
https://frycos.github.io/vulns4free/2023/06/18/fortinac.html
AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice
by Marc Olivier Bergeron
While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.
The researcher found a way to execute a batch query in MSSQL without a semicolon. The SQL query
SELECT 'test' SELECT 'test'
will return the test string twice.
Contents:
• In a nutshell
• The discovery
• A Review of What Is Publicly Known
• Bug or Feature?
• Abusing the bug to bypass AWS Web Application Firewall (WAF)
• Design Choice with Security Implications
• Timeline
• Conclusion
https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/
Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)
by Dylan Pindur
ShareFile is a cloud-based file sharing and collaboration application. The software providing this feature is a .NET web application running under IIS called "Storage Zones Controller" (also sometimes called Storage Center), and this is what the Assetnote team decided to target.
Through their research they were able to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug. Citrix has released a security update and assigned this issue CVE-2023-24489.
Contents:
• Introduction
• Where to Start?
• Authenticated, but Not Really
• A Simple Path Traversal
• Encryption != Authentication
• Block Ciphers and Padding
• Cipher Block Chaining
• Enough Cryptography, Show Me the Exploit
• What Have We Learned?
• Conclusions
https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
Adobe ColdFusion Pre-Auth RCE(s)
by Rahul Maini, Harsh Jaiswal
Adobe ColdFusion, widely recognized for its robust web development capabilities, recently released a critical security update. The update targeted three security issues, among them CVE-2023-29300, a pre-authentication Remote Code Execution (RCE) vulnerability. This vulnerability allows malicious actors to execute arbitrary code on vulnerable ColdFusion 2018, 2021 and 2023 installations without prior authentication.
In this blog post, the authors provide a comprehensive analysis of CVE-2023-29300, shedding light on the nature of the vulnerabilities and their potential impact, and sharing the code review journey undertaken by their team.
Contents:
• Introduction
• What's in the patch?
• Parsing of WDDX Packet
• Finding the Sink
• Finding the Source
• Escalating JNDI Injection To RCE
• Updates
• Conclusion
https://blog.projectdiscovery.io/adobe-coldfusion-rce/
Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP[.]NET Framework (CVE-2023-36899)
by Soroush Dalili
In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL. This method is useful for clients that do not support cookies.
The researcher identified a strange anomaly when the cookieless pattern was repeated twice. This resulted in two vulnerabilities reported to Microsoft, since their impact and exploitation differ:
• IIS restricted path bypass leading to potential authentication and path-filtration bypass
• Application Pool confusion leading to potential privilege escalation
Contents:
• Introduction
• Finding the vulnerability
• IIS Restricted Path Bypass
• The root cause
• Application Pool Confusion
https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/
Black Hat 2023 is over, and you can find the research we found most interesting below:
• Three New Attacks Against JSON Web Tokens
• Smashing the State Machine: The True Potential of Web Race Conditions
• Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare
• A Pain in the NAS: Exploiting Cloud Connectivity to PWN Your NAS
• Chained to Hit: Discovering New Vectors to Gain Remote and Root Access in SAP Enterprise Software
• Defender-Pretender: When Windows Defender Updates Become a Security Risk
• Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater
• Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities
• Diving into Windows Remote Access Service for Pre-Auth Bugs
• Bad io_uring: A New Era of Rooting for Android
• ODDFuzz: Hunting Java Deserialization Gadget Chains via Structure-Aware Directed Greybox Fuzzing
All sessions from Black Hat 2023: https://www.blackhat.com/us-23/briefings/schedule/index.html
CVE-2023-36844 And Friends: RCE In Juniper Devices
by Sonny
A recent out-of-cycle Juniper security bulletin caught the team's attention, describing two bugs which, although only a 5.3 on the CVSS scale individually, supposedly could be combined for RCE. The bulletin actually contains four CVEs, as the two bugs apply to two separate platforms (the EX switches and SRX firewall devices). They focus just on the SRX bugs, as they expect the EX bugs to be identical. These are two individual flaws.
This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a 'world ending' unauthenticated RCE.
Contents:
• First Impressions
• Of $internal_functions
• Interesting Internal Functions
• A Polluted Environment
• Preloading Libraries
• We don't need no steenkin' binaries
• Other bits and bobs
• Aftermath
• Proof of Concept
• Closing words
https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
When URL parsers disagree (CVE-2023-38633)
by Zac Sims
Canva uses librsvg to quickly render user-provided SVGs into thumbnails that are later displayed as PNGs. By exploiting differences between URL parsers when rendering an SVG with librsvg, they showed it is possible to include arbitrary files from disk in the resulting image. The librsvg maintainers quickly patched the issue, which was assigned CVE-2023-38633.
Contents:
• Prequel
• XInclude
• There are rules
• Parser Mismatch
• Bypassing Validation
• Bypassing Canonicalization
• Proof of concept
• Patch
• Timeline
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
If the link above doesn't work, use a web archive version.
CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution
by pyn3rd
In Spring for Apache Kafka 3.0.9 and earlier, and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if an unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.
The researcher describes in detail the causes of the vulnerability and the method of its exploitation. This is a perfect example of how a vulnerability can be reproduced from the information in the advisory alone.
Contents:
• Preface
• Concepts of Kafka
• Preparation
https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserialization-Remote-Code-Execution/
We have reproduced the fresh CVE-2023-42793 in JetBrains TeamCity.
Authentication bypass allows an external attacker to gain administrative access to the server and execute any commands on it.
Update your software ASAP!
[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023β29357 & CVE-2023β24955)
by Janggggg
The researcher achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, discovering and crafting the full exploit chain consumed nearly a year of meticulous effort and research.
The exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server:
• Authentication Bypass
• Code Injection
Contents:
• Brief
• Affected products/Tested version
• Vulnerability #1: SharePoint Application Authentication Bypass
• Vulnerability #2: Code Injection in DynamicProxyGenerator.GenerateProxyAssembly()
• Demo
https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
We have reproduced both CVE-2023-29357 and CVE-2023-24955 in Microsoft SharePoint.
The chain allows unauthenticated users to execute arbitrary commands on the server.
Update your software ASAP!
⚠️ We have reproduced CVE-2023-22515 in Atlassian Confluence.
Broken access control allows unauthenticated users to gain administrative access to the web application!
Update your software ASAP!
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
by Dylan Pindur
It's time for another round of Citrix patch diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.
The researchers were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued their interest. Their goal was to understand the vulnerability and develop a check for their Attack Surface Management platform.
Contents:
• Introduction
• Patch Diffing
• Finding the Vulnerable Function
• Exploiting the Endpoint
• Verifying the Session Token
• Final Thoughts
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966