CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution
👤 by pyn3rd
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.
The researcher describes in detail the causes of the vulnerability and the method of its exploitation. This is a perfect example of how a vulnerability can be reproduced based solely on the information in an advisory.
Contents:
• Preface
• Concepts of Kafka
• Preparation
https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserialization-Remote-Code-Execution/
🔥 We have reproduced the fresh CVE-2023-42793 in JetBrains TeamCity.
Authentication bypass allows an external attacker to gain administrative access to the server and execute any commands on it.
Update your software ASAP!
[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023-29357 & CVE-2023-24955)
👤 by Janggggg
The researcher achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that discovering and crafting the full exploit chain consumed nearly a year of meticulous effort and research.
This exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server:
• Authentication Bypass
• Code Injection
Contents:
• Brief
• Affected products/Tested version
• Vulnerability #1: SharePoint Application Authentication Bypass
• Vulnerability #2: Code Injection in DynamicProxyGenerator.GenerateProxyAssembly()
• Demo
https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
🔥 We have reproduced both CVE-2023-29357 and CVE-2023-24955 in Microsoft SharePoint.
The chain allows unauthenticated users to execute arbitrary commands on the server.
Update your software ASAP!
⚠️ We have reproduced CVE-2023-22515 in Atlassian Confluence.
Broken access control allows unauthenticated users to gain administrative access to the web application!
Update your software ASAP!
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
👤 by Dylan Pindur
It's time for another round of Citrix patch diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.
The researchers were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued their interest. Their goal was to understand the vulnerability and develop a check for their Attack Surface Management platform.
Contents:
• Introduction
• Patch Diffing
• Finding the Vulnerable Function
• Exploiting the Endpoint
• Verifying the Session Token
• Final Thoughts
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747
👤 by Michael Weber and Thomas Hendrickson
During this research the authors identified an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747 and is closely related to CVE-2022-26377. Like the Qlik RCE they recently reported, the F5 vulnerability was also a request smuggling issue. In this blog the authors discuss their methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps they took to turn the request smuggling into a critical risk issue. They conclude with remediation steps and their thoughts on the overall process.
Contents:
• Overview
• Mapping out the F5 BIG-IP Attack Surface
• F5 Traffic Management User Interface (TMUI) Overview
• Verifying AJP Smuggling
• AJP Smuggling and Server Interpretation
• But What To Do With the Smuggling?
• Remediation
• Conclusion
• Disclosure Timeline
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
From Akamai to F5 to NTLM... with love
👤 by d3d
In this post, the researcher shows how he was able to abuse Akamai in order to abuse F5 and steal internal data, including authorization and session tokens, from their customers.
Contents:
• Prerequisites
• Discovery
• On the Akamai hunt
• On the F5 hunt
• God Mode Pwnage
• NTLM or GTFO
• Closing
https://blog.malicious.group/from-akamai-to-f5-to-ntlm/
Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix
👤 by Charles Fol
wrapwrap marks another improvement to the PHP filter exploitation saga. Adding arbitrary prefixes to resources using php://filter is nice, but you can now add an arbitrary suffix as well, allowing you to wrap PHP resources into any structure. This beats code like:
$data = file_get_contents($_POST['url']);
$data = json_decode($data);
echo $data->message;
or:
$config = parse_ini_file($_POST['config']);
echo $config["config_value"];
Contents:
• Abstract
• Introduction
• Building wrapwrap
    • Adding a prefix
    • Fuzzing to no effect
    • Not so random trimming
    • The main idea
    • Where is the end?
    • Real suffix control: removing digits
• Using wrapwrap
• Conclusion
https://www.ambionics.io/blog/wrapwrap-php-filters-suffix
🌵 Cacti fixed 2 high severity vulnerabilities found by our researcher Aleksey Solovev.
🔥 CVE-2023-49084: RCE via managing links;
🔥 CVE-2023-49085: SQLi via managing poller devices.
Read the technical advisories here →
https://github.com/Cacti/cacti/security
New article by our researcher @snovvcrash: "Python ❤️ SSPI: Teaching #Impacket to Respect Windows SSO".
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
PT SWARM
Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO
One handy feature of our private Impacket (by @fortra) fork is that it can leverage native SSPI interaction for authentication purposes when operating from a legit domain context on a Windows machine. As far as the partial implementation of Ntsecapi represents…
🔥 Yealink fixed a post-auth OS command injection in Yealink Meeting Server found by our researcher.
Read the advisory: https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf
Atlassian Confluence - Remote Code Execution (CVE-2023-22527)
👤 by Rahul Maini & Harsh Jaiswal
CVE-2023-22527 is a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence Instance, thereby enabling the execution of arbitrary code and system commands.
Contents:
• Technical Details
    • Initial Analysis
    • Identifying the Unauthenticated Attack Surface
• OGNL Expression Evaluation
• Remote Code Execution via OGNL Injection
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
New article by our researcher Nikita Sveshnikov: "Bypassing browser tracking protection for CORS misconfiguration abuse."
Read the blog post to learn how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms.
https://swarm.ptsecurity.com/bypassing-browser-tracking-protection-for-cors-misconfiguration-abuse/
PT SWARM
Bypassing browser tracking protection for CORS misconfiguration abuse
Cross-Origin Resource Sharing (CORS) is a web protocol that outlines how a web application on one domain can access resources from a server on a different domain. By default, web browsers have a Same-Origin Policy (SOP) that blocks these cross-origin requests…
PortSwigger's Top 10 web hacking techniques of 2023!
Welcome to the Top 10 Web Hacking Techniques of 2023, a community-powered effort to identify the most important and innovative web security research published in the last year.
1. Smashing the state machine: the true potential of web race conditions
2. Exploiting Hardened .NET Deserialization
3. SMTP Smuggling - Spoofing E-Mails Worldwide
4. PHP filter chains: file read from error-based oracle
5. Exploiting HTTP Parsers Inconsistencies
6. HTTP Request Splitting vulnerabilities exploitation
7. How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
8. From Akamai to F5 to NTLM... with love
9. Cookie Crumbles: Breaking and Fixing Web Session Integrity
10. can I speak to your manager? hacking root EPP servers to take control of zones
The entire nomination list can be found here: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)
👤 by Rapid7
In February 2024, Rapid7's vulnerability research team identified two new vulnerabilities affecting the JetBrains TeamCity CI/CD server:
• CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
• CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).
Contents:
• Overview
• Impact
• Remediation
• Analysis
    • CVE-2024-27198
    • CVE-2024-27199
• Rapid7 customers
• Timeline
https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
Source Code Disclosure in IIS 10.0! Almost.
There is a method to reveal the source code of some .NET apps. Here's how it works.
https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
📱 New article by our researcher Andrey Pesnyak: "Android Jetpack Navigation: Deep Links Handling Exploitation"
Read about a flaw that allows an attacker to launch any fragments in a navigation graph associated with an exported activity.
https://swarm.ptsecurity.com/android-jetpack-navigation-deep-links-handling-exploitation/
PT SWARM
Android Jetpack Navigation: Deep Links Handling Exploitation
The androidx.fragment.app.Fragment class available in Android allows creating parts of application UI (so-called fragments). Each fragment has its own layout, lifecycle, and event handlers. Fragments can be built into activities or displayed within other…
We're excited to unveil a new tool developed by our researcher @kiber_io: APKd. Now, you can effortlessly download APKs from AppGallery, APKPure, and RuStore directly from the terminal!
Check it out here: https://github.com/kiber-io/apkd
We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!
A brief instruction for red teams:
1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!
No back connect required!