Activity Feed

2

machevalia replied to nu11secur1ty's assessment of CVE-2023-23399

March 21, 2023 2:57pm UTC (3 days ago)•Edited 2 days ago

Is there more information about what exactly the vulnerable component in Excel is? I can’t find much information about this but I can’t image it is simply the shell function in VBA, that’s been a vector for some time. Any additional info would be appreciated. Thanks for sharing!

1

cdelafuente-r7 replied to cbeek-r7's assessment of CVE-2023-21716

March 21, 2023 2:14pm UTC (3 days ago)

Note that, even if user interaction is required, it can be minimal. According to Microsoft, the Preview Pane is also an attack vector, which means the user doesn’t need to open the file. Loading the RTF document in the Preview Pane should also trigger the vulnerability.

1

blackhome2016 assessed CVE-2023-21707

March 19, 2023 8:45am UTC (5 days ago)•Edited 5 days ago

Ratings

Attacker Value

High

Exploitability

Medium

Technical Analysis

Microsoft CVE-2023-21707: Microsoft Exchange Server Remote Code Execution Vulnerability

2

VoidSec replied to cbeek-r7's assessment of CVE-2023-21716

March 17, 2023 9:26pm UTC (6 days ago)•Edited 5 days ago

Word 2021 MSO (Version 2302 Build 16.0.16130.20186) 64-bit
Word 2021 MSO (Version 2302 Build 16.0.16130.20298) 64-bit
arevulnerable too

VoidSec reported CVE-2023-21716 as Exploited in the Wild

March 17, 2023 9:18pm UTC (6 days ago)

Indicated source as

Personally observed in an environment

LeriPI reported CVE-2021-29425 as Exploited in the Wild

March 17, 2023 8:37pm UTC (6 days ago)

1

zeroSteiner assessed CVE-2022-38108

March 17, 2023 6:23pm UTC (6 days ago)

Ratings

Attacker Value

Low

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated Requires elevated access

Technical Analysis

The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

In order to authenticate to the AMQP service, a user would need to already have admin access to add a RabbitMQ user, or have recovered the credentials to the orion account that SolarWinds sets up automatically. For that reason, I’ve marked this as “Authenticated” and “Requires elevated access” because the orion account is not any ordinary user.

1

nu11secur1ty assessed CVE-2023-23399

March 17, 2023 10:57am UTC (1 week ago)•Edited 1 week ago

Ratings

Attacker Value

High

Exploitability

Medium

Difficult to patch Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration Requires user interaction

Technical Analysis

CVE-2023-23399

Description:

The malicious user can exploit the victim’s PC remotely.
For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
In this case, the malicious excel file create a very dangerous shell execution file, and after the victim will execute it, his PC maybe will never wake up normally, it depends on the case, which is very nasty.

STATUS: HIGH Vulnerability

[+]Exploit0:

Sub Check_your_salaries()
CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://pornhub.com/"
End Sub

[+]Exploit1:

Sub cmd()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "cmd.exe"
TaskID = Shell(Program, 1)
If Err <> 0 Then
MsgBox "Can't start " & Program
End If
End Sub