Last Login: October 09, 2020
J3rryBl4nks's Contributions (24)
Because the SSH key was published, this becomes a quick win for an attacker who encounters this service running with the default key in place. The mitigation would require easy steps, but the affected party might not even know they are vulnerable.
Due to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren’t doing it correctly.
It’s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.
Because this is a kernel panic, it is only useful if your goal is to take the host offline. Because DoS attacks are less useful overall to an attacker than RCE, LFI, or anything useful really, these vulnerabilities are not useful to have in your toolkit.
The fact that Alpine is widely used makes this an easy way to escalate privileges. Most Enterprises also don’t update their “Golden” containers that often. Privilege escalation on a host that is using containers is likely valuable as that host will likely have valuable information on it.
This de-serialization exploit can be performed without authentication in many instances. Because it leads to a reverse shell, this is incredibly valuable to an attacker.
There are many tools that will perform this exploit but my favorite is: https://github.com/joaomatosf/jexboss
Due to many legacy applications being internet facing with these vulnerabilities still present, this is an extremely valuable tool for an attacker to have in their arsenal.
This is an authenticated SQL Injection that should lead to a reverse shell.
It’s very easy to identify, and to exploit. The value is low because it is rarely seen on real machines.
The exploit for this is easy to pull off, but due to the low install base for this application, the exploit is not incredibly valuable.
Because there is no stored XSS (that I could find, at least) you need to have interaction for this exploit. It is nice that you can change the admin password and then get SQL Injection to get a shell.
This is not installed on very many servers and is not incredibly valuable.
This SQL Injection is trivial to identify and exploit:
This injection will allow you to dump the contents of the database and can be done with low privilege access.
This application does not have a large install base and so it is not incredibly valuable.
This is an injection that is trivial to exploit and also to find.
You can see the PoC in my GitHub. The exploit does require authentication, but you can extract the admin hash through the other SQL injection vulnerability or through the CSRF to add an admin user.
Due to the low volume of installs, this isn’t incredibly useful in the wild.
You would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.
Oftentimes there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc, but I have been unable to find a full chain for this exploit.
For the average attacker, this hill would be too high to climb to make this useful.
Due to the fact that files that are uploaded are able to be browsed to, this exploit means that an authenticated administrator could upload a reverse shell payload and get the connection back easily.
Many vendors will dismiss this type of vulnerability as not easily exploitable or within the bounds of what the program allows. I believe that it should never be possible for a web application to allow code execution to the underlying host unless that is core functionality of the software.
This same type of vulnerability seems to be present in a large number of monitoring software packages until they get egg on their face and patch it.
The Pandora FMS website lists a good target base that would allow you to start trying to compromise admin creds and get the file upload to hopefully get a foothold.
I would place this as valuable to attackers, but more difficult to exploit due to the fact that you have to be an authenticated admin user.
Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.
Due to public exploits being available: https://github.com/synacktiv/Exim-CVE-2019-15846, and the fact that Exim is installed on a large number of mail servers, the value to an attacker lies in the fact that this requires no authentication.
There is a deeper explanation of the vulnerability here: https://www.synacktiv.com/posts/exploit/scraps-of-notes-on-exploiting-exim-vulnerabilities.html
Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.
The fact that an exploit is included in newer versions of Metasploit massively lowers the bar for being able to exploit this vulnerability.
The damage potential is astronomical as there are so many machines that expose RDP to the internet.
This exploit does not appear to need admin credentials in order to trigger: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS14-054, https://www.tenable.com/plugins/nessus/77574
Any privilege escalation using built in Windows components is a valuable tool for attackers.
This service is incredibly common on the inside of Enterprise Environments. It would make for an extremely useful pivot to a resource that would likely have other valuable credentials on it.
Because obtaining valid Credentials in a Windows Environment is trivial, this is easy to exploit.
Because this is a ViewState serialization issue, the toolkits to create the attack payload are easy to find (https://github.com/pwntester/ysoserial.net) and the PoC is readily available: https://github.com/euphrat1ca/CVE-2020-0618
This privilege escalation through how MSI packages handle symlinks is easily exploitable. Due to the PoC being public: https://github.com/padovah4ck/CVE-2020-0683, it is easy to craft your own exploits for this.
Any org without a good patching cadence would be vulnerable to this as a valid privilege escalation vector.
Due to the need to have an upgrade or an install trigger in order for this privesc to work, the value of the exploit to an attacker is decreased. You can drop your .dll and wait for an eventually privileged process to spawn as a result of the exploit, but you might have to wait a long time.
Due to widespread credential stuffing and password spraying attacks, and the fact that this is a deserialization RCE due to hard-coded encryption keys, the exploit is universally portable.
There are also PoC scripts that just require you to get valid credentials.