J3rryBl4nks (80)

Last Login: May 05, 2020
Assessments
22
Score
80
7th Place

J3rryBl4nks's Contributions (24)

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Because the SSH key was published, this becomes a quick win for an attacker who encounters this service running with the default key in place. The mitigation would require easy steps, but the affected party might not even know they are vulnerable.

2
Ratings
Technical Analysis

Due to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren’t doing it correctly.

It’s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.

2

I agree. The proliferation of OWA spraying tools makes me think that there are a lot of attackers that are going after this vulnerability right now.

1
Ratings
Technical Analysis

Because this is a kernel panic, it is only useful if your goal is to take the host offline. Because DoS attacks are less useful overall to an attacker than RCE, LFI, or anything useful really, these vulnerabilities are not useful to have in your toolkit.

1
Ratings
Technical Analysis

The fact that Alpine is widely used makes this an easy way to escalate privileges. Most enterprises also don’t update their “golden” containers that often. Privilege escalation on a host that is using containers is likely valuable as that host will likely have valuable information on it.

2
Ratings
Technical Analysis

This de-serialization exploit can be performed without authentication in many instances. Because it leads to a reverse shell, this is incredibly valuable to an attacker.

There are many tools that will perform this exploit but my favorite is: https://github.com/joaomatosf/jexboss

Due to many legacy applications being internet facing with these vulnerabilities still present, this is an extremely valuable tool for an attacker to have in their arsenal.

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

This is an authenticated SQL Injection that should lead to a reverse shell.

https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md

It’s very easy to identify, and to exploit. The value is low because it is rarely seen on real machines.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

The exploit for this is easy to pull off, but due to the low install base for this application, the exploit is not incredibly valuable.

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Because there is no stored XSS (That I could find at least) you need to have interaction for this exploit. It is nice that you can change the admin password and then get SQL Injection to get a shell.

This is not installed on very many servers and is not incredibly valuable.

https://github.com/J3rryBl4nks/SOPlanning

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

This SQL Injection is trivial to identify and exploit:

https://github.com/J3rryBl4nks/SOPlanning

This injection will allow you to dump the contents of the database and can be done with low privilege access.

This application does not have a large install base and so it is not incredibly valuable.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

This is an injection that is trivial to exploit and also to find.

https://github.com/J3rryBl4nks/SOPlanning

You can see the POC in my github. The exploit does require authentication, but you can extract the admin hash through the other SQL injection vulnerability or through the CSRF to add an admin user.

Due to the low volume of installs, this isn’t incredibly useful in the wild.

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very Low
Technical Analysis

You would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.

Oftentimes there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc, but I have been unable to find a full chain for this exploit.

For the average attacker, this hill would be too high to climb to make this useful.

3
Ratings
Technical Analysis

Due to the fact that files that are uploaded are able to be browsed to, this exploit means that an authenticated administrator could upload a reverse shell payload and get the connection back easily.

Many vendors will dismiss this type of vulnerability as not easily exploitable or within the bounds of what the program allows. I believe that it should never be possible for a web application to allow code execution to the underlying host unless that is core functionality of the software.

This same type of vulnerability seems to be present in a large number of monitoring software packages until they get egg on their face and patch it.

The Pandora FMS website lists a good target base that would allow you to start trying to compromise admin creds and get the file upload to hopefully get a foothold.

I would place this as valuable to attackers, but more difficult to exploit due to the fact that you have to be an authenticated admin user.

4
Ratings
Technical Analysis

Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.

4

https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

This has the exploit POC generation as a part of the blog. Using ysoserial.net they generate a command that you can copy/paste and just change the payload.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Due to public exploits being available: https://github.com/synacktiv/Exim-CVE-2019-15846, and the fact that Exim is installed on a large number of mail servers, the value to an attacker lies in the fact that this requires no authentication.

There is a deeper explanation of the vulnerability here: https://www.synacktiv.com/posts/exploit/scraps-of-notes-on-exploiting-exim-vulnerabilities.html

3
Ratings
Technical Analysis

Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.

The fact that an exploit is included in newer versions of Metasploit massively lowers the bar for being able to exploit this vulnerability.

The damage potential is astronomical as there are so many machines that expose RDP to the internet.

4
Ratings
Technical Analysis

Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: https://github.com/g0tmi1k/Drupalgeddon2

3
Ratings
Technical Analysis

This exploit does not appear to need admin credentials in order to trigger: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS14-054, https://www.tenable.com/plugins/nessus/77574

Any privilege escalation using built in Windows components is a valuable tool for attackers.

3
Ratings
Technical Analysis

Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.

There is a public POC available: https://github.com/Yt1g3r/CVE-2019-3396_EXP from which you could base other attacks.

2
Ratings
Technical Analysis

This service is incredibly common on the inside of enterprise environments. It would make for an extremely useful pivot to a resource that would likely have other valuable credentials on it.

Because obtaining valid credentials in a Windows environment is trivial, this is easy to exploit.

Because this is a viewstate serialization issue, the toolkits to create the attack payload are easy to find (https://github.com/pwntester/ysoserial.net) and the POC is readily available: https://github.com/euphrat1ca/CVE-2020-0618

2
Ratings
Technical Analysis

This privilege escalation through how MSI packages handle symlinks is easily exploitable. Due to the POC being public: https://github.com/padovah4ck/CVE-2020-0683 it is easy to craft your own exploits for this.

Any org without a good patching cadence would be vulnerable to this as a valid privilege escalation vector.

4
Ratings
Technical Analysis

Due to the need to have an upgrade or an install trigger in order for this privesc to work, the value of the exploit to an attacker is decreased. You can drop your .dll and wait for an eventually privileged process to spawn as a result of the exploit, but you might have to wait a long time.

5
Ratings
Technical Analysis

Due to widespread credential stuffing and password spraying attacks, and the fact that this is a deserialization RCE due to hard-coded encryption keys, the exploit is universally portable.

There are also POC scripts that just require you to get valid credentials.