architect00 (16)

Last Login: June 09, 2021
Assessments
5
Score
16

architect00's Contributions (6)

Sort by:
Filter by:
1
Ratings
Technical Analysis

This vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with Adobe Acrobat CVE-2021-28550.

1
Ratings
Technical Analysis

This vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with Adobe Acrobat CVE-2021-28550.

1

Could you explain, why you rated the attacker value of this vulnerability higher than my assessment? I lowered the value because the windows version is not a common configuration in bigger organisations. I would argue, that they tend to use Windows LTSC versions.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Details

The vulnerability affects Internet Explorer 11 on all Windows Versions. It is located in the jscript9.dll library, which is used to execute javascript.

Possible attack vectors:

  • website content
  • activeX components in office documents

Google Project Zero released a PoC on 13.05.2021, which triggers the vulnerability and causes a crash. At the time of writing I could not find any weaponized exploit.

The CVSS rating of the vulnerability differs between Windows desktop versions and server versions. In server versions the CVSS Privileges Required is set to High. Desktop versions are rated with CVSS None. The reason could be, that IE enhanced protection mode is disabled on Windows desktop versions and enabled on server versions by default.

Rating explanation

My rating of the exploitability score was affected by the availability of the PoC and the Microsoft exploitability rating. In year 2020, Operation PowerFall was using a similar vulnerability (CVE-2020-1380) in IE. I expect to see exploits for CVE-2021-26419 in a similar context.

Attackers might gain direct control over the host after exploitation without a sandbox escape. IE 11 does have a enhanced protected mode (EPM), which runs IE in an AppContainer and acts as a sandbox. EPM was introduced with Windows 8 and is disabled by default on Windows desktop versions.

Sources

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.

The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.

Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.

Sources:

https://twitter.com/GossiTheDog/status/1392211087601410054
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

3
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

Vulnerability Overview

0patch released a blog article about their micro patch concerning CVE-2021-26897. It describes the root cause as

CVE-2021-26897 is a buffer overflow issue, whereby a series of oversized “dynamic update” DNS queries with SIG (signature) records causes writing beyond the buffer boundary when these records are saved to file.

According to the blog article the record saves happen

  • periodically or
  • when the DNS service stops

The analysis of 0patch was based on an article from the McAfee Labs. They provided enough information to enable 0patch to gain understanding were the vulnerability is located.

Successful exploitation of this vulnerability results in running code with Local System privileges. A attacker does need a domain joined computer and have access to a DNS server. The configuration of the DNS server needs to have Dynamic Updates activated.

In an Active Directory environment Dynamic Updates are enabled by default. The default setting secure dynamic updates only allows domain joined computers to update a DNS zone.

Score reasoning

I rated the Attack Value pretty high. Successful exploitation provides adversaries with high privileged access to domain controllers.
The Exploitability score is based on the fact, that the vulnerability can be reversed through public resources and seems to be a buffer overflow. Nevertheless the broader mass of adversaries might be waiting for a detailed writeup or P-o-C and act opportunistic.

Sources: