ccondon-r7 (62)

Last Login: October 24, 2020
Assessments
19
Score
62

ccondon-r7's Contributions (33)

Sort by:
Filter by:
3
Ratings
Technical Analysis

Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, an pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.

Exploit chain: CVE-2020-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2020-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!

Pulse Secure patched these vulnerabilities in April, 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.

1

@elligottmc Sounds fair enough (not sure if Brent is active on here these days!), yep. This topic was our catch-all when Citrix hadn’t specified the included CVEs yet.

1
Ratings
  • Attacker Value
    Very High
Technical Analysis

The generally short shelf life of many browser vulnerabilities is offset by their value to attackers—and in some cases very nicely offset. This Chrome 0day arises from a heap buffer overflow in FreeType, a commonly-used open-source font engine. The public availability of patch details significantly improves shelf life calculus for attackers and exploit developers.

2
Ratings
Technical Analysis

There were a lot of vulns out this week, a number of which got quite a bit more news cycle attention than this one (lookin’ at you, Bad Neighbor). Unlike a few of those higher-hype bugs, however, this one is an active threat. Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments.

@tsellers-r7 has a really great Twitter thread here on the number of publicly exposed, vulnerable SharePoint installations and version/support complexities that defenders may not realize they need to take into account. Metasploit Framework will also have module out in next week’s release.

2
Ratings
Technical Analysis

There’s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If Positive Technologies or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, “patch fast but don’t panic” is good advice, as it always is with VPNs. There’s full analysis for this bug in the Rapid7 Analysis tab here.

2
Ratings
  • Attacker Value
    Very High
Technical Analysis

According to Black Arrow, it looks like this CVE is being exploited to deliver Kaiten malware. This is another of the batch Orange Tsai wrote about from among their MobileIron discoveries last month. @wvu-r7 has a bit more context on the auth bypass in his assessment of CVE-2020-15506, too.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.

1
2

@VoidSec Ah, that’s exactly what I was wondering! I’m really sorry your client was compromised, and thank you for reporting this as exploited in the wild.

2

Hey @VoidSec! Thanks for the assessment! I noticed you reported this as being exploited in the wild—I have absolutely no doubt that’s true, but I haven’t seen any confirmed reports of active exploitation (only public exploits being available). Have you seen differently? Wondering if I need to tweak my monitoring source list :)

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

There’s more info in Rapid7’s analysis here, but as @tsellers-r7 and @smcintyre-r7 pointed out privately today, need for authenticated session + exposed PowerShell endpoint + user who belongs to specific Exchange groups = less opportunity for wide-scale attacks than something like February’s Exchange vuln. I’m interested to see how Steven Seeley’s exploit works if he releases it, though. Might be cause for quick re-evaluation.

3
Ratings
Technical Analysis

Same initial evaluation as CVE-2020-3566—namely that successful exploitation doesn’t appear thus far to yield useful access for attackers, though disruption to critical business services is still a major concern for service providers. If the DoS enables a new threat vector, attacker value on these vulns rises. I’m going to leave exploitability blank for the time being. Rapid7 has analysis here.

2
Ratings
Technical Analysis

At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.

2
Ratings
  • Attacker Value
    High
Technical Analysis

This made CISA’s list of most exploited vulns from 2016-2019—fairly notable since it’s a 2019 vulnerability and had less time to percolate than others. There are newer SharePoint vulnerabilities and exploits out now that may replace this one, but the generalized takeaway is that SharePoint is a highly attractive attack target with a number of public exploits and proofs-of-concept available for known vulns.

1
Ratings
Technical Analysis

SANS ISC has said they’re seeing “small numbers of exploit attempts.” The exploit they’ve detected is identifying vulnerable systems “by reading benign LUA source code files.”

https://isc.sans.edu/diary/26426

3
Ratings
Technical Analysis

The exposed target population may be comparatively low to, say, the whole of the internet, but Rapid7 Labs has noted—rightly so—that a couple thousand exposed gateways is still a pretty concerning state of affairs when those gateways are protecting industrial control systems. Pre-authenticated RCE in VPN products guarding ICS/OT networks during a pandemic is, as the kids say, bad news bears—and that’s not to make light, because this ain’t light. The good news is that there are patches out for all these vulns, even though the downtime required to patch and verify effectively might be nothing to sneeze at. Longer analysis and recommendations by smart people here.

Researchers from around Rapid7’s world (and likely others, too!) have said today that there is likely lower-hanging fruit that will be surfaced in the coming days, particularly around nerve-wracking findings such as exposed Telnet administration ports. There’s a lot of well-justified attention on this grouping of vulns, and with that attention comes increased focus on attack opportunities in general…and the stuff we see clogging up our security noise machines won’t be the only stuff well-resourced attackers are paying attention to. Patch as soon as possible (and yep, easier said than done).

2
Ratings
Technical Analysis

I’m going to quote @hrbrmstr here: Since the registry config workaround doesn’t require a system restart, it seems like this is going to be a niche exploitation issue for organizations that haven’t config’d or patched their way to safety.

Still haven’t seen PoC past the DoS from maxpl0it (which is a very good Twitter username, unrelatedly) that surfaced quickly after the vuln details were published. Anecdotally, a few other researchers have mused that this probably isn’t the ripest or most valuable target for exploitation (famous last words, eh?).

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is an incredibly attractive and simple attack target: It’s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.

It’s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it’s definitely advisable to take CISA’s guidance to heart—i.e., patch over mitigation wherever possible and as quickly as possible.

3

Hey there, friend, just wanted to say thanks for all the great technical assessments recently. The team’s started looking forward to your evaluations. Much appreciated!

2

Nice, saw your gist with check logic, too—Metasploit should have an exploit out shortly. Sounds from the researcher working on it that his check method is similar. Thanks for the assessment, super appreciated!

3
Ratings
  • Attacker Value
    Very High
Technical Analysis

There have been several reports of exploitation in the wild as of July 4. The one I’ve seen cited the most is here.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.

2

Nice, what a great assessment! Knowledge like this is exactly what we wanted to be able to capture and highlight when AttackerKB was first dreamt up. Thanks so much—if you ever want to collaborate on a Metasploit module (scanner, exploit, LPE, post-exploitation) for a vuln you’ve been looking at, let us know and we’ll be happy to help out!

1

@aaronsvk This is great! You’re the person who discovered the vuln, too, yes? Really nice work.

1

I appreciate that you included a specific threat model scenario here, thanks!

1

I can’t upvote this enough. What a great clarification on vulnerability definition!

3

Your Twitter thread on this was really helpful as @wvu-r7 was working through module code, thanks!

3
Ratings
Technical Analysis

There’s a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that’s needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129.
TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium