cdelafuente-r7 (35)

Last Login: January 25, 2021
Assessments
10
Score
35

cdelafuente-r7's Contributions (11)

Sort by:
Filter by:
4
Ratings
Technical Analysis

Sudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command’s arguments. This vulnerable code has been introduced in July 2011. According to the advisory, legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Note that the local user password is not required to successfully exploit this vulnerability.

The exploitation is done by invoking “sudoedit -s” command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo’ed in this video.

I couldn’t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be patched immediately. It is very likely a working exploit will be publicly available soon.

2

As just said before, this vulnerability won’t get you elevated privileges, but, since the vulnerable process (splwow64.exe) is running with medium integrity level, it is possible to combine it with another remote code execution exploit to escape the Internet Explorer 11 sandbox and execute arbitrary code.

This has been patched by Microsoft in June 2020, but it was incomplete (this patch bypass is identified as CVE-2020-17008). Moreover, this patch introduced another vulnerability (Out-Of-Bounds read), disclosed by ZDI as a 0-day advisory on December 15th, 2020. All of these bugs have been corrected in January 2021 and identified as CVE-2021-1648.

3
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very Low
Technical Analysis

No useful information has been published so far and most of the speculations found online are based on the CVSS 3.0 metrics found in the advisory. That said, the attack vector seems to be Local but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with @smcintyre-r7 and @bwatters-r7, we can imagine that Remote means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.

Some considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.

3
Ratings
Technical Analysis

SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malwares. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as root due to improper input sanitization. Note that only version 7.03 needs authentication and no authentication is required for versions 7.01, 7.02 and 7.07.

The attack consists in abusing the SpamTitan Gateway UI SNMP Management Settings feature to inject dangerous SNMPD command directives into the SNMP server configuration file. This is can be done in two steps:

  1. Send an HTTP POST request to the snmp-x.php page with a specially crafted community parameter:
    ...[SNIP]...&community=<community>" <ip>\nextend <random name> <payload>.
    This will end up being added to snmp.conf like this:
    …[SNIP]...
    rocommunity "<community>" <ip>
    extend <random name> <payload>
    …[SNIP]...
  2. Send an SNMP Get-Request to correct OID to trigger the payload.

Since a proof o concept and a Metasploit module are available, it is highly recommended to upgrade to the latest available version.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

This vulnerability affects Ignition 7 (prior to v7.9.14) and 8 (prior to v8.0.10), an Integrated Software Platform for SCADA systems to do cross-platform web-based deployment. These versions contain multiple vulnerabilities that, when chained together, can lead to preauth remote code execution with SYSTEM user privileges (advisory).

CVE-2020-10644 is one of these vulnerabilities (see also CVE-2020-12004) and is related to an input validation issue that leads to deserialization of untrusted data. By sending a request to the /system/gateway API endpoint and invoking getDiffs() action with a specially crafted payload, it is possible to bypass the validation routine and execute arbitrary code remotely.

This vulnerability is rated as critical, but to successfully exploit this, this must be chained with the two other vulnerabilities, as explained above and in the advisory. A Metasploit module exploiting these vulnerabilities is available here

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

This vulnerability affects Ignition 7 (prior to v7.9.14) and 8 (prior to v8.0.10), an Integrated Software Platform for SCADA systems to do cross-platform web-based deployment. These versions contain multiple vulnerabilities that, when chained together, can lead to preauth remote code execution with SYSTEM user privileges (advisory).

CVE-2020-12004 is one of these vulnerabilities (see also CVE-2020-10644) and is related to an access control issue that enables an attacker to retrieve sensitive information. The com.inductiveautomation.ignition.gateway.servlets.gateway.functions.ProjectDownload Java class provides several actions that do not require authentication. Particularly one of them, getDiffs(), can be used to access all the project data.

This is a medium risk issue when taken alone. However, as explained above, it can be critical when chained with other vulnerabilities.

3
Ratings
Technical Analysis

The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations as the SYSTEM user. By successfully exploiting this flaw, a local attacker will be able to execute arbitrary commands with elevated privileges and take full control of the system.

This write-up provides some additional information about practical exploitation than the original advisory. Basically, the attack consists of sending a specially crafted IPC message to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with SYSTEM user privileges. Combining this flaw with DLL hijacking technique, it is possible to execute arbitrary code in the context of the SYSTEM user.

Since two PoC’s (here and here ) and a weaponized Metasploit module are now available, it is highly recommended to update AnyConnect.

2
Ratings
Technical Analysis

This vulnerability enables attackers to break the security boundaries that an Active Directory forest claims to maintain. This is due to a flaw in Kerberos and forest trusts themselves. No details were disclosed so far, but the author (@_dirkjan) is going to talk about it at Blackhat Asia later this year (if Mr. Covid lets it happen).

This issue reminds me of this attack disclosed in 2018, which also targets Active Directory forest security boundaries. This leads to a complete compromise of resources in any forest with a two-way interforest trust. According to Microsoft advisory, the severity of @_dirkjan’s vulnerability is only rated as Important. If the level of compromise is similar than 2018’s attack, I believe it is much more critical.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

This vulnerability only exists if the High Availability (HA) service of Cisco Smart Software Manager On-Prem is enabled, which is not by default. This service enables an attacker to authenticate using a high-privilege default account with a static password (hardcoded). This attack could be executed by anyone without any specific skills, all he has to do is to authenticate using the default password, and no valid login is even required.

This looks like a critical vulnerability, since you can have access (read and write) to the system’s data and change configurations. However, it looks like the level of privileges would not grant access to the sensitive parts of the system. So, that said, and considering the affected service is not enabled by default, it does not look that critical.

This requires more investigation to understand what can be done with this level of privileges. I did a very quick search on the internet and was not able to find this default password. Some patch reversing might need to be done to find it and start investigating.

1
Ratings
Technical Analysis

This is a privilege escalation vulnerability in Windows Installer and, since the proof of concept is public, this is considered as important.

The issue is due to an incorrect impersonation when setting the DACLs and writing to a file. Windows Installer performs these operations with SYSTEM privileges, even if started by an unprivileged user. By creating the proper symbolic links and winning a race condition, it is possible to take full control of any restricted file and escalate privileges.

Note that the current PoC is not weaponized, but it won’t take too long to add the proper payload.

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

This plugin has approximately 1000 active installations and 24,816 downloads according to Wordpress. The vulnerable versions are approximately 25% of the active installations, which is not that much. Also, the attacker needs to be authenticated with a privileged account to make it exploitable, which reduce the likelihood of exploitation. However, the vulnerability is very easy to exploit: a simple HTTP POST request with a specially crafted ip parameter:

curl -b '<your_session_cookie>;' \
     -d 'ip=127.0.0.1|cat%20/etc/passwd&lookup=Lookup&submit=Submit%20request' \
     'http://my_wordpress.com/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'

The root cause is a call to exec() with concatenation of unsanitized input (activities_overview.php:357):

exec( 'dig -x ' . $ip, $output );