rbowes-r7 (34)

Last Login: September 20, 2022
Assessments: 10
Score: 34

rbowes-r7's Latest (10) Contributions

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Very easy patch to reverse and exploit to develop. Public proofs of concept exist, as well as a Metasploit module. Very important to patch!

1
Ratings
Technical Analysis

This is a privilege-escalation vulnerability in Zimbra, to go from the zimbra user to root. As of writing, this has been publicly known for nearly a year, and reported to Zimbra for about a month.

Although it requires an account, there have been a whole pile of recent CVEs that get you there – CVE-2022-30333, CVE-2022-27925, and CVE-2022-27924.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is basically CVE-2022-27925 – it’s the same exploit, but you don’t send an auth cookie and it fails to prevent access.

2
Ratings
Technical Analysis

This is really bad – remote root on an organization’s email server, if combined with other (currently 0-day) vulnerabilities. Patch ASAP!

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

Ultimately, this is annoying and unreliable to exploit, but we did get it working and confirm it’s a problem.

3
Ratings
Technical Analysis

While we focused on Zimbra in our analysis, there are almost certainly other targets for this vulnerability that we are not aware of yet.

Exploiting this against Zimbra is really bad – it can be done fairly quietly and it doesn’t require direct access to the server, and can easily lead to root access to the server hosting users’ email. This is super urgent to patch on Zimbra!

4
Ratings
Technical Analysis

CVE-2022-22954 came out at nearly the same time, is easier to exploit, and grants access to the underlying OS rather than the web interface. I think that’s going to be the issue that ends up mattering, and this will be overshadowed.

The biggest problem is that this requires an Internet-facing SSL server, so attacks can’t easily be automated.

6
Ratings
Technical Analysis

The patch was difficult to analyze, due to the sheer amount of code and changes. But once Horizon3 released a PoC, tracking down the root cause and analyzing what’s going on was much easier. Cheers!

3
Ratings
Technical Analysis

Super underwhelming, IMO – requires a confluence of bad configuration. Microsoft’s claims that they see vulnerable configurations in the wild are dubious – it takes some effort to make yourself vulnerable (I just used sudo to run as the networkd user, but that’s cheating). Definitely not a name-worthy vulnerability!

2
Ratings
Technical Analysis

With publicly available information, this was super trivial to exploit! In the Rapid7 analysis, I chained it together with what I thought was CVE-2022-22960 (I’m not sure it was anymore) to go from unauthenticated HTTPS access to root very easily.