xFreed0m (16)
Last Login: April 20, 2020
xFreed0m's Latest (7) Contributions
Technical Analysis
CVE-2020-1986 Secdo: Local authenticated users can cause Windows system crash
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH
Description
Improper input validation vulnerability in Secdo allows an authenticated local user with ‘create folders or append data’ access to the root of the OS disk (C:) to cause a system crash on every login. This issue affects all versions of Secdo for Windows.
Product Status
Secdo
Versions Affected
all versions on Windows
Severity: MEDIUM
CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Solution
This product is no longer supported and the issue will not be fixed. This issue can be easily mitigated by creating a “C:\proc” folder and not allowing unprivileged users to access that folder, or by ensuring unprivileged users do not have ‘create folder’ access to the root of a disk (C:).
Workarounds and Mitigations
Exploitation of this issue can be prevented by creating a “C:\proc” folder and not allowing unprivileged users to access that folder.
Acknowledgements
We would like to thank Eviatar Gerzi of the CyberArk Labs team for discovering and reporting this issue.
Technical Analysis
CVE-2020-1985 Secdo: Incorrect Default Permissions
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Description
Incorrect default permissions on the C:\Programdata\Secdo\Logs folder in Secdo allow local authenticated users to overwrite system files and gain escalated privileges. This issue affects all versions of Secdo for Windows.
Product Status
Secdo
Versions Affected
all versions on Windows
Severity: HIGH
CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Solution
This product is no longer supported and the issue will not be fixed. Change the permissions on the C:\Programdata\Secdo\Logs folder so that unprivileged users do not have access.
Workarounds and Mitigations
Change the permissions on C:\Programdata\Secdo\Logs so that unprivileged users do not have access.
Acknowledgements
We would like to thank Eviatar Gerzi of the CyberArk Labs team for discovering and reporting this issue.
Technical Analysis
CVE-2020-1984 Secdo: Privilege escalation via hardcoded script path
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
Description
Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with ‘create folders or append data’ access to the root of the OS disk (C:) to gain system privileges if the path does not already exist or is writable.
Product Status
Secdo
Versions Affected
all versions on Windows
Severity: HIGH
CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Solution
This product is no longer supported and the issue is not going to be fixed. The issue can be completely mitigated by ensuring that unprivileged users do not have ‘create folder’ access on the root of the filesystem such as C:\ or on a folder named C:\Common.
Workarounds and Mitigations
This issue can be mitigated by either:
- ensuring unprivileged users do not have ‘create folder’ access on the root of the filesystem, such as C:\, or
- creating a folder named C:\Common and ensuring unprivileged users do not have ‘create folder’ access to it.
Acknowledgements
We would like to thank Eviatar Gerzi of the CyberArk Labs team for discovering and reporting this issue.
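One way to verify, and then apply, the mitigations the three Secdo advisories above rely on, as an added PowerShell example that is not part of the advisories or of Secdo. It assumes C: is the OS disk, English principal names, and an elevated shell.

```powershell
# Added audit/hardening script for the three Secdo advisories; not part of the advisories
# or of Secdo. Assumptions: the OS disk is C:, English principal names, and "unprivileged"
# means Users, Authenticated Users and Everyone. Run from an elevated PowerShell.
$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# "Create folders / append data" and "Create files / write data" bits; FullControl, Modify
# and Write all contain them, so one mask catches every over-permissive Allow ACE.
$CreateMask = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles'

function Test-LowPrivCreateAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Offending = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # InheritOnly ACEs are reported too: they are what a newly created subfolder receives.
    $bad = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $CreateMask) -ne 0) {
            '{0} -> {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Offending = @($bad) }
}

# Pre-create the folder, drop inherited ACEs (which would otherwise carry the root's
# create-folder right down to it), and leave only SYSTEM and Administrators.
function Protect-MitigationFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit pass: C:\ root (CVE-2020-1984/-1986), the two hardcoded paths, and the log folder (CVE-2020-1985).
$Targets = @('C:\', 'C:\proc', 'C:\Common', 'C:\Programdata\Secdo\Logs')
foreach ($t in $Targets) {
    $r = Test-LowPrivCreateAccess -Path $t
    if (-not $r.Exists) { Write-Warning "$t is missing: an unprivileged user could create it first"; continue }
    if ($r.Offending) { Write-Warning "$t grants create/write to: $($r.Offending -join '; ')" }
    else { Write-Output "$t OK (no low-privilege create/write rights)" }
}
# Remediation for the hardcoded paths; uncomment after reviewing the audit output.
# foreach ($t in 'C:\proc', 'C:\Common') { Protect-MitigationFolder -Path $t }
```

On a default Windows install the audit flags C:\ itself, because Authenticated Users hold the ‘create folders / append data’ right there; that is exactly the condition the advisories describe, so either remove that right or pre-create and lock down the folders.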
Technical Analysis
LibSSH isn't as common as other SSH server software, and the vulnerability is pretty dated, so finding this in the wild won't be a walk in the park.
Having said that, if adversaries find this software installed in a vulnerable version, exploitation is extremely easy (multiple exploits exist on the internet) and will usually provide access from the outside to the server while fully bypassing authentication.
For example: https://github.com/xFreed0m/CVE-2018-10933
Technical Analysis
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The security update addresses the vulnerability by correcting how Windows BITS handles symbolic links.
Technical details can be found at: https://itm4n.github.io/cve-2020-0787-windows-bits-eop/
Technical Analysis
The ease of exploiting this vulnerability depends directly on the ability to get a working set of creds.
That means that if the organization has a weak password policy, guessable passwords, leaked credentials or an external interface that allows password spraying, obtaining such credentials will be easy for adversaries.
Yup, it's easy to get bulletproof hosting, run endless password spraying attacks against OWA\Office365 until you get creds, and then with this vuln it's game over, as Exchange is a core server that will almost always yield DA creds.