xFreed0m (16)

Last Login: April 20, 2020
Assessments
6
Score
16

xFreed0m's Contributions (7)

Sort by:
Filter by:
1
Ratings
Technical Analysis

CVE-2020-1986 Secdo: Local authenticated users can cause Windows system crash

Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

Description

Improper input validation vulnerability in Secdo allows an authenticated local user with ‘create folders or append data’ access to the root of the OS disk (C:) to cause a system crash on every login. This issue affects all versions Secdo for Windows.

Product Status
Secdo
Versions Affected
all versions on Windows
Severity: MEDIUM
CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Solution

This product is no longer supported and the issue will not be fixed. This issue can be easily mitigated by creating a “C:\proc” folder and not allowing unprivileged users to access to that folder, or ensuring unprivileged users do not have ‘create folder’ access to the root of a disk (C:).

Workarounds and Mitigations

Exploitation of this issue can be prevented by creating a “C:\proc” folder and not allowing unprivileged users to access that folder.

Acknowledgements

We like to thank Eviatar Gerzi of CyberArk Labs Team for discovering and reporting this issue.

https://security.paloaltonetworks.com/CVE-2020-1986

1
Ratings
Technical Analysis

CVE-2020-1985 Secdo: Incorrect Default Permissions

Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Incorrect Default Permissions on C:\Programdata\Secdo\Logs folder in Secdo allows local authenticated users to overwrite system files and gain escalated privileges. This issue affects all versions Secdo for Windows.

Product Status
Secdo
Versions Affected
all versions on Windows
Severity: HIGH
CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

This product is no longer supported and the issue will not be fixed. Change permission on C:\Programdata\Secdo\Logs folder to not allow unprivileged users access.

Workarounds and Mitigations

Change permission on C:\Programdata\Secdo\Logs to not allow unprivileged users access.

Acknowledgements

We like to thank Eviatar Gerzi of CyberArk Labs Team for discovering and reporting this issue.

https://security.paloaltonetworks.com/CVE-2020-1985

1
Ratings
Technical Analysis

CVE-2020-1984 Secdo: Privilege escalation via hardcoded script path

Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with ‘create folders or append data’ access to the root of the OS disk (C:) to gain system privileges if the path does not already exist or is writable.

Product Status

Secdo
Versions Affected
all versions on Windows
Severity: HIGH
CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

This product is no longer supported and the issue is not going to be fixed. The issue can be completely mitigated by ensuring that unprivileged users do not have ‘create folder’ access on the root of the filesystem such as C:\ or on a folder named C:\Common.

##Workarounds and Mitigations
This issue can be mitigated by :

  • Ensure unprivileged users do not have ‘create folder’ access on the root of filesystem such as C:.

or

  • Creating a folder named C:\Common and ensuring unprivileged users do not have ‘create folder’ access.

Acknowledgements

We like to thank Eviatar Gerzi of CyberArk Labs Team for discovering and reporting this issue.

https://security.paloaltonetworks.com/CVE-2020-1984

1
Ratings
Technical Analysis

LibSSH isn’t common as other SSH server softwares and vulnerability is pretty dates so finding this in the wild won’t be a walk in the park.
Having said that, if adversaries will find this software installed with a vulnerable version, exploitation is extremely easy (multiple exploit exists in the internet) and usually will provided access from the external to the server while fully bypassing the authentication.
for example – https://github.com/xFreed0m/CVE-2018-10933

3
Ratings
Technical Analysis

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The security update addresses the vulnerability by correcting how Windows BITS handles symbolic links.

Technical details can be found: https://itm4n.github.io/cve-2020-0787-windows-bits-eop/

2

yup, its easy to get bulletproof hosting, run endless password spraying attacks against OWA\Office365 until you get creds, and then with this vuln it’s game over as Exchange in a core server that will almost always would yield DA creds.

3
Ratings
Technical Analysis

the easiness of exploiting this vulnerability depends directly on the ability to get a working set of creds.
that means that if the organization has weak password policy, guessable passwords, leaked credentials or external interface that allows password spraying, obtaining such credentials will be easy for adversaries.