Another appliance vuln down... CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.
Blog post and POC coming later this week. Patch now.
The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time chasing unrelated diffs within the newest version, but @jameshorseman2 ultimately got first blood. We'll release a POC next week to give more time for orgs to patch.
#f5 #CyberSecurity
CVE-2022-39952, announced today, allows for unauthenticated RCE against #Fortinet FortiNAC as the root user. Blog post and POC to be released soon.
See Fortinet's PSIRT:
Here is our technical deep dive for the #Fortinet CVE-2022-40684 Auth Bypass. POC within.
This year has been filled with interesting HTTP header abuse!
Check out a recent finding by one of our own, Naveen Sunkavally. CVE-2022-28219 is an unauth RCE for ManageEngine ADAudit Plus.
This XXE -> Deserialization chain often leads to host compromise as well as priv'd AD creds. Check out the blog post and POC:
Exploitation of multiple vulnerabilities affecting #VMware vRealize Log Insight leads to unauth RCE
🔺 CVE-2022-31704, CVE-2022-31706, CVE-2022-31711
🔺 IOC Blog tomorrow
🔺 POC / Deep-Dive Blog next week
See VMware Security Advisory:
Our technical analysis and POC for CVE-2022-22972 Authentication Bypass for #VMware Workspace ONE, vIDM, and vRealize Automation 7.6.
We've again passed our POC to @GreyNoiseIO to build early detections.
#CyberSecurity
With reports of #Fortinet CVE-2022-40684 being exploited in the wild, we have detailed some early Indicators of Compromise in the following blog to help organizations assess their environments.
The team is back at it, successfully reproducing CVE-2022-22972 affecting multiple #VMware products such as Workspace ONE. Technical writeup and POC soon to follow.
Recommend patching or mitigating immediately.
#CyberSecurity
🔍 New POC Available! We’ve developed a Proof of Concept for CVE-2023-20198 in #Cisco IOS XE. This authentication bypass allows an attacker to create new users with privilege level 15. Check out the details in
Reproducing the recent #ManageEngine CVE-2022-47966 pre-auth RCE, which affects nearly all of their products, has definitely been eye-opening about some recent SAML research that flew under our radar. POC and blog to come.
Credit to the original researcher @_l0gg, nice find!
Our technical deep-dive of the recent #ManageEngine Pre-Auth RCE CVE-2022-47966.
POC exploit included for xmlsec <= 1.4.1. Other versions also exploitable.
The recent #ConnectWise #ScreenConnect authentication bypass vulnerability is extremely trivial to reverse and exploit. Blog and exploit POC will drop soon.
The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server.
IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for
CVE-2023-27524, a dangerous default configuration in #Apache #Superset, allows an unauth attacker to:
🔺 Gain RCE
🔺 Harvest Creds
🔺 Compromise Data
We estimate there are roughly 2K+ servers on the Internet affected by this issue.
CVE-2024-0204, announced today but silently patched in December, details an authentication bypass in #Fortra #GoAnywhere MFT. Check out our latest deep-dive where we detail the exploit and how /..;/ strikes again.
🔺 Patch Diffing
🔺 Exploit POC
🔺 Indicators of Compromise
Our technical deep-dive blog post for the recent #VMware vRealize Log Insight RCE vulnerability chain leading to root privileges.
💥 CVE-2022-31704, CVE-2022-31706, CVE-2022-31711
💥 POC exploit in post
CVE-2023-34362, affecting MOVEit Transfer, enables unauth RCE through a series of issues:
🔺 Custom Header abuse to SSRF
🔺 SQL injection
🔺 Forging External Trusted IdP Tokens
🔺 .NET Deserialization to RCE
Check out our latest post by @JamesHorseman2 and @hacks_zach
The recent #Veeam vuln, CVE-2023-27532, enables an unauth attacker to interact with an API to obtain creds as well as RCE as SYSTEM.
Our blog detailing the research and process of adapting the exploit to be cross-platform as well as the POC to dump creds:
CVE-2023-27350, affecting #PaperCut’s enterprise print mgmt software, enables an unauth attacker to achieve RCE as SYSTEM.
See our latest blog which details:
🔺 Analyzing the Patch
🔺 Developing an Exploit
🔺 Indicators of Compromise
🔺 Shodan Exposure
Today we are disclosing a critical SSRF vulnerability, CVE-2023-49785, in a popular Gen AI chatbot, NextChat a.k.a. ChatGPT-Next-Web. This disclosure comes 107 days after the initial report. There is no patch at this time.
Indicators of Compromise for #ManageEngine CVE-2022-47966:
🔺 Log File Entries
🔺 Shodan Exposure
🔺 Potential Post-Exploitation Activities
Deep-dive blog and POC will be released next week.
Awesome effort by @JamesHorseman2, Naveen, and @hacks_zach
Back again - more cmd injections for the #Fortinet #FortiSIEM! Today we’re disclosing the details surrounding CVE-2024-23108 and CVE-2024-23109.
These result from the use of Python’s os.system() in scripts for which an unauth attacker controls the arguments.
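The bug class named above, shown as an added example (constructed illustration, not FortiSIEM's scripts): a caller-controlled value interpolated into a shell command string, beside the hardened form that hands the value to the program as one argv element with no shell, plus an allowlist check. The `echo` command, the function names and the hostname-shaped token pattern are assumptions for the demo.

```python
import re
import shlex
import subprocess

def run_vulnerable(target: str) -> str:
    """Equivalent of os.system(f'echo {target}'): /bin/sh parses the string,
    so shell metacharacters inside `target` become part of the command line."""
    cmd = f"echo {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_hardened(target: str) -> str:
    """Same action with no shell: `target` is a single argv element and is
    never re-parsed, so metacharacters are passed through literally."""
    return subprocess.run(["echo", target], capture_output=True, text=True).stdout

# Second layer: reject anything outside the expected token shape before it
# reaches any command. A hostname-like pattern is assumed for this demo.
TOKEN_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")

def validate_token(value: str) -> bool:
    return bool(TOKEN_RE.match(value))

def quoted_for_shell(target: str) -> str:
    """If a shell really is unavoidable, shlex.quote neutralises metacharacters."""
    return f"echo {shlex.quote(target)}"

if __name__ == "__main__":
    crafted = "host; echo INJECTED"  # constructed input carrying a metacharacter
    print("vulnerable:", run_vulnerable(crafted).splitlines())  # ['host', 'INJECTED']
    print("hardened:  ", run_hardened(crafted).splitlines())    # ['host; echo INJECTED']
    print("validated: ", validate_token(crafted))                # False
    print("quoted:    ", quoted_for_shell(crafted))
```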
CVE-2023-38035, announced yesterday, affects #Ivanti #Sentry and enables a remote attacker to achieve remote code execution as root.
Blog post detailing IOCs, technical deep-dive, and exploit POC to be released later this week.
Last Friday we passed our POC to @GreyNoiseIO to build early detections. With reports of exploitation and multiple POCs now public, here ours is. We advise applying mitigations or patching immediately.
#f5 #CyberSecurity
CVE-2023-39143, assigned for a series of security issues affecting #PaperCut NG/MF, allows an unauth attacker to obtain RCE in the most common deployment configurations.
Today, we are releasing details to determine if the PaperCut server is vulnerable.
Today we are disclosing several vulnerabilities affecting the #Fortinet #FortiWLM (Wireless LAN Manager). The vulnerabilities range from command injection and SQL injection to file reads.
While most were patched late last year, 2 remain unpatched after 307 days from our initial
Our latest post by one of our recent team additions, Luke Harding, revisits CVE-2023-48788 - a SQL injection for #Fortinet #FortiClient EMS.
He details exploitation obstacles and payload crafting between the two mainline versions of the software.
While we haven’t reversed the Cisco 0-day just yet, we do have the deep-dive and IOCs for CVE-2023-34051 affecting #VMware Aria Operations for Logs.
This vulnerability is a patch bypass discovered by @JamesHorseman2 that allows for RCE as root under certain conditions.
It's been half a year since #Log4Shell broke. Our latest post details how common CVE-2021-44228 still is and how easy it is to exploit for low-skilled attackers.
POCs for:
💥 VMware Site Recovery Manager
💥 Elasticsearch 5
💥 OpenNMS
#CyberSecurity
The recent #Progress #OpenEdge auth bypass, CVE-2024-1403, allows an unauth user to obtain admin perms to control svcs. While a path to RCE was not discovered in the limited time we dedicated, it is likely possible.
The gist, if username == “NT AUTHORITY/SYSTEM”: you may pass.
CVE-2023-43208 addresses an easily exploitable unauth RCE as SYSTEM in #NextGen Mirth Connect, an application commonly used by healthcare companies. This is a bypass for a fix to a vuln previously reported by @IHTeam_. Update your Mirth Connect instances to 4.4.1!
This advisory
With the patches to #Cisco IOS XE’s CVE-2023-20198 and CVE-2023-20273 being released this week, we took a deep-dive into Cisco’s internal workings. This post details:
🔺 WebUI Internals
🔺 Patch Diffs
🔺 Exploit Theory-Crafting
We hope this information leads to other
Our latest blog details a root-cause analysis of 2023’s @CISACyber Known Exploited Vulnerabilities. Leading root causes:
🔺 Insecure Exposed Function
🔺 Memory Corruption
🔺 URL Path / Routing Abuse
Last year, we disclosed two critical vulnerabilities affecting #PaperCut and NextGen #Mirth Connect.
🔺 CVE-2023-39143 affects PaperCut and allows attackers to download, delete, and potentially upload files leading to RCE in certain configurations
🔺 CVE-2023-43208 is a
The 2.1.1 release of #Apache #Superset fixes vulnerabilities we reported for admin RCE, LFI, and cred harvesting.
These are exploitable in conjunction with the auth bypass issue we previously reported, CVE-2023-27524. We’re seeing 2K+ Internet-facing servers still affected by
The latest PaperCut NG/MF release 22.1.3 fixes several security issues we reported that allow attackers with no privileges to read/write arbitrary files in certain common configurations, leading to RCE.
CVE pending, more details in the coming weeks. Patch now!
If you missed @JamesHorseman2 and @hacks_zach at their #DEFCON presentation recounting their first #Pwn2Own competition and research methodology, the blog detailing reversing the Lexmark printer and a POC for dumping credentials is now out!
Check out the recent Samba CVE-2021-44142 vuln check by @JamesHorseman2. This POC extends the work of @0xsha and identifies the vuln given write permissions on a share and bypasses some Western Digital specific hurdles to confirm the vulnerability.
GreyNoise has observed the first IP exploiting CVE-2022-40684, FortiOS Authentication Bypass Attempt. The IP leveraged the authentication bypass and attempted to export a backup of the FortiOS configuration.
Another #log4shell #RCE POC.
Apereo CAS 6.3 and 6.4 vuln in the X-Forwarded-For and username field.
Typically deployed external facing to provide SSO. Rough @shodanhq query shows ~4.5K hosts. Apereo released patches to address #log4j last month.
#cybersecurity #BugBounty
Find a user within the Backup Operators group? Remotely dump the DC's SAM, SECURITY, and SYSTEM with this PoC that extends impacket to achieve domain admin. Thanks to @filip_dragovic for the TTP and @mpgn_x64 for the Windows PoC.
#CyberSecurity #redteam
1/n
We're a week into #log4shell. Here's what to know going into the weekend:
1. Log4j < 2.15 is widely exploitable to RCE via CVE-2021-44228.
2. The Log4j 2.15 patch was insufficient and in some cases allows RCE via CVE-2021-45046.
Curious how to remotely enumerate antivirus exclusions for Defender? Like @n00py1 says, it's more common than you think. Microsoft even has official recommendations for exceptions and IT implements them poorly.
Don’t forget to check the exclusions on AV configuration. I was getting blocked dumping LSASS but then I ended up downloading mimikatz.exe straight to an excluded file path and it worked like a charm.
While the world is chasing #log4j, don't forget to also patch your Domain Controllers for CVE-2021-42278 which allows domain users to priv esc to domain admin.
Check out some POCs on GitHub:
#pentest #redteam #cybersecurity
Researching the impacts of CVE-2021-44228, the most interesting insight is that prior to 2018 (Java 8u191) Java shipped easily exploitable, and log4j2 has been vuln since 2012. From 2012-2018 any Java app that included log4j is in the sweet spot for attackers.
Had an awesome time out at #DEFCON 30 with many of the @Horizon3Attack team! Met some for the first time in person, and for some it was their first DEFCON! Looking forward to the next!
Should I worry?
State of Exploitation:
1. Attackers are “spraying and praying” for RCE on old Java versions
2. Attackers are easily dumping environment variables like AWS keys
3. Attackers are targeting specific apps like vCenter with vulnerable dependencies
2/n
What can I do? Practice Defense in Depth:
1. Locate Known Vulnerable Software
a. Check out the Netherlands CERT page for a comprehensive list of vendor applications and if they are vulnerable:
3/n
Looking Ahead:
The coming weeks will see more targeted attacks greatly increasing the risk of RCE. Get ahead now by taking a holistic approach to security.
8/n
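A defender's take on step 1 above ("Locate Known Vulnerable Software"), as an added example that is not part of the thread: it walks a directory tree, flags jars that ship JndiLookup.class, reads the log4j-core version from the jar's Maven pom.properties, and maps it to the two CVEs the thread lists (below 2.15 is CVE-2021-44228; 2.15 is the insufficient fix, CVE-2021-45046). The jar it scans is a constructed fixture written to a temp directory, not a real Apache artifact.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Inside a log4j-core jar: the class behind CVE-2021-44228 and the Maven version record.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0 so '2.15' compares correctly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    """Below 2.15.0: CVE-2021-44228. 2.15.x: the insufficient fix, CVE-2021-45046. Otherwise None."""
    if version < (2, 15, 0):
        return "CVE-2021-44228"
    if version[:2] == (2, 15):
        return "CVE-2021-45046"
    return None

def inspect_jar(jar_path):
    """Report whether a jar carries JndiLookup.class and which log4j-core version it claims."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    return {"jar": str(jar_path), "has_jndi_lookup": JNDI_CLASS in names,
            "version": version, "cve": classify(version) if version else None}

def scan(root):
    """Findings for every jar under root that ships JndiLookup; unknown versions stay listed for review."""
    return [r for r in map(inspect_jar, Path(root).rglob("*.jar")) if r["has_jndi_lookup"]]

def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar shaped like log4j-core (not a real Apache artifact)."""
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return path

def scan_sample(version):
    """Self-contained demo: build one constructed jar in a temp dir and scan that tree."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(Path(tmp) / "lib" / f"log4j-core-{version}.jar", version)
        return scan(tmp)
```

Point `scan()` at an application's install directory to get one finding per jar that still carries the JNDI lookup class; a finding with `version` None means the jar lacks the Maven record and needs a manual look.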
Very excited that @JamesHorseman2 and I will be participating in our first #Pwn2Own in Toronto next week! It’s been an interesting couple of months, with some lessons learned; looking forward to meeting other researchers and sharing our research when we can!