Core Impact Monthly Chronicle: Exploits and Updates | April 2024
Core Impact Updates
SMB NTLM Information Dumper
This module improves the reconnaissance step for Active Directory testing by gathering NTLM-related information over the SMB/RPC protocols in preparation for ntlmrelayx man-in-the-middle attacks. Among other information, it retrieves:
- SMB Signing configuration information
- Domain configuration
- SMB Shares
Out-of-the-box tags for known server roles
This update modifies the out-of-the-box tags and folders. After its installation, search folders will be created instead of tags for Database Servers, Web Servers, and Network Devices. Additionally, when a machine is discovered within a domain, a new tag will be added with the domain name.
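The SMB signing configuration that the SMB NTLM Information Dumper above collects is the single most important input for judging NTLM relay exposure: a server that merely enables signing still accepts unsigned sessions, while one that requires it rejects relayed authentication. The following Python is an added example, not Core Impact's module or any Fortra code; it parses the SecurityMode field of an SMB NEGOTIATE response (SMB2/3 per MS-SMB2 section 2.2.4, SMB1 per MS-CIFS) and flags hosts that do not require signing. The sample responses, host names and function names are all constructed for the example.

```python
import struct

# SecurityMode flags from MS-SMB2 2.2.4 (SMB2/3) and MS-CIFS 2.2.4.52.2 (SMB1).
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08

SMB2_HEADER_LEN = 64   # fixed SMB2 header, starts with 0xFE 'S' 'M' 'B'
SMB1_HEADER_LEN = 32   # fixed SMB1 header, starts with 0xFF 'S' 'M' 'B'


def parse_negotiate_response(msg: bytes) -> dict:
    """Extract the signing policy a server advertised in its NEGOTIATE response.

    `msg` is the raw SMB message with the 4-byte NetBIOS session header
    already stripped; both the SMB2/3 and the SMB1 dialect families are handled.
    """
    if msg[:4] == b"\xfeSMB":
        if len(msg) < SMB2_HEADER_LEN + 8:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        command = struct.unpack_from("<H", msg, 12)[0]     # Command field of the header
        if command != 0x0000:                              # 0x0000 = SMB2 NEGOTIATE
            raise ValueError(f"not an SMB2 NEGOTIATE response (command 0x{command:04x})")
        # Body layout after the header: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
        security_mode, dialect = struct.unpack_from("<HH", msg, SMB2_HEADER_LEN + 2)
        return {
            "family": "SMB2",
            "dialect": f"0x{dialect:04x}",
            "signing_enabled": bool(security_mode & SMB2_SIGNING_ENABLED),
            "signing_required": bool(security_mode & SMB2_SIGNING_REQUIRED),
        }
    if msg[:4] == b"\xffSMB":
        if len(msg) < SMB1_HEADER_LEN + 4:
            raise ValueError("truncated SMB1 NEGOTIATE response")
        if msg[4] != 0x72:                                 # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError(f"not an SMB1 NEGOTIATE response (command 0x{msg[4]:02x})")
        # Parameter block after the header: WordCount(1) DialectIndex(2) SecurityMode(1) ...
        dialect_index = struct.unpack_from("<H", msg, SMB1_HEADER_LEN + 1)[0]
        security_mode = msg[SMB1_HEADER_LEN + 3]
        return {
            "family": "SMB1",
            "dialect": f"index {dialect_index}",
            "signing_enabled": bool(security_mode & SMB1_SIGNING_ENABLED),
            "signing_required": bool(security_mode & SMB1_SIGNING_REQUIRED),
        }
    raise ValueError("not an SMB message")


def relay_exposed(info: dict) -> bool:
    """Relay is only blocked when the server *requires* signing; 'enabled' is not enough."""
    return not info["signing_required"]


def audit(responses: dict) -> list:
    """Return the hosts (sorted) whose NEGOTIATE response does not require signing."""
    exposed = []
    for host, msg in responses.items():
        try:
            info = parse_negotiate_response(msg)
        except ValueError:
            continue                                       # non-SMB or malformed capture
        if relay_exposed(info):
            exposed.append(host)
    return sorted(exposed)


# --- Constructed sample responses (hypothetical hosts, not real captures) ---
def build_smb2_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0x0000, 1, 1, 0, 0, 0, 0, 0)
              + b"\x00" * 16)                              # zero Signature
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 56
    return header + body


def build_smb1_response(security_mode: int) -> bytes:
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    params = bytes([17]) + struct.pack("<H", 0) + bytes([security_mode])
    return header + params + b"\x00" * 30


SAMPLE_RESPONSES = {
    "dc01.corp.example": build_smb2_response(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED),
    "fs01.corp.example": build_smb2_response(SMB2_SIGNING_ENABLED),
    "legacy01.corp.example": build_smb1_response(SMB1_SIGNING_ENABLED),
}

if __name__ == "__main__":
    for host, msg in SAMPLE_RESPONSES.items():
        print(host, parse_negotiate_response(msg))
    print("signing not required on:", audit(SAMPLE_RESPONSES))
```

Domain controllers require signing by default, which is why the constructed `dc01` passes while the member server `fs01` and the SMB1-only `legacy01` are reported; the remediation on the flagged hosts is the "Microsoft network server: Digitally sign communications (always)" policy, not merely enabling signing.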
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2023-33246 – Apache RocketMQ Remote Command Execution Exploit
Authors: Esteban Kazimirow, Fernando Páez Barceló, Luis García Sierra (QA), & Nahuel Gonzalez (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-33246
A vulnerability was discovered in Apache RocketMQ, a distributed messaging and streaming platform. If exploited, an attacker could remotely execute commands at the same access level as the system user running the application. The flaw exists in the NameServer, Broker, and Controller components of Apache RocketMQ, which are exposed on the extranet without permission verification.
Attackers have been actively exploiting this vulnerability in the wild since last June, and it has been added to CISA’s Known Exploited Vulnerabilities Catalog. Users are urged to patch this vulnerability as soon as possible by upgrading to version 5.11 or higher.
With this exploit, a pen tester could imitate a threat actor and potentially gain full access and control of the domain by using the update configuration function or forged protocol content to execute commands.
CVE-2024-21413 – Microsoft Outlook Information Disclosure Exploit Update
Authors: Ricardo Narvaja and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-21413
A critical vulnerability was discovered in Microsoft’s email platform, Microsoft Outlook. If exploited, attackers could bypass Microsoft’s security protections, using the email preview pane as the means to trigger the attack.
Since this vulnerability does not require elevated privileges or user interaction in order to exploit it, it has been highlighted as a vulnerability that should be prioritized for remediation.
This exploit allows pen testers to imitate an attacker gaining unauthorized access through a crafted path, enabling them to steal NTLM hashes.
Initially released in February, this update adds support for unauthenticated SMTP servers.