Core Impact Monthly Chronicle: Exploits and Updates | August & September 2024

Core Impact Exploit Library Additions

One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release to ensure our standards and validate that it is safe and ready to use.

While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.

CVE-2024-30051 - Microsoft Windows DWMCORE Elevation of Privilege Vulnerability Exploit

Authors: Ricardo Narvaja and Daniel De Luca (QA)

CVSS:  7.8 HIGH 

Reference: CVE-2024-30051

Key Vulnerability Details

• Boundary error within the Windows DWMCORE library can enable arbitrary memory write
• Affects multiple versions of Windows 10, Windows 11, and Windows Server
• Classified as Heap-based Buffer Overflow vulnerability (CWE-122)

Exploitation Impact and Mitigation

• Attackers can escalate privileges from a basic user to full SYSTEM level
• May lead to full system compromise and access to sensitive data
• Microsoft released a patch for this vulnerability in a May 2024 Security Update 

Attacks in the Wild 

• Actively being exploited since April 2024
• Often paired with QakBot Trojan

Exploitation Mechanism

• Verifies that target system has not been patched
• Leverages Heap Spray within Desktop Window Manager to overwrite adjacent memory
• Elevates privileges from a standard user to SYSTEM level
• Facilitates execution of arbitrary code with maximum system access rights

Additional Information

• Functional PoC and technical analysis available from Core Labs

CVE-2024-30088 - Microsoft Windows Kernel Elevation of Privilege Vulnerability Exploit 

Authors: Cristian Rubio, Luis García Sierra (QA), and Daniel De Luca (QA)

CVSS:  7.0 HIGH 

Reference: CVE-2024-30088

Key Vulnerability Details

• Weakness in system kernel executable, ntoskrnl.exe, can enable arbitrary memory write
• Affects multiple versions of Windows 10 and Windows 11, and Windows Server
• Classified as a Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Exploitation Impact and Mitigation

• Attackers can escalate privileges from a basic user to full SYSTEM access
• May lead to corruption or exfiltration of sensitive data
• Microsoft released a patch for this vulnerability in a June 2024 Security Update

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

• Leverages a race condition in the Windows kernel's token handling process to manipulate the current process token
• Elevates privileges from a standard user to SYSTEM level
• Facilitates execution of arbitrary code with maximum system access rights

CVE-2024-34102, CVE-2024-2961 - Magento eCommerce Websites CosmicSting and CNEXT Remote Code Execution Chain Exploit 

Authors: Marcos Accossatto and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-34102, CVE-2024-2961

Key Vulnerability Details

• CVE-2024-34102 – Weakness in processing of XML input during the serialization process of Magento
• CVE-2024-2961 – Memory corruption weakness in the iconv() function of the GNU C Library for Linux programs 
• When chained together, can result in full remote code execution 
• Affects versions 2.4.7 and earlier of Adobe Commerce, versions 2.4.7 and earlier of Magento Open Source, and version 2.39 and earlier of GNU C Library 
• Classified as an Improper Restriction of XML External Entity Reference (CWE-611) and an Out-of-Bounds Write (CWE-787)

Exploitation Impact and Mitigation

• Chaining vulnerabilities could lead full control of the targeted system
• A hotfix, security update, and an isolated patch have been issued by Adobe to remediate CVE-2024-34102
• The 2.40 release of GNU C Library includes a patch for CVE-2024-2961

Attacks in the Wild 

• This vulnerability chain has been actively exploited in the wild since June 2024, impacting numerous e-commerce sites 
• Has been added to CISA’s Known Exploited Vulnerabilites Catalog 

Exploitation MechanismExploitation Mechanism

• Leverages XXE vulnerability to obtain authentication keys
• Uses authentication keys to escalate privileges and trigger heap buffer overflow
• Execute arbitrary commands on the target system

CVE-2024-21887, CVE-2023-46805, CVE-2024-21893 - Ivanti Connect Secure Unauthenticated Remote Code Execution Exploit Chain 

Authors: Fernando Páez Barceló and Nahuel Gonzalez (QA)

CVSS: 9.1 CRITICAL, 8.2 HIGH, 8.2 HIGH

Reference: CVE-2024-21887, CVE-2023-46805, CVE-2024-21893

Key Technical Details

• CVE-2024-21887 – Command injection vulnerability in web components of Ivanti Connect Secure
• CVE-2023-46805 – Authentication bypass vulnerability in the web component of Ivanti ICS and Ivanti Policy Secure
• CVE-2024-21893 – Server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure
• When chained together, can result in full remote code execution 
• Affects multiple versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA Gateways
• Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78), Improper Authentication (CWE-287), and Server-Side Request Forgery (CWE-918)

Exploitation Impact and Mitigation 

• Powerful exploit chain that enables authentication bypass, injection and execution of arbitrary commands, and access restricted resources without authentication
• Can lead to complete control over targeted systems 
• Ivanti has published documentation on how to apply mitigations  

Attacks in the Wild 

• Reports of active exploitation attempts targeting these vulnerabilities as early as December 2023
• CISA issued an Emergency Directive to assist remediation efforts

Exploitation Mechanism

• Obtains the version of Ivanti Connect Secure installed on the system 
• Leverages a flaw in the SAML component to access certain restricted resources without authentication 
• Enables remote code execution with elevated privileges in the management component

CVE-2023-7028 - GitLab Password Reset Account Takeover Exploit

Authors: Lucas Dominikow and Arthur Lallemant (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2023-7028

Key Vulnerability Details

• Lack of verification checks when sending password reset emails could lead to account takeovers
• Affects versions 16.1 prior to 16.1.5, 16.2 prior to 16.2.8, 16.3 prior to 16.3.6,16.4 prior to 16.4.4, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and16.7 prior to 16.7.2
• Classified as a Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

Exploitation Impact and Mitigation 

• Unauthenticated attackers could potentially compromise user accounts by redirecting password resets to attacker-controlled email addresses
• Provides foothold and may allow attackers to access sensitive data, move laterally, or maintain long-term unauthorized access
• Gitlab addressed this vulnerability in versions 16.5.6, 16.6.4, and 16.7.2, with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

Attacks in the Wild 

• CISA reported vulnerability has been exploited in the wild
• Has also been added to CISA’s Known Exploited Vulnerabilites Catalog 

Exploitation Mechanism

• Adds email to the JSON from /users/password endpoint
• Connects via IMAP to the pen tester’s email
• Parses the reset email and changes the password

CVE-2024-4885 - Progress WhatsUp Gold GetFileWithoutZip Directory Traversal Vulnerability Remote Code Execution Exploit

Authors: Marcos Accossatto and Luis García Sierra (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-4885

Key Vulnerability Details

• Improper input validation in RecurringReport endpoint could result in arbitrary command injection
• Affects WhatsUp Gold versions 24.0 and below
• Classified as a Path Traversal— an Improper Limitation of a Pathname to a Restricted Director (CWE-22)

Exploitation Impact and Mitigation 

• Unauthenticated remote attackers could execute arbitrary commands
• Could result in full system compromise  
• Vulnerability has been addressed beginning in version 24.0.1

Attacks in the Wild 

• Actively exploited in the wild beginning in August 2024

Exploitation Mechanism

• Crafts a malicious request targeting the NmAPI/RecurringReport in WhatsUp Gold
• Utilizes directory traversal to execute malicious payload 
• Establish a foothold within the compromised system

CVE-2024-21413, CVE-2024-38021 - Microsoft Outlook Moniker Image Tag Information Disclosure Exploit

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL,  8.8 HIGH

Reference: CVE-2024-21413, CVE-2024-38021

Key Vulnerability Details

• CVE-2024-21413 -- Improper handling of certain URL types in Outlook’s link processing could lead to remote code execution
• CVE-2024-38021 – Bypasses the initial patch for CVE-2024-21413
• Affects multiple versions of Microsoft Outlook, including Microsoft 365 Apps, Office 2016, 2019, and LTSC 2021
• Classified as an Improper Authentication (CWE-287) and Improper Input Validation (CWE-20)

Exploitation Impact and Mitigation 

• Unauthenticated remote attackers could bypass security mechanisms and steal NTLM hashes
• Could potentially execute arbitrary code through Outlook emails
• Microsoft released a patch for this vulnerability in a February 2024 Security Update

Attacks in the Wild 

• No major attacks have been reported at this time
• Microsoft confirmed vulnerability is “trivial to exploit”

Exploitation Mechanism

• If target is unpatched, uses an exclamation mark in URL link to bypass security
• If target is patched, uses image tag to bypass security restrictions
• Sends email with malicious image tag URL to target Outlook user
• If successful, victims machine sends NTLM hash which is captured by pen tester

CVE-2024-40711 - Veeam Backup and Replication Deserialization Vulnerability Remote Code Execution Exploit

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-40711

Key Vulnerability Details

• Improper handling of .NET deserialization could result in remote code execution 
• Affects Veeam Backup & Replication 12.1.2.172 and earlier version 12 builds
• Classified as Deserialization of Untrusted Data (CWE-502)

Exploitation Impact and Mitigation 

• Unauthenticated remote attackers could bypass existing protective measures and deploy arbitrary code remotely with SYSTEM level privileges 
• May lead to full compromise, with ability to access, modify, or delete backup data 
• Veeam remediated this vulnerability in version 12.2 of Veeam Backup and Replication

Attacks in the Wild 

• No major attacks have been reported at this time
• Veeam has issued warning of vulnerability’s severity

Exploitation Mechanism

• Crafts and delivers malicious .NET class type object
• Sends object to Veeam endpoint to trigger malicious payload 
• Enables execution of arbitrary code with SYSTEM privileges 

CVE-2024-6769 - Windows System Drive Remapping Local Privilege Escalation Exploit Update

Authors: Ricardo Narvaja and Daniel De Luca (QA)

CVSS:  6.7 HIGH 

Reference: CVE-2024-6769

Key Vulnerability Details

• Improper handling of drive remapping and activation contexts could enable escalation to full SYSTEM privileges 
• Affects multiple versions of Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022
• Classified as an Untrusted Search Path (CWE-426)

Exploitation Impact and Mitigation 

• Authenticated user with medium privileges could escalate to SYSTEM level privileges
• Could lead to full compromise, with ability to access, manipulate, exfiltrate, or delete sensitive data 
• No patch is currently available

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

• Full details available in functional PoC from Core Labs

CVE-2024-38217 - Microsoft Smart App and Mark of the Web Bypass Tool Using LNK stomping  

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  5.4 HIGH 

Reference: CVE-2024-38217

Key Vulnerability Details

• Improper validation or mishandling of file attributes enable Mark of the Web (MoTW) bypass and could lead to malware deployment
• Zero-Day
• Affects multiple versions of Windows 10 and 11
• Classified as Protection Mechanism Failure (CWE-693)

Exploitation Impact and Mitigation 

• Attackers can bypass MoTW security mechanism and avoid having malicious files flagged 
• Attackers could use this mechanism to deploy malware, potentially gaining access to sensitive data or other systems
• Microsoft released a patch for this vulnerability in a September 2024 Security Update

Attacks in the Wild 

• Has been abused in the wild since February 2018
• Has been added to CISA’s Known Exploited Vulnerabilites Catalog 

Exploitation Mechanism

• Crafts LNK files which have non-standard attack paths
• Files are modified by explorer.exe, removing MoTW label
• File is executed without having gone through security checks