Core Impact Monthly Chronicle: Exploits and Updates | Feb 2024
Core Impact Updates
During the month of February, updates have been made to Core Impact to enhance its functionality. New modules have been added to perform Active Directory attacks, taking advantage of new features in the latest version of Impacket. There is also a new Web Applications Fuzzer that can find directories and files that are not referenced by any of the pages discovered during the web crawling process.
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring that it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2023-36563 – Microsoft WordPad Exploit
Authors: Fernando Páez Barceló and Luis García Sierra (QA)
CVSS: 6.5 MEDIUM
Reference: CVE-2023-36563
A remote code execution vulnerability was discovered in Microsoft WordPad, a word processing tool for Windows operating systems. Attackers can send a malicious file that, when opened in WordPad, allows them to access sensitive data. This vulnerability has been actively exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities Catalog.
This exploit allows pen testers to simulate an authenticated attacker and exploit this vulnerability by using a malicious file to perform an NTLM relay attack.
CVE-2023-6875 – WordPress POST SMTP Mailer Plugin Authorization Bypass Exploit
Authors: Esteban Kazimirov and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-6875
An authorization vulnerability was found in the email log of WordPress POST SMTP Mailer, an email delivery plugin for WordPress websites. A data conversion issue within the plugin enables unauthenticated attackers to reset the API key used to authenticate the mailer and view sensitive log data—including password reset emails.
Pen testers can simulate an attacker and use a password reset email to gain administrator privileges, enabling them to potentially exfiltrate sensitive information, deploy additional attacks, or cause critical business disruptions.
CVE-2023-50164 – Apache Struts 2 Remote Code Execution Exploit
Authors: Lucas Dominikow, Arthur Lallemant (QA), and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-50164
A vulnerability was found in Apache Struts 2, an open-source framework commonly used for developing Java web applications. If exploited, attackers can manipulate file upload parameters to enable path traversal, which could potentially lead to the upload of malicious files.
Attackers are actively attempting to exploit this vulnerability in the wild. A previous vulnerability in Apache Struts 2 led to the Equifax breach, so users are urged to patch this vulnerability as soon as possible by upgrading to Struts 2.5.33, 6.3.0.2 or greater.
Using this exploit, pen testers can upload a file with embedded malware, potentially allowing them to steal sensitive data, disrupt critical services, or complete a full system takeover.
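For defenders triaging the Struts advisory above, the practical question is whether a given deployment is below the fixed versions the page names (2.5.33 on the 2.x branch, 6.3.0.2 on the 6.x branch). The following Python is an added example, not Core Impact or Apache code: it reads the `struts2-core` version out of a Maven `pom.xml` (resolving a `${property}` reference if the version is declared that way) and gates it against those two thresholds. It assumes, following the page's wording "2.5.33, 6.3.0.2 or greater", that every 2.x release below 2.5.33 is treated as unpatched; the sample `pom.xml` is constructed for the example.

```python
"""Version gate for CVE-2023-50164 (Apache Struts 2), using the fixed
versions stated on the page: 2.5.33 (2.x branch) and 6.3.0.2 (6.x branch).
Added example; not part of Core Impact or Apache Struts."""
import re
import xml.etree.ElementTree as ET

# Fixed release per major branch, as stated in the advisory text above.
FIXED_BY_MAJOR = {2: (2, 5, 33), 6: (6, 3, 0, 2)}


def parse_version(text):
    """Turn '6.3.0.1' into (6, 3, 0, 1); reject anything that is not dotted digits."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(parts, length):
    # Right-pad with zeros so (6, 4) compares correctly against (6, 3, 0, 2).
    return parts + (0,) * (length - len(parts))


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch,
    False if below it, None if the branch is not covered by the page's advice."""
    version = parse_version(version_text)
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is None:
        return None
    width = max(len(version), len(fixed))
    return _pad(version, width) >= _pad(fixed, width)


def _local(tag):
    # Strip the Maven XML namespace: '{http://...}dependency' -> 'dependency'
    return tag.rsplit("}", 1)[-1]


def struts_core_versions(pom_text):
    """Return every struts2-core version declared in a pom.xml, with
    ${property} references resolved from the <properties> block."""
    root = ET.fromstring(pom_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for child in el:
                props[_local(child.tag)] = (child.text or "").strip()
    versions = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            ver = fields.get("version", "")
            ref = re.fullmatch(r"\$\{(.+)\}", ver)
            if ref:
                ver = props.get(ref.group(1), ver)
            versions.append(ver)
    return versions


def assess_pom(pom_text):
    """Map each declared struts2-core version to its patch status."""
    return {v: is_patched(v) for v in struts_core_versions(pom_text)}


# Constructed sample pom.xml for the example (not from any real project).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>6.3.0.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, status in assess_pom(SAMPLE_POM).items():
        label = {True: "patched", False: "VULNERABLE", None: "branch not covered"}[status]
        print(f"struts2-core {version}: {label}")
```

Run it against a real `pom.xml` by reading the file into `assess_pom`; a `False` result for any entry means the build is below the fixed release for its branch and should be upgraded as the advisory recommends. Versions pinned outside `pom.xml` (a parent POM, a Gradle build, or a shaded jar) are not covered by this check.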
Microsoft Windows Event Logging Service DoS
Authors: Cristian Rubio and Daniel De Luca (QA)
A Denial of Service vulnerability exists in the Windows Event Logging Service when an authenticated attacker connects to the target system and sends specially crafted requests. If exploited, attackers can stop the logging of events within critical software, enabling them to leave no trace of their actions. For example, if an attacker installs an agent on a domain-joined workstation, they can remotely stop the Domain Controller's Event Log service.
The February Windows Updates did not patch this “EventLogCrasher” 0day, but a free micropatch exists through the 0patch blog.
Using this exploit, pen testers can simulate an attacker and corrupt the system log, impairing the target environment’s detection and forensic capabilities.
CVE-2023-6546 - Linux Kernel Local Privilege Escalation Exploit
Authors: Lucas Dominikow and Nahuel González (QA)
CVSS: 7.0 HIGH
Reference: CVE-2023-6546
A vulnerability was found in the Linux Kernel as a result of a race condition in the n_gsm driver in which there is insufficient locking when operations are performed on an object. If exploited, an attacker could elevate their privileges and execute arbitrary code in the context of the kernel.
Pen testers can imitate a local attacker with credentials to execute low-privileged code and use this exploit to further escalate their privileges.
CVE-2024-21413 - Microsoft Outlook Information Disclosure Exploit
Authors: Ricardo Narvaja and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-21413
A critical vulnerability was discovered in Microsoft’s email platform, Microsoft Outlook. If exploited, attackers could bypass Microsoft’s security protocols, using the email preview pane as a means to trigger an attack.
Since this vulnerability does not require elevated privileges or user interaction in order to exploit it, it has been highlighted as a vulnerability that should be prioritized for remediation.
This exploit allows pen testers to imitate an attacker who uses a crafted path to gain unauthorized access and steal NTLM hashes.
CVE-2024-23897 – Jenkins CLI Arbitrary File Read Exploit
Authors: Fernando Páez Barceló, Luis García Sierra (QA), and Arthur Lallemant (QA)
CVSS: 7.5 HIGH
Reference: CVE-2024-23897
A vulnerability was discovered in Jenkins, an open-source Java automation server. A flaw exists in the CLI command parser that, when exploited, enables attackers to access and read arbitrary files in the Jenkins controller’s file system.
Attackers are actively exploiting this vulnerability in the wild. Users are urged to update to version 2.442, which patches this issue.
This exploit enables pen testers to imitate an attacker who accesses sensitive data and potentially compromises the system.