Core Impact Monthly Chronicle: Exploits and Updates | Jan 2024
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring it meets our standards and confirming that it is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here’s a more detailed summary of some of the most recent additions to the library.
CVE-2023-30989 – IBM Performance Tools Privilege Escalation Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-30989
An improper privilege management vulnerability was discovered in IBM Performance Tools. When exploited, an authenticated local user with command line access can elevate their privileges, potentially gaining all object access to the host operating system.
This exploit allows pen testers to simulate an authenticated attacker and exploit this vulnerability by abusing the QPFR/QAVCPP program, eventually achieving full control of the compromised system and its resources.
CVE-2023-3460 – WordPress Ultimate Member Plugin Remote Code Execution Exploit
Authors: Esteban Kazimirow and Arthur Lallemant (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-3460
A vulnerability was found in WordPress Ultimate Member, a plugin for WordPress websites that enables individuals to sign up and become members. A flaw in the plugin registration form enables malicious actors to change certain values for the account to be registered, including the "wp_capabilities" value, which determines the user's role on the website. If exploited, an unauthenticated attacker can register as an administrator and take full control of the website.
This vulnerability is actively being exploited in the wild, with as many as 200,000 WordPress websites at risk of having attackers create secret admin accounts. Users are urged to disable the plugin or immediately update to version 2.6.7, which patches the vulnerability.
Using this exploit, pen testers can imitate unauthenticated attackers to create new accounts with administrative privileges, allowing them to exfiltrate data, install malware, make unwanted changes to websites, disrupt operations, or shut down the website completely. The exploit has also been updated to print its results in the module output window.
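The flaw described above is a mass-assignment problem: a registration handler copies every submitted field into the new account, so the role-bearing "wp_capabilities" value can be supplied by the person registering. The following added example (not Core Impact, Fortra or Ultimate Member code) contrasts a constructed handler with that defect against a hardened one that allowlists user-settable fields and always assigns the server-side default role. It simplifies the real WordPress "wp_capabilities" value to a plain role string; the field names, the allowlist and the submitted form are all assumptions for illustration.

```python
# Added example (not Core Impact or Ultimate Member code): the mass-assignment
# pattern behind a registration form that lets the submitter pick a role,
# next to a hardened handler with a field allowlist.
# "wp_capabilities" is simplified to a plain role string (assumption).

from typing import Dict, List

DEFAULT_ROLE = "subscriber"

# Fields a visitor may legitimately set when registering (assumed allowlist).
USER_SETTABLE_FIELDS = {"user_login", "user_email", "display_name"}

# Fields that decide authorization and must never come from the form.
PROTECTED_FIELDS = {"wp_capabilities", "wp_user_level"}


def register_vulnerable(form: Dict[str, str]) -> Dict[str, str]:
    """Copy every submitted key into the new user's metadata.

    This is the defect: the role-bearing 'wp_capabilities' key is accepted
    straight from the request, so the submitter chooses their own role.
    """
    user = {"wp_capabilities": DEFAULT_ROLE}
    user.update(form)  # request-controlled keys overwrite the default role
    return user


def register_hardened(form: Dict[str, str]) -> Dict[str, str]:
    """Copy only allowlisted keys; the role is always the server-side default."""
    user = {k: v for k, v in form.items() if k in USER_SETTABLE_FIELDS}
    user["wp_capabilities"] = DEFAULT_ROLE
    return user


def rejected_fields(form: Dict[str, str]) -> List[str]:
    """Protected keys present in a submission, worth logging as a tamper signal."""
    return sorted(PROTECTED_FIELDS & form.keys())


def role_of(user: Dict[str, str]) -> str:
    return user["wp_capabilities"]


# Constructed submission that tries to register straight into the admin role.
CRAFTED_FORM = {
    "user_login": "newmember",
    "user_email": "newmember@example.com",
    "wp_capabilities": "administrator",
}

if __name__ == "__main__":
    print("vulnerable handler role:", role_of(register_vulnerable(CRAFTED_FORM)))
    print("hardened handler role:  ", role_of(register_hardened(CRAFTED_FORM)))
    print("protected keys in form: ", rejected_fields(CRAFTED_FORM))
```

The allowlist is the important design choice: a denylist of protected keys would have to be extended every time a new authorization-bearing field is introduced, whereas an allowlist fails closed. Logging the result of `rejected_fields` on every registration also gives a simple detection signal for attempts of this kind.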
CVE-2023-28218 – Microsoft Windows AFD Privilege Escalation Exploit
Authors: Cristian Rubio and Arthur Lallemant (QA)
CVSS: 7.0 HIGH
Reference: CVE-2023-28218
A vulnerability was found in the Windows Ancillary Function Driver (AFD) for WinSock. AFD.sys is vulnerable to a double-fetch that causes an integer overflow, which can result in out-of-bounds memory write to non-paged pool memory. If exploited, attackers could escalate privileges on the Windows operating system, potentially leading to data exfiltration, malware deployment, or complete system takeover.
Using this exploit, pen testers can simulate an unauthenticated attacker and execute arbitrary code with SYSTEM privileges by calling the WSASendMsg function with crafted parameters.
CVE-2023-22527 – Atlassian Confluence OGNL Injection Exploit
Authors: Marcos Accossatto and Arthur Lallemant (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2023-22527
A critical Server-Side Template Injection (SSTI) vulnerability was found in older versions of Confluence, a knowledge management tool from Atlassian. This vulnerability enables attackers to inject OGNL expressions, potentially allowing them to gain full control of a compromised server.
This vulnerability is being actively exploited in the wild, with thousands of attempts taking place in less than a week. Users are urged to prioritize updating to the latest version of Confluence.
This exploit allows pen testers to imitate unauthenticated remote attackers and to execute OS system commands, allowing them to exfiltrate data, deploy malware, or otherwise disrupt business operations.
CVE-2024-0204 - Fortra GoAnywhere MFT InitialAccountSetup Direct Request Vulnerability Checker
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-0204
An authentication bypass vulnerability was discovered in GoAnywhere MFT, Fortra’s secure managed file transfer solution. If exploited, an attacker could create an admin user via the administration portal.
There have been failed exploit attempts of this vulnerability in the wild. Though there have been no reports of successful attacks, users are urged to update to version 7.4.1, which includes a patch for this vulnerability.
This exploit allows pen testers to imitate an unauthorized attacker to generate an administrative account, enabling them to potentially exfiltrate sensitive information, deploy additional attacks, or cause critical business disruptions.
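Two checks a defender would want for this item are whether a deployed instance is at or above the patched 7.4.1 and whether anyone has been requesting the initial account setup page directly after setup was completed. The following added example (not Fortra, GoAnywhere or Core Impact code) implements both over constructed web server access log lines in Common Log Format. The request paths in the sample log are constructed placeholders that only reuse the "InitialAccountSetup" name from the title above; the real GoAnywhere path layout and log format are not taken from this page and are assumptions.

```python
# Added example (not Fortra/GoAnywhere code): flag direct requests to the
# InitialAccountSetup page in access logs and compare a reported GoAnywhere
# MFT version against the patched 7.4.1 release named in the advisory text.
# The log lines and request paths below are constructed; only the
# "InitialAccountSetup" substring is matched, since the real path is assumed.

import re
from typing import Dict, List, Optional, Tuple

PATCHED_VERSION = (7, 4, 1)
SETUP_MARKER = "InitialAccountSetup"

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; paths are placeholders, not documented GoAnywhere URLs.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [22/Jan/2024:10:01:02 +0000] "GET /mft/auth/Login HTTP/1.1" 200 5120
203.0.113.7 - - [22/Jan/2024:10:03:11 +0000] "GET /mft/setup/InitialAccountSetup HTTP/1.1" 200 8802
203.0.113.7 - - [22/Jan/2024:10:03:15 +0000] "POST /mft/setup/InitialAccountSetup HTTP/1.1" 302 0
10.0.0.5 - - [22/Jan/2024:10:05:40 +0000] "GET /mft/admin/Dashboard HTTP/1.1" 200 9120
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}


def find_setup_requests(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for every request touching the setup page.

    On a system whose initial setup is already complete, any such request is
    worth investigating, and a POST that is answered with a redirect even more so.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SETUP_MARKER in str(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.4.1' (or '7.4.1-build2') into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_patched(version_text: str) -> bool:
    """True when the reported version is at or above the fixed release."""
    return parse_version(version_text) >= PATCHED_VERSION


if __name__ == "__main__":
    for hit in find_setup_requests(CONSTRUCTED_LOG):
        print("setup page request:", hit)
    for v in ("7.4.0", "7.4.1", "7.10.0"):
        print(v, "patched" if is_patched(v) else "needs update")
```

Tuple comparison handles version strings with fewer components correctly ("7.4" sorts below "7.4.1"), which is the usual trap in ad hoc version checks. The log scan is deliberately substring-based so it also catches variants of the path; tightening it to an exact path requires knowing the deployed URL layout.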