Core Impact Monthly Chronicle: Exploits and Updates | July 2024
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conducts research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring that it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2024-28995 - SolarWinds Serv-U FTP Server Path Traversal Vulnerability Exploit
Authors: Esteban Kazimirow and Luis García Sierra (QA)
CVSS: 7.5 HIGH
Reference: CVE-2024-28995
A vulnerability was found in Serv-U, a managed file transfer and file transfer protocol solution from SolarWinds. If exploited, an unauthenticated, remote attacker could potentially access sensitive information from files stored on an organization’s server.
This vulnerability is actively being exploited in the wild, especially in smash-and-grab attacks, in which malicious actors extort victims using data swiftly extracted from vulnerable file transfer solutions. Users are urged to upgrade to Serv-U version 15.4.2.157 as soon as possible.
With this exploit, a pen tester could imitate a threat actor to exploit the directory traversal, download a file, and save it locally to a specified location.
CVE-2024-1800 & CVE-2024-4358 - Progress Telerik Report Server Vulnerabilities Exploit
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 9.9 CRITICAL, 9.8 CRITICAL
Reference: CVE-2024-1800, CVE-2024-4358
Two vulnerabilities were discovered in Progress Telerik Report Server, a reporting platform. CVE-2024-1800 is an insecure deserialization vulnerability. If exploited, an attacker could remotely run malicious code on a target server. CVE-2024-4358 is an authentication bypass vulnerability. If exploited, an unauthenticated attacker could bypass verification systems, enabling them to potentially view, modify, or delete reports and configurations without needing valid credentials.
Due to the severity of these vulnerabilities, users are urged to update to Report Server 2024 Q2 (10.1.24.514) in order to avoid the creation of rogue administrative accounts.
This exploit chains these two vulnerabilities together, enabling a pen tester to deploy an agent that will run with root user privileges, allowing them to make unauthorized changes, extract data, or compromise the system.
CVE-2023-36802 - Microsoft Streaming Service Elevation of Privilege Vulnerability Exploit—Update
Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-36802
A vulnerability was found in the Windows Streaming service, which runs as SYSTEM, and can be exploited to allow local users to gain elevated privileges on the Windows operating system.
This vulnerability has been exploited in the wild on multiple occasions.
This exploit takes advantage of this recent Microsoft vulnerability in the Windows kernel streaming service. It can be used to simulate an attacker who uses this vulnerability to escalate their privileges, gaining access to sensitive data or pivoting to eventually achieve full system control.
Originally released in November 2023, this exploit has been updated with reliability improvements to the check that determines whether the target is vulnerable.
CVE-2024-5276 - FileCatalyst Workflow JOBID SQL Injection Vulnerability Exploit
Authors: Fernando Páez Barceló and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-5276
A critical vulnerability was discovered in FileCatalyst, an accelerated file transfer software solution from Fortra. If exploited, an attacker could access sensitive data, disrupt services, or gain full control over a target system.
Due to the severity of the vulnerability, users are urged to update to version 5.1.6 build 139 to ensure an attacker cannot modify application data.
With this exploit, pen testers can assess whether an organization’s system is vulnerable by using this module to create an administrative user (without authentication) and then proceed through the validation mechanisms with this newly created user.
CVE-2021-26855 & CVE-2021-27065 - Microsoft Exchange ProxyLogon Remote Code Execution Vulnerability Exploit—Update
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL, 7.8 HIGH
Reference: CVE-2021-26855, CVE-2021-27065
These vulnerabilities are part of the ProxyLogon exploit chain, which impacted thousands of customers globally when initially discovered due to its ease of use and ability to provide an attacker with persistent system access. Though updates mitigating these flaws have been available since 2021, unpatched systems may still be vulnerable, especially in environments where patch management is challenging or neglected.
This exploit uses the chain of CVE-2021-26855 with CVE-2021-27065. This combination of a server-side request forgery vulnerability and an arbitrary file write vulnerability enables a pen tester to execute commands with SYSTEM privileges on the Microsoft Exchange Server.
Originally released in March 2021, this exploit has been updated to add several parameters for module flexibility and more log verbosity on errors, as well as to fix a bug when using Autodiscover to retrieve the email SID.
CVE-2024-29824 - Ivanti Core Server EPM Remote Code Execution Exploit
Authors: Esteban Kazimirow and Daniel De Luca (QA)
CVSS: 9.6 CRITICAL
Reference: CVE-2024-29824
An SQL injection vulnerability was found in Ivanti Endpoint Manager. If exploited, an attacker could execute arbitrary commands on the Ivanti EPM core server, enabling them to access, modify, and extract sensitive data.
Due to the severity of the vulnerability, users are urged to implement the May 2024 Hotfix as soon as possible to protect against this and several other vulnerabilities.
Using this exploit, a pen tester could simulate an unauthenticated attacker within the same network and execute arbitrary code.