Core Impact Monthly Chronicle: Exploits and Updates | June 2024
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release, ensuring it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2024-24919 - Check Point Security Gateway Traversal Exploit
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 8.6 HIGH
Reference: CVE-2024-24919
A directory traversal vulnerability was found in Check Point’s Network Security gateway products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. If exploited, attackers can extract system files from these gateways.
This vulnerability was a zero-day flaw that has been exploited by attackers since April. Users are urged to patch this vulnerability as soon as possible by implementing the available hotfix.
With this exploit, a pen tester could simulate an unauthenticated attacker and access and download sensitive data, including password hashes for local accounts. These hashes could then be cracked and used to potentially elevate privileges.
CVE-2023-36003 - Microsoft Windows InitializeXamlDiagnosticsEx Local Privilege Escalation Exploit
CVSS: 7.3 HIGH
Reference: CVE-2023-36003
A vulnerability was discovered in the XAML Diagnostics API in Windows, which is designed to inspect XAML applications. If exploited, an authorized attacker with regular user privileges may be able to inject a malicious file and then convince a user to execute a UWP application.
This exploit enables a pen tester to imitate an authorized attacker and potentially gain full SYSTEM privileges.
CVE-2024-27348 - Apache HugeGraph Gremlin Script Remote Code Execution Exploit
Authors: Marcos Accossatto, Luis García Sierra (QA) and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-27348
A critical vulnerability was discovered in Apache HugeGraph, an open-source graph database. If exploited, attackers could achieve remote code execution using the graph traversal language, Gremlin, to bypass sandbox restrictions.
Given the criticality of this vulnerability and the public availability of exploit code, users are urged to upgrade to version 1.3 as soon as possible.
Pen testers can use this exploit to imitate a remote attacker, potentially extracting sensitive data or gaining full control of the server.
CVE-2024-4577 - PHP CGI Argument Injection Vulnerability Remote Code Execution Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-4577
A critical vulnerability was discovered in PHP when used with Apache and PHP-CGI on Windows systems configured to use certain code features. If exploited, attackers can use an argument injection to execute arbitrary code.
Attempts have already been made to exploit this vulnerability in the wild. Additionally, as this vulnerability impacts every version of PHP on Windows, users are urged to implement the fix as soon as possible.
With this exploit, pen testers can imitate a remote attacker and pass options to the PHP binary being run, eventually executing system commands in the context of the affected application.
CVE-2018-2628 - Oracle WebLogic Server WLS Remote Code Execution Exploit—Update
Authors: Fernando Páez Barceló and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2018-2628
A vulnerability was found in the server component of Oracle Fusion Middleware, a platform that enables the development, deployment, and management of enterprise applications, primarily in cloud environments. When exploited, an attacker could potentially take control of an Oracle WebLogic Server.
This exploit enables a pen tester to simulate an unauthenticated attacker with network access via the T3 protocol who sends a serialized object to execute code on vulnerable hosts, eventually obtaining full privileges on the target system.
Originally released in December 2023, this exploit has been updated to fix an issue that occurred when used in a pivoted context.
CVE-2024-21887 & CVE-2023-46805 - Ivanti Connect Secure Unauthenticated Remote Code Execution Exploits
Authors: Fernando Páez Barceló and Nahuel Gonzalez (QA)
CVSS: 9.1 CRITICAL & 8.2 CRITICAL
Reference: CVE-2024-21887 and CVE-2023-46805
This module exploits two vulnerabilities. First, it uses CVE-2023-46805, an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. When exploited, it enables command execution and a control check bypass by leveraging the lack of authentication on "/api/v1/totp/user-backup-code", allowing unauthenticated access and path traversal.
Then, the module uses the command injection vulnerability CVE-2024-21887 to execute remote commands via "/api/v1/license/key-status/path:node_name".
The exploit allows testers to deploy a Core Impact agent to gain full access into the compromised machine.
Attackers have actively exploited these vulnerabilities in the wild, including a recent incident in which the Mirai botnet was deployed. They have been added to CISA’s Known Exploited Vulnerabilities Catalog, and CISA has also released a joint advisory urging organizations to consider the significant risks of continuing to operate these devices. Users are urged to patch these vulnerabilities as soon as possible.
Using this exploit, pen testers can imitate an attacker, enabling them to gain a foothold and potentially fully compromise an internal enterprise network.
CVE-2024-26229 - Microsoft Windows CSC Service Privilege Escalation Exploit
Authors: Cristian Rubio and Arthur Lallemant (QA)
CVSS: 7.8 HIGH
Reference: CVE-2024-26229
A privilege escalation vulnerability was discovered in the Client Side Caching Driver (csc.sys) in Microsoft Windows. The driver is vulnerable to a memory corruption that allows an arbitrary memory write. If exploited, an attacker with limited credentials could escalate privileges and potentially execute arbitrary code.
With this exploit, pen testers can simulate a local unprivileged user gaining SYSTEM privileges, which could lead to unauthorized actions including modifying configurations, deploying malware, or exfiltrating sensitive information.