Core Impact Monthly Chronicle: Exploits and Updates | March 2024
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring that it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2024-21412 - Microsoft Windows Internet Shortcut SmartScreen Bypass Exploit
Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 8.1 HIGH
Reference: CVE-2024-21412
A zero-day vulnerability was discovered in the handling of Internet Shortcut (.url) files, which allowed a specially crafted file to bypass SmartScreen, Microsoft’s cloud-based anti-phishing and anti-malware protection used by several Windows applications. An unauthenticated attacker could send a user such a file that, when opened, bypasses the displayed security checks; the user still has to open the file, so the attack relies on social engineering for delivery.
This vulnerability was initially exploited as a zero-day by the Water Hydra (also known as DarkCasino) threat group, which used spearphishing emails to deploy the DarkMe RAT. A patch is now available.
Pen testers can use this module to bypass the SmartScreen security feature and execute arbitrary code on affected installations of Microsoft Windows, reproducing the delivery path a real attacker would use.
CVE-2023-6875 – WordPress POST SMTP Mailer Plugin Authorization Bypass Exploit Update
Authors: Esteban Kazimirov and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-6875
An authorization bypass vulnerability was found in POST SMTP Mailer, an email delivery and email-log plugin for WordPress websites. A data-conversion issue in the plugin’s API allows unauthenticated attackers to reset the API key used to authenticate the mailer and then view sensitive log data, including password reset emails.
Pen testers can simulate an attacker who uses a logged password reset email to take over an administrator account, from which they could exfiltrate sensitive information, deploy additional attacks, or cause critical business disruptions.
Initially released in February, this update adds Linux support and enhances the documentation.
CVE-2024-27198 - JetBrains TeamCity Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-27198
An authentication bypass vulnerability exists in JetBrains TeamCity, a build management and continuous integration server. The flaw is an alternative-path issue in TeamCity’s web component: a crafted request can reach endpoints that should require authentication. If exploited, an unauthenticated attacker could bypass authentication checks and gain administrative control of a TeamCity server.
Attackers are actively exploiting this vulnerability in the wild, and it is now listed in CISA’s Known Exploited Vulnerabilities Catalog. Users are urged to patch as soon as possible by upgrading to version 2023.11.4.
Using this exploit, pen testers can simulate an unauthenticated attacker and potentially execute arbitrary code, gaining control of a TeamCity server’s projects, builds, agents, and artifacts. Since a CI server typically holds source repository and deployment credentials, this access can also be used to pivot further into the environment.
CVE-2024-1709 - ConnectWise ScreenConnect Authentication Bypass Remote Code Execution Exploit
Authors: Fernando Páez Barceló and Daniel De Luca (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2024-1709
An authentication bypass vulnerability exists in the server component of ConnectWise ScreenConnect, a self-hosted remote desktop application. The flaw lies in how the request path is compared when the server decides whether a request is for the setup wizard. If exploited, an attacker can bypass that check and reach the setup wizard on an already-configured server, allowing them to create a new administrative user.
Mass exploitation of this vulnerability has been observed, with attackers using it to deploy ransomware variants, infostealers, RATs, and worms. It is now listed in CISA’s Known Exploited Vulnerabilities Catalog, and users are urged to immediately update their servers to version 23.9.8.
Using this exploit, pen testers can simulate an attacker by creating an admin account and uploading a malicious ScreenConnect extension, which can enable the execution of arbitrary code on the server.
CVE-2024-21762 - Fortinet FortiOS SSL VPN Chunked Transfer-Encoding Vulnerability Checker
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-21762
An out-of-bounds write vulnerability was discovered in the SSL VPN component of FortiOS, the operating system of Fortinet’s FortiGate appliances. If exploited, an unauthenticated remote attacker could execute arbitrary code or commands via specially crafted requests. This module is a checker: it determines whether a target is vulnerable rather than exploiting it, which is the appropriate approach for a memory corruption bug on a production network device.
This vulnerability has been exploited in the wild and is now part of CISA’s Known Exploited Vulnerabilities Catalog; users are urged to update to a fixed release. Where patching is delayed, Fortinet’s advisory recommends disabling SSL VPN as a workaround.
CVE-2024-0259 - Fortra Robot Schedule Enterprise Exploit
Authors: Ricardo Narvaja and Daniel De Luca (QA)
CVSS: 7.3 HIGH
Reference: CVE-2024-0259
A privilege escalation vulnerability was found in Fortra's Robot Schedule Enterprise Agent for Windows. A threat actor with low-level permissions can replace the service executable with a malicious binary; when the service is next restarted, the substituted binary runs with local system privileges.
Versions prior to 3.04 are affected, and users are advised to update as soon as possible.
Pen testers can use this exploit to overwrite the service executable, escalate their privileges, and potentially change system settings, deploy malware, or gain access to sensitive information.
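As an added example (not Core Impact’s module and not code from Fortra), here is the generic check for this class of weakness: a PowerShell script that enumerates services running as LocalSystem whose binary a low-privileged principal is allowed to modify. It is not specific to Robot Schedule; service names and binary paths come from the host at run time, and the list of low-privileged SIDs is an assumption you may want to extend.

```powershell
# Added example, not Core Impact or Fortra code.
# Finds services that run as LocalSystem and whose executable can be
# written, deleted, or re-permissioned by Everyone, Authenticated Users,
# or BUILTIN\Users: the weak-service-binary-permissions class described above.

# Assumed set of "low-privileged" principals (well-known SIDs).
$lowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545'    # BUILTIN\Users
)

# Rights that let a caller replace or hijack the file. FullControl/Modify
# include these bits, so they are caught by the bitwise test below.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteDac, WriteOwner, ChangePermissions, TakeOwnership')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip arguments: take the quoted path if present, else the first token.
    # (An unquoted path containing spaces is itself a separate weakness.)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # some package/capability SIDs do not translate
        if ($lowPrivSids -contains $sid -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Enumerate LocalSystem services and report the ones with a writable binary.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (Test-LowPrivWritable $bin) {
            [pscustomobject]@{
                Service = $_.Name
                Binary  = $bin
                State   = $_.State
                Start   = $_.StartMode
            }
        }
    }
```

Run it from an ordinary user session; it needs no elevation because it only reads ACLs. Two caveats: generic access bits (GENERIC_WRITE and similar) appear as large or negative integers in FileSystemRights and are not decoded here, and a writable parent directory is just as dangerous as a writable file, since the binary can be renamed and replaced, so check the directory ACL for any hit as well.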