Core Impact Monthly Chronicle: Exploits and Updates | May 2024
Core Impact Updates
New UI and Usability Improvements for Reports
The Core Impact reports have been modernized, and their data reviewed to make them more actionable and easier to use.
Phishing Attacks Efficiency Improvements
The links that Core Impact generates for phishing attacks and client-side exploits no longer carry known indicators of compromise (IOCs). Running simulations has also been simplified, which reduces the risk of the messages being blocked by email platforms.
Core Impact Exploit Library Additions
One of Core Impact's most valuable features is its certified exploit library. Fortra's Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, to ensure it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
CVE-2023-36036 - Microsoft Windows Cloud Files Privilege Escalation Exploit
Authors: Cristian Rubio and Arthur Lallemant (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-36036
A vulnerability was discovered in the Windows Cloud Files Mini Filter Driver. If exploited, an attacker could trigger a buffer overflow that results in an out-of-bounds write to paged pool memory, and from there execute arbitrary code with SYSTEM privileges.
Attackers have actively exploited this vulnerability in the wild, and it has been added to CISA's Known Exploited Vulnerabilities Catalog. Users are urged to patch this vulnerability as soon as possible.
With this exploit, a pen tester can imitate a threat actor and escalate from a low-privileged user to SYSTEM on the compromised host, a foothold from which control of the domain can ultimately be pursued.
CVE-2024-4040 - CrushFTP Server-Side Template Injection Exploit
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2024-4040
A critical vulnerability was found in CrushFTP, a multi-protocol, multi-platform file transfer server. A server-side template injection flaw lets attackers insert malicious payloads into a template, which the server then evaluates.
This can have severe consequences, including leakage of server variables, arbitrary file reading and, ultimately, remote code execution.
This vulnerability was a zero-day flaw that continues to be used by attackers in the wild. Users are urged to patch it as soon as possible by upgrading to version 11.1.0 or above.
With this exploit, a pen tester can imitate a threat actor and bypass authentication using leaked session tokens. If a token belongs to an admin, they can execute malicious code and gain full control over the server.
CVE-2024-3400 – PaloAlto PAN-OS Unmarshal Reflection Vulnerability Checker
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2024-3400
An unmarshal reflection vulnerability was discovered in the GlobalProtect feature of PAN-OS, the software that runs Palo Alto Networks firewalls. If exploited, an unauthenticated attacker could execute arbitrary code with root-level privileges.
This vulnerability is actively being exploited in the wild. Most recently, the operators of the RedTail cryptominer, one of the largest cryptomining operations currently active, have used CVE-2024-3400 against multiple targets.
Users are urged to upgrade to a fixed version as soon as possible.
This module verifies the vulnerability with a control check: it checks for a file with a random name, attempts to create that file, and then repeats the check. If the file appears only after the creation attempt, the target is confirmed vulnerable; the random name avoids false positives from files that already existed.
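The before/create/after pattern described above is generic enough to show on its own. The following is an added example, not Core Impact's module code and not a request against PAN-OS: the target is a constructed in-memory stand-in, and the `exists`/`try_create`/`cleanup` callables are assumptions standing in for whatever probe a real checker would send. What it demonstrates is the logic of the check itself, including the two inconclusive cases (marker already present, creation attempt errored) that a checker must not report as a hit.

```python
import secrets
from typing import Callable, Dict, Optional

# Generic control-check harness: look for a marker, try to create it, look
# again. Only a change between the two observations counts as a positive.
# The three callables are parameters (assumed interface); nothing here encodes
# a real request to any product.


def differential_check(
    exists: Callable[[str], bool],
    try_create: Callable[[str], None],
    cleanup: Optional[Callable[[str], None]] = None,
) -> Dict[str, object]:
    """Return a verdict describing what the before/after checks observed."""
    # Random marker name: a collision with a pre-existing file is negligible,
    # so any "appeared" result is attributable to our own create attempt.
    marker = secrets.token_hex(16)

    before = exists(marker)
    if before:
        # A fresh random name should never pre-exist; do not count this as a hit.
        return {"marker": marker, "vulnerable": False,
                "reason": "marker pre-existed (inconclusive)"}

    try:
        try_create(marker)
    except Exception as exc:  # timeout, connection error, unexpected status
        return {"marker": marker, "vulnerable": False,
                "reason": f"create attempt failed: {exc}"}

    after = exists(marker)
    if after and cleanup is not None:
        cleanup(marker)  # leave the target as we found it
    return {
        "marker": marker,
        "vulnerable": after,
        "reason": "marker appeared after create attempt" if after else "no observable change",
    }


class SimulatedHost:
    """Constructed stand-in for a target; a patched host ignores the create attempt."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.files: set = set()

    def exists(self, name: str) -> bool:
        return name in self.files

    def try_create(self, name: str) -> None:
        if not self.patched:
            self.files.add(name)

    def cleanup(self, name: str) -> None:
        self.files.discard(name)


def run_check(patched: bool) -> Dict[str, object]:
    """Run the differential check against a constructed host."""
    host = SimulatedHost(patched)
    return differential_check(host.exists, host.try_create, host.cleanup)


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", "->", run_check(patched))
```

The cleanup step matters in practice: a checker that leaves a marker behind on every engagement is itself an indicator that blue teams learn to look for.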
CVE-2024-4956 – Sonatype Nexus Repository Directory Traversal Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 7.5 HIGH
Reference: CVE-2024-4956
A high-severity vulnerability was discovered in Sonatype Nexus Repository, a central platform for storing components, binaries and build artifacts. If exploited, an unauthenticated attacker could read any file on the system that the Nexus process can access and exfiltrate sensitive information.
Given how easy this vulnerability is to exploit, users are urged to upgrade to version 3.68.1 as soon as possible to protect against attacks targeting it.
This module exploits the directory traversal to download the file specified in the "FILE PATH" parameter and save it locally at the location specified in the "OUTPUT PATH" parameter.
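For readers who maintain file-serving code of their own, the bug class behind this module is worth seeing next to its fix. The following is an added example written for this page; it is not Nexus Repository code and does not reproduce the Nexus request. `resolve_unsafe` is the naive pattern (join the request path onto the document root and normalize), and `resolve_safe` is the hardened form: decode until the input stops changing, normalize, and then require the result to remain under the root. The document root and request strings are constructed for illustration.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Vulnerable pattern: the request path is joined onto the document root as
# received, so "../" (plain or URL-encoded) walks out of the root. Note that
# posixpath.join discards the root entirely when the second part is absolute.
def resolve_unsafe(root: str, requested: str) -> str:
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


# Hardened pattern: bounded decode loop (catches double encoding), backslash
# and leading-slash normalization, NUL rejection, and a containment check on
# the normalized result rather than on the raw input.
def resolve_safe(root: str, requested: str) -> Tuple[bool, Optional[str]]:
    root = posixpath.normpath(root)
    decoded = requested
    for _ in range(3):  # stop once decoding is a no-op
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return False, None
    # Treat the request as root-relative: strip leading separators so that
    # "/etc/passwd" means "<root>/etc/passwd", not the absolute path.
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    prefix = root.rstrip("/") + "/"
    if candidate == root or candidate.startswith(prefix):
        return True, candidate
    return False, None


if __name__ == "__main__":
    root = "/srv/repo"  # constructed document root
    for req in ("lib/app.jar", "../../etc/passwd", "%2F..%2F..%2Fetc%2Fpasswd",
                "%252e%252e/%252e%252e/etc/passwd"):
        print(f"{req!r:45} unsafe -> {resolve_unsafe(root, req)!r:20} safe -> {resolve_safe(root, req)}")
```

The containment check compares normalized absolute paths, so a request such as `a/../b.jar` is still accepted (it stays inside the root) while every variant of `../` that escapes is rejected regardless of how it was encoded.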