Core Impact Monthly Chronicle: Exploits and Updates | November 2024

Core Impact Exploit Library Additions

One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release to ensure our standards and validate that it is safe and ready to use.

While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.

CVE-2023-43208- NextGen Healthcare Mirth Connect Deserialization Remote Code Execution Exploit

Authors: Lucas Dominikow and Luis García Sierra (QA)

CVSS: 9.8 CRITICAL

Reference: CVE-2023-43208

Key Vulnerability Details

• Insecure data deserialization could lead to remote code execution
• This vulnerability permits malicious users to bypass the patch for CVE-2023-37679
• Affects all Mirth Connect versions prior to 4.4.1
• Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78) and Deserialization of Untrusted Data (CWE-502)

Exploitation Impact and Mitigation 

• Unauthenticated user could gain initial system access and compromise critical healthcare data 
• Patch has been released and users are advised to upgrade to the latest version

Attacks in the Wild 

• Actively being exploited in the wild
• Has been added to CISA’s Known Exploited Vulnerabilites Catalog
• Microsoft has reported this vulnerability being exploited by ransomware threat actors, including nation-state actors and cybercrime groups

Exploitation Mechanism

1. The exploit module crafts and deploys a specially crafted XML payload.
2. The payload is processed by Xstream library’s insecure unmarshalling.
3. ChainedTransformer class executes using ConstantTransformer to get Runtime class.
4. InvokeTransfromer chains to access and invoke getRuntime.
5. Malicious code can then be executed on the server.

CVE-2024-35250 - Windows Ks Driver KSPROPERTY Privilege Escalation Exploit

Authors: Esteban Kazimirow and Nahuel Gonzalez (QA)

CVSS: 7.8 HIGH

Reference: CVE-2024-35250

Key Vulnerability Details

• Flaw exists in the Kernel Streaming (ks.sys driver), allowing arbitrary IOCTL_KS_PROPERTY operations, including arbitrary write primitives, process token replacement, and token privilege abuse 
• This double-fetch vulnerability in KspPropertyHandler can lead to privilege escalation at the kernel level
• Affects multiple versions of Windows 10, Windows 11, and Windows Server 2008-2022
• Classified as Untrustred Pointer Deference (CWE-822)

Exploitation Impact and Mitigation

• Authenticated attackers with low level privileges can elevate access to the SYSTEM level
• May lead to full system compromise and access to sensitive data
• Microsoft released a patch for this vulnerability in a June Security Update

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

1. Exploit module opens an audio device with read/write access.
2. It then accesses details in kernel space by getting the memory address of a kernel object associated with a process
3. Memory is allocated to create a fake RTL_BITMAP structure in user space, allowing arbitrary memory read/write operations.
4. The module retrieves the base address of a kernel module (ntoskrnl.exe) to locate functions within kernel space.
5. The address of a gadget is computed in the kernel for use in memory manipulation operations.
6. Data is written to a specific memory address, allowing the system's memory space to be modified.
7. The current process token is changed to gain system privileges.
8. The thread mode is restored to avoid BSOD.

CVE-2024-5910,CVE-2024-9464 - Palo Alto Networks Expedition Remote Code Execution Exploit 

Authors: Lucas Dominikow and Nahuel Gonzalez (QA)

CVSS: 9.8 CRITICAL,  6.5 MEDIUM  

Reference: CVE-2024-5910, CVE-2024-9464 

Key Vulnerability Details

• CVE-2024-5910 – A critical authentication bypass vulnerability resulting from missing authentication mechanism
• CVE-2024-9464 – A command injection vulnerability that enables authenticated attackers to execute arbitrary OS commands as root
• When chained together, can result in unauthenticated arbitrary command execution 
• Affects all versions of Expedition prior to version 1.2.96
• Classified as Missing Authentication for Critical Function (CWE-306) and Improper Neutralization of Special Elements used in an OS Command (CWE-78)

Exploitation Impact and Mitigation

• Attackers can gain initial unauthenticated access using CVE-2024-5910, then elevate their access to root privileges using CVE-2024-9464
• Can lead to full system compromise
• Patches have been released for both vulnerabilities

Attacks in the Wild 

• CVE-2024-5910 has been exploited in the wild and was added to CISA’s Known Exploited Vulnerabilites Catalog

Exploitation Mechanism

1. Exploit module crafts special request to the endpoint /OS/startup/restore/restoreAdmin.php to reset the admin password.
2. Once reset, the operator can use the new password to authenticate their credentials.
3. The module will then craft a special request to the endpoint /bin/CronJobs.php to deploy an agent.
4. The endpoint can be used to insert commands in the table cronjobs from pandb.
5. Once a command is inserted, the target will execute it.

CVE-2024-9474, CVE-2024-0012 - Palo Alto Networks OS (PAN-OS) Remote Code Execution Exploit

Authors: Lucas Dominikow and Nahuel Gonzalez (QA)

CVSS:  7.2 MEDIUM, 9.8 CRITICAL 

Reference: CVE-2024-9474, CVE-2024-0012

Key Vulnerability Details

• CVE-2024-9474 – A privilege escalation vulnerability that allows authenticated attackers to execute commands with root privileges
• CVE-2024-0012 – An authentication bypass vulnerability that enables unauthenticated attackers to perform administrator actions
• When chained together, can lead to remote code execution  
• Affects multiple versions of PAN-OS
• Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78) and Missing Authentication for Critical Function (CWE-306)

Exploitation Impact and Mitigation

• Attackers can gain a foothold using CVE-2024-9474, then use CVE-2024-0012 to perform administrative actions
• Can lead to full system compromise
• Patches have been released for both vulnerabilities in PAN-OS 11.2.4-h1, PAN-OS 11.1.5-h1, PAN-OS 11.0.6-h1, PAN-OS 10.2.12-h2, and PAN-OS 10.1.14-h6

Attacks in the Wild 

• This vulnerability chain has been actively exploited since November 2024
• Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilites Catalog

Exploitation Mechanism

1. The exploit module sends a request containing a header parameter for authentication bypass (CVE-2024-0012) to inject a command within a "user" request body parameter (CVE-2024-9474).
2. An elevated user session ID is sent in the response and the injected command is written to a local session cache file.
3. A request is sent with the elevated session ID to trigger evaluation of the injected local session cache file.
4. The process is repeated with all the necessary commands to deploy an agent.

CVE-2024-1403- Progress OpenEdge authorizeUser Authentication Bypass Vulnerability Checker

Authors: Marcos Accossatto and Luis García Sierra (QA)

CVSS: 10.0 CRITICAL 

Reference: CVE-2024-1403

Key Technical Details

• A critical authentication bypass vulnerability may lead to unauthorized access 
• A flaw in the in the authorizeUser() function improperly validates certain usernames and passwords 
• Affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0
• Classified as Authentication Bypass by Primary Weakness (CWE-305)

Exploitation Impact and Mitigation 

• Unauthenticated attacker could establish a foothold, deploy malicious payloads, escalate privileges, and establish persistence
• Could lead to full compromise, with ability to access, manipulate, exfiltrate, or delete sensitive data 
• Vulnerability has been patched in OpenEdge LTS updates: 11.7.19, 12.2.14, and 12.8.1

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

1. The module creates an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.
2. It then performs a vulnerability verification.
3. All requests to target will be made using Java RMI requests.

Microsoft Windows Event Logging Service DoS Update 

Authors: Cristian Rubio and Daniel De Luca (QA)

Key Vulnerability Details

• A Denial-of-Service attack can be triggered when an authenticated attacker connects to the target system and sends specially crafted requests
• A flaw in Event Logging Service can lead to the impairment of an environment’s detection and forensic capabilities
• Affects multiple versions of Windows 10 and Windows 11

Exploitation Impact and Mitigation 

• Attackers can cease the logging of events within critical software
• Allows threat actors to leave no trace of their actions
• Windows 11 24H2 is the only version to have this issue patched
• A free micropatch is available through the 0patch blog for all other versions

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

1. Exploit module targets the ElfrRegisterEventSourceW method through the EventLog Remoting Protocol.
2. A specialized UNICODE_STRING object is crafted and sent to the target system.
3. The wevtsvc!VerifyUnicodeString function processes the object, causing a null-pointer deference.
4. Windows Event Log service will then crash, disabling critical logging capabilities.

Update

• This exploit was first released in February 2024
• This update adds reliability improvements to check if the target is vulnerable

CVE-2024-30090 - Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit

Authors: Cristian Rubio and Luis García Sierra (QA)

CVSS: 7.0 HIGH 

Reference: CVE-2024-30090

Key Vulnerability Details

• A double-fetch vulnerability exists in the Kernel Streaming service module (ksthunk.sys), allowing attackers to perform arbitrary memory decrements through race conditions
• This race condition flaw can lead to privilege escalation through kernel memory manipulation
• Affects all Windows versions from Windows 7 to Windows 11 and Server editions 
• Classified as Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) and Untrusted Pointer Dereference (CWE-822)

Exploitation Impact and Mitigation

• Authenticated attackers with low level privileges can escalate privileges to SYSTEM user
• May lead to data compromise, exfiltration, or corruption
• Microsoft released a patch for this vulnerability in a June Security Update

Attacks in the Wild 

• No major attacks have been reported at this time

Exploitation Mechanism

• Exploit module retrieves kernel address of nt!SeDebugPrivilege.
• It then creates a new thread to win the race condition.
• The double-fetch is triggered three times and overwrites nt!SeDebugPrivilege.
• A new process can be created, running the agent as SYSTEM.