Core Impact Monthly Chronicle: Exploits and Updates | Dec 2023
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before release, ensuring that it meets our standards and is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here’s a more detailed summary of some of the most recent additions to the library.
CVE-2018-2628 – Oracle WebLogic Server Remote Code Execution Exploit
Authors: Fernando Páez Barceló and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2018-2628
A vulnerability was found in the server component of Oracle Fusion Middleware, a platform that enables the development, deployment, and management of enterprise applications, primarily in cloud environments. When exploited, an attacker could potentially take control of an Oracle WebLogic Server.
This exploit enables a pen tester to simulate an unauthenticated attacker with network access via the T3 protocol who sends a serialized object to execute code on vulnerable hosts, eventually obtaining full privileges over the entire target system.
CVE-2023-20598 – AMD Radeon™ Graphics Privilege Escalation Exploit
Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-20598
A privilege management vulnerability was discovered in the driver of AMD Radeon™ Graphics Cards, primarily used for gaming and media streaming. Threat actors could potentially use this vulnerability for arbitrary code execution.
This exploit allows pen testers to simulate an authenticated attacker and create an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses.
CVE-2022-28219 - Zoho ManageEngine Remote Code Execution Exploit Update
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2022-28219
A vulnerability was found in ADAudit Plus, a compliance tool from Zoho ManageEngine that provides visibility into Windows environments. This vulnerability is multi-faceted, with issues surrounding Java deserialization, blind XML external entities (XXE), and path traversal. If exploited, a malicious actor could potentially gain network control and launch malware, disrupt operations, or exfiltrate sensitive data.
This exploit was previously released in October 2022. The module’s attack logic has now been updated so that it can be launched from WebApps RPTs.
CVE-2023-35359 - Windows File History Service Privilege Escalation Exploit Update
Authors: Esteban Kazimirow, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-35359
A vulnerability was found in the Windows File History service, which runs as SYSTEM and can be exploited to allow local users to gain elevated privileges on the Windows operating system.
The File History service can be started by ordinary users with low-level privileges. When the service is started, the core file fhsvc.dll is loaded and the vulnerable function CManagerThread::QueueBackupForLoggedOnUser is reached. When this function executes, it impersonates the currently logged-in user and loads fhcfg.dll.
This exploit was previously released in October 2023. This updated version enables pen testers to customize the file path where the exploit will write a file in the target host.
CVE-2023-4911 - Linux Looney Tunables GLIBC Local Privilege Escalation Exploit
Authors: Lucas Dominikow and Arthur Lallemant (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-4911
A buffer overflow weakness was found in the GNU C library’s ld.so dynamic loader, impacting popular Linux platforms, including Fedora, Ubuntu, and Debian. If exploited, attackers could gain full root access to systems running these platforms.
This vulnerability has multiple instances of being exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities Catalog, which required Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by December 12, 2023. CISA has also urged any affected organizations to remediate the vulnerability as soon as possible.
This exploit allows pen testers to simulate local attackers who craft GLIBC_TUNABLES environment variables when launching binaries with SUID permission in order to execute code with escalated privileges.
CVE-2023-38043 – Ivanti Secure Access VPN Client Privilege Escalation Exploit
Authors: Ricardo Narvaja, Esteban Kazimirow, and Daniel De Luca (QA)
Development Partners: Dima van de Wouw and Pieter Ceelen from Fortra’s Outflank
CVSS: 7.8 HIGH
Reference: CVE-2023-38043
Ivanti Secure Access Client was found to have a local privilege escalation vulnerability. From low-privileged user mode, the exploit abuses a flaw in the kernel driver to overwrite the agent process token’s privileges with those of a system process token. The kernel driver’s symbolic link has an ACL that allows Everyone to open a handle to it.
With this exploit, a pen tester can simulate an authenticated attacker, enabling them to elevate their privileges, gain access to sensitive data, and deploy malware.
This Ivanti privilege escalation was presented at BSides London. Northwave allowed us to include a fully weaponized version in Core Impact, and we want to thank them, and specifically @tijme and Alex, for their contributions.
NOCVE - Windows System Drive Remapping Local Privilege Escalation Exploit
Authors: Esteban Kazimirow and Daniel De Luca (QA)
This vulnerability was presented at the Ekoparty 2023 security conference by Nicolas A. Economou.
It takes advantage of a recently discovered user-mode design flaw: the combination of a Windows dark "functionality" (recently revealed by Google Project Zero) and an insufficient check.
It enables pen testers to inject DLLs into privileged processes whose executables contain an embedded manifest with the attributes level="asInvoker" and uiAccess="true". This allows a user in the Administrators group to elevate from Medium to High integrity level.
References
https://github.com/bluefrostsecurity/Windows-Drive-Remapping-EoP
https://static.bluefrostsecurity.de/files/lab/I_am_high-presentation.pdf