Core Impact Monthly Chronicle: Exploits and Updates | Dec 2023

One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release to ensure our standards and validate that it is safe and ready to use. 

While you can keep track of new releases through our exploit mailing list, here’s a more detailed summary of some of the most recent additions to the library. 

CVE-2018-2628 – Oracle WebLogic Server Remote Code Execution Exploit 

Authors: Fernando Páez Barceló and Daniel De Luca (QA) 

CVSS: 9.8 CRITICAL

Reference: CVE-2018-2628 

A vulnerability was found in the server component of Oracle Fusion Middleware, a platform that enables the development, deployment, and management of enterprise applications, primary in cloud environments. When exploited, an attacker could potentially take control of an Oracle WebLogic Server. 

This exploit enables a pen tester to simulate an unauthenticated attacker with network access through the T3 protocol could send a serialized object to execute code on vulnerable hosts, eventually obtaining full privileges for the entire target system. 

CVE-2023-20598 – AMD Radeon™ Graphics Privilege Escalation Exploit 

Authors: Cristian Rubio and Luis García Sierra (QA) 

CVSS: 7.8 HIGH 

Reference: CVE-2023-20598 

A privilege management vulnerability was discovered in the driver of AMD Radeon™ Graphics Cards, primarily used for gaming and media streaming. Threat actors could potentially use this vulnerability for arbitrary code execution.  

This exploit allows pen testers to simulate an authenticated attacker and create an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses.  

CVE-2022-28219 - Zoho ManageEngine Remote Code Execution Exploit Update  

Authors: Marcos Accossatto and Daniel De Luca (QA) 

CVSS: 9.8 CRITICAL 

Reference: CVE-2022-28219 

A vulnerability was found in ADAudit Plus, a compliance tool from Zoho ManageEngine that provides visibility into Windows environments. This vulnerability is multi-faceted, with issues surrounding java deserialization, blind XML external entities (XXE), and path traversal. If exploited, a malicious actor could potentially gain network control and launch malware, disrupt operations, or exfiltrate sensitive data.   

This exploit was previously released in October 2022. The module attack logic has now been updated for launching in webapps RPTs.

CVE-2023-35359 - Windows File History Service Privilege Escalation Exploit Update  

Authors: Esteban Kazimirow, Nahuel González (QA), and Daniel De Luca (QA) 

CVSS: 7.8 HIGH 

Reference: CVE-2023-35359  

A vulnerability was found in the Windows file history service, which runs as SYSTEM, and can be exploited to allow local users to gain elevated privileges on the Windows operating system. 

The file history service can be started by ordinary users with low-level privileges. When the service is started, the core file fhsvc.dll is loaded and then the vulnerable function CManagerThread::QueueBackupForLoggedOnUser is hit. When this function is executed, it will imitate the currently logged-in user and load fhcfg.dll.  

This exploit was previously released in October 2023. This updated version enables pen testers to customize the file path where the exploit will write a file in the target host. 

CVE-2023-4911 - Linux Looney Tunables GLIBC Local Privilege Escalation Exploit  

Authors: Lucas Dominikow and Arthur Lallemant (QA) 

CVSS: 7.8 HIGH 

Reference: CVE-2023-4911  

An buffer overflow weakness was found in the GNU C library’s Id.so dynamic loader, impacting popular Linux platforms, including Fedora, Ubuntu, and Debian. If exploited, attackers could gain full root access to systems running these platforms.  

This vulnerability has multiple instances of being exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities Catalog, which required Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by December 12, 2023. CISA has also urged any affected organizations to remediate the vulnerability as soon as possible.  

This exploit allows pen testers to imitate local attackers and create crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with escalated privileges. 

CVE-2023-38043 – Ivanti Secure Access VPN Client Privilege Escalation Exploit 

Authors: Ricardo Narvaja, Esteban Kazimirow, and Daniel De Luca (QA) 

Development Partners: Dima van de Wouw and Pieter Ceelen from Fortra’s Outflank  

CVSS: 7.8 HIGH 

Reference: CVE-2023-38043  

Ivanti Secure Access Client was discovered to have a local privilege escalation vulnerability. From a low-privileged user mode, it exploits a vulnerability in the kernel driver to overwrite the agent process token privileges with system process token privileges. The kernel driver symbolic link has an ACL defining that Everyone can open a handle to it. 

With this exploit, a pen tester can imitate an authenticated attacker, enabling them to elevate their privileges, gain access to sensitive data, and deploy malware. 

Ivanti privilege escalation was presented at BSidesLondon. Northwave allowed us to include a full weaponized version in Core Impact and we want to thank them, and specifically @tijme and Alex for their contributions. 

NOCVE - Windows System Drive Remapping Local Privilege Escalation Exploit