Core Impact Monthly Chronicle: Exploits and Updates | Nov 2023
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release to ensure our standards and validate that it is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here’s a more detailed summary of some of the most recent additions to the library.
CVE-2023-47246 - SysAid on-prem UserEntry accountID Path Traversal RCE Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-47246
A path traversal vulnerability was found in SysAid On-Premise before 23.3.36 that leads to code execution once an attacker writes a file into the Tomcat webroot.
This vulnerability has multiple instances of being exploited in the wild.
This exploit enables a pen tester to simulate an unauthenticated attacker uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service, leading to the deployment of an implant and the compromise of the machine.
CVE-2023-36802 - Microsoft Streaming Service Elevation of Privilege Vulnerability Exploit
Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-36802
A vulnerability was found in the Windows Streaming service, which runs as SYSTEM, and can be exploited to allow local users to gain elevated privileges on the Windows operating system.
This vulnerability has multiple instances of being exploited in the wild.
This exploit takes advantage of this recent Microsoft vulnerability in the streaming service within the Windows kernel. It can be used to simulate an attacker who uses this vulnerability to escalate their privileges, gaining access to sensitive data or pivoting to eventually achieve full system control.
CVE-2023-22518 - Atlassian Confluence setup-restore Improper Auth RCE Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2023-22518
A vulnerability was found in Confluence, a knowledge management tool from Atlassian. This improper authorization vulnerability can be exploited by an unauthenticated attacker to reset a Confluence instance and create an admin account.
This vulnerability has multiple instances of being exploited in the wild. For example, Cerber ransomware has employed this in its process, exploiting it in order to escalate privileges.
This exploit uses an improper authorization vulnerability in Atlassian Confluence to replace the database contents and create a new admin user in the target system. The created admin account is then used to upload a Servlet plugin JAR file to deploy an agent. The deployed agent will run with the same privileges as the Confluence instance.
As exploiting this vulnerability implies a reset of the application configuration, we also released a checker that confirms the vulnerability without breaking the configuration.
CVE-2023-46747 - F5 BIG-IP Configuration Utility Authentication Bypass Escalation Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2023-46747
BIG-IP is a portfolio of products from F5 that focus on application security, delivery, and performance. A request smuggling vulnerability was discovered in the configuration utility component that enables an attacker with network access to create an administrative user and execute arbitrary system commands.
This vulnerability has multiple instances of being exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities Catalog.
CVE-2023-20198 – Cisco IOS XE WMSA Encoding Bypass Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2023-20198
Cisco IOS XE, a network operating system, was discovered to have a remote code execution vulnerability in its web user interface. An unauthenticated remote attacker exploiting this vulnerability could create an account with maximum privilege (level 15) access.
Since this is a zero-day vulnerability, it had already been exploited in the wild prior to discovery. In fact, over 40,000 devices were found to have been compromised shortly after its discovery.
Using this module, a pen tester can connect to the remote host and send specially crafted requests to determine whether it is vulnerable; if the target is found to be vulnerable, the module creates a new local administrator user in the target system using the provided credentials.