Core Impact Monthly Chronicle: Exploits and Updates | Oct 2023
One of Core Impact’s most valuable features is its certified exploit library. Fortra’s Core Security has a team of expert exploit writers that conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team creates its own clean environment to validate each exploit before its release to ensure our standards and validate that it is safe and ready to use.
While you can keep track of new releases through our exploit mailing list, here’s a more detailed summary of some of the most recent additions to the library.
CVE-2023-35359 - Windows File History Service FHSVC Privilege Escalation Exploit
Authors: Esteban Kazimirov, Ricardo Narvaja and Nahuel González (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-35359
A vulnerability was found in the Windows file history service, which runs as SYSTEM, and can be exploited to allow local users to gain elevated privileges on the Windows operating system.
The file history service can be started by ordinary users with low-level privileges. When the service is started, the core file fhsvc.dll is loaded and the vulnerable function CManagerThread::QueueBackupForLoggedOnUser is reached. When this function executes, it impersonates the currently logged-in user and loads fhcfg.dll.
This exploit takes advantage of this recent Microsoft vulnerability in the file history service within Windows Kernel. It can be used to simulate an attacker that uses this vulnerability to escalate their privileges, gaining access to sensitive data or pivoting to eventually achieve full system control.
CVE-2023-20887 – VMWare Aria Remote OS Command Injection Exploit
Authors: Marcos Accossatto and Arthur Lallemant (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-20887
Aria Operations for Networks is a network monitoring tool that was discovered to contain a command injection vulnerability. This is caused by a command injection flaw within the code as well as a bypass of the reverse proxy that shields the RPC interface. There are known instances of this vulnerability being exploited in the wild.
This exploit can imitate a threat actor using this vulnerability to execute arbitrary code, which may ultimately result in total system control.
CVE-2023-36874 - Windows Error Reporting Service Privilege Escalation Exploit
Authors: Ricardo Narvaja and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-36874
This Windows vulnerability was the result of an application not properly imposing security restrictions in the Windows Error Reporting Service, leading to security restrictions bypass and privilege escalation. This vulnerability has multiple instances of actively being exploited in the wild, and has even been added to CISA’s catalog of known exploited vulnerabilities.
This exploit can be used to simulate an attacker with low level privileges and enable them to elevate their credentials to a SYSTEM user, giving them full control of the system.
CVE-2023-38831 – WinRAR File Extension Code Execution Exploit
Authors: Fernando Páez Barceló and Luis García Sierra (QA)
CVSS: 7.8 HIGH
Reference: CVE-2023-38831
CVE-2023-38831 is a critical vulnerability in which attackers are able to generate modified RAR or ZIP archives that contain both safe and malicious files. Typically, the same name would be used for both the harmless file and a folder that contains malicious scripts. This vulnerability has been executed in the wild. Most notably, it has been used to breach cryptocurrency trading accounts, infecting them with malware and possibly stealing assets.
This exploit allows testers to employ the same tactic: using one name for both the benign file and the folder containing the malicious scripts, making the two hard to tell apart. Once executed, these scripts could launch malware, gain access to sensitive data, or escalate privileges and potentially achieve full control of the system.
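The tactic described above (a file entry and a folder entry sharing a name inside one archive) leaves a structural fingerprint that a defender can check for before an archive ever reaches a user. The following scanner is an added example, not Core Impact code and not part of the original post: it reads a ZIP archive's entry list and reports any top-level file whose name also appears as a directory name. It goes slightly beyond the text by comparing names after stripping trailing whitespace, so that a folder name differing from the file name only by a trailing space is still reported. The sample archive it builds is constructed inline for demonstration; only ZIP is parsed here (the standard library has no RAR reader), and the same comparison would apply to a RAR listing produced by a third-party reader.

```python
import io
import zipfile
from typing import List


def _top_level_component(name: str) -> str:
    """First path component of an archive entry name, with trailing
    whitespace removed so near-identical names still compare equal."""
    return name.split("/")[0].rstrip()


def find_name_collisions(archive_bytes: bytes) -> List[str]:
    """Return the (normalized) names that appear both as a top-level file
    entry and as a directory in the given ZIP archive.

    Directories are taken from explicit directory entries ("x/") and from
    the first component of any nested path ("x/y"), since an archive need
    not contain explicit directory entries at all.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = set()
    dirs = set()
    for name in names:
        is_dir_entry = name.endswith("/")
        is_nested = "/" in name.rstrip("/")
        if is_dir_entry or is_nested:
            dirs.add(_top_level_component(name))
        else:
            files.add(_top_level_component(name))
    return sorted(files & dirs)


def build_sample_archive(suspicious: bool) -> bytes:
    """Constructed sample archive. With suspicious=True it contains a
    benign-looking document and a same-named folder (trailing space) that
    holds a script; with suspicious=False the folder has a distinct name."""
    folder = "statement.pdf " if suspicious else "attachments"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr(f"{folder}/statement.pdf .cmd", b"echo constructed placeholder\r\n")
        zf.writestr("readme.txt", b"benign placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("clean", False)):
        hits = find_name_collisions(build_sample_archive(flag))
        verdict = f"collisions: {hits}" if hits else "no file/folder name collisions"
        print(f"{label} sample -> {verdict}")
```

A mail gateway or download-scanning hook can call find_name_collisions on each archive and quarantine or flag those that return a non-empty list; legitimate archives very rarely carry a top-level file and a folder with the same name, so the check has a low false-positive rate and costs only a central-directory read.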
CVE-2023-40044 – Progress WS_FTP Server Remote Code Execution Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 10 CRITICAL
Reference: CVE-2023-40044
A .NET deserialization vulnerability was found in the file sharing program WinSock File Transfer Protocol (WS_FTP). An attacker without any privileges would be able to execute commands using an HTTP request. This vulnerability has been exploited in the wild, particularly by ransomware groups.
This exploit enables pen testers to simulate an unauthenticated remote attacker to execute arbitrary commands, potentially compromising the entire system.
CVE-2023-42793 – Jetbrains TeamCity RPC2 Authentication Remote Code Execution Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-42793
JetBrains’ TeamCity is a continuous integration and continuous deployment (CI/CD) server that was discovered to have an authentication bypass vulnerability. This vulnerability quickly gathered attention as it is fairly simple to exploit and does not require a valid account on the target. Though a patch was promptly released, intelligence firms quickly began to see ransomware groups weaponizing this flaw.
Using this exploit, pen testers can simulate a remote attacker and execute system commands, gaining access to source code, service secrets, and private keys or take control of the entire server.
CVE-2023-26258 – ArcServe UDP Agent Authentication Bypass Exploit
Authors: Fernando Páez Barceló and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-26258
A critical authentication bypass vulnerability was found in versions 7.0-9.0 of Arcserve Unified Data Protection (UDP), an enterprise backup and recovery solution. The vulnerability stems from a lack of input validation in the service, which would allow threat actors to retrieve and decrypt credentials, eventually gaining access to the administrative interface. Given the nature of the tool, this vulnerability is particularly attractive for ransomware attacks: a ransomware group would have the ability to steal or delete system backups, leaving an organization with no other means of restoring its data or infrastructure.
Using this exploit, pen testers could simulate an attacker using getVersionInfo to expose the AuthUUID token in the WebService. From there, the token can be used to obtain a valid session.
CVE-2023-29360 – Microsoft Streaming Service Privilege Escalation Exploit
Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 8.4 HIGH
Reference: CVE-2023-29360
A vulnerability was found in Microsoft Kernel Streaming Server that would allow an attacker to execute code with elevated credentials. A flaw present in the kernel module of the MS KS Server (mskssrv.sys) lacks proper validation of a user-supplied value, allowing the mapping of arbitrary memory addresses. Using this vulnerability, a threat actor could run code with elevated privileges.
Using this exploit, a pen tester could run an assumed breach scenario, in which an attacker with low-level credentials could use this vulnerability to execute arbitrary code, eventually gaining full SYSTEM privileges.
CVE-2023-21769 – Microsoft Message Queuing Denial of Service Exploit Update
Authors: Cristian Rubio and Daniel De Luca (QA)
CVSS: 7.5 HIGH
Reference: CVE-2023-21769
A denial-of-service vulnerability exists in Microsoft Message Queuing. By exploiting this vulnerability, an unauthenticated attacker could connect to the target system and send specially crafted requests.
This exploit update adds CVE-2023-21554, a critical remote code execution vulnerability also present in the Microsoft Message Queuing service, to the vulnerabilities exploited by the module. Windows Server 2019 was also added to the supported systems.
CVE-2023-22515 – Atlassian Confluence Broken Access Control Remote Code Execution Exploit
Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-22515
Confluence, Atlassian’s enterprise collaborative workspace tool, was discovered to have a broken access control vulnerability due to incorrect filtering implemented within the SafeParametersInterceptor class. If exploited, an attacker could create an unauthorized administrator account, gaining access to Confluence Servers and potentially exfiltrating sensitive information and installing malicious plugins.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Cybersecurity Advisory (CSA) to alert organizations to the active exploitation of this vulnerability, with at least one instance confirmed to be by nation-state threat actors. As this vulnerability can be easily exploited, widespread and continued exploitation is expected.
Using this exploit, pen testers can simulate an attacker, changing Confluence’s configuration to create an administrator account. Once created, they could execute system commands by installing a malicious Servlet plugin JAR file.
CVE-2023-46604 – Apache ActiveMQ Openwire Java Library Remote Code Execution Exploit
Authors: Marcos Accossatto, Nahuel González (QA), Arthur Lallemant (QA), and Daniel De Luca (QA)
CVSS: 10 CRITICAL
Reference: CVE-2023-46604
A critical remote code execution vulnerability was discovered in Apache ActiveMQ, a Java based message broker. If exploited, an attacker could modify serialized class types in the OpenWire protocol, gaining the same privileges as the ActiveMQ server. Threat actors could intercept messages, interrupt workflows, exfiltrate sensitive data, or pivot to other parts of the IT infrastructure. This vulnerability is actively being exploited in the wild by attackers using ransomware binaries.
This exploit enables pen testers to simulate an unauthenticated remote attacker to execute arbitrary commands, ultimately achieving full system compromise.
Product Updates
Besides working on exploits, the Core Impact team provides continuous updates on the product to increase the functionality, provide new techniques, and improve performance and usability.
Some of the most recent updates include:
- WiFi Pineapple Mark VII compatibility update: Core Impact wireless tests can now be launched using the most modern Pineapple device. This feature allows the launch of a fake WiFi AP to capture information travelling over the air and to validate the reliability of the users connecting to the network through WiFi.
- Rotating proxies and user agents for web application testing: Because websites commonly guard their data and access with IP rate limits and user-agent checks, it is now possible to rotate both while crawling to avoid this kind of detection.