This module chains two vulnerabilities to deploy an agent on the target system that will run with NT AUTHORITY\SYSTEM user privileges. The first vulnerability is an authentication bypass in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. The second vulnerability is an authenticated path traversal file upload in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class. This module will use the first vulnerability to authenticate against the target application with a POST HTTP request to the /management/wizardLogin endpoint, providing a random username and no password parameter. Then, it will use the second vulnerability to upload a JSP file to the Program Files/Arcserve/Unified Data Protection/Management/TOMCAT/webapps/management directory. Finally, it will deploy an agent with a GET HTTP request to the uploaded JSP file under the /management endpoint.
The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
1. Discover an exploit primitive.
2. Perform heap feng shui to come up with a memory layout.
3. Allocate enough "GOLD" objects using the GetUIDllName function.
4. Free some of them to create holes using the FreeDiagInstance function.
5. Allocate a worker "GOLD" object to trigger the use-after-free vulnerability.
6. Delete the "RequestMakeCall" key value and create a REG_BINARY type key with controlled content. Then, I allocate some key value heaps to ensure they occupy the hole left by the worker object.
XFG mitigation
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an out-of-bounds write, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
1. Spray the memory with data queue entries.
2. Trigger the OOB write to overwrite the victim entry.
3. Leak adjacent pool memory and bypass KASLR.
4. Forge a data queue entry to get an arbitrary memory read.
5. Leak the address of the current process token.
6. Leak the address of the SYSTEM process token.
7. Create a new data queue entry and leak its IRP.
8. Forge an IRP and the data queue entry.
9. Read 1 byte to trigger the arbitrary write and get SYSTEM privileges.
This module chains four vulnerabilities to deploy an agent on a Linux target system that will run with the cups-browsed daemon user privileges. The first vulnerability is in cups-browsed, which binds to UDP INADDR_ANY:631 and trusts any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL. The second vulnerability is in libcupsfilters, where the function cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system. The third vulnerability is in libppd, where the function ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD. The last vulnerability is in cups-filters, where foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. This module will start a fake IPP server that will be used to deliver the payload exploiting the last three vulnerabilities. This will create a fake printer on the system. Then, it will send a packet to the target to exploit the first vulnerability. Finally, the attack chain will be triggered by sending an HTTP request to the CUPS Management Interface to print a test page on the fake printer, which in turn will execute the commands that deploy the agent. The URL for the CUPS Management Interface can be set with the CUPS_MANAGEMENT_URL parameter. If no value is specified, HTTP on TCP port 631 will be used. If the final step fails (e.g. because the CUPS Management Interface only listens on the local interface), the module will keep running for a period of time, waiting for the target system to create a print job on the fake printer that will deliver the attack to deploy the agent. The wait time (in seconds) can be changed with the ATTACK_TIMEOUT parameter. The default (and minimum) value is 90 seconds.
In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly applied to simple feature types as well, which makes this vulnerability apply to all GeoServer instances. To exploit this vulnerability, this module sends a malicious XPath expression that, after being processed by the commons-jxpath library, allows us to deploy an agent.
This tool bypasses Mark of the Web (MotW) and SmartScreen in order to execute blocked files, which usually have been downloaded from the internet. It involves crafting LNK files that have non-standard target paths or internal structures. When clicked, these LNK files are rewritten by explorer.exe with the canonical formatting. This modification removes the MotW label before security checks are performed, which results in the execution of the blocked file without the warnings.
This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with NT AUTHORITY\SYSTEM user privileges. First, the module registers an endpoint on the local webserver that will be used during the attack to send a serialized gadget to the target, which will execute system commands to deploy the agent. Then, it triggers the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object forces a POST HTTP request to the local webserver, which in turn delivers the serialized gadget that deploys the agent.
This exploit leverages an information disclosure vulnerability in Microsoft Outlook. By sending an email that embeds a crafted malicious path in an "img src" tag, an attacker can coerce authentication to an untrusted server and capture NTLM hashes. The link points to an SMB server. When the client opens Outlook, if the sender is on the trusted list, it connects to the SMB server without any click and exposes the user's NTLM hash. If the sender is not on the trusted list, the client must click the attached link for the vulnerability to be exploited. This exploit does not install an agent; it obtains the NTLM hash of a legitimate user. Tools such as "John the Ripper" can then be used to attempt to recover the original password associated with the hash.
This module uses a directory traversal vulnerability to deploy an agent in Progress WhatsUp Gold that will run with IIS APPPOOL\NmConsole user privileges. The module launches a local webserver that will be used during the attack to send poisoned responses and to upload a webshell to the target. Then it triggers the vulnerability via the /NmAPI/RecurringReport endpoint. Finally, it brute-forces the webshell name to find the one saved by the target, which will deploy the agent. The webshell is saved in the "C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\Data\ExportedReports" directory of the target.