Pre-authenticated RCE in VMware vRealize Network Insight — CVE-2023-20887
👤 by SinSinology
The researcher has recently identified and reported multiple vulnerabilities in VMware vRealize Network Insight, working with the Zero Day Initiative. Several of these vulnerabilities have been assigned a CVE:
• CVE-2023-20887
• CVE-2023-20888
• CVE-2023-20889
This post will examine the exploitation process of CVE-2023-20887 in VMware Aria Operations for Networks (formerly known as vRealize Network Insight). This vulnerability comprises a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers.
📝 Contents:
● Introduction
● Vulnerability Analysis
● The Bypass
● Proof of Concept
● PoC[.]py
● References
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
FortiNAC - Just a few more RCEs
👤 by frycos
The researcher has identified multiple vulnerabilities in FortiNAC, including RCE with root privileges. He nicely explains the whole approach to researching software for security bugs.
In the blog post you'll find such things as:
• Java source code analysis;
• XXE and argument injection identification and exploitation;
• Some restriction bypasses;
• Vendor communication history.
📝 Contents:
● Recon
● Auditing Service Port 1050
● Auditing Service Port 5555
● XML External Entity
● Argument Injection
● Allow List Bypass - Argument Injection to Command Injection
● Sudo Restriction Bypass
● Conclusions
● Internet Exposure Check
● Indicators of Compromise (IoCs)
https://frycos.github.io/vulns4free/2023/06/18/fortinac.html
AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice
👤 by Marc Olivier Bergeron
While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.
The researcher found a way to execute a batch query in MSSQL without a semicolon: the SQL query SELECT 'test' SELECT 'test' returns the test string twice.
📝 Contents:
● In a nutshell
● The discovery
● A Review of What Is Publicly Known
● Bug or Feature?
● Abusing the bug to bypass AWS Web Application Firewall (WAF)
● Design Choice with Security Implications
● Timeline
● Conclusion
https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/
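A detection heuristic for the semicolon-less batch behaviour described above, added here as an example and not code from the GoSecure post: it tokenizes a query fragment and reports a statement-starting keyword that directly follows a completed value or expression at parenthesis depth 0, which is exactly the form a WAF rule keyed on ';' misses. The keyword sets and the simplified tokenizer are assumptions.

```python
"""Heuristic detector for MSSQL batches chained without a semicolon."""
import re

# T-SQL keywords that begin a new statement (constructed list, not exhaustive).
STATEMENT_STARTERS = {
    "select", "insert", "update", "delete", "exec", "execute",
    "declare", "drop", "create", "alter", "waitfor",
}

# Words after which a statement keyword continues the same statement
# (UNION SELECT, CREATE VIEW ... AS SELECT, BEGIN SELECT ...). Constructed list.
CONNECTORS = {"union", "all", "as", "into", "exists", "then", "else", "begin"}

TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'          # string literal, '' is the escaped quote
  | --[^\n]*                # line comment
  | /\*.*?\*/               # block comment
  | [A-Za-z_][A-Za-z0-9_]*  # identifier or keyword
  | \d+(?:\.\d+)?           # number
  | \S                      # any other single character
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, text, offset) triples; comments are dropped, so
    SELECT 1/**/SELECT 2 is seen the same way as SELECT 1 SELECT 2."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        text = m.group(0)
        if text.startswith("--") or text.startswith("/*"):
            continue
        if text.startswith("'"):
            kind = "string"
        elif text[0].isdigit():
            kind = "number"
        elif text[0].isalpha() or text[0] == "_":
            kind = "word"
        else:
            kind = "punct"
        tokens.append((kind, text, m.start()))
    return tokens


def find_implicit_batches(sql):
    """Return (offset, keyword, previous token) for each statement starter
    at parenthesis depth 0 that directly follows a completed value or
    expression with no ';' in between: the batch form MSSQL accepts."""
    findings = []
    depth = 0
    prev_kind, prev = "punct", ";"   # pretend a terminator precedes the text
    current = None                   # starter keyword of the current statement
    for kind, text, off in tokenize(sql):
        low = text.lower()
        if kind == "punct":
            if text == "(":
                depth += 1
            elif text == ")":
                depth = max(0, depth - 1)
        elif kind == "word" and depth == 0:
            if low == "values" and current == "insert":
                current = "values"   # INSERT ... VALUES (...) is complete
            elif low in STATEMENT_STARTERS:
                # A starter right after a literal, identifier or ')' means the
                # previous statement ended without a separator.
                ended = (prev_kind in ("string", "number")
                         or prev == ")"
                         or (prev_kind == "word" and prev.lower() not in CONNECTORS))
                # INSERT INTO t SELECT ... is a single statement, not a batch.
                insert_select = current == "insert" and low == "select"
                if ended and not insert_select:
                    findings.append((off, low, prev))
                current = low
        prev_kind, prev = kind, text
    return findings


def flags_implicit_batch(sql):
    """True when the fragment contains at least one semicolon-less batch."""
    return bool(find_implicit_batches(sql))


if __name__ == "__main__":
    # Constructed sample inputs, as a WAF rule or log inspector would see them.
    for sample in ("SELECT 'test' SELECT 'test'",
                   "SELECT 1 UNION SELECT 2",
                   "1 WAITFOR DELAY '0:0:5'"):
        print(repr(sample), "->", find_implicit_batches(sample))
```

The heuristic is deliberately narrow: a UNION or INSERT ... SELECT is not reported, while a second statement glued to a literal, an identifier or a closing parenthesis is.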
Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)
👤 by Dylan Pindur
ShareFile is a cloud-based file sharing and collaboration application. The software providing this feature is a .NET web application running under IIS called "Storage Zones Controller" (also sometimes called Storage Center), and this is what the Assetnote team decided to target.
Through their research they were able to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug. Citrix has released a security update and assigned this issue CVE-2023-24489.
📝 Contents:
● Introduction
● Where to Start?
● Authenticated, but Not Really
● A Simple Path Traversal
● Encryption != Authentication
● Block Ciphers and Padding
● Cipher Block Chaining
● Enough Cryptography, Show Me the Exploit
● What Have We Learned?
● Conclusions
https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
Adobe ColdFusion Pre-Auth RCE(s)
👤 by Rahul Maini, Harsh Jaiswal
Adobe ColdFusion, widely recognized for its robust web development capabilities, recently received a critical security update. The update specifically targeted three security issues, among them CVE-2023-29300, a highly concerning pre-authentication Remote Code Execution (RCE) vulnerability. This vulnerability poses a significant threat, allowing malicious actors to execute arbitrary code on vulnerable ColdFusion 2018, 2021 and 2023 installations without the need for prior authentication.
In this blog post, the author aims to provide a comprehensive analysis of CVE-2023-29300, shedding light on the nature of the vulnerabilities and their potential impact, and sharing the journey of code review undertaken by his team.
📝 Contents:
● Introduction
● What's in the patch?
● Parsing of WDDX Packet
● Finding the Sink
● Finding the Source
● Escalating JNDI Injection To RCE
● Updates
● Conclusion
https://blog.projectdiscovery.io/adobe-coldfusion-rce/
Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP[.]NET Framework (CVE-2023-36899)
👤 by Soroush Dalili
In modern web development, while cookies are the go-to method for transmitting session IDs, the .NET Framework also provides an alternative: encoding the session ID directly in the URL. This method is useful to clients that do not support cookies.
The researcher identified a strange anomaly when the cookieless pattern was repeated twice. This resulted in two vulnerabilities being reported to Microsoft, as their impact and exploitation differed:
• IIS restricted path bypass leading to potential authentication and path-filtration bypass
• Application Pool confusion leading to potential privilege escalations
📝 Contents:
● Introduction
● Finding the vulnerability
● IIS Restricted Path Bypass
● The root cause
● Application Pool Confusion
https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/
🎩 Black Hat 2023 is over and you can find links to the research we found interesting below:
● Three New Attacks Against JSON Web Tokens
● Smashing the State Machine: The True Potential of Web Race Conditions
● Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare
● A Pain in the NAS: Exploiting Cloud Connectivity to PWN Your NAS
● Chained to Hit: Discovering New Vectors to Gain Remote and Root Access in SAP Enterprise Software
● Defender-Pretender: When Windows Defender Updates Become a Security Risk
● Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater
● Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities
● Diving into Windows Remote Access Service for Pre-Auth Bugs
● Bad io_uring: A New Era of Rooting for Android
● ODDFuzz: Hunting Java Deserialization Gadget Chains via Structure-Aware Directed Greybox Fuzzing
All sessions from Black Hat 2023: https://www.blackhat.com/us-23/briefings/schedule/index.html
CVE-2023-36844 And Friends: RCE In Juniper Devices
👤 by Sonny
A recent out-of-cycle Juniper security bulletin caught the team's attention, describing two bugs which, although only 5.3 on the CVSS scale individually, supposedly could be combined for RCE. The bulletin actually contains four CVEs, as the two bugs apply to two separate platforms (the -EX switches and the -SRX firewall devices). They focus only on the -SRX bugs, as they expect the -EX bugs to be identical. These are two individual flaws.
This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a 'world ending' unauthenticated RCE.
📝 Contents:
● First Impressions
● Of $internal_functions
● Interesting Internal Functions
● A Polluted Environment
● Preloading Libraries
● We don't need no steenkin' binaries
● Other bits and bobs
● Aftermath
● Proof of Concept
● Closing words
https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
When URL parsers disagree (CVE-2023-38633)
👤 by Zac Sims
Canva uses librsvg to quickly render user-provided SVGs into thumbnails, later displayed as PNGs. By exploiting differences between URL parsers when rendering an SVG with librsvg, they showed it is possible to include arbitrary files from disk in the resulting image. The librsvg maintainers quickly patched the issue, which was assigned CVE-2023-38633.
📝 Contents:
● Prequel
● XInclude
● There are rules
● Parser Mismatch
● Bypassing Validation
● Bypassing Canonicalization
● Proof of concept
● Patch
● Timeline
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
If the link above doesn't work, use a web archive version.
CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution
👤 by pyn3rd
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.
The researcher describes in detail the causes of the vulnerability and the method of its exploitation. This is a perfect example of how a vulnerability can be reproduced based only on the information in the advisory.
📝 Contents:
● Preface
● Concepts of Kafka
● Preparation
https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserialization-Remote-Code-Execution/
🔥 We have reproduced the fresh CVE-2023-42793 in JetBrains TeamCity.
Authentication bypass allows an external attacker to gain administrative access to the server and execute any commands on it.
Update your software ASAP!
[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023–29357 & CVE-2023–24955)
👤 by Janggggg
The researcher achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only about 30 seconds, discovering and crafting the full exploit chain took nearly a year of meticulous effort and research.
This exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server:
• Authentication Bypass
• Code Injection
📝 Contents:
● Brief
● Affected products/Tested version
● Vulnerability #1: SharePoint Application Authentication Bypass
● Vulnerability #2: Code Injection in DynamicProxyGenerator.GenerateProxyAssembly()
● Demo
https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
💥 We have reproduced both CVE-2023–29357 and CVE-2023–24955 in Microsoft SharePoint.
The chain allows unauthenticated users to execute arbitrary commands on the server.
Update your software ASAP!
⚠️ We have reproduced CVE-2023-22515 in Atlassian Confluence.
Broken access control allows unauthenticated users to gain administrative access to the web application!
Update your software ASAP!
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
👤 by Dylan Pindur
It's time for another round of Citrix patch diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affect Citrix NetScaler ADC and NetScaler Gateway.
Researchers were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued their interest. Their goal was to understand the vulnerability and develop a check for their Attack Surface Management platform.
📝 Contents:
● Introduction
● Patch Diffing
● Finding the Vulnerable Function
● Exploiting the Endpoint
● Verifying the Session Token
● Final Thoughts
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747
👤 by Michael Weber and Thomas Hendrickson
As a result of their research, the researchers identified an authentication bypass that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747 and is closely related to CVE-2022-26377. Like the Qlik RCE they recently reported, the F5 vulnerability was also a request smuggling issue. In this blog post the authors discuss their methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps they took to turn the request smuggling into a critical-risk issue. They conclude with remediation steps and their thoughts on the overall process.
📝 Contents:
● Overview
● Mapping out the F5 BIG-IP Attack Surface
● F5 Traffic Management User Interface (TMUI) Overview
● Verifying AJP Smuggling
● AJP Smuggling and Server Interpretation
● But What To Do With the Smuggling?
● Remediation
● Conclusion
● Disclosure Timeline
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
From Akamai to F5 to NTLM... with love
👤 by d3d
In this post, the researcher shows how he was able to abuse Akamai in order to abuse F5 and steal internal data, including authorization and session tokens, from their customers.
📝 Contents:
● Prerequisites
● Discovery
● On the Akamai hunt
● On the F5 hunt
● God Mode Pwnage
● NTLM or GTFO
● Closing
https://blog.malicious.group/from-akamai-to-f5-to-ntlm/
Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix
👤 by Charles Fol
wrapwrap marks another improvement to the PHP filter exploitation saga. Adding arbitrary prefixes to resources using php://filter is nice, but you can now add an arbitrary suffix as well, allowing you to wrap PHP resources into any structure. This beats code like:
$data = file_get_contents($_POST['url']);
$data = json_decode($data);
echo $data->message;
or:
$config = parse_ini_file($_POST['config']);
echo $config["config_value"];
📝 Contents:
● Abstract
● Introduction
● Building wrapwrap
• Adding a prefix
• Fuzzing to no effect
• Not so random trimming
• The main idea
• Where is the end?
• Real suffix control: removing digits
● Using wrapwrap
● Conclusion
https://www.ambionics.io/blog/wrapwrap-php-filters-suffix
🌵 Cacti fixed 2 high severity vulnerabilities found by our researcher Aleksey Solovev.
💥 CVE-2023-49084 – RCE via managing links;
💥 CVE-2023-49085 – SQLi via managing poller devices.
Read the technical advisories here ↓
https://github.com/Cacti/cacti/security
New article by our researcher @snovvcrash: "Python ❤️ SSPI: Teaching #Impacket to Respect Windows SSO".
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
🖥 Yealink fixed a post-auth OS command injection in Yealink Meeting Server found by our researcher.
Read the advisory: https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf