Skip to content
PwnDefend
  • Base
  • Comms Room
    • Customer Feedback
    • Company Information
    • Security Management
  • Services
    • Consulting Services
      • Enterprise Security Posture Assessment
      • Cyber Security Assurance & Security Testing Services
      • IT Security Healthchecks
      • Active Directory Assessment Services
      • Managed Remediation Services
    • Emergency Cyber Incident Response Support
    • Our Success Stories
    • Partner Services
  • Blog
  • Privacy

CVE-2022-26809 – Critical Windows RPC Vulnerability

Vulnerability Information

RatingCritical
CVEcve-2022-26809
MITRECVE – CVE-2022-26809 (mitre.org)
CVSSCVSS:3.1 9.8
ImpactRemote Code Execution (RCE)
Exploit in the wildCurrently not observed
Difficulty to Exploit (if PoC available)Very Low
Network PositionTCP/IP Routable or Network Adjacent
Authentication Required to ExploitNo
AffectedWindows Client/Server OS
Typical Service PortsTCP 135,139,445
Vendor Patch AvailableYes
Exploitable in Default OOB (out of the box) configurationUnknown
Exploitable Client/ServerBelieved to be client and server side exploitable
Read more “CVE-2022-26809 – Critical Windows RPC Vulnerability” →
Log4Shell

Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

TLDR

Go and run this on the connection servers:

https://github.com/mr-r3b00t/CVE-2021-44228

It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)

Read more “Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)” →

CVE-2021-22005 – vCenter RCE

Introduction

Protecting admin interfaces is a really good idea, network segmentation however is one thing that many organisations struggle with. Most networks are what we call flat. They may be carved up into VLANs but generally speaking, in a lot of networks if you are “inside” then you have full access across the TCP/IP space.

Now here we are talking about the internal attack surface, so a threat actor would need network routable access which should not be the case for things like vcenter interfaces from the internet, however it appears that’s not really exactly how the world works.

Let’s look in Shodan! Read more “CVE-2021-22005 – vCenter RCE” →

Exchange Emergency Mitigation Service with new CU Update

This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)

History

Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.

Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!

Read more “Exchange Emergency Mitigation Service with new CU Update” →

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

  • Asset Management
  • Risk Management
  • Patch Management
  • Change & Release Management
  • Security Testing
  • Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

  • Scope
    • Asset/Hosts
      • IP Ranges
      • Hostnames
    • Connectivity
      • VPNs
      • LAN/WAN
    • Device Types and Configuration
      • Domain
      • Workgroup
      • Appliance
      • ICS
      • Printers
      • Network Equipment
    • Unauthenticated View
    • Authenticated View
      • Auth Types
      • Protocols
    • Scheduling
    • Authority to execute
  • Impact
    • Performance
    • Availability
    • Confidentiality
  • Objectives and Outcomes
  • Reporting
    • Information Flow
    • Report Storage and Confidentiality

Read more “Vulnerability Management – Actually doing it!” →

A picture containing text, electronics, monitor, indoor Description automatically generated

Razer Privilege Escalation Vulnerability

“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”

Firstly, Kudos to @j0nh4t for finding this!

I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).

A black shoe on a wood surface

Description automatically generated with medium confidence

A picture containing text, electronics, monitor, indoor

Description automatically generated Read more “Razer Privilege Escalation Vulnerability” →

Why are ransomware attacks so devastating? – Part 1

Introduction

“Ransomware is a major issue!”

Hang on maybe we need to re-phrase that:

“Weak security postures are a major issue!”

or perhaps.. why not both!

I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.

Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.

Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1” →

Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)” →

PetitPotam

From Zero to DA using ‘PetitPotam’

Introduction

Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!

Lab Setup

  • A Domain Controller
  • A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
  • A windows Client Device (non-domain joined)
  • An attacker device (I used Kali)

You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’” →

Ransomware Realities

Everything is much worse now, or is it? 

”The world is burning, the world is burning but then if you look around, it always has been…” 

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations. 

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.

Read more “Ransomware Realities” →

Posts navigation

1 2

Recent Posts

  • How to use Putty as a SOCKS Proxy
  • Infrastructure Penetration Testing Realities
  • UK NCSC Active Cyber Defence (ACD)
  • Offensive KEV Alpha 0.1
  • Security Awareness Training Example

Recent Comments

No comments to show.

Archives

  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • March 2020
  • February 2020
  • January 2020
  • October 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018

Categories

  • Architecture
  • Breach
  • Company News
  • CTF
  • Defence
  • Defense
  • Education
  • Guides
  • Hacking
  • Leadership
  • OSINT
  • Reviews
  • Strategy
  • Threat Intel
  • Uncategorized
  • Vulnerabilities
Copyright (c) Xservus Limited