exploits – PwnDefend

OMG The Cyber SKY is falling down!

Ok a bit dramatic, but that’s often what you might feel if you spend lots of time in the vulnerability space (which if you work in cyber security.. you probably do!). We often hear about the NEXT: STUXNET, HEARTBLEED, WANNACRY/ETERNAL BLUE, LOG4J etc. but actually when it comes to it… the number of times we have word endangering unauthenticated remote code execution that is a danger to global society is far less than when we have other vulnerabilities. It’s the exception not the rule.

Vulnerabilities

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

Regarding: CVE-2023-23397

This is a fast publish, use at own risk.

See guidance from Microsoft: CVE-2023-23397 – Security Update Guide – Microsoft – Microsoft Outlook Elevation of Privilege Vulnerability

If you need to mitigate the latest Outlook vulnerability which abuses an SMB/WebDav call using the Calendar invite feature you can consider the following:

Vulnerabilities

ESXIArgs Vulnerable ESXi Spreadsheet

I knocked this up quickly but I “think” it’s accurate. Use at own risk etc.

ESXi-RCE-Vulnerable-Builds Download

Let me know if you find any errors/changes required etc.

Education

Vulnerability Prioritisation

I’ve got 99 vulnerabilities but log4j ain’t one!

Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:

CRITICAL
HIGH
MEDIUM
LOW
INFORMATIONAL

The challenge comes in trying to determine how to prioritise. Which ways could we go?

Where do we start?

Vulnerabilities

Exchange Emergency Mitigation (EM) service

Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:

This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config

My custom rule:

<rules>

</conditions>

</rule>

</rules>

</rewrite>

This morning I checked the Honeypot, and I found the following:

Graphical user interface, text, application, email

Description automatically generated

This rule is hosted in:

C:\inetpub\wwwroot\web.config

<rules>

</conditions>

</rule>

</rules>

</rewrite>

As you can see this was modified at 03:21 01/10/2022

Graphical user interface, text, application

Description automatically generated

This comes from:

Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn

“Exchange Emergency Mitigation (EM) service”

Text

Description automatically generated

You can check if this is enabled by running the following PowerShell:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; 

Get-OrganizationConfig | Select-Object MitigationsEnabled

So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)

You can enable or disable it with the following:

Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $false

You can check this feature works using the following (modify path as required for relevent exchange version)

. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"

Check the MS docs and check your Exchange Server version to see if you have this feature etc.

GCM exsetup |%{$_.Fileversioninfo}

You learn something new everyday!

Defence

Offensive KEV Alpha 0.1

Working out what exploits to care about is a tough job, kill chains, availability of exploits, complexity, data flows, controls etc. all play a part in understanding a vulnerability and how it affects your organisational risk. To support this effort I’ve started to compile a list of public exploits against CISA Known Exploited Vulnerabilities (KEV). This may be useful for defensive and offensive security pros.

Hacking

Linux Privilege Escalation

When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:

Defence

Offensive KEV Updates! CISA releases 38 more CVEs to…

Life in the vulnerability and exploit space is never dull

Spotted on twitter (thanks Danny!):

already ahead of u 😉 you know that all the infosec pros have to read every one…. well ones relvent to their environment/scope…. 😛 x pic.twitter.com/AnMqiLjNvB
— MrR3b00t | #StandWithUkraine #DefendAsOne (@UK_Daniel_Card) June 9, 2022

https://www.zdnet.com/article/cisa-warning-hackers-are-exploiting-these-36-significant-cybersecurity-vulnerabilities-so-patch-now/

CISA updates the known exploited vulnerabilities list (KEV) yesterday with another 38 updates!

That means an update is required for OFFESNIVE KEV!

Threat Intel

Learn to SOC: Java Webshell via confluence

When running honeypots you never have to wait too long for something to drop!

This moring we had a new hit in the pot, so I decided to invesigate but also to blog and show how we could go about investigating the logs and paylods etc.

Education

PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV

There’s thousand of vulnerabilities, but do you ever struggle work out what ones might actually be useful to you if you are defending or attacking?

Well don’t worry I’ve started to document some things that might help you both attack and defend in CYBERSPACE!