Traditionally, Microsoft in the spotlight after monthly update
- Vulnerabilities: Microsoft patched zero-day which detected in the wild!
- Tools: Cool zeek tool and others
- News: Alexa hacked and Canon update (again)
- Research: You know what to do
Feedback -> here
Microsoft released a monthly security update (every other Tuesday) that fixed 120 vulnerabilities, 17 of which received the highest criticality rating and two were zero-day vulnerabilities.
Main part with zero-day:
- The first 0-day vulnerability CVE-2020-1464 concerns the mechanism of checking Windows files signing and allows an intruder to download an incorrectly signed file during exploitation;
- The second 0-day, CVE-2020-1380, is in the mechanism for processing Internet Explorer scripts. Since this mechanism is also used by other Microsoft software, such as Office, these products are also subject to error. The vulnerability allows the hacker to remotely execute arbitrary code and was found in the wild.
The last vulnerability was discovered by Kaspersky’s lab. The day after the monthly update was released, the technical details were published. An exploit for this vulnerability was discovered in May this year during an attack called Operation PowerFall. At that time, a company from South Korea was hit.
RCE at Artica Web Proxy. Solution allowing to manage proxy-server via Web Ajax console with Squid. Vulnerability allows an attacker to bypass privilege discovery and obtain web server administrator rights using SQL injection.
RCE is back (patch your vBulletin again!)
In September 2019, an anonymous researcher discovered a dangerous zero-day vulnerability in the forum engine vBulletin. The bug allowed any PHP command to be executed on a remote server. Amir Etemadieh said on his blog that the patch for CVE-2019-16759 was ineffective, could be bypassed and the bug could still be exploited by attackers.
A fix for this bug was released just a day after the problem was disclosed, but not everyone has yet managed to install the update in time.
curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[template]=widget_php&subWidgets[config][code]=echo%20shell_exec("id"); exit;'
Combo of Cisco 7937G vulnerabilities:
- CVE-2020-16139 denial-of-service (with reset);
- CVE-2020-16138 denial-of-service;
- CVE-2020-16137 Change SSH credentials.
Good luck in your internal pentests!
This analyzer parses GQUIC traffic in Bro/Zeek for logging and detection purposes. It examines the initial exchange between a client and server communicating over GQUIC, and extracts the information contained in the connection’s client hello packet and server rejection packet. Currently, this protocol analyzer supports GQUIC versions Q039 to Q046.
It is a tool for analyzing amazon resources.
A proof of concept crypto virus to spread user awareness about attacks and implications of ransomwares. Phirautee is written purely using PowerShell and does not require any third-party libraries.
Code developed to steal certain browser config files (history, preferences, etc)
Check Point reported that it was able to hack Amazon Alexa’s virtual assistant. It was reported that 200 million Alexa-powered devices were sold, a significant part of which are smart home components. Amazon says Alexa is powered by artificial intelligence. Users can enhance its capabilities using skills – additional features developed by third parties. Through this mechanism, the researchers hacked Alexa.
To carry out the attack, it is enough for the user to follow the malicious link sent to him by the attackers. Researchers with the hacked Alexa were able to obtain data: history of voice commands, personal information of the victim, technical data of the compromised device, etc.
This attack allows you to intercept VoLTE voice calls on 4G and 5G networks. VoLTE (Voice over LTE) – transmission of voice over LTE as a data stream. The attack is based on the fact that most mobile operators do not configure their base stations well, as a result of which VoLTE uses the same keys in two consecutive close calls.
To check the vulnerability of the ReVoLTE attack, the researchers released the Mobile Sentinel application for Android, which determines whether a specific base station is vulnerable or not. The app requires a Rooted Qualcomm-based smartphone.
Canon was able to restore the functionality of their systems in a short time, which indicates the presence of a backup, but they did not pay the ransom and Maze began to publish the data stolen from the company.
So far, the attackers claim that they have posted only 5% of the stolen information on their website. The published file is a 2.2 GB STRATEGICPLANNINGpart62.zip archive. No critical data available.
New redteaming story, hope you guys enjoy it!
Did you play in Open SOC? Informative write-up: https://pberba.github.io/security/2020/08/11/defcon-28-blueteam-opensoc-ctf
Windows Debugger API — The End of Versioned Structures:
List of bug bounty writeups (2012 – 2020): https://pentester.land/list-of-bug-bounty-writeups.html
Feedback -> here