New article by our researcher Egor Dimitrenko about unauthenticated vulnerabilities in VMware products: "Catching bugs in VMware: Carbon Black Cloud Workload and vRealize Operations Manager". This is the second article in our series of VMware research.
Read the article: https://swarm.ptsecurity.com/catching-bugs-in-vmware-carbon-black-cloud-workload-appliance-and-vrealize-operations-manager/
The Dirty Pipe Vulnerability
👤 by Max Kellermann
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit.
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Contents:
• Abstract
• Corruption pt. I
• Access Logging
• Corruption pt. II
• Corruption pt. III
• Man staring at code
• Man staring at kernel code
• Pipes and Buffers and Pages
• Uninitialized
• Corruption pt. IV
• Exploiting
• Timeline
https://dirtypipe.cm4all.com
Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis)
👤 by Jang and Peter
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability may give the attacker access to the OAM server, letting them create any user with any privileges, or simply obtain code execution on the victim’s server.
https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316
Veeam fixed an Unauth RCE (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication and Local Privilege Escalation (CVE-2022-26503) in Veeam Agent for Microsoft Windows found by our researcher Nikita Petrov.
Advisory: https://www.veeam.com/kb4288
Rapid7 fixed an SQL injection (CVE-2022-0757) and an XSS (CVE-2022-0758) in the Nexpose vulnerability scanner found by our researcher Aleksey Solovev.
Advisory: https://docs.rapid7.com/release-notes/nexpose/20220302/
Ruby Deserialization - Gadget on Rails
👤 by Harsh Jaiswal
In this write-up the research team goes over the current state of previous Ruby deserialization gadget chains and the process of finding new RCE gadgets. The researchers reviewed the fixes for the previous gadget chains and found a new way to achieve remote code execution on the latest Rails framework.
Contents:
• Motivation
• Pre-Requisite
• Current State of Previous Gadgets
• File Write and File Execution Gadget
•• BackStory
•• Initial File Write
• Moving away from DeprecatedInstanceVariableProxy class
•• How we initiated the search?
•• Latest Rails Remote Code Execution Gadget
• Conclusion
https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
🔥 We have reproduced the fresh CVE-2022-22954 Server-Side Template Injection in VMware Workspace ONE Access.
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP!
HPE fixed two vulnerabilities in OneView found by our researcher Nikita Abramov.
1️⃣ CVE-2022-23699 - Authentication Restriction Bypass
2️⃣ CVE-2022-23700 - Unauthorized Read Access to Files
Find out more ➡️ https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04252en_us
New version of reFlutter is available to download!
Now reFlutter not only allows you to monitor traffic, but also shows absolute offsets of the functions in the target Android or iOS application. Root is not required.
https://github.com/Impact-I/reFlutter
Cisco fixed an Authenticated Heap Overflow Vulnerability (CVE-2022-20737) in Cisco ASA found by our researcher Nikita Abramov.
The vulnerability allows an attacker to cause a DoS or to obtain portions of process memory from the device.
The advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-heap-zLX3FdX
⚠️ Synacor fixed an Authenticated RCE (CVE-2022-27925) in Zimbra Collaboration Suite found by our researcher Mikhail Klyuchnikov.
So far, no advisory, but the patch is available: https://wiki.zimbra.com/wiki/Security_Center
New research by Alexander Popov: "A Kernel Hacker Meets Fuchsia OS"
Fuchsia OS is based on the Zircon microkernel and developed by Google. Alexander assessed it from the attacker's point of view.
Read the article: https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/
From open redirect to RCE in one week
👤 by Anton ???
In this write-up the author tells the story of chaining multiple vulnerabilities to achieve RCE on several hosts of Mail.ru (VK). The exploit chain consists of the following bugs: an open redirect, unsafe deserialization, a Kohana hack, and LFI via log files.
Contents:
* Intro
* Functionality that caught my attention
* Possible scenarios
* Open redirect
* Deserialization
* Kohana
* Chaining all together
* Logs
* Null bytes
* Last poison
https://medium.com/@byq/from-open-redirect-to-rce-in-one-week-66a7f73fd082
Active Exploitation of Confluence CVE-2022-26134
👤 by Rapid7
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.
CVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the confluence user on Linux installations). Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk.
Contents:
• Technical analysis
•• The vulnerability
•• Root cause
•• The patch
•• Payloads
• Mitigation guidance
https://www.rapid7.com/ja/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/