CVE-2024-38821
- 1 Post
CVE Info
Fediverse
CVE-2024-38821: Authorization Bypass of Static Resources in WebFlux Applications
Technical Details and Analysis:
https://patchnow24x7.com/blog-1/f/cve-2024-38821-authorization-bypass-flaw-in-spring-webflux-app
#PatchNOW
#Spring
#Vulnerability
#hacked
#Cyberattack
#infosec
#informationsecurity
#CyberSecurityAwareness
#DataBreach
#cybersecurity
CVE-2024-30103
- 1 Post
- 11 Interactions
CVE Info
Fediverse
-7-
Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021 - Michael Gorelik, Arnold Osipov
Sometimes, a vendor releases a patch fixing a vulnerability you are working on. Disappointing, isn't it?
In this talk, Michael and Arnold show how they turned two patches for Outlook issues back into vulnerabilities!
First, the focus is Outlook custom forms — a feature allowing creation of tailored messages in emails.
Under the hood, forms are COM objects; defining a new form type means creating a config file for it, with a value copied to the registry specifying the COM server handler for it.
So, what if we make the key point at some DLL that we control? That's immediately RCE! To block this, Outlook uses a denylist that filters out registry keys allowing RCE like inprocserver32, localserver, etc.
A vulnerability from earlier this year found that the denylist matching fails if you specify an absolute path rather than a relative path (so a \CLSID\...\inprocserver32= is a-okay!). This allows hijacking any COM object in the registry. Luckily, this vulnerability has been patched. But, remember the premise of the talk?
The patch disallowed starting the path with a backslash. So what did Michael and Arnold do? Add a backslash at the end! This works because RegCreateKeyExA deletes the last backslash in the path. However, this happens after the denylist check, which passes and so we have a vulnerability!
Second, the talk looks at Outlook Moniker objects—those are "smart links" in Outlook, allowing you to send emails embedding special links like calendar invites, Excel files, etc.
Being simple pointers, it is possible for malicious actors to send emails with references to remote files, potentially leaking NTLM credentials if the user clicks them. Fortunately, Outlook blocks these links.
Unfortunately, earlier this year it was found that if you add an exclamation mark (!) at the end of the link, Outlook blocking won't work.
The reason is a bit complicated, but in short—the link is being treated as a special kind of Moniker, triggering a different flow composed of a few functions, which are vulnerable to remote file access.
This vulnerability was patched by installing a hook on a certain vulnerable function at the end of the flow. The hook checks if a certain flag is set, and if so, blocks the call. The flag is set at the beginning of a function earlier in the flow. So only when the two functions are chained, the call is blocked.
Notice the issue? If another Moniker-related flow eventually reaches the vulnerable function without passing through the first one, the flag isn't set and the patch won't work!
Indeed, the researchers discovered such a flow—a link within an image tag instead of a hyperlink.
While a bit convoluted for someone who hasn't touched COM objects for at least a decade, this is still an eye-opening talk on the possibility of finding vulnerabilities in patches.
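As an added example (not code from the talk, from Outlook, or from the post above), here is a small Python model of the ordering bug in the custom-forms half of the summary: the denylist inspects the raw registry path, and only afterwards does the registry API drop a trailing backslash, so the string that was checked is not the string that gets used. The function names, the simulated registry, the CLSID string, and every denylist entry other than the two key names the post mentions (inprocserver32, localserver) are assumptions; RegCreateKeyExA's trailing-backslash behaviour is modelled exactly as the post states it.

```python
# Added example, not from the talk or from Outlook: a model of the
# "check the raw string, then let the registry API normalise it" ordering
# bug described in the post. Function names, the simulated registry, the
# CLSID and every denylist entry except inprocserver32/localserver are
# assumptions made for this illustration.
from typing import Dict, List

# Key names under a CLSID that choose which binary implements the COM object.
# The post names inprocserver32 and localserver; the others are assumed.
DENYLIST = {"inprocserver32", "localserver", "localserver32", "treatas"}

Registry = Dict[str, str]


def reg_create_key(registry: Registry, path: str, value: str) -> str:
    """Stand-in for RegCreateKeyExA. As the post describes, a single trailing
    backslash is dropped before the key is created, so the key that actually
    lands in the registry can differ from the string that was checked."""
    if path.endswith("\\"):
        path = path[:-1]
    registry[path.lower()] = value
    return path


def vulnerable_check(path: str) -> bool:
    """Modelled once-patched check: reject paths that start with a backslash
    (the fix for the absolute-path bypass), then compare only the final path
    component against the denylist. Returns True if the path is allowed."""
    if path.startswith("\\"):
        return False
    last = path.rsplit("\\", 1)[-1]   # '' when the path ends with a backslash
    return last.lower() not in DENYLIST


def canonicalize(path: str) -> str:
    """Produce the form the registry layer will act on: no leading, trailing
    or doubled separators. This runs BEFORE any security decision."""
    parts: List[str] = [p for p in path.split("\\") if p]
    return "\\".join(parts)


def hardened_check(path: str) -> bool:
    """Canonicalize first, then deny if ANY component is a denylisted key."""
    canon = canonicalize(path)
    return all(p.lower() not in DENYLIST for p in canon.split("\\"))


def install_form_vulnerable(registry: Registry, path: str, value: str) -> bool:
    """Simulated pre-fix flow: check the raw string, then hand the raw string
    to the registry API, which normalises it after the check has passed."""
    if not vulnerable_check(path):
        return False
    reg_create_key(registry, path, value)
    return True


def install_form_hardened(registry: Registry, path: str, value: str) -> bool:
    """Hardened flow: the string that is checked is the string that is used."""
    canon = canonicalize(path)
    if not hardened_check(canon):
        return False
    reg_create_key(registry, canon, value)
    return True


def demo() -> Dict[str, object]:
    """Run the trailing-backslash payload through both flows."""
    # Constructed payload: a placeholder CLSID plus the trailing backslash trick.
    payload = "CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\"
    evil = "C:\\attacker\\evil.dll"   # constructed attacker-controlled DLL path

    reg_v: Registry = {}
    bypassed = install_form_vulnerable(reg_v, payload, evil)
    reg_h: Registry = {}
    blocked = not install_form_hardened(reg_h, payload, evil)
    return {"bypassed": bypassed, "vuln_registry": reg_v,
            "blocked": blocked, "hardened_registry": reg_h}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable flow the trailing backslash makes the last component empty, the check passes, and the registry layer silently writes InprocServer32 pointing at the attacker's DLL; in the hardened flow the path is canonicalized once, every component is checked, and the same canonical string is what gets written. The moniker patch in the second half of the summary fails for the same class of reason: the block is bound to one caller path (a flag set in an earlier function) rather than to the dangerous operation itself.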
CVE-2024-38021
- 1 Post
- 11 Interactions
CVE Info
Fediverse
CVE-2023-29389
- 1 Post
- 1 Interaction
CVE Info
Fediverse
@reverseics throwback to CVE-2023-29389 which was exploited in the wild to steal a Toyota RAV4:
Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection, as exploited in the wild in (for example) July 2022.
Dr. Ken Tindell: CAN Injection: keyless car theft
CVE-2024-38812
- 1 Post
CVE Info
Fediverse
VMware failed to fully address vCenter Server RCE flaw CVE-2024-38812 https://securityaffairs.com/170096/security/vmware-failed-to-fix-rce-vcenter-server-cve-2024-38812.html
CVE-2024-38202
- 1 Post
- 8 Interactions
CVE Info
Fediverse
Safebreach: An Update on Windows Downdate
You might remember "Windows Downdate" (a wordplay on "update", originally published 07 August 2024) in which Windows systems could be "rolled back" to vulnerable versions. This resulted in the publicly disclosed zero-days CVE-2024-21302, CVE-2024-38202, and the advisory Windows Elevation of Privilege Vulnerability Chain Mitigation Guidance. "the Windows Update takeover which was reported to Microsoft as well, has remained unpatched, as it did not cross a defined security boundary." The vulnerability reporter has now published vulnerability details for this, by downgrading the patch for the "ItsNotASecurityBoundary" Driver Signature Enforcement (DSE) bypass.
#infosec #cybersecurity #CVE_2024_21302 #CVE_2024_38202 #WindowsDowndate #zeroday #vulnerability #CVE #ItsNotASecurityBoundary
CVE-2024-21302
- 1 Post
- 8 Interactions
CVE Info
Fediverse
CVE-2024-6670
KEV
- 1 Post
- 1 Interaction
CVE Info
Fediverse
Info.: Progress has added another CRITICAL Authentication Bypass vulnerability in WhatsUp Gold, CVE-2024-7763, to its August 16 security notification, which included CVE-2024-6670.
Blog: https://patchnow24x7.com/blog-1/f/info-progress-has-added-cve-2024-7763-to-its-aug16-notification
CVE-2024-7763
- 1 Post
- 1 Interaction
CVE Info
Fediverse