CHANGELOG.md Added to Initial Access Repository

We added a CHANGELOG.md file to archive the release notes we publish every Friday. The archive dates back to June 10, 2024 (sorry, we didn't start writing release notes until then!).

README.md Updates

Each exploit in the initial-access/feeds directory now has a README.md containing the YAML from which the initial-access.json file is generated. This is mostly an automation convenience on our side, but it also means that the Shodan, GreyNoise, and Censys queries live in the same directory as the exploit they belong to.

CVE-2024-40348 Bazarr Secrets Leak

We developed an exploit, version scanner, pcap, network rules, and Shodan/Censys/GreyNoise queries for this vulnerability (we note that the affected product is misspelled as "Bazaar" throughout the vuln intel space). The exploit leaks the Bazarr configuration, which contains a variety of secrets. The team noted an unexpectedly large number of these instances exposed online (thousands), but no signs of exploitation on GreyNoise yet.

CVE-2024-7314 AJ-Report Auth Bypass + RCE

We developed an exploit, version scanner, pcap, network rules, and Shodan/Censys/GreyNoise queries for this vulnerability as well. The exploit establishes a reverse shell using the Java Nashorn engine. We also note that GreyNoise appears to have seen this vulnerability exploited in the wild.

CVE-2024-29510: Ghostscript File Format RCE

We developed an exploit and a YARA rule for this memory corruption bug affecting Ghostscript. The exploit generates a file that exploits Ghostscript on arm64 or x64 and creates a reverse shell (via an implant or the tools already available on the host). We note that the Debian/Ubuntu packages for Ghostscript are not vulnerable to this CVE because they disable file access, so vulnerable instances have most likely been compiled from source.

IDSTower Integration

We documented how IDSTower can use our Suricata rules API.

go-exploit-cache + RunZero

go-exploit-cache was updated to convert RunZero asset JSON into a go-exploit database. There is one limitation: RunZero caps stored HTTP bodies at 4KB, so larger bodies will not be cached and therefore will not make it into the go-exploit database.

go-exploit 1.23.1 Release

go-exploit was updated to 1.23.1. The new release contains support for file format exploits and local exploits.