As part of our Flax Typhoon coverage, the team looked at this vulnerability affecting Four-Faith industrial routers (an interesting target set by itself). Exploitation is straightforward and, to our knowledge, the issue is unpatched. The only obstacle is that it requires authentication. However, we stumbled upon two zero-days while analyzing these systems. Our exploit for CVE-2019-12168 is paired with CVE-2024-9643 (see below) for unauthenticated RCE. We also delivered a pcap, Snort/Suricata rules, Shodan/Censys queries, and a GreyNoise query. Our Censys query flags ~12k of these devices on the internet, with a concentration in Turkey.
The administrative web server has backdoor credentials hard-coded into the httpd binary. Use of these credentials gives full access to the admin web server. The exploit for this vulnerability extracts the device's configuration, stores it to disk, and parses out useful credentials. We also delivered a pcap, Snort/Suricata rules, Shodan/Censys queries, and a screenshot of the credentials as seen in a decompiler.
We have contacted Four-Faith to disclose this issue.
The administrative web server has a hidden, or backdoor, API that allows remote, unauthenticated attackers to invoke a variety of functionality without authenticating, including the functionality behind CVE-2019-12168. The team delivered an exploit, pcap, Snort/Suricata rules, Shodan/Censys queries, and a GreyNoise query.
We have contacted Four-Faith to disclose this issue.
As part of continuing coverage for Flax Typhoon, the team added an exploit, version scanner, pcap, and signatures for an arbitrary file write in Apache RocketMQ. The vulnerability lies in a flawed patch to RocketMQ's name server component, originally introduced in an attempt to fix CVE-2023-33246. VulnCheck's exploit achieves RCE by writing a self-removing crontab to /etc/cron.d, which triggers a command payload when cron executes the job. The team noted several thousand internet-exposed RocketMQ servers between Shodan and Censys.
We received a tip from a trusted threat intel organization that a well-known threat actor has been exploiting this issue (there is no open source reporting that supports that, so we take them at their word). The team delivered an exploit, version scanner, pcap, Snort/Suricata rules, and a Censys query. We note that the Censys query yields few results.
The team spent some time catching up on vulnerable Docker images for historical work. New images were released for OFBiz (CVE-2021-44228), Confluence (CVE-2023-22515 and CVE-2022-26134), ActiveMQ (CVE-2023-46604), Apache Superset (CVE-2023-27524), Chamilo (CVE-2023-3368), and Metabase (CVE-2023-38646).
go-exploit 1.29.0 was released and the Initial Access repository was updated to use that version. Of note, there was a bug fix in our RocketMQ protocol implementation, a reworking of our automatic user-agent updater (and a bump to the latest Windows Chrome UA), and an update to how we handle custom exploit flags so that they can be known beforehand (e.g. programmatically).