Happy Friday! The following are the release notes from the VulnCheck Initial Access team covering our last week of work:
On Thursday, the team conducted a rapid response on CVE-2024-41713 following the watchTowr full disclosure. The team quickly delivered search engine queries for all four engines. Our Censys query flags nearly 9,000 servers. Additionally, our GreyNoise query, which was returning no results on Thursday, now has multiple malicious results on Friday. The team also delivered a PCAP and network signatures.
We had previously added a malicious PostScript file generation tool for CVE-2024-29510 (Ghostscript memory corruption), but had not found an unauthenticated, remote context to apply it to. After much research, we determined that ownCloud is vulnerable to this CVE when installed alongside a vulnerable Ghostscript version. Additionally, it's exploitable remotely and without authentication when a "public link" is created to allow guest uploads.
The team created a vulnerable Docker image and restructured the old cve-2024-29510 exploit to accommodate the new ownCloud variant (and also changed the exploit to accommodate -dFIXEDMEDIA, which, if not addressed, breaks the exploit vector). Additionally, the team created YARA and network signatures for the ownCloud variant, and produced a GreyNoise query as well.
This vulnerability was added to VulnCheck KEV in mid-November and now has a dozen public exploits. The affected plugin, Really Simple Security, offers 2FA support for WordPress and reports 4 million active installations (read: a large number of targets).
The team developed an exploit for the bypass that attempts to upload a malicious plugin, resulting in RCE. The team also delivered an asset detection and version scanner, PCAP, network signatures, and a GreyNoise query. We also delivered Shodan, Censys, FOFA, and ZoomEye queries, but fingerprinting is ideally done from the WordPress login page, which is not typically indexed by these services (since it does not sit at / and / does not redirect to it). Those queries therefore don't give a complete view of the actual attack surface. Scanning for WordPress login pages and then running our version scanner would likely produce significantly better results.
Command Injection CVE-2024-7591: Progress Kemp LoadMaster

The team developed an exploit, signatures, and queries for CVE-2024-7591, a command injection in Kemp Technologies' LoadMaster, a load balancer appliance available in virtual form. Kemp is owned by Progress Software. The vulnerability lies in the /usr/wui/progs/util.sh shell script, where the read_pass() function evaluates arbitrary input in the shell. VulnCheck's exploit combines the command injection with a privilege escalation via a SUID-root ssh binary. The exploit spawns a reverse root shell by leveraging OpenSSH's ProxyCommand option and Bash's /dev/tcp pseudo-device. The Censys query the team developed finds ~700 LoadMaster servers online.
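The privilege-escalation step above leaves a distinctive host-side trace: an ssh process started by an unprivileged account but running with effective UID 0, whose ProxyCommand reaches into /dev/tcp. The following is an added illustration of a detection for that pattern, not VulnCheck's own signatures; the key=value record format, the field names (uid, euid, ppid_comm, comm, cmdline), the sample records and the 203.0.113.10 address are all constructed assumptions, and the first record's payload is deliberately redacted.

```python
import re

# Constructed process-execution records (assumption: an auditd/EDR export normalised
# to these key=value fields). The first record's payload is redacted with "...";
# the detection keys on the ssh option and the pseudo-device path, not the payload.
SAMPLE_EVENTS = [
    'uid=33 euid=0 ppid_comm=util.sh comm=ssh '
    'cmdline="ssh -o ProxyCommand=bash -c ... /dev/tcp/203.0.113.10/4444 ... x"',
    'uid=0 euid=0 ppid_comm=cron comm=ssh '
    'cmdline="ssh -o ProxyCommand=ssh -W %h:%p jumphost backup@10.0.0.5"',
    'uid=33 euid=33 ppid_comm=httpd comm=php cmdline="php-cgi index.php"',
    'uid=1000 euid=1000 ppid_comm=bash comm=ssh '
    'cmdline="ssh -oProxyCommand=nc -X connect -x proxy:1080 %h %p user@host"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ssh_config keywords are case-insensitive and "-oProxyCommand=" is also accepted.
PROXYCMD_RE = re.compile(r'(?:^|\s)-o\s*ProxyCommand[=\s]', re.IGNORECASE)
DEVTCP_RE = re.compile(r'/dev/(?:tcp|udp)/')

def parse_event(line):
    """One key=value record -> dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def analyse(ev):
    """Indicators present in one parsed event ([] for non-ssh or clean events)."""
    if ev.get("comm") != "ssh":
        return []
    cmd, reasons = ev.get("cmdline", ""), []
    if PROXYCMD_RE.search(cmd):
        reasons.append("ProxyCommand")
    if DEVTCP_RE.search(cmd):
        reasons.append("/dev/tcp")
    if ev.get("uid") != "0" and ev.get("euid") == "0":
        reasons.append("suid root")       # unprivileged caller, root effective UID
    if ev.get("ppid_comm") == "util.sh":
        reasons.append("parent util.sh")  # spawned from the vulnerable script
    return reasons

def is_alert(reasons):
    """ProxyCommand alone is routine (jump hosts); alert on /dev/tcp, or on
    ProxyCommand combined with a SUID-root ssh."""
    return "/dev/tcp" in reasons or {"ProxyCommand", "suid root"} <= set(reasons)

def find_alerts(lines):
    """(index, reasons) for every record that satisfies the alert rule."""
    findings = [(i, analyse(parse_event(line))) for i, line in enumerate(lines)]
    return [(i, r) for i, r in findings if is_alert(r)]
```

Over SAMPLE_EVENTS only the first record alerts, with all four indicators; the cron jump-host and the nc proxy records carry ProxyCommand but stay below the alert rule.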
IP Intel added detection for a group of web panels used by information stealer infrastructure. The panels are used by Ailurophile, PoisonX, and Bby Stealer. Ailurophile and PoisonX use phishing as a primary vector and appear to be by the same creator, while Bby Stealer is a different platform focused on Discord servers.
go-exploit 1.31.1 was released to address a bug involving -o and FileFormat exploits, and to pull in updated dependencies. The entire initial access repository was updated to the latest version. Additionally, a SID collision issue was fixed in the Suricata and Snort feeds.