CVE-2024-50623 Rapid Response

The team conducted a rapid response when this CVE, affecting multiple Cleo products, was added to VulnCheck KEV following reporting from Huntress, Rapid7, and watchTowr. The team developed fingerprints for Shodan, Censys, FOFA, and ZoomEye, and added a pcap and network signatures based on the watchTowr research. We also added this GreyNoise query, which appears inactive at the time of writing.

CVE-2023-28879: Exploiting ownCloud through Ghostscript

Continuing last week's work of exploiting ownCloud via Ghostscript, this week we use CVE-2023-28879, a buffer overflow in PostScript parsing. We included two exploits in the feed: one generic exploit for creating malicious files and one specific to ownCloud. The team produced a vulnerable ownCloud Docker image, along with network signatures, a pcap, a YARA rule, and search engine queries. This week we also found that our Google query picks up some targets using the public link feature that we use for unauthenticated exploitation.

CVE-2024-47533: Cobbler XML-RPC Authentication Bypass

The team developed an exploit, version scanner, signatures, queries, and a Docker target for CVE-2024-47533, an authentication bypass in the XML-RPC API of Cobbler, an open-source Linux deployment server. By sending an empty username with the password -1, an attacker can bypass authentication for the API, leading to total compromise of the service. VulnCheck's exploit validates the target, checks its version, and returns a login token that can then be used against the service to alter the server's configuration. For more information on Cobbler's XML-RPC API and how to use a login token, please see this document.
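As an added illustration for defenders, and not VulnCheck's own signature or exploit code, the following Python check flags the login pattern described above in captured XML-RPC request bodies (for example, bodies extracted from a pcap or a reverse-proxy log). It assumes the authentication call is the XML-RPC method named `login` with the username and password as its first two parameters (Cobbler's remote API does expose a `login` method); the request bodies below are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample request bodies (not captured traffic).
NORMAL_LOGIN = """<?xml version="1.0"?>
<methodCall>
  <methodName>login</methodName>
  <params>
    <param><value><string>cobbler</string></value></param>
    <param><value><string>hunter2</string></value></param>
  </params>
</methodCall>"""

# The CVE-2024-47533 pattern: empty username, password "-1".
BYPASS_LOGIN = """<?xml version="1.0"?>
<methodCall>
  <methodName>login</methodName>
  <params>
    <param><value><string></string></value></param>
    <param><value><string>-1</string></value></param>
  </params>
</methodCall>"""

# Same pattern, but the password sent as an XML-RPC integer instead of a string.
BYPASS_LOGIN_INT = """<?xml version="1.0"?>
<methodCall>
  <methodName>login</methodName>
  <params>
    <param><value><string/></value></param>
    <param><value><int>-1</int></value></param>
  </params>
</methodCall>"""

# An unrelated call that must not be flagged.
OTHER_CALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>get_distros</methodName>
  <params/>
</methodCall>"""


def parse_xmlrpc_call(body: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (method_name, [(type, text), ...]) for an XML-RPC methodCall body.

    Each parameter is reported as its XML-RPC type tag (string, int, i4, ...)
    and its text content; a bare <value> with no typed child is a string.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = (root.findtext("methodName") or "").strip()
    params: List[Tuple[str, str]] = []
    for value in root.findall("./params/param/value"):
        typed = list(value)
        if typed:
            params.append((typed[0].tag, typed[0].text or ""))
        else:
            params.append(("string", value.text or ""))
    return name, params


def is_cobbler_bypass_attempt(body: str) -> bool:
    """True if the body is a 'login' call with an empty username and password -1."""
    try:
        name, params = parse_xmlrpc_call(body)
    except (ET.ParseError, ValueError):
        return False
    if name != "login" or len(params) < 2:
        return False
    (_, username), (_, password) = params[0], params[1]
    return username.strip() == "" and password.strip() == "-1"


def flag_sources(requests: List[Tuple[str, str]]) -> List[str]:
    """Given (source_ip, body) pairs, return the sources that sent the bypass pattern."""
    return sorted({src for src, body in requests if is_cobbler_bypass_attempt(body)})


if __name__ == "__main__":
    # Constructed traffic sample: two benign requests and two bypass attempts.
    sample = [
        ("10.0.0.5", NORMAL_LOGIN),
        ("10.0.0.5", OTHER_CALL),
        ("203.0.113.7", BYPASS_LOGIN),
        ("198.51.100.9", BYPASS_LOGIN_INT),
    ]
    for src in flag_sources(sample):
        print(f"CVE-2024-47533 login pattern from {src}")
```

The check keys on the request body rather than on the HTTP response, so it works on one-sided captures; pairing a flagged request with a successful login response from the server is the stronger signal that the instance is actually vulnerable.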

CVE-2024-9465: Palo Alto Expedition Time-Based Blind SQL Injection

The team analyzed the public validations and weaponized an unauthenticated time-based blind SQL injection against the Palo Alto Expedition system. This required writing custom injection queries and the tooling to handle time-based blind injections. Of note, because the injection is time-based and blind, the exploit can take upwards of an hour to retrieve a credential. The team confirmed the original reporting of light real-world exposure and created network signatures and pcaps.

CVE-2021-42911: DrayTek Vigor Format String Vulnerability

DrayTek Vigor router models 300B, 2960, and 3900 before version 1.5.3 are affected by this format string vulnerability. While the team explored multiple avenues of stack corruption, further research is required to control execution and achieve remote code execution. The team delivered a pcap, a Suricata signature, and Shodan, Censys, ZoomEye, FOFA, Google, and GreyNoise queries.