Happy holidays! As a reminder, we are on reduced capacity through next week, but will continue landing content. Here is the work the VulnCheck Initial Access team finished over the last week:

CVE-2024-50379: Apache Tomcat TOCTOU Webshell Upload

This vulnerability only affects Apache Tomcat on Windows when the default servlet has write access enabled, i.e. its readonly init-param is set to false (the shipped default is true, so this is not the stock configuration). We expect this deployment to be rare, but with hundreds of thousands of internet-facing Tomcat instances there are bound to be a few.

The team developed an exploit that uploads a minimal JSP webshell. The exploit ships with a pcap, a YARA rule, network signatures, and Shodan/Censys/FOFA/ZoomEye queries.

CVE-2018-1160: Netatalk Commands Pointer Buffer Overflow RCE

The team developed an unauthenticated memory-corruption RCE exploit for Netatalk, the AFP server often bundled with NAS devices. While not necessarily a household name, our Censys query flags ~64k instances online and our Shodan query finds ~39k vulnerable ones. Variations on this vulnerability have featured in a number of Pwn2Own competitions, and while it is on neither CISA KEV nor VulnCheck KEV, it seems highly likely that it has been exploited in the wild in some context.

Our exploit includes a version check and an ASLR bypass. We also delivered a vulnerable Docker image, a pcap, Snort/Suricata signatures, and search engine queries.

CVE-2024-56145: Craft CMS register_argc_argv RCE

The team created an exploit, pcap, signatures, a YARA rule, and queries for CVE-2024-56145, a remote code execution vulnerability in Craft CMS that is reachable when the PHP setting register_argc_argv is enabled (the default in the official distribution). The exploit injects a Twig template via an FTP callback supplied in the HTTP query string, resulting in execution of a system command. Instructions for configuring the FTP callback are in the exploit directory's README.md. The CMS is widely deployed: our queries show thousands of hosts online, although the GreyNoise tag has recorded no exploitation as of yet.

ZoomEye Query Updates

We found that ZoomEye had very recently deprecated their old search syntax and URL format without warning and without any backwards compatibility, which meant most of our ZoomEye queries were broken. This week we rewrote them all in the new syntax and URL scheme. Sorry for any interruption this may have caused!

CVE-2024-12856 Released Publicly

Last week, the team provided content for a new CVE being exploited in the wild. Pursuant to our disclosure policy for vulnerabilities being exploited in the wild, we released a brief blog post on the issue earlier today.