Happy Friday! If you have a minute, please check out our VulnCheck Initial Access Intelligence 2024 Review! Otherwise, the following is the summary of the work the team accomplished over the last week:
The admin SOAP interface for WSO2 is missing authentication for account creation. The team developed an exploit, pcap, version scanner, network signatures, queries, and vulnerable Docker image to demonstrate this vulnerability. WSO2 is a high-value target, previously listed on VulnCheck KEV and associated with named threat actors like Lazarus and Hezb, unattributed Chinese groups, and ransomware groups. The team notes the affected endpoint is associated with malicious IPs on GreyNoise.
The team developed an exploit for the Reposilite server that abuses incorrect path handling in the JavaDoc implementation. This bug requires the target to be hosting a JavaDoc file that is accessible from an unauthenticated perspective. Our exploit iterates over all exposed directory paths and attempts to identify JavaDoc locations for exploitation automatically. Additionally, the team identified a path to retrieve the command line flags passed for administrative rights via /proc/self/cmdline, which had not been documented previously.
The public exploits for this vulnerability currently (and incorrectly) rely on a Reposilite test workspace JavaDoc that does not exist in the default or commonly deployed configurations, so they are unlikely to ever return correct information.
The team developed version scanners, provided PCAPs, Suricata and Snort rules, a target Docker container, and queries for Google, GreyNoise, FOFA, ZoomEye, Censys, and Shodan. Of note, the GreyNoise queries indicate active exploitation, but every observed attempt uses the previously mentioned non-default package, which is very unlikely to exist on real targets.
Inspired by research published by the GitHub Security Team, we developed a version scanner, network rules, vulnerable Docker image, and search queries for CVE-2024-5082 affecting Sonatype Nexus Repository 2. Nexus Repository 2 already has a vulnerability listed in VulnCheck KEV that regularly sees exploitation attempts, so we wouldn't be surprised to see this one eventually added. Censys flags more than 10,000 targets, but we think this vulnerability's true value will be how long it will likely stick around inside developer networks.
Continuing an effort to clean up a backlog of older WordPress plugins that were under active exploitation, the team created an exploit for the Backup Migration WordPress plugin. This vulnerability arises from importing a file containing attacker-controlled header data, which allows a PHP filter injection that can be turned into remote code execution.
During development, the team identified that other public exploits of this vulnerability used POST requests to deliver the PHP payload, but this approach is error-prone and likely led to many false negatives. The POST array in PHP is not guaranteed to be populated before the header parsing where this vulnerability exists, which means that in PHP-FPM configurations the vulnerability might have been missed. This version switches to a GET parameter for exploitation, which ensures it works in most configurations, at the expense of the PHP payload being exposed in a GET parameter that may be logged.
The team has provided a version scanner, exploit, PCAPs, and queries for Google and GreyNoise. Unfortunately, no easy fingerprint on default crawled pages was identified, so only the previously stated queries are available.
The team has finalized updating the entire Initial Access Intelligence catalog to include FOFA, ZoomEye, Google, and Baidu queries (when possible); all Snort/Suricata rules now have deployment metadata, and the targetEncryptedComms field is available for every CVE via the API and README.md YAML.
Additionally, the FOFA, ZoomEye, Google, and Baidu URLs are now available via the initial access index API. For example, https://api.vulncheck.com/v3/index/initial-access?cve=CVE-2024-11680 returns (excerpt):

```json
  "googleQueries": [
    "https://www.google.com/search?q=intitle%3A%22Log+in+%C2%BB+ProjectSend+%22+%2Bintext%3A%22account+yet%22"
  ],
  "googleRawQueries": [
    "intitle:\"Log in » ProjectSend \" +intext:\"account yet\""
  ],
  "baiduQueries": [
    "https://www.baidu.com/s?ie=utf-8&wd=intitle%3A%22Log%20in%20%C2%BB%20ProjectSend%20%22"
  ],
  "baiduRawQueries": [
    "intitle:\"Log in » ProjectSend \""
  ],
  "fofaQueries": [
    "https://en.fofa.info/result?qbase64=dGl0bGU9IkxvZyBpbiAmcmFxdW87ImJvZHk9ImNrZWRpdG9yLmpzImJvZHk9ImpxdWVyeS1taWdyYXRlLm1pbi5qcyIgUEhQU0VTU0lE"
  ],
  "zoomEyeQueries": [
    "https://www.zoomeye.ai/searchResult?q=dGl0bGU9IiZyYXF1bzsiICYmIGh0dHAuaGVhZGVyPSJQSFBTRVNTSUQiICYmIGh0dHAuYm9keT0iY2tlZGl0b3IuanMi"
  ],
```
The API team aims to add raw FOFA and ZoomEye queries to the API next week.
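Until the raw FOFA and ZoomEye queries land in the API, they can be recovered from the URLs, because both engines carry the query base64-encoded in a parameter (FOFA's qbase64, ZoomEye's q) while Google and Baidu URL-encode it. The following is an added example, not VulnCheck's own code: it decodes every query URL in a record shaped like the excerpt above and cross-checks the Google and Baidu results against the raw fields the API already supplies; the sample record is constructed from that excerpt.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlparse

# URL parameter that carries the query for each engine; FOFA (qbase64) and
# ZoomEye (q) wrap it in base64, Google (q) and Baidu (wd) URL-encode it.
ENGINE_PARAMS = {"google": "q", "baidu": "wd", "fofa": "qbase64", "zoomEye": "q"}
BASE64_ENGINES = {"fofa", "zoomEye"}

# Constructed sample: the CVE-2024-11680 excerpt shown above, wrapped in a JSON object.
SAMPLE_RECORD = json.loads(r'''{
  "googleQueries": ["https://www.google.com/search?q=intitle%3A%22Log+in+%C2%BB+ProjectSend+%22+%2Bintext%3A%22account+yet%22"],
  "googleRawQueries": ["intitle:\"Log in \u00bb ProjectSend \" +intext:\"account yet\""],
  "baiduQueries": ["https://www.baidu.com/s?ie=utf-8&wd=intitle%3A%22Log%20in%20%C2%BB%20ProjectSend%20%22"],
  "baiduRawQueries": ["intitle:\"Log in \u00bb ProjectSend \""],
  "fofaQueries": ["https://en.fofa.info/result?qbase64=dGl0bGU9IkxvZyBpbiAmcmFxdW87ImJvZHk9ImNrZWRpdG9yLmpzImJvZHk9ImpxdWVyeS1taWdyYXRlLm1pbi5qcyIgUEhQU0VTU0lE"],
  "zoomEyeQueries": ["https://www.zoomeye.ai/searchResult?q=dGl0bGU9IiZyYXF1bzsiICYmIGh0dHAuaGVhZGVyPSJQSFBTRVNTSUQiICYmIGh0dHAuYm9keT0iY2tlZGl0b3IuanMi"]
}''')

def _raw_param(url: str, name: str) -> str:
    """One query parameter without '+'-to-space translation (base64 may contain '+')."""
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    raise KeyError(f"parameter {name!r} not found in {url}")

def decode_query_url(engine: str, url: str) -> str:
    """Recover the human-readable search query from one engine URL."""
    param = ENGINE_PARAMS[engine]
    if engine in BASE64_ENGINES:
        token = _raw_param(url, param).replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
        token += "=" * (-len(token) % 4)  # tolerate stripped padding
        return base64.b64decode(token, validate=True).decode("utf-8")
    return parse_qs(urlparse(url).query)[param][0]

def raw_queries(record: dict) -> dict:
    """Map engine -> list of raw queries for one initial-access index record.
    Where the API already supplies a *RawQueries field (Google and Baidu today),
    the decoded URL must agree with it; a mismatch means one side is stale."""
    out = {}
    for engine in ENGINE_PARAMS:
        decoded = [decode_query_url(engine, u) for u in record.get(f"{engine}Queries", [])]
        supplied = record.get(f"{engine}RawQueries")
        if supplied is not None and supplied != decoded:
            raise ValueError(f"{engine}: URL and raw query disagree: {decoded!r} vs {supplied!r}")
        out[engine] = decoded
    return out
```

Note that the decoded FOFA query for this record reads as a run of title/body clauses with no `&&` separators and a bare `PHPSESSID` token, which is worth keeping in mind if the URL is pasted into FOFA directly.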