Happy Friday! Another busy week in Initial Access Intelligence; here are the notes from the team's deliveries this week:
A partner recently had an exploit for this vulnerability hit their honeypot, and Shadowserver has a decently long list of exploit attempts (including yesterday). The team developed an exploit that can either spawn a plain reverse shell or drop reverse-shell binaries. Additionally, we created pcaps, Suricata/Snort signatures, Shodan, Censys, FOFA, ZoomEye, Google, and GreyNoise queries, and a vulnerable Docker image. It should be noted that the Censys query flags a bizarrely large number of targets.
The team created a remote code execution exploit for NetAlertX 23.01.14 - 24.9.12, exploiting a lack of authentication on the settings utilities file that lets an attacker modify settings. Command settings for NetAlertX are not modifiable through the web interface, but when passed directly to the backup-handling scripts they can be both modified and triggered, giving the attacker arbitrary command execution.
The team developed an exploit and version scanner, provided PCAP captures and a target Docker container, and created network signatures for Suricata and Snort, along with queries for Shodan, Censys, FOFA, ZoomEye, and GreyNoise.
The team created an exploit, version scanner, pcap, network signatures, queries, and a Docker target for CVE-2023-25826, an unauthenticated command injection in OpenTSDB, an open-source time series database. Strictly speaking, the vulnerability isn't a command injection: it is a gnuplot parameter injection that leads to the execution of operating system commands. We haven't seen exploitation in the wild yet, though Metasploit and Nuclei modules exist for the vulnerability.
The team created a remote code execution exploit for Netatalk versions below 3.1.13, exploiting an issue in the Parse Entities function that allows an attacker to read an address in libc and then write the address of libc's system() function over other functions, achieving arbitrary command execution. This required building a protocol library for AFP and identifying bypasses to write raw AppleDouble files.
The team developed an exploit and version scanner, provided PCAP captures, and created Suricata and Snort network signatures covering two variations of the attack, along with queries for Shodan, Censys, FOFA, ZoomEye, and GreyNoise. A vulnerable Docker image is being finalized.
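Both the NetAlertX and Netatalk entries above come with a version scanner. The following is an added example, not the team's or either project's own code, showing the defender-side half of that idea: a version-range check that a fleet owner can run over an inventory to prioritise patching. The affected ranges (NetAlertX 23.01.14 through 24.9.12 inclusive, Netatalk below 3.1.13) are taken from the text above; the inventory lines are constructed, and the comparison deliberately tolerates the date-style, non-zero-padded components NetAlertX uses.

```python
"""Version-range triage for the NetAlertX and Netatalk issues described above.

Added example; the affected ranges come from the write-up, the inventory is
constructed. It answers "is this reported version inside the affected range?",
which is a prioritisation signal, not proof of exploitability.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VersionRange:
    product: str
    low: Optional[str]        # inclusive lower bound; None means "all earlier versions"
    high: str                 # upper bound
    high_inclusive: bool      # True: "through high"; False: "below high"
    reference: str


# Affected ranges as stated in the write-up above.
AFFECTED = [
    VersionRange("netalertx", "23.01.14", "24.9.12", True,
                 "NetAlertX unauthenticated settings modification -> command execution"),
    VersionRange("netatalk", None, "3.1.13", False,
                 "Netatalk AFP Parse Entities memory corruption -> command execution"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Extract numeric components, so 'v23.01.14' and '3.1.12p1' both parse."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter with zeros (3.1 == 3.1.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(product: str, version: str) -> Optional[VersionRange]:
    """Return the matching range if (product, version) is inside one, else None."""
    v = parse_version(version)
    for rng in AFFECTED:
        if rng.product != product.lower():
            continue
        if rng.low is not None and _cmp(v, parse_version(rng.low)) < 0:
            continue  # older than the first affected release
        c = _cmp(v, parse_version(rng.high))
        if c > 0 or (c == 0 and not rng.high_inclusive):
            continue  # already at or past the fix
        return rng
    return None


# Constructed inventory: host,product,version (the kind of list an asset
# database or a banner-grab sweep would produce).
INVENTORY = """\
nas-01,netatalk,3.1.12
nas-02,netatalk,3.1.13
nas-03,netatalk,3.1.18
iot-monitor,netalertx,v24.9.12
iot-monitor-2,netalertx,24.10.1
iot-monitor-3,netalertx,23.01.13
"""


def triage(inventory: str) -> list[tuple[str, str]]:
    """Return (host, reference) for every inventory row inside an affected range."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = [f.strip() for f in line.split(",")]
        hit = is_affected(product, version)
        if hit is not None:
            findings.append((host, hit.reference))
    return findings


if __name__ == "__main__":
    for host, why in triage(INVENTORY):
        print(f"{host}: {why}")
```

Boundary handling is the point of the example: 24.9.12 is the last affected NetAlertX release and is flagged, while Netatalk 3.1.13 is the first fixed release and is not. A reported version is only a risk signal; distributions that backport fixes without bumping the version will show up as affected here, so confirm against the vendor's package changelog before raising an incident.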
A handful of vulnerabilities were flipped from "zero day" to... not. CVE-2025-0364, CVE-2024-9643, CVE-2024-9644, and CVE-2024-23690 were published to cve.org with minimal details. CVE-2024-40890 and CVE-2024-40891 received a deeper examination on our blog, and CVE-2024-6131 (BYOB) was determined to be a novel take on CVE-2024-45256, so the CVE was rejected and the exploits/artifacts moved to the CVE-2024-45246 sub-directory.
go-exploit 1.36.0 was released with an implementation of the Netatalk (AFP) protocol.
The team added BADBOX Botnet tracking based on research published by Censys and BitSight.