Happy Friday! The following covers the VulnCheck Initial Access Intelligence team's development work this week:
For the third in our series of Netatalk exploits, the team developed an unauthenticated RCE exploit for a stack-based buffer overflow in Netatalk, complete with a ret2libc-style ROP chain payload to bypass ASLR. This software is often used by NAS devices for AFP support.
While not necessarily a household name, our Censys query flags ~64k online and our Shodan query finds ~39k vulnerable instances. This vulnerability was reported in a Pwn2Own competition, but currently has little to no public exploitation information. We also delivered a vulnerable Docker, pcap, Snort/Suricata signatures, and search engine queries.
The team created an exploit, pcaps, network signatures, a YARA rule, and queries for CVE-2021-21972, a file upload RCE in VMware vCenter Server. By uploading an OVA file (which is really just a tar file), an unauthenticated attacker can trigger a path traversal to write a file on the system. Our exploit targets the Linux appliance and writes a JSP webshell to where the HTML5 vSphere Client is deployed. This vulnerability continues to be exploited, and our internet search queries still show thousands of vCenter Servers online, making this a popular target for access to enterprise networks.
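The root cause described above is an upload handler that trusts tar member names. The following is an added defensive example, not VulnCheck's code or anything from the vCenter appliance: it audits an OVA (tar) archive before extraction and reports members whose normalised path would land outside the intended extraction directory, as well as link entries that could redirect later writes. The extraction root `/var/tmp/ova-extract` and the sample archive contents are constructed for the example.

```python
import io
import os
import tarfile

# Hypothetical directory the upload handler extracts into (assumption for this example).
EXTRACT_ROOT = "/var/tmp/ova-extract"


def member_escapes(name: str, root: str = EXTRACT_ROOT) -> bool:
    """Return True if a tar member name would be written outside `root`.

    Absolute names are rejected outright; everything else is joined to the
    root and normalised so that '..' components are resolved before the
    containment check.
    """
    if not name or name.startswith(("/", "\\")):
        return True
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    return os.path.commonpath([root_real, target]) != root_real


def audit_archive(data: bytes, root: str = EXTRACT_ROOT) -> list[str]:
    """Return the names of members that must not be extracted.

    Symlink and hardlink entries are flagged as well: even with a clean name,
    a link pointing outside the root can turn a later in-root write into an
    out-of-root write.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk() or member_escapes(member.name, root):
                bad.append(member.name)
    return bad


def build_sample_ova() -> bytes:
    """Constructed sample archive: one legitimate OVF descriptor plus one
    traversal entry of the kind the vulnerability class relies on."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (
            ("appliance.ovf", b"<Envelope/>"),
            ("../../../tmp/evil.jsp", b"<%-- placeholder --%>"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for offending in audit_archive(build_sample_ova()):
        print("refusing member:", offending)
```

The check is applied to `getmembers()` before any file is written, so a single bad entry rejects the whole upload rather than half-extracting it. On Python 3.12 and later, `TarFile.extractall(filter="data")` performs a comparable containment check during extraction; auditing up front additionally lets the handler log the rejected archive, which is the signal a detection team wants.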
A new Tomcat exploit was added this week which uses a partial PUT request to upload a serialized payload that is then deserialized by a second request resulting in remote code execution. This particular exploit has an EPSS Percentile of 99% and a Nuclei template that was made two days prior to this writing.
Despite the non-default conditions required for exploitation, this attack is already being reported as exploited in the wild, though this should come as no surprise given the popularity of Tomcat.
Network signatures, pcaps, and a target Docker environment are all available alongside this exploit.
Continuing last week's work on known Sitecore vulnerabilities, the team created an exploit for a 2024 unauthenticated path traversal that could leak arbitrary files. Our exploit adds the ability to search non-default Windows drives, attempts more potential target paths, and adds support for arbitrary file retrieval with detection that distinguishes empty files from non-existent files. The exploit may lead to deserialization remote code execution via the leaking of the Telerik encryption keys.
As with the prior Sitecore exploit, the default 10.4.x release installs in a vulnerable configuration, and requires manual patching of the instances.