Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
π€ by Dylan Pindur
It's time for another round Citrix Patch Diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.
Researchers were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued their interest. Their goal was to understand the vulnerability and develop a check for their Attack Surface Management platform.
π Contents:
β Introduction
β Patch Diffing
β Finding the Vulnerable Function
β Exploiting the Endpoint
β Verifying the Session Token
β Final Thoughts
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
π€ by Dylan Pindur
It's time for another round Citrix Patch Diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.
Researchers were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued their interest. Their goal was to understand the vulnerability and develop a check for their Attack Surface Management platform.
π Contents:
β Introduction
β Patch Diffing
β Finding the Vulnerable Function
β Exploiting the Endpoint
β Verifying the Session Token
β Final Thoughts
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747
π€ by Michael Weber and Thomas Hendrickson
As a result of the research researchers were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377. Like they recently reported Qlik RCE, the F5 vulnerability was also a request smuggling issue. In this blog authors will discuss their methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps they took to turn the request smuggling into a critical risk issue. They will conclude with remediation steps and their thoughts on the overall process.
π Contents:
β Overview
β Mapping out the F5 BIG-IP Attack Surface
β F5 Traffic Management User Interface (TMUI) Overview
β Verifying AJP Smuggling
β AJP Smuggling and Server Interpretation
β But What To Do With the Smuggling?
β Remediation
β Conclusion
β Disclosure Timeline
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
π€ by Michael Weber and Thomas Hendrickson
As a result of the research researchers were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377. Like they recently reported Qlik RCE, the F5 vulnerability was also a request smuggling issue. In this blog authors will discuss their methodology for identifying the vulnerability, walk through the underlying issues that caused the bug, and explain the steps they took to turn the request smuggling into a critical risk issue. They will conclude with remediation steps and their thoughts on the overall process.
π Contents:
β Overview
β Mapping out the F5 BIG-IP Attack Surface
β F5 Traffic Management User Interface (TMUI) Overview
β Verifying AJP Smuggling
β AJP Smuggling and Server Interpretation
β But What To Do With the Smuggling?
β Remediation
β Conclusion
β Disclosure Timeline
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
From Akamai to F5 to NTLM... with love
π€ by d3d
In this post, researcher is going to show the readers how he was able to abuse Akamai so he could abuse F5 to steal internal data including authorization and session tokens from their customers.
π Contents:
β Prerequisites
β Discovery
β On the Akamai hunt
β On the F5 hunt
β God Mode Pwnage
β NTLM or GTFO
β Closing
https://blog.malicious.group/from-akamai-to-f5-to-ntlm/
π€ by d3d
In this post, researcher is going to show the readers how he was able to abuse Akamai so he could abuse F5 to steal internal data including authorization and session tokens from their customers.
π Contents:
β Prerequisites
β Discovery
β On the Akamai hunt
β On the F5 hunt
β God Mode Pwnage
β NTLM or GTFO
β Closing
https://blog.malicious.group/from-akamai-to-f5-to-ntlm/
Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix
π€ by Charles Fol
wrapwrap marks another improvement to the PHP filter exploitation saga. Adding arbitrary prefixes to resources using php://filter is nice, but you can now add an arbitrary suffix as well, allowing you to wrap PHP resources into any structure. This beats code like:
or:
π Contents:
β Abstract
β Introduction
β Building wrapwrap
β’ Adding a prefix
β’ Fuzzing to no effect
β’ Not so random trimming
β’ The main idea
β’ Where is the end?
β’ Real suffix control: removing digits
β Using wrapwrap
β Conclusion
https://www.ambionics.io/blog/wrapwrap-php-filters-suffix
π€ by Charles Fol
wrapwrap marks another improvement to the PHP filter exploitation saga. Adding arbitrary prefixes to resources using php://filter is nice, but you can now add an arbitrary suffix as well, allowing you to wrap PHP resources into any structure. This beats code like:
$data = file_get_contents($_POST['url']);
$data = json_decode($data);
echo $data->message;
or:
$config = parse_ini_file($_POST['config']);
echo $config["config_value"];
π Contents:
β Abstract
β Introduction
β Building wrapwrap
β’ Adding a prefix
β’ Fuzzing to no effect
β’ Not so random trimming
β’ The main idea
β’ Where is the end?
β’ Real suffix control: removing digits
β Using wrapwrap
β Conclusion
https://www.ambionics.io/blog/wrapwrap-php-filters-suffix
π΅ Cacti fixed 2 high severity vulnerabilities found by our researcher Aleksey Solovev.
π₯ CVE-2023-49084 β RCE via managing links;
π₯ CVE-2023-49085 β SQLi via managing poller devices.
Read the technical advisories here β
https://github.com/Cacti/cacti/security
π₯ CVE-2023-49084 β RCE via managing links;
π₯ CVE-2023-49085 β SQLi via managing poller devices.
Read the technical advisories here β
https://github.com/Cacti/cacti/security
GitHub
GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.
New article by our researcher @snovvcrash: "Python β€οΈ SSPI: Teaching #Impacket to Respect Windows SSO".
π₯· Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
π₯· Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
PT SWARM
Python β€οΈ SSPI: Teaching Impacket to Respect Windows SSO
One handy feature of our private Impacket (by @fortra) fork is that it can leverage native SSPI interaction for authentication purposes when operating from a legit domain context on a Windows machine. As far as the partial implementation of Ntsecapi representsβ¦
π₯ Yealink fixed a post-auth OS command injection in Yealink Meeting Server found by our researcher.
Read the advisory: https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf
Read the advisory: https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf
Atlassian Confluence - Remote Code Execution (CVE-2023-22527)
π€ by Rahul Maini & Harsh Jaiswal
CVE-2023-22527 is a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence Instance, thereby enabling the execution of arbitrary code and system commands.
π Contents:
β Technical Details
β’ Initial Analysis
β’ Identifying the Unauthenticated Attack Surface
β OGNL Expression Evaluation
β Remote Code Execution via OGNL Injection
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
π€ by Rahul Maini & Harsh Jaiswal
CVE-2023-22527 is a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence Instance, thereby enabling the execution of arbitrary code and system commands.
π Contents:
β Technical Details
β’ Initial Analysis
β’ Identifying the Unauthenticated Attack Surface
β OGNL Expression Evaluation
β Remote Code Execution via OGNL Injection
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
π New article by our researcher Nikita Sveshnikov: "Bypassing browser tracking protection for CORS misconfiguration abuse."
Read the blog post to learn how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms.
https://swarm.ptsecurity.com/bypassing-browser-tracking-protection-for-cors-misconfiguration-abuse/
Read the blog post to learn how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms.
https://swarm.ptsecurity.com/bypassing-browser-tracking-protection-for-cors-misconfiguration-abuse/
PT SWARM
Bypassing browser tracking protection for CORS misconfiguration abuse
Cross-Origin Resource Sharing (CORS) is a web protocol that outlines how a web application on one domain can access resources from a server on a different domain. By default, web browsers have a Same-Origin Policy (SOP) that blocks these cross-origin requestsβ¦
PortSwigger's Top 10 web hacking techniques of 2023!
Welcome to the Top 10 Web Hacking Techniques of 2023, community-powered effort to identify the most important and innovative web security research published in the last year.
π₯ Smashing the state machine: the true potential of web race conditions
π₯ Exploiting Hardened .NET Deserialization
π₯ SMTP Smuggling - Spoofing E-Mails Worldwide
4οΈβ£ PHP filter chains: file read from error-based oracle
5οΈβ£ Exploiting HTTP Parsers Inconsistencies
6οΈβ£ HTTP Request Splitting vulnerabilities exploitation
7οΈβ£ How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
8οΈβ£ From Akamai to F5 to NTLM... with love
9οΈβ£ Cookie Crumbles: Breaking and Fixing Web Session Integrity
π can I speak to your manager? hacking root EPP servers to take control of zones
The entire nomination list you can find here: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
Welcome to the Top 10 Web Hacking Techniques of 2023, community-powered effort to identify the most important and innovative web security research published in the last year.
π₯ Smashing the state machine: the true potential of web race conditions
π₯ Exploiting Hardened .NET Deserialization
π₯ SMTP Smuggling - Spoofing E-Mails Worldwide
4οΈβ£ PHP filter chains: file read from error-based oracle
5οΈβ£ Exploiting HTTP Parsers Inconsistencies
6οΈβ£ HTTP Request Splitting vulnerabilities exploitation
7οΈβ£ How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
8οΈβ£ From Akamai to F5 to NTLM... with love
9οΈβ£ Cookie Crumbles: Breaking and Fixing Web Session Integrity
π can I speak to your manager? hacking root EPP servers to take control of zones
The entire nomination list you can find here: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)
π€ by Rapid7
In February 2024, Rapid7βs vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:
β’ CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
β’ CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).
π Contents:
β Overview
β Impact
β Remediation
β Analysis
β’ CVE-2024-27198
β’ CVE-2024-27199
β Rapid7 customers
β Timeline
https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
π€ by Rapid7
In February 2024, Rapid7βs vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:
β’ CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
β’ CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).
π Contents:
β Overview
β Impact
β Remediation
β Analysis
β’ CVE-2024-27198
β’ CVE-2024-27199
β Rapid7 customers
β Timeline
https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
π Source Code Disclosure in IIS 10.0! Almost.
There is a method to reveal the source code of some .NET apps. Here's how it works.
π https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
There is a method to reveal the source code of some .NET apps. Here's how it works.
π https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
π± New article by our researcher Andrey Pesnyak: "Android Jetpack Navigation: Deep Links Handling Exploitation"
Read about a flaw that allows an attacker to launch any fragments in a navigation graph associated with an exported activity.
https://swarm.ptsecurity.com/android-jetpack-navigation-deep-links-handling-exploitation/
Read about a flaw that allows an attacker to launch any fragments in a navigation graph associated with an exported activity.
https://swarm.ptsecurity.com/android-jetpack-navigation-deep-links-handling-exploitation/
PT SWARM
Android Jetpack Navigation: Deep Links Handling Exploitation
The androidx.fragment.app.Fragment class available in Android allows creating parts of application UI (so-called fragments). Each fragment has its own layout, lifecycle, and event handlers. Fragments can be built into activities or displayed within otherβ¦
π We're excited to unveil a new tool developed by our researcher @kiber_io: APKd. Now, you can effortlessly download APKs from AppGallery, APKPure, and RuStore directly from the terminal!
Check it out here: https://github.com/kiber-io/apkd
Check it out here: https://github.com/kiber-io/apkd
π We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!
A brief instruction for red teams:
1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!
No back connect required!
π₯ ππ
A brief instruction for red teams:
1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!
No back connect required!
π₯ ππ
CVE-2024-3400 - Technical Analysis
π€ by Rapid7
Rapid7βsanalysis of this vulnerability has identified that the exploit is in fact an exploit chain, consisting of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400.
If device telemetry is disabled, it is still possible to leverage the file creation vulnerability; at time of writing, however, Rapid7 has not identified an alternative way to leverage the file creation vulnerability for successful exploitation.
π Contents:
β Overview
β Analysis
β’ Rooting the Device
β’ Diffing the Patch
β’ Arbitrary File Creation
β’ Command Injection Exploitation
β IOCs
β Remediation
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
π€ by Rapid7
Rapid7βsanalysis of this vulnerability has identified that the exploit is in fact an exploit chain, consisting of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400.
If device telemetry is disabled, it is still possible to leverage the file creation vulnerability; at time of writing, however, Rapid7 has not identified an alternative way to leverage the file creation vulnerability for successful exploitation.
π Contents:
β Overview
β Analysis
β’ Rooting the Device
β’ Diffing the Patch
β’ Arbitrary File Creation
β’ Command Injection Exploitation
β IOCs
β Remediation
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
Exploiting CVE-2024-32002: RCE via git clone
π€ by Amal Murali
A new RCE in Git caught researcher's attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple
Whatβs the fun in just reading about an RCE? He wanted to see it wreak havoc β maybe launch a rogue application, or worse, wipe out his directories. At least, he wanted it to pop his calculator. In this post, He will walk you through his journey of reversing the Git RCE, from initial discovery to crafting a working exploit.
π Contents:
β Basic Reconnaissance
β’ git under the hood
β’ Symlinks
β Digging into the source code
β’ Inspecting
β’ Inspecting
β Piecing everything together
β Getting the RCE
β’ Weaponizing a GitHub repository
β Working PoC
https://amalmurali.me/posts/git-rce/
π€ by Amal Murali
A new RCE in Git caught researcher's attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple
git clone
command fascinated him. Given Gitβs ubiquity and the widespread use of the clone command, he was instantly intrigued. Could something as routine as cloning a repository really open the door to remote code execution? His curiosity was piqued, and he had to investigate. Plus, who doesnβt want an excuse to break stuff in the name of research?Whatβs the fun in just reading about an RCE? He wanted to see it wreak havoc β maybe launch a rogue application, or worse, wipe out his directories. At least, he wanted it to pop his calculator. In this post, He will walk you through his journey of reversing the Git RCE, from initial discovery to crafting a working exploit.
π Contents:
β Basic Reconnaissance
β’ git under the hood
β’ Symlinks
β Digging into the source code
β’ Inspecting
builtin/submodule--helper.c
β’ Inspecting
t/t7406-submodule-update.sh
β Piecing everything together
β Getting the RCE
β’ Weaponizing a GitHub repository
β Working PoC
https://amalmurali.me/posts/git-rce/
𧧠Our researcher Igor Sak-Sakovskiy has discovered an XXE in Chrome and Safari by ChatGPT!
Bounty: $28,000 πΈ
Here is the write-up π https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/
Bounty: $28,000 πΈ
Here is the write-up π https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/