OpenSecurity.global

Kevin Beaumont

Members
  • Content Count: 205
  • Joined
  • Last visited
  • Days Won: 20
  • Invited by: DarkOverlord

Kevin Beaumont last won the day on October 16

Kevin Beaumont had the most liked content!

Community Reputation

96 Excellent

Personal Information

  • Bio
    Security Operations Centre Manager, once got punched in the arm by Lucy Lawless.

Recent Profile Visitors

2,540 profile views
  1. Nice reference to you and Marcus on Microsoft Defender Security Centre, Kev... I see you continue to keep a low profile 🙂 Don't forget my offer to find your house and be there with a cup of tea when you wake up.

  2. I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets.
  3. Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.
  4. I had to start the site in DR, we lost about an hour's new posts, if anybody made them.  Sorreeeee.

  5. Moving this topic public as the issue has made the media: https://news.sky.com/story/job-applicants-worried-as-hundreds-of-thousands-of-cvs-exposed-online-11836935
  6. For a home Mac I wouldn’t bother.
  7. That probably isn’t the use case for HIBP, e.g. they don’t provide passwords.
  8. I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid. I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since). With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:
  9. I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.
  10. There's some more background on how a group used this to hack Twitter and claim a bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
  11. For some reason the vendor is lying to the press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.
  12. Some logs you can retrieve with this remotely:
      https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
      https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/
      As an attacker you can use these to figure out to some degree if the box has been tampered with already. Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually enable "Unauthenticated Web Requests" logging (it is disabled by default) under System -> Logs/Monitoring in the Pulse Secure admin centre. As a result of this, many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised. I recommend turning on logging and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering. Shoutout to Alyssa Herrera who continues to figure out this vulnerability.
  13. An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION"). So, essentially, not encrypted. Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.
