Kevin Beaumont
-
Content Count
209 -
Joined
-
Last visited
-
Days Won
23 -
Invited by
DarkOverlord
Recent Profile Visitors
-
I've fixed the issue where email invites were broken, and a bunch of other under the hood issues.
-
Nice reference to you and Marcus on Microsoft Defender Security Centre, Kev... I see you continue to keep a low profile 🙂 Don't forget my offer to find your house and be there with a cup of tea when you wake up.
-
CVE-2019-13720 discussion
Kevin Beaumont replied to Nicholas L's topic in Public vulnerability discussion
I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets. -
php-fpm RCE Exploit
Kevin Beaumont replied to Daniel Cuthbert's topic in Public vulnerability discussion
Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this. -
I had to start the site in DR, we lost about an hour's new posts, if anybody made them. Sorreeeee.
-
Quarter of a million CVs data leak - S3 bucket
Kevin Beaumont replied to Kevin Beaumont's topic in Publicly disclosed
Moving this topic public as the issue has made the media: https://news.sky.com/story/job-applicants-worried-as-hundreds-of-thousands-of-cvs-exposed-online-11836935 -
For a home Mac I wouldn’t bother.
-
That probably isn’t the use cases for HIBP, eg they don’t provide passwords.
-
bluekeep BlueKeep - RDP vulnerability exploitation tracking
Kevin Beaumont replied to Kevin Beaumont's topic in General Discussion
Why do you think that? -
I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid. I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since). With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:
-
bluekeep BlueKeep - RDP vulnerability exploitation tracking
Kevin Beaumont replied to Kevin Beaumont's topic in General Discussion
I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff. -
There's some more background on how a group used this used to hack Twitter and claim bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
-
For some reason the vendor is lying press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.
-
Some logs you can retrieve with this remotely: https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/ https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/ As an attacker you can use these to figure out to some degree if the box has been tampered with already. Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre. As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised. I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering. Shoutout to Alyssa Herrera who continues to figure out this vulnerability.
-
For info - seen no scanning for this in the wild.
