Kevin Beaumont

I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets.

Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.

Moving this topic public as the issue has made the media: https://news.sky.com/story/job-applicants-worried-as-hundreds-of-thousands-of-cvs-exposed-online-11836935

For a home Mac I wouldn’t bother.

That probably isn’t the use cases for HIBP, eg they don’t provide passwords.

Why do you think that?

I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid. I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since). With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:

I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.

There's some more background on how a group used this used to hack Twitter and claim bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html

For some reason the vendor is lying press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.

Some logs you can retrieve with this remotely: https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/ https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/ As an attacker you can use these to figure out to some degree if the box has been tampered with already. Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre. As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised. I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering. Shoutout to Alyssa Herrera who continues to figure out this vulnerability.

For info - seen no scanning for this in the wild.

An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION"). So, essentially, not encrypted. Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.

Scanning the wild for data.mdb, which include usernames and passwords in plain text. On a live Pulse Secure SSL VPN firewall, from a prior unseen IP.

You should be okay to do that now, I increased the rate limit a bit.

Yes, lots. I pay $20 a month for here, for WAF rules and rate limiting.

The Bad Packets estimate has been revised up to 14,500 vulnerable endpoints for this issue.

Bad Packets did a sweep, over 2500 endpoints across 72 countries are exposed to this & being exploited. The vulnerability is 4 months old, organisations really need to patch. https://badpackets.net/over-2500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/

Cloudflare pricing is public: https://www.cloudflare.com/en-gb/plans/

Pretty crazy discovery from XMPPwocky - this vulnerability is possible because the code has hardcoded logic to allow directory traversal etc if a certain path is sent - that path happens to allow exploitation.

Oh I get you. Yeah, I wouldn't rush out patching for this, just patch as usual process.

CVE-2019-15107 is being exploited in the wild. It's a pre-auth exploit which allows admin password change, a.k.a. RCE, introduced by an attacker via a backdoor in the application. Via BinaryEdge.io: Timeline April 2018 - an attacker backdoor'd WebMin's Sourceforge repo via build process. 17th August 2019 - 0day exploit available to exploit vulnerability. 17th August 2019 - WebMin issue advisory 20th August 2019 - mass exploitation seen in wild.

The original attacker IP is a bit noisy 😄 https://www.abuseipdb.com/check/91.121.209.213 You're not wrong.