OpenSecurity.global

Kevin Beaumont

Members
  • Content Count: 205
  • Days Won: 20
  • Invited by: DarkOverlord

Posts posted by Kevin Beaumont


  1. On 9/18/2019 at 10:35 PM, Steve Walsh said:

    Cheers guys. My org recently had a sextortion attack. Used 1647 unique Outlook addresses with a PDF attached which was password protected. The name of the PDF was the name of a previously used password, and contained within the PDF was the usual sextortion bullshit with a link to a wallet. All mails involved were in Have I Been Pwned. So I'd like to connect with the API to do password audits.

    That probably isn't the use case for HIBP, e.g. they don't provide passwords.


  2. I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid.  I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since).

    With Windows 10 nowadays it has lots of exploit protection built in, e.g. at my current job we have all the different exploit prevention technology turned on with Group Policy in the Windows 10 pilot:

    [screenshot]


  3. Some logs you can retrieve with this remotely:

    • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
    • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/

    As an attacker you can use these to figure out to some degree if the box has been tampered with already.

    Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre.  As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised.  I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering.

    Shoutout to Alyssa Herrera who continues to figure out this vulnerability.
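An added defender-side example, not code from the post or from Pulse Secure: given web-access-style log lines (constructed here; the appliance's own log format is not shown above), normalize each request path and flag the traversal pattern quoted in the post, i.e. `..` segments that climb above the web root or resolve into `/data/runtime/logs/`.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in a generic combined-log layout (an assumption;
# the appliance's own log format is not shown in the post). The first two
# request paths are the ones quoted in the post; line 3 is benign traffic and
# line 4 is the same traversal with percent-encoded dots.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2019:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/ HTTP/1.1" 200 5120
203.0.113.10 - - [21/Aug/2019:10:01:03 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/ HTTP/1.1" 200 8192
198.51.100.7 - - [21/Aug/2019:10:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048
198.51.100.7 - - [21/Aug/2019:10:02:05 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/logs/log.access.vc0 HTTP/1.1" 200 8192
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize_path(raw_path: str) -> tuple:
    """Percent-decode the path and resolve '.' and '..' segments.

    Returns (normalized_path, root_escapes); root_escapes counts how many
    times '..' tried to climb above the root, so any value > 0 means the raw
    path stepped outside the web root before reaching its final target.
    """
    decoded = unquote(unquote(raw_path))  # decode twice to catch %252e
    stack, escapes = [], 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes

def find_traversal(log_text: str, sensitive_prefix: str = "/data/runtime/logs/") -> list:
    """Flag requests that escape the web root or resolve into a sensitive directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = urlsplit(m.group("target")).path  # drop the query string
        normalized, escapes = normalize_path(raw_path)
        if escapes or normalized.startswith(sensitive_prefix):
            hits.append({"client": line.split()[0], "raw": raw_path,
                         "normalized": normalized, "root_escapes": escapes})
    return hits
```

Matching on the normalized path rather than the literal `../` string is what catches the percent-encoded variant on line 4, which a plain substring search would miss.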


  4. 18 minutes ago, Steve Walsh said:

    It was part of the August patch updates. Not related to the RDP vulnerability. But the issue came with the patch. So if you were quick off the mark, it hurt you a bit https://www.ghacks.net/2019/08/15/visual-basic-issues-in-windows-august-2019-updates/

    Oh I get you. Yeah, I wouldn't rush out patching for this, just patch as per the usual process.


  5. CVE-2019-15107 is being exploited in the wild.  It's a pre-auth exploit which allows admin password change, a.k.a. RCE, introduced by an attacker via a backdoor in the application.

    Via BinaryEdge.io:

    [screenshot]

    Timeline

    April 2018 - an attacker backdoored Webmin's SourceForge repo via the build process.

    17th August 2019 - 0day exploit available to exploit the vulnerability.

    17th August 2019 - Webmin issues advisory.

    20th August 2019 - mass exploitation seen in the wild.
