Jump to content

Kevin Beaumont

  • Content Count

  • Joined

  • Last visited

  • Days Won

  • Invited by


Everything posted by Kevin Beaumont

  1. An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION"). So, essentially, not encrypted. Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.
  2. Scanning the wild for data.mdb, which include usernames and passwords in plain text. On a live Pulse Secure SSL VPN firewall, from a prior unseen IP.
  3. You should be okay to do that now, I increased the rate limit a bit.
  4. Yes, lots. I pay $20 a month for here, for WAF rules and rate limiting.
  5. The Bad Packets estimate has been revised up to 14,500 vulnerable endpoints for this issue.
  6. Bad Packets did a sweep, over 2500 endpoints across 72 countries are exposed to this & being exploited. The vulnerability is 4 months old, organisations really need to patch. https://badpackets.net/over-2500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
  7. Cloudflare pricing is public: https://www.cloudflare.com/en-gb/plans/
  8. Pretty crazy discovery from XMPPwocky - this vulnerability is possible because the code has hardcoded logic to allow directory traversal etc if a certain path is sent - that path happens to allow exploitation.
  9. CVE-2019-15107 is being exploited in the wild. It's a pre-auth exploit which allows admin password change, a.k.a. RCE, introduced by an attacker via a backdoor in the application. Via BinaryEdge.io: Timeline April 2018 - an attacker backdoor'd WebMin's Sourceforge repo via build process. 17th August 2019 - 0day exploit available to exploit vulnerability. 17th August 2019 - WebMin issue advisory 20th August 2019 - mass exploitation seen in wild.
  10. The original attacker IP is a bit noisy 😄 https://www.abuseipdb.com/check/ You're not wrong.
  11. is continuing to scan the internet for this. Also on AbuseIPDB: https://www.abuseipdb.com/check/
  12. I mean.. why are the passwords output, regardless of the bug? This does not feel okay, it seems super ‘completely insecure and deliberately backdoored’ to me.
  13. It's a good question, you could argue it's 'just' scanning. But a 'home' IP yada, if they're finding stuff I imagine they're changing the path.
  14. CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. I've seen it being exploited today, a few hours ago for first time, via BinaryEdge. Timeline 24th April 2019 - Vendor advisory. 14th August 2019 - TLP Rainbow post. 20th August 2019 - exploit posted publicly. 22nd August 2019 - exploitation in wild. Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.
  15. CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls. These exist as a perimeter security control, so it's a bad vulnerability. Using BinaryEdge.io I can see scanning activity from last night for first time for this vulnerability: The scanning traffic is taking place across the whole internet it appears, spray and pray style. The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials: Timeline May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384 June 4th 2019 - Vendor updates advisory to correct impacted versions August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one. August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow. August 17th 2019 - Another exploit, checks if vulnerable before exploit. August 21nd 2019 - Exploitation seen in wild.
  16. Or VirtualBox. OpenSecurity runs on a single server with 2gb of RAM btw and a crap processor.
  17. yeah that's a good way of doing it. Personally I use Microsoft Authenticator, which lets you add Google Authenticator tokens - and backs up to iCloud on iOS. It's obviously still flawed as you can recover iCloud via SMS, of course.
  18. Join with a bunch of numbers at the end, and I'll strip them off as I see 'em. It was to stop people signing up as Dave and such.
  19. There's a few of these 😄 already seen exploit traffic in honeypot btw.
  20. Yeah it really does depend on the tooling. I found Rapid7 poor for reporting as it’s too rigid, I basically ended up being unable to provide mgmt with the numbers in a format they wanted (rightly) because the tool didn’t support it.
  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy