Search the Community

A track of BlueKeep CVE-2019-0708 scanners and exploits. Scanners https://github.com/zerosum0x0/CVE-2019-0708 - first uploaded May 22nd 2019 https://www.rapid7.com/db/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep - first uploaded May 25th 2019 Remote code execution exploits Unreleased Technical writeups @0xeb_bp has released a technical writeup. It doesn't contain code but it does make clear how to reach exploitation, at least on XP. 0xeb_bp_BlueKeep_Technical_Analysis.pdf

CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls. These exist as a perimeter security control, so it's a bad vulnerability. Using BinaryEdge.io I can see scanning activity from last night for first time for this vulnerability: The scanning traffic is taking place across the whole internet it appears, spray and pray style. The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials: Timeline May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384 June 4th 2019 - Vendor updates advisory to correct impacted versions August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one. August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow. August 17th 2019 - Another exploit, checks if vulnerable before exploit. August 21nd 2019 - Exploitation seen in wild.

CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. I've seen it being exploited today, a few hours ago for first time, via BinaryEdge. Timeline 24th April 2019 - Vendor advisory. 14th August 2019 - TLP Rainbow post. 20th August 2019 - exploit posted publicly. 22nd August 2019 - exploitation in wild. Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

Two researchers have a talk upcoming at DefCon about SSL VPN vulnerabilities, and they've started (although not in the talk) by detailing a unauthenticated remote code execution vulnerability in Palo-Alto GlobalProtect, their VPN system: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html The short version is: - Bad vulnerability - Actually exploitable - Because it's on both your VPN and firewall box (Palo-Alto do both), the attacker owns your network via the internet - They released a patch for the issue a year ago, but didn't issue a CVE or tell people about the issues for whatever reason - so you want to check if you actually run a vulnerable version still. Vendor advisory here after I tweeted about it: https://securityadvisories.paloaltonetworks.com/Home/Detail/158

Came across this on my travels: https://portswigger.net/daily-swig/webmin-backdoor-blamed-on-software-supply-chain-breach Webmin software was backdoored for over a year. If you're using one of those vulnerable versions, update now! According to shodan and some google dorks, there are quite a lot still vulnerable