James Wickett’s Post

OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code: A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine https://lnkd.in/gGMmTKrm

Have you heard about CVE-2023-39848? 🤔 I believe many of my security colleagues have had the opportunity to experiment with Damn Vulnerable Web Application (DVWA). It's an intentionally vulnerable application created for learning and training purposes, utilized by penetration testers to enhance their knowledge. However, were you aware that in August of this year, a researcher managed to create a CVE for SQL Injection in that application? 😂 CVE-2023-39848 in NIST Database: https://lnkd.in/d_jT6PdE

"While the flaw does have the potential to impact curl users, the requirements to exploit the vulnerability make it far less dangerous than initially expected, as it requires that the curl client be configured to use a SOCKS5 proxy when making connections to a remote site and for automatic redirections to be enabled. Furthermore, there is also a timing requirement to successfully exploit the flaw, requiring a slow SOCKS5 connection to the remote site." To exploit this flaw, an attacker could create a website that redirects a visitor to a very long hostname (think thousands of characters), which will cause the inputted data to trigger the heap buffer overflow bug and crash the program. While fairly easy to exploit, researchers have told BleepingComputer that the existing proof-of-concept exploits only cause curl to crash, leading to a denial of service attack rather than to code execution. Furthermore, as most people using Curl are not connecting through SOCKS5, the bug would not affect them. https://lnkd.in/gumdTAd3

CVE-2020-15518 I found two vulnerabilities in the driver while writing a post about vulnerabilities I had previously discovered in the same driver, lol. While it's always good to find vulnerabilities, it also means a delay in publication of my DMA access finding. So, in the meantime, I recovered a post about CVE-2020-15518, the vulnerability in VeeamFSR.sys that was published years ago. I lost it when moving the blog, but now it's back. VeeamFSR.sys is a legacy file system filter driver that allows user-mode applications to take control over any I/O request passing through the file system. The driver pends every I/O request that matches the pattern provided by the application and allows the application to manipulate parameters of the request: read or modify its data, pass the request to the file system stack, or just fail it. The driver neither checks the identity of the caller nor the permissions of the target object, giving any user, even non-privileged ones, absoulte power over all file system requests. The post demonstrates how to utilize IO controls exposed by VeeamFSR.sys to perform the aforementioned manipulations. For example, the snippets provided in the post monitor all open operations for every file named Cthon98.txt. Once such a file is opened, they search for the 'hunter2' string in the data of all subsequent reads from the file. Upon finding it, they replace the string with '*' symbols, akin to the classic bash.org meme. The post is available here: https://lnkd.in/dB6dVcGS

Hackers Using MOVEit Flaw to Deploy Web Shells, Steal Data: Exploiting vulnerabilities in file transfer software for businesses and medical practices can result in a treasure trove of valuable data and the opportunity to try to extort oh, so many victims. First it was an Accellion vulnerability, exploited by Cl0p (past coverage). Then it was a Fortra GoAnywhere vulnerability, exploited by Cl0p (past coverage). Now we are hearing about a MOVEit flaw being exploited. Michael Novinson reports: Adversaries are taking advantage of a recently patched vulnerability in Progress Software’s managed file transfer product to deploy web shells and steal data. An unknown threat actor began exploiting the critical SQL injection vulnerability in MOVEit Transfer on May 27 and in some cases has taken data within minutes of deploying the web shells. Security researchers at Mandiant attribute the activity to a newly created threat cluster with unknown motivations dubbed UNC4857 that has gone after organizations across a wide range of industries based in Canada, India and the United States (see: Hackers Exploit Progress MOVEit File Transfer Vulnerability).  Read more at GovInfoSecurity.

F5 is warning of active abuse of a critical security flaw in BIG-IP less than a week after its public disclosure that could result in the execution of arbitrary system commands as part of an exploit chain. Tracked as CVE-2023-46747 (CVSS score: 9.8), the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution. A proof-of-concept (PoC) exploit has since been made available by ProjectDiscovery. It impacts the following versions of the software - 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG) 16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG) 15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG) 14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG) 13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG) Now the company is alerting that it has "observed threat actors using this vulnerability to exploit CVE-2023-46748," which refers to an authenticated SQL injection vulnerability in the BIG-IP Configuration utility.