URL:
https://www.coresecurity.com/blog/core-impact-monthly-chronicle-exploits-and-updates-november-2024
CORE IMPACT MONTHLY CHRONICLE: EXPLOITS AND UPDATES | NOVEMBER 2024

CORE IMPACT EXPLOIT LIBRARY ADDITIONS

One of Core Impact’s most valuable features is its certified exploit library.
Fortra’s Core Security has a team of expert exploit writers who conduct research, evaluating and prioritizing the most relevant vulnerabilities in order to update the library with critical and useful exploits. Additionally, the QA team builds its own clean environment to validate each exploit before its release, ensuring our standards are met and that the exploit is safe and ready to use. While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.

CVE-2023-43208 - NEXTGEN HEALTHCARE MIRTH CONNECT DESERIALIZATION REMOTE CODE EXECUTION EXPLOIT

Authors: Lucas Dominikow and Luis García Sierra (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2023-43208

KEY VULNERABILITY DETAILS
* Insecure data deserialization could lead to remote code execution
* This vulnerability permits malicious users to bypass the patch for CVE-2023-37679
* Affects all Mirth Connect versions prior to 4.4.1
* Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78) and Deserialization of Untrusted Data (CWE-502)

EXPLOITATION IMPACT AND MITIGATION
* An unauthenticated user could gain initial system access and compromise critical healthcare data
* A patch has been released and users are advised to upgrade to the latest version

ATTACKS IN THE WILD
* Actively being exploited in the wild
* Has been added to CISA’s Known Exploited Vulnerabilities Catalog
* Microsoft has reported this vulnerability being exploited by ransomware threat actors, including nation-state actors and cybercrime groups

EXPLOITATION MECHANISM
1. The exploit module crafts and deploys a specially crafted XML payload.
2. The payload is processed by the XStream library’s insecure unmarshalling.
3. A ChainedTransformer executes, using a ConstantTransformer to obtain the Runtime class.
4. An InvokerTransformer chain then accesses and invokes getRuntime.
5. Malicious code can then be executed on the server.
CVE-2024-35250 - WINDOWS KS DRIVER KSPROPERTY PRIVILEGE ESCALATION EXPLOIT

Authors: Esteban Kazimirow and Nahuel Gonzalez (QA)
CVSS: 7.8 HIGH
Reference: CVE-2024-35250

KEY VULNERABILITY DETAILS
* A flaw exists in Kernel Streaming (the ks.sys driver), allowing arbitrary IOCTL_KS_PROPERTY operations, including arbitrary write primitives, process token replacement, and token privilege abuse
* This double-fetch vulnerability in KspPropertyHandler can lead to privilege escalation at the kernel level
* Affects multiple versions of Windows 10, Windows 11, and Windows Server 2008-2022
* Classified as Untrusted Pointer Dereference (CWE-822)

EXPLOITATION IMPACT AND MITIGATION
* Authenticated attackers with low-level privileges can elevate access to the SYSTEM level
* May lead to full system compromise and access to sensitive data
* Microsoft released a patch for this vulnerability in a June Security Update

ATTACKS IN THE WILD
* No major attacks have been reported at this time

EXPLOITATION MECHANISM
1. The exploit module opens an audio device with read/write access.
2. It then accesses details in kernel space by obtaining the memory address of a kernel object associated with a process.
3. Memory is allocated to create a fake RTL_BITMAP structure in user space, allowing arbitrary memory read/write operations.
4. The module retrieves the base address of a kernel module (ntoskrnl.exe) to locate functions within kernel space.
5. The address of a gadget is computed in the kernel for use in memory manipulation operations.
6. Data is written to a specific memory address, allowing the system’s memory space to be modified.
7. The current process token is changed to gain system privileges.
8. The thread mode is restored to avoid a BSOD.
CVE-2024-5910, CVE-2024-9464 - PALO ALTO NETWORKS EXPEDITION REMOTE CODE EXECUTION EXPLOIT

Authors: Lucas Dominikow and Nahuel Gonzalez (QA)
CVSS: 9.8 CRITICAL, 6.5 MEDIUM
Reference: CVE-2024-5910, CVE-2024-9464

KEY VULNERABILITY DETAILS
* CVE-2024-5910 – A critical authentication bypass vulnerability resulting from a missing authentication mechanism
* CVE-2024-9464 – A command injection vulnerability that enables authenticated attackers to execute arbitrary OS commands as root
* When chained together, they can result in unauthenticated arbitrary command execution
* Affects all versions of Expedition prior to version 1.2.96
* Classified as Missing Authentication for Critical Function (CWE-306) and Improper Neutralization of Special Elements used in an OS Command (CWE-78)

EXPLOITATION IMPACT AND MITIGATION
* Attackers can gain initial unauthenticated access using CVE-2024-5910, then elevate their access to root privileges using CVE-2024-9464
* Can lead to full system compromise
* Patches have been released for both vulnerabilities

ATTACKS IN THE WILD
* CVE-2024-5910 has been exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities Catalog

EXPLOITATION MECHANISM
1. The exploit module crafts a special request to the endpoint /OS/startup/restore/restoreAdmin.php to reset the admin password.
2. Once the password is reset, the operator can use it to authenticate.
3. The module then crafts a special request to the endpoint /bin/CronJobs.php to deploy an agent.
4. The endpoint can be used to insert commands into the cronjobs table in pandb.
5. Once a command is inserted, the target will execute it.
CVE-2024-9474, CVE-2024-0012 - PALO ALTO NETWORKS OS (PAN-OS) REMOTE CODE EXECUTION EXPLOIT

Authors: Lucas Dominikow and Nahuel Gonzalez (QA)
CVSS: 7.2 MEDIUM, 9.8 CRITICAL
Reference: CVE-2024-9474, CVE-2024-0012

KEY VULNERABILITY DETAILS
* CVE-2024-9474 – A privilege escalation vulnerability that allows authenticated attackers to execute commands with root privileges
* CVE-2024-0012 – An authentication bypass vulnerability that enables unauthenticated attackers to perform administrator actions
* When chained together, they can lead to remote code execution
* Affects multiple versions of PAN-OS
* Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78) and Missing Authentication for Critical Function (CWE-306)

EXPLOITATION IMPACT AND MITIGATION
* Attackers can gain a foothold using CVE-2024-9474, then use CVE-2024-0012 to perform administrative actions
* Can lead to full system compromise
* Patches have been released for both vulnerabilities in PAN-OS 11.2.4-h1, PAN-OS 11.1.5-h1, PAN-OS 11.0.6-h1, PAN-OS 10.2.12-h2, and PAN-OS 10.1.14-h6

ATTACKS IN THE WILD
* This vulnerability chain has been actively exploited since November 2024
* Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog

EXPLOITATION MECHANISM
1. The exploit module sends a request containing a header parameter for authentication bypass (CVE-2024-0012) to inject a command within a "user" request body parameter (CVE-2024-9474).
2. An elevated user session ID is returned in the response and the injected command is written to a local session cache file.
3. A request is sent with the elevated session ID to trigger evaluation of the injected local session cache file.
4. The process is repeated with all the commands necessary to deploy an agent.
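A defender's first question for the PAN-OS chain above is which firewalls in inventory are still below the fixed builds listed. The following Python check is an added example, not Core Security's or Palo Alto Networks' code; it takes the five fixed versions from the text above and assumes (not stated on the page) that a fix on a given major.minor branch carries forward to every later patch or hotfix on that same branch. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory text for CVE-2024-0012 / CVE-2024-9474.
PANOS_FIXED = ["11.2.4-h1", "11.1.5-h1", "11.0.6-h1", "10.2.12-h2", "10.1.14-h6"]

# PAN-OS version strings look like major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple; no suffix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_patched(installed: str, fixed_versions=PANOS_FIXED) -> Optional[bool]:
    """
    True  -> installed build is at or past the fixed build on its release branch.
    False -> installed build is on a listed branch but older than the fixed build.
    None  -> the major.minor branch is not in the fixed list; status unknown, review manually.
    Assumption: the fix carries forward within a branch (later patch/hotfix numbers are fixed).
    """
    inst = parse_panos_version(installed)
    for fv in fixed_versions:
        fixed = parse_panos_version(fv)
        if fixed[:2] == inst[:2]:  # same major.minor branch
            return inst[2:] >= fixed[2:]  # compare (patch, hotfix) tuples
    return None


def triage(inventory):
    """Return {hostname: patched-status} for a list of (hostname, version) pairs."""
    return {host: is_patched(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = [("fw-edge-01", "11.2.4"), ("fw-edge-02", "11.2.4-h1"),
              ("fw-dc-01", "10.2.12-h2"), ("fw-dc-02", "10.2.11-h3"),
              ("fw-lab-01", "9.1.16")]
    labels = {True: "patched", False: "VULNERABLE", None: "branch not in advisory list"}
    for host, status in triage(sample).items():
        print(f"{host}: {labels[status]}")
```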
CVE-2024-1403 - PROGRESS OPENEDGE AUTHORIZEUSER AUTHENTICATION BYPASS VULNERABILITY CHECKER

Authors: Marcos Accossatto and Luis García Sierra (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2024-1403

KEY TECHNICAL DETAILS
* A critical authentication bypass vulnerability may lead to unauthorized access
* A flaw in the authorizeUser() function improperly validates certain usernames and passwords
* Affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0
* Classified as Authentication Bypass by Primary Weakness (CWE-305)

EXPLOITATION IMPACT AND MITIGATION
* An unauthenticated attacker could establish a foothold, deploy malicious payloads, escalate privileges, and establish persistence
* Could lead to full compromise, with the ability to access, manipulate, exfiltrate, or delete sensitive data
* The vulnerability has been patched in OpenEdge LTS updates 11.7.19, 12.2.14, and 12.8.1

ATTACKS IN THE WILD
* No major attacks have been reported at this time

EXPLOITATION MECHANISM
1. The module creates an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.
2. It then performs a vulnerability verification.
3. All requests to the target are made using Java RMI.
MICROSOFT WINDOWS EVENT LOGGING SERVICE DOS UPDATE

Authors: Cristian Rubio and Daniel De Luca (QA)

KEY VULNERABILITY DETAILS
* A Denial-of-Service attack can be triggered when an authenticated attacker connects to the target system and sends specially crafted requests
* A flaw in the Event Logging Service can impair an environment’s detection and forensic capabilities
* Affects multiple versions of Windows 10 and Windows 11

EXPLOITATION IMPACT AND MITIGATION
* Attackers can stop the logging of events within critical software
* Allows threat actors to leave no trace of their actions
* Windows 11 24H2 is the only version in which this issue is patched
* A free micropatch is available through the 0patch blog for all other versions

ATTACKS IN THE WILD
* No major attacks have been reported at this time

EXPLOITATION MECHANISM
1. The exploit module targets the ElfrRegisterEventSourceW method through the EventLog Remoting Protocol.
2. A specially crafted UNICODE_STRING object is sent to the target system.
3. The wevtsvc!VerifyUnicodeString function processes the object, causing a null-pointer dereference.
4. The Windows Event Log service then crashes, disabling critical logging capabilities.
UPDATE
* This exploit was first released in February 2024
* This update adds reliability improvements to the check of whether the target is vulnerable

CVE-2024-30090 - MICROSOFT KERNEL STREAMING WOW THUNK SERVICE DRIVER ELEVATION OF PRIVILEGE VULNERABILITY EXPLOIT

Authors: Cristian Rubio and Luis García Sierra (QA)
CVSS: 7.0 HIGH
Reference: CVE-2024-30090

KEY VULNERABILITY DETAILS
* A double-fetch vulnerability exists in the Kernel Streaming service module (ksthunk.sys), allowing attackers to perform arbitrary memory decrements through race conditions
* This race condition flaw can lead to privilege escalation through kernel memory manipulation
* Affects all Windows versions from Windows 7 to Windows 11 and Server editions
* Classified as Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) and Untrusted Pointer Dereference (CWE-822)

EXPLOITATION IMPACT AND MITIGATION
* Authenticated attackers with low-level privileges can escalate privileges to the SYSTEM user
* May lead to data compromise, exfiltration, or corruption
* Microsoft released a patch for this vulnerability in a June Security Update

ATTACKS IN THE WILD
* No major attacks have been reported at this time

EXPLOITATION MECHANISM
* The exploit module retrieves the kernel address of nt!SeDebugPrivilege.
* It then creates a new thread to win the race condition.
* The double-fetch is triggered three times and overwrites nt!SeDebugPrivilege.
* A new process can then be created, running the agent as SYSTEM.

Meet the Authors: Daniel De Luca, Software Development Manager; Pablo Zurro, Cybersecurity Product Manager, Core Security, by Fortra.