About Administrador

So far Administrador has created 188 blog entries.

CVE-2023-34362: SQL Injection in Progress Software’s MOVEit Transfer

By Administrador | 8 Jun. 2023

On May 31, 2023, Progress disclosed a critical vulnerability (CVE-2023-34362) in its MOVEit Transfer software: an SQL injection (SQLi) flaw in the MOVEit Transfer web application that could lead to privilege escalation and unauthorized access on affected systems. MOVEit Transfer is a product of Progress Software that provides secure collaboration and automated file transfers for sensitive data, and it is widely used by organizations around the world. Depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), an attacker may be able to learn the structure and contents of the database and even execute SQL statements that modify or delete data. It is important to note that these attacks can occur over protocols like HTTP ...


CVE-2023-32353: Local privilege escalation via iTunes in Windows

By Administrador | 8 Jun. 2023

Information has been disclosed about a new high-severity vulnerability affecting Apple iTunes in Windows environments. It would allow an attacker with access as a non-privileged user on a machine to escalate privileges to local administrator. The root cause is incorrect permissions on one of the folders created during installation of the software: C:\ProgramData\Apple Computer\iTunes\SC Info. This folder is writable by any user, so an unprivileged user could delete it and replace it with a symbolic link pointing to any system folder, such as C:\Windows. Subsequently, using the repair function of the installation binary, the rewriting of certain files could be forced, allowing privileges to be escalated up to SYSTEM. This ...


MSSQL linked servers: abusing ADSI for password retrieval

By Administrador | 7 Jun. 2023

Introduction. When we talk about Microsoft SQL Server linked servers, we usually think of links to other SQL Server instances. However, this is only one of several available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying AD over the LDAP protocol. After discussing its inner workings, we present a new technique to retrieve cleartext linked login passwords and, in some cases, the password of the current security context. This has proven useful in several of our Red Team engagements. ADSI. Through the ADSI provider we can create a link to a domain controller (sp_addlinkedserver) and then perform queries using the SELECT statement and the OPENQUERY function: ...


Some notes and reflections on the Terminator threat

By Administrador | 2 Jun. 2023

Throughout the week, a tool called «Terminator» has been discussed in the media; it would allow attackers to disable antivirus, EDR and XDR platforms. Terminator relies on a well-known technique called «Bring Your Own Vulnerable Driver» (BYOVD). This technique abuses legitimate, signed drivers that, because of vulnerabilities, can be driven by malicious programs into executing attacker-controlled code in Ring 0 (the kernel). The approach is particularly useful for attacking systems with robust user-level defenses. BYOVD is based on the premise that, although modern operating systems have improved their security to prevent user-level privilege escalation, they remain vulnerable to threats that originate at the kernel level. Attackers can exploit insecure or outdated device drivers to gain access to ...


CVE-2023-2825: Critical vulnerability affects Gitlab

By Administrador | 30 May 2023

Information about a new critical vulnerability affecting GitLab has been disclosed. It would allow a remote attacker to exploit a path traversal flaw and read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. N+1 groups are needed to climb N directories; in a default installation, 11 groups would be needed to reach the server root directory, since uploaded files are stored under the following path: /var/opt/gitlab/gitlab-rails/uploads/@hashed/<a>/<b>/<secret>/<secret>/<file>. GitLab Inc. is an open source company and the leading provider of GitLab, a Git-based version control and DevOps web service. CVE-2023-2825 main characteristics. The main characteristics of the CVE-2023-2825 vulnerability are detailed ...


DNS Water Torture: how not to drown in this tsunami of requests

By Administrador | 24 May 2023

Through DNS Water Torture, attackers send an avalanche of requests to saturate the capacity of DNS servers and cause a denial of service. Companies are the main target of many cybercriminals, and in many cases DNS servers are the bullseye at which they aim. Thus, through denial-of-service attacks such as DNS Water Torture, attackers try to take down DNS service and, with it, prevent access to web services among others. DDoS attacks attempt to disrupt the websites and systems of organisations by launching vast volumes of requests. Also known as distributed denial-of-service attacks, they seek to saturate server capacity, causing a collapse and degrading the experience of legitimate users. Attacks of this nature have taken place more than two ...


CVE-2023-32233: Privilege escalation in Linux Kernel due to a Netfilter nf_tables vulnerability

By Administrador | 18 May 2023

Recently, a use-after-free vulnerability (CVE-2023-32233) has been published that would allow unprivileged local users to obtain root privileges on Linux kernel versions 6.3.1 and earlier. The issue, reported by researchers Patryk Sondej and Piotr Krysiuk, is due to improper handling of anonymous sets in the Netfilter nf_tables module and can be exploited to perform read and write operations in kernel memory. It should be noted that the affected nf_tables module is enabled by default in many Linux distributions, so the number of potentially affected systems is high. Although the vulnerability was reported on 8 May 2023, functional proofs of concept have been released in public repositories in recent days, and they show successful execution of the ...


CVE-2023-27363: Proof of concept for remote code execution in Foxit Reader

By Administrador | 15 May 2023

Following the initial announcement of a critical vulnerability (CVE-2023-27363) that allows remote code execution in Foxit Reader, a functional proof of concept has recently been released that demonstrates exploitation of the vulnerability through a specially crafted PDF document. A GIF published on GitHub shows the PoC running. Foxit Reader is a popular free PDF reader, often chosen as an alternative to Adobe's PDF reader. The vulnerability CVE-2023-27363, initially reported by researcher Andrea Micalizzi, exploits a flaw in the handling of certain JavaScript code when validating the cPath parameter of the exportXFAData method. This allows arbitrary file writes on the system in the context of ...


Fancy Bear and where to find them

By Administrador | 28 Mar. 2023

Spain has recently been targeted by several APTs (Advanced Persistent Threats) [1], among which is APT28, also known as Fancy Bear. This group goes by many names depending on the researchers referring to it; some of them are Sofacy, Group 74, Pawn Storm, Sednit and Strontium. Here we will refer to the group as Fancy Bear. Who is Fancy Bear? Fancy Bear is a Russian APT group, supposedly linked to the GRU (Russia's Main Intelligence Directorate). They started operating between 2004 and 2004, and their main goals are espionage and information theft. They are especially interested in information that could be useful to the Russian government, and for this reason they normally target sectors related to ...


BlueTrust, goodbye to Bluetooth privacy

By Administrador | 8 Mar. 2023

BlueTrust is the name of a new technique developed by Tarlogic that makes it possible to discover trust relationships between Bluetooth devices in order to obtain data of interest about their users. This continues our series of research articles on Bluetooth technology and the attacks that exist against the protocol. Previously, the BIAS and BLESA attacks (introduction to BIAS and BLESA attacks) and KNOB and BLURtooth (KNOB and BLURtooth attacks) were analysed from a theoretical standpoint. This article shows how to reproduce and implement the BIAS and KNOB attacks. As one might expect, the leap from the academic (and theoretical) world to the real (and practical) one is neither immediate nor straightforward. The main problems and obstacles encountered, and how they were overcome, will be ...
