Trojan under the .NET platform remains unchanged for a hundred years (22nd Jul 2020)

Preface: SharePoint simply does not use .NET Framework versions that do not apply to it. For example, SharePoint 2010 uses .NET 2.0; if you install .NET 4, SharePoint 2010 leaves it unused. SharePoint 2019 uses .NET 4.7, and any lower version is simply not used.

Background: Using Microsoft SharePoint as a CRM or as an external portal has been a popular setup in the past few years. SharePoint is a web-based platform built on top of the ASP.NET framework. Many companies favor it because its interface integrates fully with Microsoft Office.
Remark: SharePoint Server includes a set of web parts that users can add to pages after installing the product. If an organization needs custom web parts, a developer can write custom ASP.NET web parts and install them.

Design weakness: In .NET platform applications, Response.Write is executed by default once the connection is established. Because the code-behind modules are compiled first, all of the output generated by Response.Write, Response.WriteFile, or inline server-side <SCRIPT> tags appears before any HTML tags when the HTML output is sent to the browser. Coincidentally, the Chopper technique has a way to attack ASP.NET applications on the .NET Framework.

Current status: Cyber criminals target insecure default configurations in common web servers. Generally speaking, they use their initial unauthorized access to place malicious web shell programs and credential-stealing software on victim networks, which allows them to remotely execute commands on victim computers and related entities.

Windows 10 command “wsreset” combined with “mklink” gives a way to bypass User Account Control (21st Jul 2020)

Preface: Known UAC bypass techniques include using Eventvwr and the registry key, or using COM handler hijacking.

A new way with a different technique: WSReset[.]exe opens the Windows Store app and clears the Windows Store cache when the cache is damaged or you encounter problems using the Windows Store. If an attacker can create a link that points the \InetCookies path (refer to the attached diagram) to a target directory of the attacker’s choice, that target directory is the one deleted when wsreset runs.

Observation: The power of this UAC bypass extends to evading access control. A security expert found this design weakness and built a proof of concept showing how to delete an antivirus folder, which makes the antivirus malfunction after a reboot.
This finding was a wake-up call for me. Microsoft UAC, a security boundary, gives attackers an opportunity.
From a technical point of view, quite a lot of antivirus software holds a file lock while its process is running, so an attacker may not be able to use this method to compromise a machine.
However, directory junctions can be created by any user and do not require administrator privileges, which makes them well suited to exploitation by an attacker. We keep our eyes open to see whether the vendor will address this technical matter.

Sometimes he is a friend, but suddenly….(MAR-10296782-1.v1 – SOREFANG) – 29th Jul 2020 [Recent goal: Targeting COVID-19 Research, Vaccine Development]

Preface: It looks as if whoever has a COVID-19 vaccine will be granted dominance over the world.

Reference: DVC APIs help you implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other. A remote code execution vulnerability exists in Remote Desktop Services. When an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests,…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal. However, everyone is looking for a vaccine. My personal interest drew my attention to a malware family called “SOREFANG”. It looks as if a vendor became a victim in this case, because the attacker or APT group re-engineered their VPN software. As a matter of fact, the company has a large footprint in China. The details of my observation and research are written down in the attached diagram. Those who are interested, please refer to the attached diagram.

Highlight: Vendor announcement: The only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by the attacker.

Oracle CVE-2020-14606 & CVE-2020-14701. It makes interested people want to know more (17-7-2020)

Preface: Injecting a forged TCP packet into an existing TCP session can only be done on unsecured sessions (not HTTPS).

About Oracle Critical Patch Update – July 2020: When I opened the related Oracle article, it was amazing that it contained a whole bunch of vulnerability details. Meanwhile, I had a headache over how to conduct my analysis correctly. As usual, Oracle does not want to disclose the details of the vulnerabilities; maybe this is company policy!

In short, I did research and analysis on the SD-WAN topic. As mentioned, the data provided by the vendor is not clear, so I did the analysis and summarized my findings based on the circumstances below. My observation found the following matter close to the vulnerability (CVE-2020-14606).

The Oracle SD-WAN Edge 8.2 features guide has the following details:
Issue:29989632 (19500) – User Names can now contain several special characters that were previously disallowed: @, /, and \ . (APN 8.1 P1)
Issue:29986230 (15145) – The special characters ‘/’, ‘ \ ‘, and ‘@’ are now permitted in Aware usernames.

Speculation: Perhaps the regular expression does not correctly filter the special character “\”, especially when “\” is contained in HTTP, and this causes HTTP Response Splitting.

For the rest of the vulnerabilities, please refer to the link – https://www.oracle.com/security-alerts/cpujul2020verbose.html

Point of view – CVE-2020-1350 Windows DNS Server RCE (14th Jul 2020)

Preface: Perhaps we have ignored DNS server-side design weaknesses so far. They are on the way to impacting the cyber security world.

Background: DNS is a hierarchical client-server protocol. Each domain is served by one or more DNS servers, meaning requests for subdomains are sent to these servers. Replies can also be cached by intermediate servers in order to improve performance.

(CVE-2020-1350) Vulnerability detail: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Official detail – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Observation: The RDLENGTH bounds-check design weakness may be related to triggering this flaw. If the pointer arithmetic overflows and wraps around (undefined behaviour), an attacker can circumvent the bounds check, exposing a buffer overflow, since the attacker-controlled addrlen is later used in memcpy(addr_out, bufpos, addrlen), potentially allowing code execution.
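As an added example (not code from the advisory or from this blog), a minimal DNS resource-record parser that applies the RDLENGTH bounds check in the safe form, comparing the claimed length with the bytes that actually remain, rather than the pointer-sum form (bufpos + addrlen > end) that can wrap in C. The build_rr helper and the forged record are constructed for the example; Python integers do not wrap, so the point is the check itself before any copy.

```python
import struct

DNS_RR_FIXED = struct.Struct("!HHIH")  # TYPE, CLASS, TTL, RDLENGTH (RFC 1035 wire order)

def read_name(buf, pos):
    """Return (dotted_name, new_pos) for an uncompressed wire-format name."""
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of buffer")
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        if n > len(buf) - pos:
            raise ValueError("label runs past end of buffer")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def parse_rr(buf, pos=0):
    """Parse one RR; reject any RDLENGTH larger than the remaining bytes."""
    name, pos = read_name(buf, pos)
    if len(buf) - pos < DNS_RR_FIXED.size:
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = DNS_RR_FIXED.unpack_from(buf, pos)
    pos += DNS_RR_FIXED.size
    # Safe form: compare the attacker-controlled length with what remains.
    # The unsafe C form, bufpos + rdlength > bufend, may wrap and pass.
    remaining = len(buf) - pos
    if rdlength > remaining:
        raise ValueError(f"RDLENGTH {rdlength} exceeds {remaining} remaining bytes")
    rdata = bytes(buf[pos:pos + rdlength])
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, pos + rdlength

def rr_is_well_formed(buf):
    """True if buf holds exactly one RR whose RDLENGTH fits the buffer."""
    try:
        _, end = parse_rr(buf)
    except ValueError:
        return False
    return end == len(buf)

def build_rr(name, rtype, rdata, rdlength=None, ttl=300):
    """Constructed test helper; rdlength may be forged to disagree with rdata."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    wire += b"\x00" + DNS_RR_FIXED.pack(rtype, 1, ttl, len(rdata) if rdlength is None else rdlength)
    return wire + rdata
```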

Even if you have a Phoenix shield, everything depends on the endpoint – 14th Jul 2020

Preface: Mobile has 50.13%, desktop has 47.06% (June 2019 – June 2020)

Background: MobileIron helps you simplify the configuration of enterprise settings including email, Wi-Fi, VPN and more. MobileIron also provides unified endpoint management and enterprise mobility management (EMM) for mobile devices.

Vulnerability details: Please refer to the URL https://www.mobileiron.com/en/blog/mobileiron-security-updates-available

Comment: The official announcement did not give a reason for the vulnerability. We can use assumptions to understand the popular cyber attack techniques. Apart from the scenario displayed in the attached diagram, the attacker can use malware to carry out the attack. For instance, an attacker can implant malware on the endpoint through a phishing attack. The malware can read the plaintext derived credentials from flash storage after the software token has been activated, and transmit them to the adversary responsible for the malware, who can then use them at will on a different machine.

Reflections on the PoC – Aruba ClearPass Policy Manager multiple vulnerabilities (13th Jul 2020)

Preface: WiFi started out serving a small group of access points and has extended into enterprise infrastructure nowadays. Even IoT 4.0 and industrial systems, especially ICS and IACS systems, carry its footprint.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPN infrastructure.

About the subject: The official announcement was released on 2nd June 2020 – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-005.txt

However, the details of the PoC were released only 2 days ago. The PoC shows that it requires the C preprocessor generic programming interface defined in unistd[.]h. In addition, it requires a compiler and re-engineering of the payload library.
But the most important thing is that to successfully use the PoC code, user authentication is required. However, if the system administrator has not patched CVE-2018-7076 in the past, this benefits attackers: the vulnerabilities discovered in June 2020 become easy to exploit.

Security focus: Citrix security bulletin CTX276688 (9th Jul 2020)

Preface: Typically, North-South traffic is load balanced by Ingress devices such as Citrix ADCs while East-West traffic is load balanced by kube-proxy. Since kube-proxy only provides limited layer-4 load balancing, service owners can utilize the Citrix ingress controller to achieve sophisticated layer-7 controls for East-West traffic using the Ingress CPX ADCs.

Security Focus: With reference to the Citrix technical article (Security Bulletin CTX276688), there are a total of 11 vulnerabilities. Because of CVE-2020-8191 (Reflected Cross Site Scripting (XSS)), an attacker has a way to use the XSS vulnerability to steal the session cookie. This design weakness is relevant to the other vulnerabilities that require user credentials.

Background: The NSIP address is the IP address at which you access the Citrix ADC appliance for management purposes. The appliance can have only one NSIP, which is also called the management IP address. You must add this IP address when you configure the Citrix ADC for the first time. You cannot remove an NSIP address.

Vulnerability detail: Citrix ADC and Citrix Gateway could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. The XSS vulnerability can be used to steal the session cookie.

Official announcement – https://support.citrix.com/article/CTX276688

VMware release security update for VeloCloud – 7th Jul 2020

Background: The VMware SD-WAN Orchestrator provides centralized enterprise-wide installation, configuration and real-time monitoring in addition to orchestrating the data flow through the cloud network.

Technical highlight – The VeloCloud Orchestrator (VCO) stores only flow statistics with high resolution to provide visibility and troubleshooting capability.
By default, a maximum of one million flows are rolled up per edge per day. This averages out to approximately 3500 flows per 5-minute push.

Vulnerability details: In the 3.3.0 release, the VeloCloud Orchestrator (VCO) stores only flow statistics with high resolution to provide visibility and troubleshooting capability. In the 3.3.2 release, VCO supports retention of flow stats for up to one year by rolling up flow stats for every edge on a daily basis. So the VeloCloud Orchestrator needs to connect to a MySQL server. Meanwhile, it has a design weakness: the original design does not apply correct input validation, which allows blind SQL injection.

Impact: An attacker can craft SQL queries and obtain data to which they are not privileged.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0016.html

Bootstrap modal forms capable of live add, edit and delete of DataTables records – stay alert (7th Jul 2020)

Preface: Bootstrap modal forms are displayed-on-action pop-up forms used for gathering data from website visitors and for registering or logging in users.

Background: PHPZAG[.]COM is a programming blog that publishes practical and useful tutorials for programmers and web developers.

Solution formulated by PHPZAG – Live Add, Edit and Delete Datatables Records with Ajax, PHP & MySQL:
Step 1 – Handle the modal form submit using jQuery and make an Ajax request with action addRecord to add new records.
Step 2 – Call the method addRecord() on action addRecord to add new records.
Step 3 – Create the method addRecord() in class Records.php to add new records into the MySQL database.

The vulnerability was found on 19th May 2020, but NVD finally published it on 7th July 2020. The source file can be downloaded from the following URL – https://www.phpzag.com/live-add-edit-delete-datatables-records-with-ajax-php-mysql/

Vulnerability details:
CVE-2020-8519 SQL injection in the ‘search’ parameter
CVE-2020-8520 SQL injection in line 29 with the ‘order’ and ‘column’ parameters
CVE-2020-8521 SQL injection in line 35 with the ‘start’ and ‘length’ parameters
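The three CVEs above, like the blind SQL injection in the VeloCloud Orchestrator entry, come from building a query out of request parameters. As an added example (not PHPZAG's PHP, and not any vendor's code), this Python sketch handles each DataTables parameter class the way it needs: ‘search’ is bound as a parameter, ‘order’ and ‘column’ cannot be bound (they are identifiers and keywords) so they are looked up in an allow-list, and ‘start’/‘length’ are coerced to bounded integers. The table, column names and sample rows are constructed, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Allow-list of sortable columns and order keywords (constructed for this example).
ALLOWED_COLUMNS = {"id": "id", "name": "name", "email": "email"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE = 100

def build_query(params):
    """Turn DataTables request parameters into (sql, bind_values) or raise ValueError."""
    # ORDER BY identifiers/keywords: allow-list lookup, anything unknown is rejected.
    column = ALLOWED_COLUMNS.get(str(params.get("column", "id")))
    order = ALLOWED_ORDER.get(str(params.get("order", "asc")).lower())
    if column is None or order is None:
        raise ValueError("invalid sort column or order")
    # LIMIT/OFFSET: must be integers within sane bounds.
    try:
        start = max(0, int(params.get("start", 0)))
        length = min(MAX_PAGE, max(1, int(params.get("length", 10))))
    except (TypeError, ValueError):
        raise ValueError("start/length must be integers")
    # Free-text search is bound, never concatenated into the SQL string.
    like = "%" + str(params.get("search", "")) + "%"
    sql = (f"SELECT id, name, email FROM records "
           f"WHERE name LIKE ? OR email LIKE ? "
           f"ORDER BY {column} {order} LIMIT ? OFFSET ?")
    return sql, (like, like, length, start)

def fetch_records(conn, params):
    sql, binds = build_query(params)
    return conn.execute(sql, binds).fetchall()

def is_rejected(params):
    """True when build_query refuses the parameters."""
    try:
        build_query(params)
    except ValueError:
        return True
    return False

def demo_db():
    """Constructed in-memory table standing in for the MySQL records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO records (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    return conn
```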

antihackingonline.com