Follina MSDT (CVE-2022-30190)

Follina is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). It lets a remote attacker use a Microsoft Office document template to execute code through MSDT. This works thanks to the ability of Office document templates to download additional content from a remote server. If the downloaded content is large enough it can overflow the allocated memory, causing a buffer overflow and allowing a PowerShell payload to run without the user being notified. After this, an attacker can install programs; view, change or delete data; or create new accounts, within the limits of the user's rights.

Buffer overflow: think of the memory allocated to a variable as a cup; when the cup is full it overflows, and the same happens to the allocated memory, permitting the execution of commands with the privileges of the user who ran the program.

Remediation: before Microsoft released a patch, the only workaround was to delete the MSDT registry entry responsible for this vulnerability.

On June 14 2022 Microsoft released a patch for this vulnerability.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

For those who want to learn more, I'll leave two links:

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Dirty Pipe (CVE-2022-0847)

The latest major Linux kernel vulnerability affects Linux kernels from version 5.8 onwards and allows privilege escalation by writing into read-only files. But which devices are affected? Well, the latest versions of Android and some distributions such as Ubuntu, Debian and Fedora.

Workflow of the vulnerability:

I will try not to go into too much technical detail, but we have to understand some concepts before diving into this vulnerability.

Pipe flags: specify characteristics like status and permissions; we are going to use these to elevate our privileges.

Pages: the smallest unit of memory managed by the CPU, usually 4 KiB on modern systems. They are used when reading and writing files from disk.

Page cache: the part of the kernel that manages these pages.

Pipes: used for inter-process communication; they are commonly backed by shared memory pages, where one process writes and another reads.

First, we open a file in read mode; this is the file that will later be written to.
Then we create a pipe with the pipe() system call, which gives the same process the descriptors that allow writing to and reading from the pipe.

Afterwards, we write any kind of data into this pipe to fill it, so that its memory pages get flagged with PIPE_BUF_FLAG_CAN_MERGE.

Once every page has been flagged, reading all the data back out of the pipe lets the kernel free them.

After this, when the kernel reserves new pipe memory pages it does not initialise their flags, so they still carry the PIPE_BUF_FLAG_CAN_MERGE flag.

Then the splice() function is used to load the file opened at the beginning into the pipe, and the data in the pipe (now the file's own cached page) gets overwritten directly.

Okay, that was dry, but I wanted to show how this works so you understand the nature of this vulnerability better. What is interesting is that an attacker with the right script can overwrite any file on the system they have read permission on.

After gaining a foothold on a system, an attacker can elevate their privileges using this kind of kernel vulnerability and install ransomware, steal your data, manipulate transactions, etc.

Remediation: Nice and simple, update your kernel.

Patched versions of the Linux kernel have been released for the supported major kernel versions; specifically, the vulnerability is fixed in Linux kernel versions 5.16.11, 5.15.25 and 5.10.102.
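As an added example (not part of the original post): a small Python check that compares a `uname -r` string against the affected range and the fixed versions listed above. It assumes the upstream version number tells the whole story, which is not true for distro kernels that backport the fix without bumping the version.

```python
import re

# Fixed versions named above; anything in the same stable series
# at or above these carries the fix.
FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)          # the bug was introduced in 5.8


def parse_kernel_version(release: str):
    """Turn a `uname -r` string such as '5.13.0-52-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release against the CVE-2022-0847 affected range.

    Returns 'not affected', 'patched' or 'vulnerable'. Only the upstream
    version number is inspected (assumption): distribution kernels that
    backport the fix are reported as vulnerable here, and release candidates
    are not handled, so confirm against your distro's advisory.
    """
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < FIRST_AFFECTED:
        return "not affected"        # older than 5.8
    if (major, minor) > (5, 16):
        return "not affected"        # 5.17 and later shipped with the fix
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "vulnerable"          # 5.8 to 5.14 series never received a stable fix
    return "patched" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {dirty_pipe_status(rel)}")
```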

Log4j (CVE-2021-44228)

This vulnerability was discovered on December 9th, 2021, with a severity score of 10.0 (the most critical rating), and gives remote code execution (RCE) on hosts running software that uses a vulnerable Log4j version.

If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is a logging package used by millions of applications around the world, which creates an enormous attack surface. We will keep seeing this vulnerability for years to come.

Remediation: update your applications to the latest version of Log4j (currently 2.17.0). From version 2.16.0 onwards, JNDI is fully disabled, message lookups are removed and the DoS vulnerability (CVE-2021-45046) is not present.
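An added example, not code from the original post: a Python check that opens a jar, reads the log4j-core version from its Maven pom.properties and reports whether JndiLookup.class is still bundled, flagging anything below 2.17.0 as needing the update above. The sample jar it builds is constructed for the demo, not a real Log4j artifact.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)       # version recommended above


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Report the bundled log4j-core version and whether JndiLookup.class is present."""
    result = {"version": None, "jndi_lookup_present": False, "needs_update": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        result["jndi_lookup_present"] = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
    if result["version"] is not None:
        result["needs_update"] = parse_version(result["version"]) < FIXED_VERSION
    elif result["jndi_lookup_present"]:
        result["needs_update"] = True   # no readable version, but the risky class is there
    return result


def make_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Build a constructed stand-in for log4j-core-<version>.jar (not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.16.0", "2.17.0"):
        print(ver, inspect_log4j_jar(make_sample_jar(ver)))
```

To scan a real deployment, pass `open(path, "rb").read()` for each jar found under the application's lib directory.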

Atlassian hardcoded credentials

This one is an exploit from the end of last month, so it's fairly new. Atlassian, a software engineering company, warned its customers to immediately patch a critical vulnerability that allows remote adversaries to log into unpatched Confluence Server and Data Center instances.

The credentials become exposed after installing the Questions for Confluence app (versions 2.7.34, 2.7.35 and 3.0.2) on Confluence Server and Data Center, for a user account with the username disabledsystemuser. This is common among developers, since such accounts help them improve their product, but they sometimes forget to remove the user.

This vulnerability was patched on 22/7/22.

Remediation: update the Questions for Confluence app to a fixed version (greater than 3.0.5), which removes the hardcoded user.

VMware vulnerabilities

This year we have had three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, CVE-2022-31665) and another three local privilege escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664).

On the second of August, VMware warned sysadmins to apply a critical patch. It fixes an authentication bypass flaw affecting local domain users in some of their products, which lets unauthenticated attackers escalate their privileges to admin.

This flaw (CVE-2022-31656) has a severity of 9.8, so if your VMware version is affected, patch immediately. At the time of writing there is no evidence of exploitation in the wild.

Remediation: install the newest security updates for VMware.

These were my favourite CVEs of the year 2022, but if I have to pick one it would be Follina. My first and favourite advanced exploitation technique was macros (injecting malicious code into a doc/docx file so that the code runs when the user enables editing). It has been patched since Office 2007, but it can still work if you create a doc file with older Office software. The only downside is that the user has to enable editing…

But that's for another day. Hope you all enjoyed today's post and that you are having a nice weekend!