End-of-Day report
Timeframe: Friday 06-12-2019 18:00 - Monday 09-12-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
SCshell: Fileless Lateral Movement Using Service Manager
During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort to detect this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fileless-lateral-movement-using-service-manager/
We thought they were potatoes but they were beans (from Service Account to SYSTEM again)
Nevertheless, we decided to do some further research in order to understand if any bypass of the new OXID resolver restrictions, which in fact inhibits resolver requests over a port different to 135, is still possible.
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
Detecting unsafe path access patterns with PathAuditor
Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer
#!/bin/sh
cat /home/user/foo
What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used? Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec.
https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html
Vulnerabilities
NVIDIA Patches Severe Flaws in Mercedes Infotainment System Chips
NVIDIA released security updates for six high severity vulnerabilities found in the Tegra Linux Driver Package (L4T) for Jetson AGX Xavier, TK1, TX1, TX2, and Nano chips used in Mercedes-Benz's MBUX infotainment system and Bosch self-driving computer systems.
https://www.bleepingcomputer.com/news/security/nvidia-patches-severe-flaws-in-mercedes-infotainment-system-chips/
Security updates for Monday
Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), [...]
https://lwn.net/Articles/806832/
OpenSSL: Vulnerability allows bypassing security measures
http://www.cert-bund.de/advisoryshort/CB-K19-1045
[dos] Omron PLC 1.0.0 - Denial of Service (PoC)
https://www.exploit-db.com/exploits/47757
[webapps] Alcatel-Lucent Omnivista 8770 - Remote Code Execution
https://www.exploit-db.com/exploits/47761
[webapps] Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution
https://www.exploit-db.com/exploits/47760
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-5/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-4/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-3/
Security Bulletin: IBM Planning Analytics Local is affected by security vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-local-is-affected-by-security-vulnerabilities/
Security Bulletin: Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-ibm-watson-assistant-for-ibm-cloud-pak-for-data/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-2/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind/
Security Bulletin: IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tiering-is-affected-by-a-vulnerability-in-apache-commons-compress-cve-2019-12402/
Security Bulletin: IBM Transparent Cloud Tiering is affected by Netty vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tiering-is-affected-by-netty-vulnerability/
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affect-ibm-transparent-cloud-tiering/
Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by multiple vulnerabilities in IBM® Runtime Environment Java Version 8
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transparent-cloud-tiering-is-affected-by-multiple-vulnerabilities-in-ibm-runtime-environment-java-version-8/