SharePoint Critical Vulnerability – CVE-2020-16952

CVE-2020-16952

Discovered: Proof-of-Concept released & vulnerability patched by Microsoft on October 13

Impacted Tech:

Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019

Note that SharePoint Online via Office365 is not affected.

Attacker Location: Authenticated access to SharePoint with page creation permission

Highlights: A public proof of concept is available, and the vulnerability is easy to exploit with breached credentials or by chaining it with a phishing attack.

What should I do? Apply the patch from Microsoft as soon as possible.

References:

MSFT Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
Researcher’s Advisory and PoC: https://srcincite.io/advisories/src-2020-0022/
Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/14265

Zerologon – Netlogon Critical Vulnerability

CVE-2020-1472

Discovered: Patched by Microsoft on August’s Patch Tuesday. Disclosed on September 11. Multiple public exploits available at the time of patching.

Impacted tech: Cryptography of Netlogon protocol

Attacker Location: Compromised internal computer

Highlights: Unbelievably easy to exploit

Leet was recently made aware of a critical vulnerability in Netlogon’s cryptography. The technical details were disclosed by Secura on September 11, but the vulnerability was patched on August 11 (Patch Tuesday).

CVE-2020-1472 (dubbed Zerologon) allows an attacker with an initial foothold on an internal network to change the computer account password of any domain-joined computer, so long as the compromised machine can connect to the target machine. Secura states that “by forging an authentication token for specific Netlogon functionality, [attackers are] able to call a function to set the computer password of the Domain Controller [or any other computer] to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.”

There are multiple publicly available exploits and tools to check if you’re vulnerable.

This repository contains a PoC and a restoration script that restores the domain controller's original password:
https://github.com/dirkjanm/CVE-2020-1472
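Because the forged Netlogon call is unauthenticated, a successful Zerologon password reset leaves a distinctive footprint on the domain controller: a 4742 "A computer account was changed" event where the password of a machine account was reset by ANONYMOUS LOGON (S-1-5-7), a principal that never legitimately resets machine passwords. Patched DCs additionally log event 5829 whenever a vulnerable Netlogon secure channel is still allowed, which identifies devices that must be fixed before enforcement. The following check is an added example written for this post, not part of the original or of any vendor tool; the event records are constructed, and the simplified field names (SubjectUserSid, TargetUserName, PasswordLastSet, SamAccountName, Computer) are assumptions that mirror the XML data values of those events.

```python
from typing import Iterable, List, Tuple

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON

def is_machine_account(name: str) -> bool:
    # Machine accounts end in "$" (e.g. DC01$); user accounts do not.
    return name.endswith("$")

def zerologon_findings(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (finding, reporting_host, account) tuples for suspicious events.

    Field names are assumptions modelled on the events' XML data; adapt them
    to whatever your log pipeline emits.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            target = ev.get("TargetUserName", "")
            # A machine-account password reset performed by ANONYMOUS LOGON is
            # the classic Zerologon trace. 4742 reports "-" in PasswordLastSet
            # when the password did not change, so require a real timestamp.
            if (is_machine_account(target)
                    and ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                    and ev.get("PasswordLastSet") not in (None, "-")):
                findings.append(("zerologon_password_reset", ev.get("Computer", ""), target))
        elif eid == 5829:
            # Patched DC still accepted a vulnerable secure channel: fix this
            # device before switching the DC to enforcement mode.
            findings.append(("vulnerable_netlogon_channel_allowed",
                             ev.get("Computer", ""), ev.get("SamAccountName", "")))
    return findings

# Constructed sample records: a benign machine-password rotation by the
# machine itself, an anonymous reset of the DC's own account, a 5829 from a
# legacy device, and an unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-1-2-3-1000",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "9/12/2020 02:00:11"},
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "9/12/2020 02:03:45"},
    {"EventID": 5829, "Computer": "DC01", "SamAccountName": "OLDNAS$", "DomainName": "CORP"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in zerologon_findings(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints only the anonymous reset of DC01$ and the 5829 for OLDNAS$; the benign rotation and the 4624 logon produce nothing.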

What should I do?
Deploy the patch from August 11

References:

Secura’s Blog Post & Whitepaper:
https://www.secura.com/blog/zero-logon
https://www.secura.com/pathtoimg.php?id=2055

Microsoft’s Advisory (outdated at the time of this writing, rated as “Exploitation Less Likely” because there were no publicly available exploits when it was written on August 11).
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Apache Struts Critical Vulnerability

CVE-2019-0230

Struts allows developers to use “forced double evaluation” for tag attributes. Using this feature with user input allows malicious OGNL (Object-Graph Navigation Language) expressions to be injected by an external attacker. Depending on the injected payload, this can result in remote code execution.

In their recent announcement, Apache said “we continue to urge developers building upon Struts 2 to not use %{…} or ${…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities.”

Source: https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability

There is public exploit code available for this vulnerability.

This issue was fixed in Apache Struts 2.5.22, which was released in November 2019.

TeamViewer Critical Vulnerability

A critical vulnerability has been found in TeamViewer’s URI scheme. A crafted URI can trick the application into initiating a connection to an attacker-owned remote SMB share, which lets the attacker capture password hashes that can then be cracked offline.
An example of this attack is shown below:

Source: https://thehackernews.com/2020/08/teamviewer-password-hacking.html

Simply browsing to a web page that embeds such a URI leaks the username and NTLMv2 password hash to the attacker, allowing them to authenticate to the victim’s computer and other systems on the network. An attacker can also use tools like Responder to relay the request, which allows for arbitrary remote code execution.
While there is no evidence of this vulnerability being exploited in the wild, the simplicity of the attack leads us to believe that it is only a matter of time. Leet highly recommends that anyone using TeamViewer upgrade to version 15.8.3 as soon as possible.

Additional details can be found at the original blog post: https://thehackernews.com/2020/08/teamviewer-password-hacking.html