Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Vendor: Ivanti Pulse Secure
Vendor URL: https://www.pulsesecure.net/
Versions affected: Pulse Connect Secure (PCS) 9.1R11.5 or below
Systems Affected: Pulse Connect Secure (PCS) Appliances
Author: Richard Warren <richard.warren[at]nccgroup[dot]trust>
Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858
CVE Identifier: CVE-2021-22937
Risk: 7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary
The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite …

Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)

Vendor: Dell / PC-Doctor
Vendor URL: https://www.dell.com/support/contents/en-uk/article/product-support/self-support-knowledgebase/software-and-downloads/supportassist
Versions affected: SupportAssist for Windows version 3.7 or higher, between 2020-08-28 and 2020-10-22
Systems Affected: Windows
Author: richard.warren[at]nccgroup[dot]com
Advisory URL: https://www.dell.com/support/kbdoc/000184012
CVE Identifier: CVE-2021-21518
Risk: CVSSv3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Summary
When running PC-Doctor modules, the Dell SupportAssist service attempted to load DLLs from a world-writable directory. Furthermore, it did …

Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)

Vendor: Pulse Secure
Vendor URL: https://www.pulsesecure.net/
Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below
Systems Affected: Pulse Connect Secure (PCS) Appliances
CVE Identifier: CVE-2020-8255
Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
Risk: 4.9 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash - david.cash[at]nccgroup[dot]com

Summary
Pulse Connect Secure suffers from an arbitrary file read vulnerability in the pre/post …

Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)

Vendor: Pulse Secure
Vendor URL: https://www.pulsesecure.net/
Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below
Systems Affected: Pulse Connect Secure (PCS) Appliances
CVE Identifier: CVE-2020-8260
Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash - david.cash[at]nccgroup[dot]com

Summary
The Pulse Connect Secure appliance suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in …
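The two Pulse Connect Secure advisories above (CVE-2021-22937 and CVE-2020-8260) both concern extraction of an attacker-supplied archive whose entry names are used as output paths without being checked, so an entry such as `../x` lands outside the extraction directory. The following Python is an added illustration of that bug class and is not code from the advisories or from the appliance: a naive extractor that simply joins each entry name onto the destination directory, beside a hardened one that resolves every target path, rejects links, and refuses anything that would escape the destination. The archive is constructed in memory; its entry names, the `dest` layout and the function names are assumptions made for the demonstration.

```python
"""Uncontrolled archive extraction: the vulnerable pattern beside a hardened one.

Added illustration of the bug class behind the Pulse archive/gzip extraction
advisories; this is not Pulse Secure's code. The archive is built in memory.
"""
import io
import os
import tarfile


def build_archive(members):
    """Build an in-memory .tar.gz from (name, bytes) pairs (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: one benign entry and one whose name climbs out of the
# extraction directory (the shape of entry the advisories describe).
SAMPLE_ARCHIVE = build_archive([
    ("config/settings.txt", b"benign"),
    ("../escaped.txt", b"overwritten"),
])


def is_within(directory, target):
    """True if target resolves to a path inside directory (symlinks and '..' resolved)."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def extract_unchecked(archive_bytes, dest):
    """Vulnerable: trusts member names, so '..' and absolute names escape dest.
    Returns the real paths that were written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf:
            if not member.isfile():
                continue
            path = os.path.join(dest, member.name)  # no check: '../x' leaves dest
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(tf.extractfile(member).read())
            written.append(os.path.realpath(path))
    return written


def extract_checked(archive_bytes, dest):
    """Hardened: reject links and any member that would land outside dest.
    Returns (written real paths, rejected member names)."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf:
            # A link inside dest can redirect a later write outside it; refuse them.
            if member.issym() or member.islnk():
                rejected.append(member.name)
                continue
            path = os.path.join(dest, member.name)
            if os.path.isabs(member.name) or not is_within(dest, path):
                rejected.append(member.name)
                continue
            if not member.isfile():
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(tf.extractfile(member).read())
            written.append(os.path.realpath(path))
    return written, rejected


def demo():
    """Run both extractors on SAMPLE_ARCHIVE inside a scratch directory and
    report where the files ended up."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        safe_dest = os.path.join(tmp, "safe")
        unsafe_dest = os.path.join(tmp, "unsafe")
        os.makedirs(safe_dest)
        os.makedirs(unsafe_dest)
        written, rejected = extract_checked(SAMPLE_ARCHIVE, safe_dest)
        leaked = extract_unchecked(SAMPLE_ARCHIVE, unsafe_dest)
        return {
            "rejected": rejected,
            "checked_inside": all(is_within(safe_dest, p) for p in written),
            "unchecked_escaped": [p for p in leaked if not is_within(unsafe_dest, p)],
            # The unchecked extractor wrote tmp/escaped.txt, one level above its dest.
            "escaped_file_exists": os.path.exists(os.path.join(tmp, "escaped.txt")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check belongs at the point where an entry name becomes a filesystem path, which is why the gzip layer is irrelevant to the fix: decompressing is harmless, writing the result to an unvalidated path is not. The same holds for links, which is why the hardened version refuses them rather than trying to validate their targets. On Python 3.12 and later, `tarfile` extraction filters (`filter="data"`) apply equivalent rules; the manual version above behaves the same on any interpreter.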

Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)

Vendor: Pulse Secure
Vendor URL: https://www.pulsesecure.net/
Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below
Systems Affected: Pulse Connect Secure (PCS) Appliances
Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash - david.cash[at]nccgroup[dot]com
CVE Identifier: CVE-2020-8243
Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588
Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary
Pulse Connect Secure (PCS) appliances before …

Smuggling HTA files in Internet Explorer/Edge

In this blog post, we will demonstrate how attackers can serve malicious HTML Application (HTA) [1] files in a way that may bypass traditional proxy filtering. We will also cover some defensive mechanisms that can be used to prevent such attacks. Background When carrying out Red Team engagements for our clients, we often attempt to gain code …

SCOMplicated? – Decrypting SCOM “RunAs” credentials

This post will detail how it is possible to compromise a System Center Operations Manager (SCOM) server and extract the plaintext RunAs credentials from the database. We will also provide tips on how to detect such attacks. What are RunAs credentials? In brief, when creating a SCOM workflow, RunAs profiles (and in turn RunAs accounts) …

Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers

A number of weeks back, security researcher Parvez Anwar posted a number of DLL hijacking vulnerabilities within Microsoft Office on Twitter [1]. The following week, Microsoft released MS15-132, which addressed some of these vulnerabilities, along with a large number of very similar bugs reported by others in various guises [2] [3]. The vulnerabilities that were uncovered were reported to affect …

Content Security Policies and Popular CMS Systems

The problem Recently I have been looking into Content Security Policy (CSP) and how widely it has been deployed. If you are unfamiliar with CSP, then a very good explanation can be found here. Basically, CSP provides a way to protect against Cross Site Scripting (XSS) and similar content injection attacks by defining exactly what should …