Hello world!

At JUMPSEC we’ve managed to get our hands on tickets to what is probably the greatest cyber security event in the calendar, HackFu!

In order to be in with a chance of winning you simply need to complete the following challenge, which you can download here (the download contains all the information needed to complete the challenge): https://drive.google.com/file/d/1WFU23lFzGtxW4U5_FPzlbM4auHSZTiGt/view?usp=sharing

The deadline for submissions is 6th January 2021; we will announce the lucky winner on 8th January 2021. You don't need to, but feel free to add a bit of detail to your submission - we love hearing about the creative ways in which people solve our challenges.

In order to be eligible to win a HackFu ticket you must be able to attend HackFu on Friday 29th January 2021 between 09:30 and 17:30 GMT (it is an online event due to the global pandemic) and you must be at least...
JUMPSEC LABS
The JUMPSEC Lab is a place where the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, and with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon
Recently we posted a bunch of advisories relating to Ivanti Unified Endpoint Manager, a couple of which are for vulnerabilities which can be used to achieve local privilege escalation. We will give a brief explanation of the vulnerabilities and an example of Sysmon configuration rules to log exploitation attempts, along with the rationale behind them so you can adapt them to your existing configuration if needed.
Advisory CVE-2020-13773 – Ivanti Unified Endpoint Manager Reflected XSS
Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13773
Published: 13/11/2020
CVSS 3.1 Score: 5.5 -...
Advisory CVE-2020-13769 – Ivanti Unified Endpoint Manager SQL injection
A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks against the underlying database. On a standard installation with default options, the account used to query the database is the database administrator.
Advisory CVE-2020-13772 – Ivanti Unified Endpoint Manager system information disclosure
Ivanti Unified Endpoint Manager’s “ldcient” component exposes information about the system that could be used in further attacks against the system.
Advisory CVE-2020-13774 – Ivanti Unified Endpoint Manager authenticated RCE via file upload
Improper validation of the file upload functionality present in Ivanti Unified Endpoint Manager’s web management console permits an authenticated user to upload .aspx files and execute them in the MS IIS server’s context. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure leave the temporarily created files in an accessible location on the server.
Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation
Several services access named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account holding SeImpersonatePrivilege (e.g. user ‘NT AUTHORITY\NETWORK SERVICE’).
Advisory CVE-2020-13771 – Ivanti Unified Endpoint Manager DLL search order hijacking privilege escalation
Various services running as user ‘NT AUTHORITY\SYSTEM’ rely on Windows’ DLL search order to load DLL files that are not present on the filesystem. Under certain circumstances, a local attacker would be able to place a malicious DLL file to obtain code execution in the vulnerable service’s context and elevate privileges.
Pwning Windows Event Logging with YARA rules
The Event Log, coupled with Windows Event Forwarding and Sysmon, can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for attackers. Before privilege escalation there is a limit to what we can do to evade event logging, but once privileges have been elevated it is a level playing field. In the past I have released a...
Defending Your Malware
Malware is an important part of an engagement, though as many security solutions are now evolving past rudimentary signature comparisons to more advanced techniques for detecting malicious activity, it is important that we as attackers understand the methods they are using and how we can avoid them. Consider, for example, the following code I wrote. #include <stdio.h> #include <windows.h>...
shad0w
Post exploitation is a large part of a red team engagement. While many organisations begin to mature and start to deploy a range of sophisticated Endpoint Detection & Response (EDR) solutions onto their networks, it requires us, as attackers, to also mature. We need to upgrade our arsenal to give us the capabilities to successfully operate on their networks. That is why today I am releasing shad0w.
shad0w is a post exploitation framework which is designed to operate covertly on such networks, providing the operator with much greater control over their engagements. Over future blog posts I will go into greater detail on the intricacies of how shad0w works. This blog post will, therefore, serve as an introduction into the usage and features that shad0w has to offer.