Latest Articles
QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031)
Software: QUEST KACE Desktop Authority
Affected Versions: 11.1 and earlier
Vendor page: https://www.quest.com/products/kace-desktop-authority/
CVE Reference: CVE-2021-44031
Published: 19/11/2021
CVSS 3.1 Score: 9.8 Critical
Attack Vector: Pre-authenticated Remote Code Execution
Credits: Tom Ellson

JUMPSEC recently discovered multiple vulnerabilities in Quest KACE Desktop Authority 11.1, an endpoint management system that is used widely across the globe and is prevalent within a wide range of organisations. Successful exploitation of these vulnerabilities allows an adversary to achieve remote code execution on the KACE Desktop Authority platform without first needing to authenticate to the service.
September 8, 2022, Tom Ellison
Abusing SharedUserData For Defense Evasion and Exploitation
Over the past few weeks, I have been working on a custom packer in my spare time. In doing so, I needed a method of delaying execution within the unpacker stub that didn't call any pre-defined functions. This post documents what I discovered during this project, as well as some future plans I have for this method.

Contents:
- What is SharedUserData and why does it exist?
- _KUSER_SHARED_DATA structure
- KSYSTEM_TIME structure
- SystemTime attribute
- How can this be abused?
- Get epoch time without function calls in C
- Time-dependent exploit development

What is SharedUserData and why does it exist?

The main purpose of SharedUserData is to provide all Windows processes (Windows NT onwards) with a global and consistent method of obtaining frequently accessed information such as the current system time or interrupt ticks. Reading it is faster than incurring the performance cost of a syscall, or of calling a function such as RtlTimeToSecondsSince1980.
August 11, 2022, Jordan Jay
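The technique the SharedUserData excerpt above describes, as an added example written for this listing and not code from the original post: it reads SystemTime out of the shared page with the torn-read check the KSYSTEM_TIME layout requires, converts the FILETIME-style count to Unix epoch seconds, and builds a delay loop on it that calls no imported function. The 0x7FFE0000 base address, the 0x14 offset of SystemTime, the KSYSTEM_TIME layout and the kernel's write order are assumptions taken from the documented Windows layout, not from the page; the Windows-specific read is compiled only under _WIN32, and the rest is exercised on a constructed sample value so it runs anywhere.

```c
/*
 * Added example (not from the JUMPSEC post): SystemTime straight from
 * KUSER_SHARED_DATA, with no API call and no syscall.
 *
 * Assumptions (documented Windows layout, not stated on the page):
 *   - KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every
 *     user-mode process; its SystemTime member (a KSYSTEM_TIME) is at 0x14.
 *   - SystemTime counts 100-ns intervals since 1601-01-01 UTC (FILETIME).
 *   - The kernel updates the three words separately: High2Time, then
 *     LowPart, then High1Time.
 */
#include <stdint.h>
#include <stdio.h>

typedef struct _KSYSTEM_TIME {
    uint32_t LowPart;
    int32_t  High1Time;
    int32_t  High2Time;
} KSYSTEM_TIME;

#define KUSER_SHARED_DATA_BASE   0x7FFE0000u
#define KUSER_SYSTEMTIME_OFFSET  0x14u

/* 100-ns intervals between 1601-01-01 and 1970-01-01 (the Unix epoch). */
#define EPOCH_DIFFERENCE_100NS   116444736000000000ULL

/* Torn-read-safe read: because the kernel writes the high word twice
 * (before and after the low word), a reader keeps retrying until the two
 * high words agree; only then is the low word guaranteed to belong to them. */
uint64_t read_ksystem_time(const volatile KSYSTEM_TIME *t)
{
    int32_t  high;
    uint32_t low;
    do {
        high = t->High1Time;
        low  = t->LowPart;
    } while (high != t->High2Time);
    return ((uint64_t)(uint32_t)high << 32) | low;
}

/* FILETIME-style 100-ns count -> seconds since the Unix epoch. */
uint64_t filetime_to_unix_seconds(uint64_t filetime_100ns)
{
    return (filetime_100ns - EPOCH_DIFFERENCE_100NS) / 10000000ULL;
}

/* Busy-wait until the supplied clock has advanced by `ticks` 100-ns units.
 * Nothing here touches the import table: the only memory read is the clock. */
void spin_delay_100ns(const volatile KSYSTEM_TIME *clock, uint64_t ticks)
{
    uint64_t start = read_ksystem_time(clock);
    while (read_ksystem_time(clock) - start < ticks)
        ;
}

/* Constructed sample (not a captured value): the KSYSTEM_TIME words for
 * 2021-11-19 00:00:00 UTC, i.e. FILETIME 132817536000000000, read back
 * through the same torn-read loop used against the real shared page. */
uint64_t sample_epoch_seconds(void)
{
    const uint64_t filetime = 132817536000000000ULL;
    volatile KSYSTEM_TIME sample = {
        .LowPart   = (uint32_t)(filetime & 0xFFFFFFFFu),
        .High1Time = (int32_t)(filetime >> 32),
        .High2Time = (int32_t)(filetime >> 32),
    };
    return filetime_to_unix_seconds(read_ksystem_time(&sample));
}

#ifdef _WIN32
/* Live read: epoch seconds from the shared page of the current process. */
uint64_t shared_user_data_epoch(void)
{
    const volatile KSYSTEM_TIME *sys = (const volatile KSYSTEM_TIME *)
        (uintptr_t)(KUSER_SHARED_DATA_BASE + KUSER_SYSTEMTIME_OFFSET);
    return filetime_to_unix_seconds(read_ksystem_time(sys));
}
#endif

int main(void)
{
    printf("epoch from constructed sample: %llu\n",
           (unsigned long long)sample_epoch_seconds());
#ifdef _WIN32
    printf("epoch from KUSER_SHARED_DATA:  %llu\n",
           (unsigned long long)shared_user_data_epoch());
    /* Roughly one second of delay with no Sleep() import. */
    spin_delay_100ns((const volatile KSYSTEM_TIME *)
        (uintptr_t)(KUSER_SHARED_DATA_BASE + KUSER_SYSTEMTIME_OFFSET),
        10000000ULL);
#endif
    return 0;
}
```

The retry loop matters: a single 64-bit load of the three words is not atomic across the kernel's update, and a packer stub that skips the check will occasionally read a time that is about 4.29 billion ticks off, which is enough to either skip the delay entirely or hang.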
(ZOHO) ManageEngine Desktop Central - Path Traversal / Arbitrary File Write
Software: Zoho ManageEngine Desktop Central
Affected Versions: Before 10.0.662
Vendor page: https://www.manageengine.com/products/desktop-central/vulnerabilities-in-reports-module.html
CVE Reference: CVE-2021-46165 & CVE-2021-46166
Published: 09/01/2022
CVSS 3.1 Score: 8.8 High
Attack Vector: SQL Injection / Arbitrary File Write
Credits: Tom Ellson

This is the second post in our two-part series on ManageEngine Desktop Central. All of the reported issues have since been acknowledged and resolved by ManageEngine. JUMPSEC researchers have discovered multiple vulnerabilities in the ManageEngine Desktop Central application (MEDC), an endpoint management system from a prevalent vendor that is used widely across the globe. Successful exploitation of these vulnerabilities allows an adversary to execute code as NT AUTHORITY\SYSTEM, the highest-integrity context on the host.
August 2, 2022, Tom Ellison