Latest Articles

Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon

Background

Recently we posted a bunch of advisories relating to Ivanti Unified Endpoint Manager, a couple of which are for vulnerabilities that can be used to achieve local privilege escalation. At JUMPSEC, whenever we find a new vulnerability, we like to challenge ourselves to write rules to detect it being exploited. We learn a lot doing this: it's kind of fun tweaking the exploit to try and evade detection, and it really challenges us to write good detection rulesets.


November 13, 2020, Andrei Constantin Scutariu

Advisory CVE-2020-13774 - Ivanti Unified Endpoint Manager authenticated RCE via file upload

Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1; <= 2019.1.3
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13774
Published: 12/11/2020
CVSS 3.1 Score: 9.9 - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Improper validation of the file upload functionality in Ivanti Unified Endpoint Manager's web management console permits an authenticated user to upload .aspx files and execute them in the context of the MS IIS server. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which, upon failure, leave the temporarily created files in an accessible location on the server.


November 12, 2020, Andrei Constantin Scutariu

Advisory CVE-2020-13770 - Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

Software: Ivanti Unified Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13770
Published: 11/11/2020
CVSS 3.1 Score: 8.8 - AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Several services access named pipes with default or overly permissive security attributes. As these services run as user 'NT AUTHORITY\SYSTEM', the issue can be used to escalate privileges from a local standard or service account that holds SeImpersonatePrivilege (e.g. user 'NT AUTHORITY\NETWORK SERVICE').


November 11, 2020, Andrei Constantin Scutariu