The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
JUMPSEC investigators recently observed an adversary weaponising PowerShell Jobs to schedule their attack whilst responding to an incident. We discuss what PowerShell Jobs are, how they can be leveraged for malicious purposes, and how defenders can protect, detect, and respond to neutralise the threat.
The Windows registry is a vast and complex topic and cannot be understood and defended in one article. One particular area of interest from a security perspective is registry run keys. In this article, we discuss who uses them, how to uncover abuse, and how to eradicate evil from them.
In this post, Caleb explores Depix and its potential to recover sensitive text from reports that were redacted by the original authors.
Recently we posted a bunch of advisories relating to Ivanti Unified Endpoint Manager, a couple of which are for vulnerabilities which can be used to achieve local privilege escalation. We will give a brief explanation of the vulnerabilities and an example of Sysmon configuration rules to log exploitation attempts, along with the rationale behind them so you can adapt them to your existing configuration if needed.
Software: Ivanti Endpoint ManagerAffected Versions: <= 2020.1.1Vendor page: www.ivanti.comCVE Reference: CVE-2020-13773Published: 13/11/2020CVSS 3.1 Score: 5.5 - AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LAttack Vector: Remote, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau Summary Various web pages on Ivanti Unified Endpoint Manager web management console lack proper...
A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks towards the underlying database. On a standard installation with default options, the account used to query the database is database administrator.
Ivanti Unified Endpoint Manager’s “ldcient” component expose information about the system that could be used in further attacks against the system.
Improper validation on file upload functionality present in Ivanti Unified Endpoint Manager’s web management console permits an authenticated user to upload .aspx files and execute them on the MS IIS server’s context. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.
Several services are accessing named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’).
Various services running as user ‘NT AUTHORITY\SYSTEM’ rely on Windows’ DLL search order for loading DLL files that are not present on the filesystem. Under certain circumstances, a local attacker would be able to place a malicious DLL file to obtain code execution in the vulnerable service’s context to elevate privileges.
The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation it is limited what we can do to evade event logging, but once privileges have been elevated it is an equal playing field. In the past I have released a...
The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.
