#nginx 0-day on latest nginx-1.21.6

Github: https://github.com/gamozolabs/nginx_shitpost

by https://twitter.com/gamozolabs

windows #spooler service #LPE which was patched on #patchtuesday

https://github.com/grigoritchy/pocs/tree/main/windows/spooler-splenumforms-iov

bypass EDR( crowdstrike and microsoft defender) 2022
— Abuse situations where the sensor is not configured and not updated
—The researcher has used the following 12 techniques:

1.Shellcode encryption
2.Reducing entropy
3.Escaping the (local) AV sandbox
4.Import table obfuscation
5.Disabling Event Tracing for Windows (ETW)
6.Evading common malicious API call patterns
7.Direct system calls and evading “mark of the syscall”
8.Removing hooks in ntdll.dll
9.Spoofing the thread call stack
10.In-memory encryption of beacon
11.A custom reflective loader
12.OpSec configurations in your Malleable profile

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

#EDR #crowdstrike #endpoint

Inspired by 7-Zip CVE-2022-29072 this vulnerability also exist in XVI32
by: will dormann

https://twitter.com/wdormann/status/1516217431437500419?s=21&t=f9YqLUEf65ykpDUdF5MCYw

7zip: https://t.iss.one/Peneter_Tools/305

Security Researcher Maddie stone from google’s Project Zero has published a blog to review in-the-wild 0-days exploits discovered in 2021:

I added Pocs or available exploits for easier access

Blog :

https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html


Exploits:


RCE in #Apache HTTP CVE-2021-41773

https://github.com/thehackersbrain/CVE-2021-41773


14 in Google #Chrome

6 JavaScript Engine - v8 (CVE-2021-21148, CVE-2021-30551, CVE-2021-30563, CVE-2021-30632, CVE-2021-37975, CVE-2021-38003)

https://github.com/xmzyshypnc/CVE-2021-30551

https://github.com/Phuong39/PoC-CVE-2021-30632

https://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/v8/CVE-2021-37975

2 DOM Engine - Blink (CVE-2021-21193 & CVE-2021-21206)

1 WebGL (CVE-2021-30554)

1 IndexedDB (CVE-2021-30633)

1 webaudio (CVE-2021-21166)

1 Portals (CVE-2021-37973)

1 Android Intents (CVE-2021-38000)

1 Core (CVE-2021-37976)



7 in Webkit #safari

4 Javascript Engine - JavaScript Core (CVE-2021-1870, CVE-2021-1871, CVE-2021-30663, CVE-2021-30665)

1 IndexedDB (CVE-2021-30858)

1 Storage (CVE-2021-30661)

1 Plugins (CVE-2021-1879)



4 in #IE

MSHTML browser engine (CVE-2021-26411, CVE-2021-33742, CVE-2021-40444)

Javascript Engine - JScript9 (CVE-2021-34448)


10 in #Windows

2 Enhanced crypto provider (CVE-2021-31199, CVE-2021-31201)

2 NTOS kernel (CVE-2021-33771, CVE-2021-31979)

2 Win32k (CVE-2021-1732, CVE-2021-40449)

https://github.com/Al1ex/WindowsElevation/tree/master/CVE-2021-1732

https://github.com/Kristal-g/CVE-2021-40449_poc

1 Windows update medic (CVE-2021-36948)

1 SuperFetch (CVE-2021-31955)

https://github.com/freeide/CVE-2021-31955-POC

1 dwmcore.dll (CVE-2021-28310)

https://github.com/Rafael-Svechinskaya/IOC_for_CVE-2021-28310/blob/main/Malicious%20Payloads

1 ntfs.sys (CVE-2021-31956)

https://github.com/aazhuliang/CVE-2021-31956-EXP



5 in #iOS and #macOS

IOMobileFrameBuffer (CVE-2021-30807, CVE-2021-30883)

https://github.com/jsherman212/iomfb-exploit

XNU Kernel (CVE-2021-1782 & CVE-2021-30869)

https://github.com/synacktiv/CVE-2021-1782

CoreGraphics (CVE-2021-30860)

https://github.com/jeffssh/CVE-2021-30860

CommCenter (FORCEDENTRY sandbox escape - CVE requested, not yet assigned)



7 in #Android

Qualcomm Adreno GPU driver (CVE-2020-11261, CVE-2021-1905, CVE-2021-1906)

ARM Mali GPU driver (CVE-2021-28663, CVE-2021-28664)

Upstream Linux kernel (CVE-2021-1048, CVE-2021-0920)



5 in Microsoft #Exchange Server

(CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

https://github.com/0xAbdullah/CVE-2021-26855

https://github.com/sirpedrotavares/Proxylogon-exploit

https://github.com/hictf/CVE-2021-26855-CVE-2021-27065

(CVE-2021-42321)

https://github.com/DarkSprings/CVE-2021-42321

PoC for an NTLM relay attack dubbed DFSCoerce.
The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.
https://github.com/Wh04m1001/DFSCoerce

It's a Docker Environment for pentesting which having all the required tool for VAPT.
https://github.com/RAJANAGORI/Nightingale
Tools List:
https://owasp.org/www-project-nightingale/

Penetration Testing Sample Report
There are bunch of pentest reports can be found on https://pentestreports.com/reports/

Node.js security releases announced - high severity vulnerabilities in all active versions

https://groups.google.com/g/nodejs-sec/c/TXKhlMr55UA/m/Sqak2IJnBAAJ

Amsi-Bypass-Powershell

This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods i found on different Blog Posts.

Most of the scripts are detected by AMSI itself. So you have to find the trigger(https://github.com/RythmStick/AMSITrigger) and change the signature at the part via variable/function renaming, string replacement or encoding and decoding at runtime. Alternatively obfuscate them via ISESteroids and or Invoke-Obfuscation to get them working. You can also take a look at blog(https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) post about manually changing the signature to get a valid bypass again.


https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Source:
https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf

For more and Reference :

https://twitter.com/ShitSecure

CVE-2022-32250 (CVE-2022-1966) - A 6 year old bug in the Linux kernel exploited by NCCGroup
https://www.openwall.com/lists/oss-security/2022/05/31/1
Get those patches :
https://access.redhat.com/security/cve/CVE-2022-1966
https://ubuntu.com/security/CVE-2022-1966
https://www.debian.org/security/2022/dsa-5161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32250

Security firm SpectreOps has open-sourced a new tool called Koh that can be used to capture Windows account authentication tokens for new logon sessions and reuse them for future attacks
https://github.com/GhostPack/Koh
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6

CVE-2022-32212: Node.js arbitrary code execution vulnerability
Recently, Node.js released an advisory to fix seven vulnerabilities including three separate HTTP Request Smuggling, one code execution (CVE-2022-32212), and other flaws.
https://securityonline.info/cve-2022-32212-node-js-arbitrary-code-execution-vulnerability/

Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability(CVE-2022-32223) to escalate their privileges and establish persistence in a target environment. The vulnerability can also provide another way to embed malicious code into packages.

https://blog.aquasec.com/cve-2022-32223-dll-hijacking

Open-source analytics and interactive visualization solution Grafana received a critical update recently to fix two high-severity security vulnerabilities that enabled account takeover(CVE-2022-31107).
https://securityonline.info/cve-2022-31107-grafana-oauth-account-takeover-vulnerability/

UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis
#unrar #zimbra

Multiple Vulnerabilities in Atlassian Products (CVE-2022-26136, CVE-2022-26137, CVE-2022-26138)

nuclei add a template for hardcoded vulnerability:

https://github.com/projectdiscovery/nuclei-templates/pull/4889

Atlassian advisory :

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

blog:

https://bugalert.org/content/notices/2022-07-20-atlassian.html?src=r

#Atlassian #hardcoded