Rich Warren

@buffaloverflow@infosec.exchange
851 Followers
83 Following
49 Posts
Red Team & Offensive Security Research
Blog: https://rw.md
Twitter: https://twitter.com/buffaloverflow
GitHub: https://github.com/rxwx
Technical Advisory - Nullsoft Scriptable Installer System (NSIS) - Insecure Temporary Directory Usage

The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios.

NCC Group Research Blog
If you have access to EDR/SIEM telemetry, you can also search for instances of Un_[A-Z]\.exe (usually Un_A.exe) running as SYSTEM.

If you want to find vulnerable software, go onto GitHub or public sandboxes etc. and look for software that has a service and (un)installs NSIS packages. Triggering an uninstall may be possible through RPC/COM methods or perhaps custom IPC. I’m sure you will find some 👀

Some example code to get started with a PoC:

https://gist.github.com/rxwx/1717e95e5ec11bea12d33e93a3832508

Determine redirection path for SxS DotLocal DLL Hijacking - GetSxsPath.cs
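The telemetry hunt described in the post above, as an added example that is not part of the original post or of the NCC Group advisory: it runs the Un_[A-Z]\.exe-as-SYSTEM check over a few constructed Sysmon-style process-creation events. The host names, timestamps, temp-directory paths and parent processes in the sample are made up, and the set of spellings used for the LocalSystem account is an assumption you should widen for your own EDR.

```python
import json
import re
from typing import Iterable

# Uninstaller stub name from the post: Un_A.exe, Un_B.exe, ... Matched on the
# basename only and case-insensitively, since Windows file names are.
UNINSTALLER_RE = re.compile(r"^un_[a-z]\.exe$", re.IGNORECASE)

# Spellings of the LocalSystem account seen across sensors (assumed; extend as needed).
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}


def basename(path: str) -> str:
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_system_user(user: str) -> bool:
    return user.strip().lower() in SYSTEM_ACCOUNTS


def find_system_uninstallers(lines: Iterable[str]) -> list[dict]:
    """Return process-creation events where an NSIS uninstaller stub ran as SYSTEM.

    Each line is expected to be one JSON object with Sysmon-style field names
    (Image, User, ParentImage, CommandLine, UtcTime, Computer). Malformed lines
    are skipped so that one bad record does not abort the hunt.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        image = ev.get("Image", "")
        if UNINSTALLER_RE.match(basename(image)) and is_system_user(ev.get("User", "")):
            hits.append({
                "time": ev.get("UtcTime"),
                "host": ev.get("Computer"),
                "image": image,
                "parent": ev.get("ParentImage"),
                "cmdline": ev.get("CommandLine"),
            })
    return hits


# Constructed sample telemetry (not real logs): hosts, paths and parents are made up.
# Events 1 and 4 are the pattern the post describes; 2 is an ordinary user-run
# uninstall; 3 is an unrelated SYSTEM process; the last line is deliberately garbage.
SAMPLE_EVENTS = r"""
{"UtcTime": "2023-07-20 09:14:02", "Computer": "WS01", "Image": "C:\\Windows\\Temp\\~nsuA.tmp\\Un_A.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\ExampleAgent\\Uninstall.exe", "CommandLine": "Un_A.exe"}
{"UtcTime": "2023-07-20 09:20:45", "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\~nsuA.tmp\\Un_A.exe", "User": "WS01\\alice", "ParentImage": "C:\\Program Files\\SomeTool\\Uninstall.exe", "CommandLine": "Un_A.exe"}
{"UtcTime": "2023-07-20 09:21:10", "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"UtcTime": "2023-07-20 10:02:31", "Computer": "WS02", "Image": "C:\\Windows\\Temp\\~nsuB.tmp\\UN_B.EXE", "User": "SYSTEM", "ParentImage": "C:\\Program Files\\ExampleAgent\\Uninstall.exe", "CommandLine": "UN_B.EXE"}
this line is not JSON and must be skipped
"""


if __name__ == "__main__":
    for hit in find_system_uninstallers(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

The parent image is the field worth pivoting on once you have hits: it tells you which product's service spawned the uninstaller as SYSTEM, which is exactly the software the post suggests looking for.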

Last week NSIS released a new version which addresses a privilege escalation issue I reported (CVE-2023-37378).

It’s an interesting one which affects certain setups where you can trigger an uninstaller as SYSTEM. I found various software including endpoint management and security software where this is exploitable :)

https://github.com/advisories/GHSA-5r79-3284-v2f8

CVE-2023-37378 - GitHub Advisory Database

Nullsoft Scriptable Install System (NSIS) before 3.09...


I’ve not been using social media much recently, since I find it a mostly negative experience (and I have enough of that at $dayjob).
However, I do miss keeping up with the latest news and cool research and catching up with folks.

I’m going to give Threads a go, maybe the grass is greener, maybe not. If it stops me clicking the blue bird icon and immediately feeling depressed then it’s worth a try 🙂

https://www.threads.net/@buffaloverflow

Rich Warren (@buffaloverflow) on Threads

3 Followers. Red Team & Offensive Security Research

Fortinet missed a trick. You’re supposed to release critical stuff like that on patch Tuesday so it gets buried in other news 🙃
GitHub - rxwx/impacket: Impacket is a collection of Python classes for working with network protocols.

I'm excited to share some of my work that came out today! Specifically, a handful of vulnerabilities in #F5 #BIGIP devices that I worked on through the summer, and worked with the vendor to get patched (F5 was awesome to work with, btw!).

I wrote a super detailed #blog post, and also wrote a full PoC. #Metasploit modules (both for the exploits and some post-exploitation data-gathering) are incoming as well!

The most important of the issues is #RCE via a #CSRF vulnerability in the #SOAP interface (#CVE_2022_41622), which is pretty cool (though requires a confluence of conditions to actually matter). I also had to bypass #SELinux to actually exploit this on the path I chose, which is kinda cool.

The other is authenticated RCE, to which they assigned #CVE_2022_41800, though even I, the person who found it, don't really think it's a big deal. It's a nice way to get a #Meterpreter session on your test box, at least?

I also published a bunch of my #tools for analyzing F5, including scripts to build, parse, and #MitM requests to their proprietary (I think?) database protocol (these require a valid login to use, but there's no user separation so there's a bit of #LPE).

I'll also be speaking about this research in much more detail (as much as I can in 45 minutes :) ) in my #HushCon talk on Dec 2!

CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures | Rapid7 Blog

Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend - @chudypb provides the details of CVE-2022-41040 and CVE-2022-41082. These were the #Exchange bugs used in active attacks and recently patched.
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
Zero Day Initiative — Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend

By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately

Confusing British exploit developers is a great mitigation. Good job MSFT 😁