Tag Archive for: escalation

Hackers Are Exploiting This Microsoft Outlook Privilege Escalation Security Flaw



Microsoft recently patched a zero-click privilege escalation vulnerability in Microsoft Outlook, tracked as CVE-2023-23397 and rated 9.8/10 on the Common Vulnerability Scoring System (CVSS). Left unpatched, it lets a threat actor capture NTLM credential material from any user whose Outlook client receives the malicious email, and then impersonate that user.

The vulnerability lies in a feature of Microsoft Outlook which allows a custom sound file to be loaded for notifications. Specifically, the sound file does not have to be local on the machine but can reside on a remote file share accessible via a Universal Naming Convention (UNC) path.

An attacker crafts a special email, typically a calendar or meeting invite, whose reminder-sound property points, via a UNC path, at an SMB share the attacker controls. When Outlook processes the reminder, the victim’s computer connects to that share and automatically authenticates with New Technology LAN Manager (NTLM), handing the attacker the user’s Net-NTLMv2 response (loosely called the NTLM hash). The attacker can then try to crack it offline to recover the password, or relay it to another service that accepts NTLM authentication.


Critically, none of this requires the victim to open or preview the message. Outlook connects to the attacker’s file share as soon as the client processes the message after it arrives in the victim’s inbox.

To mitigate this, users or system administrators should install the Microsoft Outlook security update, or restrict NTLM authentication (for example, adding high-value accounts to the Protected Users security group blocks NTLM for them). Organizations can also block outbound SMB traffic on TCP port 445 at the network edge, which stops the authentication attempt from reaching an attacker on the Internet; note that this does not help against an attacker who already has a foothold on the internal network. Microsoft has also released an audit script on GitHub that checks mailboxes for messages carrying this kind of remote reminder path, to see whether your organization has been affected.
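As an added example (not Microsoft’s audit script and not code from the original article), here is the kind of check such an audit performs: flag items whose reminder-sound path is a UNC path to a host outside the organization. The property name PidLidReminderFileParameter is the MAPI property Outlook reads for this; the sample messages and the “.corp.example” trusted suffix are constructed for the example.

```python
"""
Added example (not Microsoft's CVE-2023-23397 audit script): flag Outlook
items whose reminder-sound path points at a remote host outside the org.
Assumes the PidLidReminderFileParameter value has already been extracted
from each message; the messages and the trusted suffix are constructed.
"""
import ipaddress
import re
from typing import Optional

# UNC forms Outlook will resolve: \\host\share\file, plus the WebDAV
# fallback \\host@80\share\file or \\host@SSL@443\share\file.  Forward
# slashes are normalised first because Windows accepts either separator.
_UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<webdav>[A-Za-z0-9@]+))?\\(?P<rest>.*)$")


def parse_unc_host(path: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None if the path is not UNC."""
    m = _UNC_RE.match(path.strip().replace("/", "\\"))
    return m.group("host").lower() if m else None


def is_internal_host(host: str, trusted_suffixes=(".corp.example",)) -> bool:
    """Treat RFC 1918 / loopback / link-local addresses and hosts under a trusted
    DNS suffix as internal.  The suffix tuple is a constructed placeholder for
    the organisation's own domains."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(trusted_suffixes)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_reminder_path(path: Optional[str]) -> str:
    """'none'     - property absent or a local file path
    'internal' - UNC path to an internal host (legitimate custom sound)
    'external' - UNC path to an outside host: the NTLM-leak indicator"""
    if not path:
        return "none"
    host = parse_unc_host(path)
    if host is None:
        return "none"
    return "internal" if is_internal_host(host) else "external"


# Constructed sample items: (message id, PidLidReminderFileParameter value)
SAMPLE_MESSAGES = [
    ("msg-001", None),
    ("msg-002", r"C:\Windows\Media\notify.wav"),
    ("msg-003", r"\\fileserver.corp.example\sounds\chime.wav"),
    ("msg-004", r"\\attacker.example\s\x.wav"),
    ("msg-005", r"\\attacker.example@80\dav\ping.wav"),   # WebDAV fallback
    ("msg-006", r"//10.0.0.5/share/a.wav"),
]


def audit(messages=SAMPLE_MESSAGES):
    """Return the ids of items whose reminder sound points outside the org."""
    return [mid for mid, p in messages if classify_reminder_path(p) == "external"]


if __name__ == "__main__":
    for mid in audit():
        print("suspicious reminder path:", mid)
```

The WebDAV form matters in practice: when port 445 is blocked outbound, Windows falls back to WebDAV on 80/443, so a perimeter rule that only covers SMB still leaves the `\\host@80\` variant reachable unless that is filtered too.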

TrustedSec reports that Russian military intelligence has exploited this vulnerability for about a year, so patch now to stay secure.

Source…

Microsoft Discovers Nimbuspwn Privilege Escalation Vulnerability on Linux Systems Granting Hackers Root Permissions


Microsoft discovered a privilege escalation vulnerability in Linux environments that could allow an attacker to take over computer systems.

The vulnerabilities, collectively referred to as Nimbuspwn, can be chained together to gain root privileges, allowing an attacker to create backdoors, deploy malicious payloads, and execute code as root.

Microsoft says Nimbuspwn vulnerabilities could potentially be leveraged as a vector for ransomware deployment and other sophisticated threats, including nation-state cyber-espionage.

Nimbuspwn Linux privilege escalation vulnerability explained

The Microsoft 365 Defender Research Team began by listening to messages on the D-Bus system bus, which led them to review the code of networkd-dispatcher.

Along the way they found two information leaks, a directory information disclosure in Blueman and another in PackageKit (CVE-2022-0987). Further probing turned up more serious issues in networkd-dispatcher, whose daemon runs at boot with root privileges.

A review of the networkd-dispatcher code revealed a directory traversal, a symlink race, and a time-of-check-time-of-use (TOCTOU) race condition.

Microsoft says the networkd-dispatcher daemon used the “_run_hooks_for_state” method to discover and run scripts depending on the network state.

The method returns the executable script files found under “/etc/networkd-dispatcher/<state>.d”, which are expected to be owned by the root user and root group. The daemon then runs each script with subprocess.Popen.

Vulnerabilities in the networkd-dispatcher components:

  • The use of symbolic links – Microsoft found that both the checks performed while discovering scripts and the subsequent subprocess.Popen call follow symbolic links, so a symlink placed in the hook directory is resolved and executed rather than rejected.
  • Directory traversal vulnerability (CVE-2022-29799) – Microsoft found that the control flow fails to sanitize the OperationalState and AdministrativeState values. Since these states are used to build the script directory path, an attacker who controls them can escape “/etc/networkd-dispatcher” with “../../” directory traversal sequences.
  • Time-of-check-time-of-use race condition (CVE-2022-29800) – Microsoft discovered a time gap between the discovery and execution of the root…
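The three bugs above all live in how the hook directory is chosen and how scripts in it are checked before being run. The following is an added example, not networkd-dispatcher’s own code or its upstream fix: the lookup written once in the vulnerable shape (unvalidated state string joined into a path, symlinks followed, check separated from use) and once hardened (token-only state names, realpath confinement, O_NOFOLLOW plus fstat on the open descriptor). The directory tree, state names and scripts are constructed in a temporary directory, and the expected owner is the current user rather than root so it runs unprivileged.

```python
"""
Added example, not networkd-dispatcher's own code or its upstream fix: the
hook-directory lookup that Nimbuspwn abuses, written once in the vulnerable
shape and once hardened.  Directory names, state names and scripts are
constructed inside a temporary tree, and the expected owner is the current
user rather than root so the demo runs unprivileged.
"""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path


def hook_dir_vulnerable(base: str, state: str) -> str:
    """Builds '<base>/<state>.d' from an unvalidated state string, so a state
    such as '../../tmp/evil' escapes base (the CVE-2022-29799 pattern)."""
    return os.path.join(base, f"{state}.d")


_STATE_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def hook_dir_hardened(base: str, state: str) -> str:
    """Accept only plain-token state names, then verify the resolved directory
    is still under base so neither '..' nor a symlinked subdirectory escapes."""
    if not _STATE_RE.match(state):
        raise ValueError(f"refusing state name {state!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, f"{state}.d"))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("hook directory escapes base")
    return target


def open_hook_scripts(hook_dir: str, expect_uid: int):
    """Return [(name, fd)] for entries that are regular files (symlinks are
    refused via O_NOFOLLOW), owned by expect_uid, owner-executable and not
    group/world writable.  The checks run on the *open descriptor* (fstat), so
    whatever the caller later executes through that fd (e.g. os.fexecve) is the
    inode that was inspected: no check-then-use window as in CVE-2022-29800.
    The caller owns the descriptors and must close them."""
    accepted = []
    for name in sorted(os.listdir(hook_dir)):
        try:
            fd = os.open(os.path.join(hook_dir, name),
                         os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
        except OSError:            # ELOOP for a symlink, EACCES, vanished entry
            continue
        st = os.fstat(fd)
        ok = (stat.S_ISREG(st.st_mode)
              and st.st_uid == expect_uid
              and st.st_mode & stat.S_IXUSR
              and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if ok:
            accepted.append((name, fd))
        else:
            os.close(fd)
    return accepted


def demo() -> dict:
    """Build a fake /etc/networkd-dispatcher tree and exercise both lookups."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "etc", "networkd-dispatcher")
    state_dir = Path(base, "routable.d")
    state_dir.mkdir(parents=True)
    evil = Path(root, "tmp", "evil.d")          # attacker-reachable via '..'
    evil.mkdir(parents=True)

    good = state_dir / "10-ok.sh"
    good.write_text("#!/bin/sh\necho ok\n")
    good.chmod(0o755)
    (state_dir / "20-link.sh").symlink_to(good)  # symlink: must be refused
    loose = state_dir / "30-ww.sh"               # world-writable: must be refused
    loose.write_text("#!/bin/sh\necho nope\n")
    loose.chmod(0o777)

    out = {}
    vuln = hook_dir_vulnerable(base, "../../tmp/evil")
    out["vuln_escapes"] = os.path.realpath(vuln) == os.path.realpath(evil)
    try:
        hook_dir_hardened(base, "../../tmp/evil")
        out["hardened_rejects"] = False
    except ValueError:
        out["hardened_rejects"] = True
    scripts = open_hook_scripts(hook_dir_hardened(base, "routable"), os.getuid())
    out["accepted"] = [name for name, _ in scripts]
    for _, fd in scripts:
        os.close(fd)
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of checking the open descriptor rather than the path is that a stat-then-Popen sequence gives an attacker who can write to the directory a window to swap the inspected file (or the target of a symlink) for their own before it is executed; executing through the already-validated descriptor removes that window entirely.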

Source…

7-Zip zero-day vulnerability grants privilege escalation


PSA: A security researcher recently discovered a vulnerability in the file archiver 7-Zip that could grant attackers high privileges and let them execute code. Developers haven’t released a patch yet, but users can quickly nullify this security hole in the meantime.

Last week, researcher Kağan Çapar found and published a zero-day vulnerability in 7-Zip that can grant privilege escalation and command execution. Designated CVE-2022-29072, it affects Windows users running version 21.07 — the latest version as of now.

As the video below shows, an attacker with limited access to a system can activate the vulnerability by opening the “Help” window in 7-Zip under Help->Contents and dragging a file with the .7z extension into that window. Any file with that extension will work. It doesn’t have to be a real 7z archive.

By spawning a child process under 7zFM.exe, the vulnerability can elevate the attacker’s privileges and let them run commands on the target system. Çapar attributes this to a misconfiguration in 7z.dll and a heap overflow.

The Windows HTML Help file may also share some of the blame, as other programs can allow command execution through it. Çapar mentions a similar vulnerability that works through the Windows HTML Help file and WinRAR.

Deleting the file “7-zip.chm” in the 7-Zip root folder can mitigate the issue until devs patch it. It’s unclear when that will be.

Source…

Wireless coexistence – New attack technique exploits Bluetooth, WiFi performance features for ‘inter-chip privilege escalation’



Stephen Pritchard

23 December 2021 at 15:28 UTC

Updated: 23 December 2021 at 15:43 UTC

Attackers can use connections between wireless chips to steal data or credentials, researchers find

Security shortcomings involving shared on-chip resources for different wireless technologies create a means to steal data and passwords, security researchers warn

Vulnerabilities in wireless chip designs could allow malicious hackers to steal data and passwords from devices, according to security researchers.

According to the group, from the Technical University of Darmstadt’s Secure Mobile Networking Group (Germany) and the University of Brescia’s CNIT (Italy), attackers could exploit “wireless coexistence” or shared component features on millions of mobile devices.

Wireless devices often use radio components with shared resources, combination chips or System on a Chip (SoC) designs. These SoCs are responsible for multiple radio interfaces, including Bluetooth, WiFi, LTE (4G) and 5G.

But, as the researchers note, these interfaces typically share components, such as memory, and resources including antennae and wireless spectrum. Designers utilize wireless coexistence to allow resource sharing and maximize network performance. In doing so, they create security flaws that are hard, or even impossible, to patch.

“While SoCs are constantly optimized towards energy efficiency, high throughput, and low latency communication, their security has not always been prioritized,” the researchers warn.

Over-the-air exploit

In tests, researchers built a mobile test rig for under $100, and in an over-the-air exploit made use of a Bluetooth connection to obtain network passwords and manipulate traffic on a WiFi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries, they state.

The researchers were able to create proof-of-concept exploits for the shared resources on chips from Silicon Labs, Broadcom, and Cypress. The group found nine CVEs, which they disclosed to the chip companies, as well as to the Bluetooth SIG and the device manufacturers that use coexistence interfaces.


Attackers can escalate “privileges laterally from one wireless chip or core into another”. And serial…

Source…