Latest Articles

Advisory CVE-2020-13770 - Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

Software: Ivanti Unified Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13770
Published: 11/11/2020
CVSS 3.1 Score: 8.8 - AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Several services are accessing named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (e.g. user ‘NT AUTHORITY\NETWORK SERVICE’).


November 11, 2020, Andrei Constantin Scutariu

Advisory CVE-2020-13771 - Ivanti Unified Endpoint Manager DLL search order hijacking privilege escalation

Software: Ivanti Unified Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13771
Published: 11/11/2020
CVSS 3.1 Score: 8.1 - AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Credit: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Various services running as user ‘NT AUTHORITY\SYSTEM’ rely on Windows’ DLL search order for loading DLL files that are not present on the filesystem. Under certain circumstances, a local attacker would be able to place a malicious DLL file to obtain code execution in the vulnerable service’s context to elevate privileges.


November 11, 2020, Andrei Constantin Scutariu

Pwning Windows Event Logging with YARA rules

The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation it is limited what we can do to evade event logging, but once privileges have been elevated it is an equal playing field. In the past I have released a method to evade this logging by loading a malicious kernel driver and hooking the NtTraceEvent syscall. This method is effective but has two issues. The main issue is the risk associated with loading a kernel driver and patching syscalls, as there is the potential to cause a BSOD on the machine, which for obvious reasons is a very bad thing. The other issue is that it will simply stop all events from being reported, so while the hook is active that machine will no longer be sending events to the SOC or SIEM. It's a real possibility that defenders would notice this sudden lack of events. So is there a way to only filter out the events caused by an attacker while also remaining completely inside usermode? Yes.


September 4, 2020, bats3c