OK, where are we with Spring stuff? 1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off. 2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing.
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone: 1) Sensational blog post indicating that this is going to ruin the internet (red flag!). 2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case.
Oh, this is good.
Think you're typing into a pop-up window? Make sure that you try to drag it OUTSIDE OF the content area of the page first.
Surely normal human beings do this.
But wait!
We security folks know that the content area of a browser is 100% under control of somebody else. We wouldn't design a system where a user must visually verify something within this space, right?
Let's look at a site that is apparently popular for some reason: Pinterest
Am I picking on Pinterest? Nope.
This is a standard OAuth login technique. For example, here's an Auth0 demo page.
Are we relying on end users knowing that they need to drag pop-ups outside of the content area of a browser to know that it's legit?
If you enabled Extended Protection for Authentication (EPA) for your AD CS server this summer to protect against PetitPotam, good for you.
If you haven't, well, I've got some bad news for you...
Nothing more than a system on the same (V)LAN as a domain-joined host is required. No password knowledge necessary.
By using mitm6 + krbrelayx to relay a kerberos ticket to an AD CS that hasn't been locked down, we get a certificate that can get us to Domain Admin.
The defenses against this are:
- Enable TLS + EPA in IIS on any AD CS system you use. This is the same thing that protected you against the PetitPotam attack chain.
- If you don't use IPv6, block with firewalls both DHCPv6 and ICMPv6 traffic. dirkjanm.io/relaying-kerbe…
I cannot stress how wrong the NVD / Mitre entry is for CVE-2021-44228.
The fact that you're running a current JRE version does NOT protect against RCE with log4j!
How did the CVE entry get to be wrong?
Two days ago, @iamamoose corrected the vulnerability description in CVE: github.com/CVEProject/cve…
12 hours ago, the fix was reverted so that it's incorrect again: github.com/CVEProject/cve…
Can anybody explain to my simple brain why?
I'd love to hear from @CVEannounce or anybody at @MITREcorp as to why an officially accepted commit to the CVEProject cvelist repo was automatically clobbered with HARMFULLY INCORRECT data as part of an automatic "-Synchronized-Data." commit two days later.
Trusted App
Based on my knowledge of word meanings, you're telling me that this app is trustworthy.
This is about as sage advice as saying "Look for the padlock to know that you're safe" ...
in a web browser where any site can make the address bar show whatever address they want.
PublisherDisplayName ... where does that come from?
That's right, the app author choses whatever they want.
This is the information that is presented to the user all while saying that the app is "Trusted"
Who are they to disagree?
This seems... broken?
This all (including the fake "Adobe Inc." app) has been public for about a month: news.sophos.com/en-us/2021/11/…
Given how broken this all seems, you probably wouldn't want the ability to click into an AppX installer, right? Good. See: gist.github.com/wdormann/90fce…
Note that while the exploit doesn't appear to work as-is on Windows 10, it definitely still shows behaviors that shouldn't be allowed.
That is, it still allows a non-elevated prompt to modify the contents of C:\Windows\system32 with SYSTEM privileges.
Scratch that...
It IS compatible with Windows 10. It's just not terribly reliable as-is to achieve LPE.
It took multiple attempts, each reverting to the same VM snapshot, but here are shots of a successful run.