Gitworm Profile picture
Apr 9 10 tweets 12 min read
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission: Image
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx Image
@_Blue_hornet Another Update containing a potential temporary #workaround has been pushed to Github just now.
Also confirming that #ldap-auth daemon is indeed vulnerable. Also mentioning that @Atlassian accounts are affected.

#0day #ldap #injection #nginx Image
@campuscodi So as this Tweet is getting some reach, some might be asking themselves how @_Blue_hornet operates.
@PogoWasRight did an interview with them arround 6 days ago and I think it is worth a read :)

Link:
databreaches.net/an-interview-w…
@_Blue_hornet @Atlassian For those who want/need even more info, here is an internal message by ATW on this #exploit and its capabilities.
Seems ATW is unsure for now if it is an #LDAP issue or if its only affecting #Nginx Image
Ok, as this tweet get's way more exposure then I am used to, please keep the following in mind:
Everything I share is based on claims by @_Blue_hornet .
I have not seen a PoC, I have not seen a successfull exploitation and I do not know if any of this is true.
I do not warrant!
@_Blue_hornet @Atlassian So, in an unexpected turn of events @_Blue_hornet went dark.
They suggested its forever.
I am unsure how to procede now.
A lot of noise I willingly shared as I trusted in them and now this.
For the time beeing, I will quote my tweet from before:

Image
So it seems @_Blue_hornet has updated the Github Repo several times since my last tweet.
Nothing too important in my eyes, but mentioning it just in case:
github.com/AgainstTheWest…

At least shows that he/they are still maintaining the Repo :)
As several people have pointed out, it seems @nginx has released an article about the vulnerability described above. The article points out ways to mitigate and states that ONLY THE #Nginx REFERENCE IMPLEMENTATION IS AFFECTED.

nginx.com/blog/addressin…

#nginxday #0day

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Gitworm

Gitworm Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Gi7w0rm

Mar 4
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:

1/x Image
The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:

3/x Image
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(