Mar 19 2024

PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)

Category: Security vulnerabilitiesdisc7 @ 6:21 pm

Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published.

About CVE-2024-25153

Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central.

CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells,” the company noted in the advisory.

The vulnerability was first discovered in August 2023 and patched a few days later in the FileCatalyst version 5.1.6 Build 114, but had no CVE identifier at the time.

The identifier was assigned after Fortra became a CVE Numbering Authority (CNA) in December 2023.

The company and Tom Wedgbury, the security researcher that discovered and reported the flaw, planned its coordinated disclosure in March 2024.

CVE-2024-25153 PoC exploit released

Fortra’s security advisory and Wedgbury’s blog post with technical details and the PoC have been published on Wednesday.

There are currently no indications of the vulnerability being exploited in the wild, but organizations are nevertheless advised to apply the available patch (if they haven’t already).

When a PoC for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution was recently made public, exploit attempts began soon after.

In late January 2023, the Cl0p ransomware group leveraged a zero-day vulnerability (CVE-2023-0669) in the same solution, and stole data of over 130 victim organizations.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: PoC exploit code

Apr 25 2023

PoC Exploit Code Released for Critical Papercut Flaw

Category: Security vulnerabilitiesDISC @ 9:39 am

Threat actors are actively taking advantage of critical vulnerabilities present in the PaperCut MF/NG print management software. 

This exploitation aims to plant Atera remote management software onto the targeted servers to gain control over them. From more than 70,000 companies globally, it has over 100 million active users. 

The vulnerabilities affecting the PaperCut MF/NG print management software are tracked as follows:-

Remote threat actors can exploit these vulnerabilities to gain unauthorized access and execute arbitrary code on PaperCut servers that have been compromised.

These flaws can be exploited without user interaction and are relatively easy to carry out, granting the attacker SYSTEM privileges. Recently, in the Shodan search engine, it has been observed that around 1700 PaperCut servers were exposed to the internet.

PoC Exploit Code

PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and later releases, have addressed both vulnerabilities. 

That’s why security experts strongly advise users to upgrade to any of these patched versions to mitigate the risks associated with these flaws.

Horizon3 has recently released technical information, and a proof-of-concept (PoC) exploit for CVE-2023-27350

Attackers can leverage this exploit to bypass authentication and execute arbitrary code on PaperCut servers that have not been patched.

By misusing the ‘Scripting’ feature for printers, the RCE exploit enables cybercriminals to achieve remote code execution.

Although Huntress has developed a PoC exploit to illustrate the danger associated with the ongoing attacks, they have not made it publicly available.

Currently, unpatched PaperCut servers are under attack, and the exploit code developed by Horizon3 is expected to be adopted by other threat actors for launching similar attacks in the future.

The CVE-2023-27350 vulnerability has been included in the list of actively exploited vulnerabilities by CISA.

Not only that, but even CISA has directed all federal agencies to secure their systems within the next three weeks, by May 12, 2023, to prevent further exploitation.

To prevent remote exploitation of the PaperCut servers, Huntress urged administrators to immediately implement the necessary security measures that cannot currently patch their PaperCut servers. 

During the analysis, experts at Horizon3 identified a JAR that contains the SetupCompleted class in:-

  • C:\Program Files\PaperCut NG\server\lib\pcng-server-web-19.2.7.jar

In the SetupCompleted flow, the session of the anonymous user is unintentionally authenticated due to an error in the code. 

While this function is triggered only after a user’s password is validated via a login process. In web applications, this type of vulnerability is dubbed:-

  • Session Puzzling

Huntress revealed that among the Windows machines with PaperCut installed in the customer environments they safeguard, approximately 1,000 were identified. 

As per their observation, nearly 900 of those machines were still unpatched, and only one had been patched among the three macOS machines they monitored.

Organizations using PaperCut must ensure they have installed either PaperCut MF or NG versions 20.1.7, 21.2.11, or 22.0.9 to prevent exploitation.

InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: Critical Papercut Flaw, PoC exploit code

Mar 11 2021

Expert publishes PoC exploit code for Microsoft Exchange flaws

Category: Security vulnerabilitiesDISC @ 11:26 pm

On March 2nd, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. 

This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.

The availability of the proof-of-concept code was first reported by The Record.

“A Vietnamese security researcher has published today the first functional public proof-of-concept exploit for a group of vulnerabilities in Microsoft Exchange servers known as ProxyLogon, and which have been under heavy exploitation for the past week.” reads the post published by The Record. “The proof-of-concept code was published on GitHub earlier today. A technical write-up (in Vietnamese) is also available on blogging platform Medium.”

The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution. 

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” the spokesperson said in an email sent to the Vice.. “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

Expert publishes PoC exploit code for Microsoft Exchange flaws

Tags: Microsoft Exchange flaws, PoC exploit code