Jul 8, 2021

Updates on PrintNightmare

Following the CVE-2021-1675 and CVE-2021-34527 updates on the Print Spooler issue, some new information about the PrintNightmare vulnerabilities was added today.

  • CVE-2021-34527 affects all versions of Windows (including, but not limited to, domain controllers).
  • Successful exploitation requires authentication and results in remote code execution (RCE) and local privilege escalation (LPE) on a vulnerable target.
  • To fully remediate risk introduced by CVE-2021-34527, Windows systems administrators must disable Point and Print across their environments. This is an essential step in the remediation process, without which the out-of-band updates are ineffective.
The conclusion is that the CVE-2021-34527 update does not remediate the vulnerability as long as Point and Print remains enabled.
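As an added example (not code from the original post), a read-only PowerShell audit of the workaround state described above on the local host: the Spooler service, the inbound remote-printing policy, and the Point and Print registry values. The registry value names follow Microsoft's July 2021 Point and Print guidance (KB5005010) as recalled here, so confirm them against current Microsoft documentation before relying on the output.

```powershell
# Added audit example, not code from the original post. Read-only: it reports the
# state of the CVE-2021-34527 workarounds on the local host and changes nothing.
# Registry value names follow Microsoft's July 2021 Point and Print guidance
# (KB5005010) as recalled here; confirm them against current Microsoft documentation.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey    = "$PolicyKey\PointAndPrint"

function Get-PolicyValue($Path, $Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
function Show-Value($v) { if ($null -eq $v) { 'not set' } else { $v } }

$findings = @()

# 1. Spooler service. Stopped and disabled is Microsoft's Option 1 workaround.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) { $findings += 'Spooler service not present' }
elseif ($svc.Status -eq 'Running') {
    $findings += "Spooler RUNNING (StartType=$($svc.StartType)): host exposed unless Point and Print is restricted"
} else { $findings += "Spooler $($svc.Status) (StartType=$($svc.StartType)): ok" }

# 2. Inbound remote printing (Option 2). The policy 'Allow Print Spooler to accept
#    client connections' = Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2.
$rpc = Get-PolicyValue $PolicyKey 'RegisterSpoolerRemoteRpcEndPoint'
if ($rpc -eq 2) { $findings += 'Remote RPC printing disabled by policy: ok' }
else { $findings += "Remote RPC printing allowed (value $(Show-Value $rpc)): remote path open while Spooler runs" }

# 3. Point and Print. Either value at 1 lets non-admins install drivers without an
#    elevation prompt, which is why the out-of-band update alone is ineffective.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PolicyValue $PnPKey $name
    if ($v -eq 1) { $findings += "$name = 1: INSECURE, elevation prompt suppressed" }
    else { $findings += "$name = $(Show-Value $v): ok" }
}

# 4. RestrictDriverInstallationToAdministrators = 1 blocks non-admin driver installs.
$r = Get-PolicyValue $PnPKey 'RestrictDriverInstallationToAdministrators'
if ($r -eq 1) { $findings += 'Driver installation restricted to administrators: ok' }
else { $findings += "RestrictDriverInstallationToAdministrators = $(Show-Value $r): set to 1" }

$findings | ForEach-Object { Write-Output "[PrintNightmare audit] $_" }
```

Run it in an elevated PowerShell session on each host; a Spooler that is running with remote RPC allowed and no Point and Print restriction is the unmitigated state the post warns about.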


Link:

  • https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=notificationEmail#rapid7-analysis

Jul 3, 2021

Slaughterbots

 

This video demonstrates how dangerous "smart weapons" are. If this is not what you want, please take action at http://autonomousweapons.org/

Links:

 

PrintNightmare, Critical Windows Print Spooler Vulnerability

See Microsoft's new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds. 

“while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.

 

 [*] Searching cve-[['2021-34527']] vulnerability definitions within Kenna.VI+....


[ CVE Description ]
 [*] CVE_ID : CVE-2021-34527
 [_] Desc   : Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Print Spooler service. By persuading a victim to open a specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM privileges.

 [_] C:2021-06-10 / P:2021-07-01 / L:2021-07-01
 [*] Vuln Risk           : 25.0
 [*] Exploited [trend]   : 0 [holding]
 [_] Exploit/likehood    : False/None

 [*] Malware sample : 0
 [*] Exploits/POC   : [0]
 [_] Fixes          : [0]
 [_] Threat Actors  : [0]
 [_] CVSS2 / CVSS3  : [ 7.2 / 7.8 ]

 [_] Vuln Products  : [0]

[ CVE Malware Family Info : None ]

[ High_Profile_Vulnerability ]
 [!!!]   CVE-2021-34527 (25.0) : []


 ** [5] threads completed [2 tasks] / [1.8 KB] within [1.94 sec].


Jul 2, 2021

Update on the Printer Spooler Vulnerability

A malware attack and successful exploitation have been found for CVE-2021-1675. It can be easily exploited and has become a popular target, with a daily trend of going UP.

Initially, this vulnerability was categorized as LPE (Local Privilege Escalation); it was later (June 21) changed to RCE (Remote Code Execution).

Here's the latest vulnerability intelligence from Kenna.VI+.

[ CVE Description ]
 [*] CVE_ID : CVE-2021-1675
 [_] Desc   : Windows Print Spooler Elevation of Privilege Vulnerability

[ Kenna.VM Summary ]
 [*] Vuln Risk              : 77.227
 [*] Easily_Exploit         : True
 [*] Malware_Exploit        : True
 [*] Popular_Target         : True
 [*] Active_Internet_Breach : True

[ Kenna.VI+ ]
 [*] Successful_Exploitations  : 3
 [*] Velocity (D/W/M)          : 2/3/3
 [*] Daily_Trend               : up
 [*] Pre_NVD                   : True [_FALSE_]
 [*] RCE                       : True [_FALSE_]
 [*] Predicted_Exploitable     : 3 (0.2499% confidence)

[ Kenna.VI+ Details ]
 [_] Created_at    : 2020-12-02T22:00:10Z
 [_] Published     : 2021-06-08T23:15:00Z
 [_] Last_Modified : 2021-06-10T23:21:00Z

[ Links / References ]
 [*] Malware sample : 1
 [_] Exploits [2]:
     [ --> ]   created_at : 2021-06-30T14:00:00Z
     [ --> ]  external_id : kenna.CVE-2021-1675
     [ --> ]         name : CVE-2021-1675: PrintNightmare
     [ --> ]       source : kenna
     [ --> ]          url : https://github.com/afwu/PrintNightmare

     [ --> ]   created_at : 2021-07-01T07:00:29Z
     [ --> ]  external_id : None
     [ --> ]         name : Win64.Exploit.CVE-2021-1675
     [ --> ]       source : reversing_labs
     [ --> ]          url : None

 [_] Fixes [2]:
     [ --> ]  external_id : 91772
     [ --> ]          url : https://support.microsoft.com/en-in/help/5003635
     [ --> ]      product : windows
     [ --> ] published_at : 2021-06-09T01:30:40Z

     [ --> ]  external_id : msft-cve-2021-1675
     [ --> ]          url : None
     [ --> ]      product : None
     [ --> ] published_at : 2021-06-08T00:00:00Z

 [_] Threat Actors [0]:
     [ --> ] None

[ CVSS2 / CVSS3  Details ]

                | Impact  |   |                | CVSS_Access
================+=========+===+================+==============
   Availability | Partial |   |     Complexity | Medium
Confidentiality | Partial |   |         Vector | Network
      Integrity | Partial |   | Authentication | None required

              |                                   CVSS_V2 |                                                    CVSS_V3
==============+===========================================+===========================================================
   Base Score |                                     6.800 |                                                      7.800
Exploit_Score |                                     8.600 |                                                      1.800
 Impact_Score |                                     6.400 |                                                      5.900
     Temporal |                                     5.000 |                                                       None
       Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

[ Others ]
 [*] Vulnerable Products [4] :
     [ --> ] cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
     [ --> ] cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
     [ --> ] cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
     [ --> ] cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*


[ CVE Malware Family Info : None ]

[ CVE History : CVE-2021-1675 ]
 [*] ID              : 2658603
 [*] Vuln Risk Score : 77
 [*] History         : 4

   [**] changed_at : 2021-06-09T04:14:45.000Z
   [**]       from : 25
   [**]         to : 20

   [**] changed_at : 2021-06-10T04:26:09.000Z
   [**]       from : 20
   [**]         to : 22

   [**] changed_at : 2021-06-11T04:09:42.000Z
   [**]       from : 22
   [**]         to : 33

   [**] changed_at : 2021-07-01T04:15:49.000Z
   [**]       from : 33
   [**]         to : 77

[ High_Profile_Vulnerability ]
 [!!!]    CVE-2021-1675 (77.227) : ['hpv_exploit', 'hpv_malware', 'hpv_poc']


 ** [5] threads completed [3 tasks] / [2.39 KB] within [2.95 sec].


Jul 1, 2021

Attack and Defend: The Dangers of Modern Distributed Applications


My notes:

  • Modern application: API Gateway
  • Certificate transparency for discovering web targets
  • JWT web token at https://jwt.io/
  • OAuth/bearer token vs. session cookies
  • OAuth Phantom token, Split token
  • Static file storage, CDN
  • Evil jQuery JavaScript, https://github.com/JohnHoder/Javascript-Keylogger
  • script integrity and crossorigin attributes at https://www.srihash.org/
  • Monolith vs. distributed web architecture

Links:

  • https://certificate.transparency.dev/ 
  • https://sslmate.com/certspotter/