My SharePoint RCE got fixed: CVE-2024-38018. Site Member privs should be enough to exploit.

I also found a DoS vuln that got patched today: CVE-2024-43466.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38018

From COM Object Fundamentals To UAC Bypasses - Tijme Gommers

https://www.youtube.com/watch?v=481SI_HWlLs

"This patch day, Microsoft introduced new garbage collection mechanism in win32k. In addition to the previously introduced type isolation mechanism, there is now garbage collection, making it more difficult to control the heap feng shui."

More info: https://x.com/TinySecEx/status/1833697218983080428

Happy #PatchTuesday from Microsoft: 79 new CVEs, 4 NEW EXPLOITED ZERO DAYS:

• CVE-2024-43491 (9.8 critical) Microsoft Windows Update Remote Code Execution Vulnerability (EXPLOITED)
• CVE-2024-38226 (7.3 high) Microsoft Publisher Security Feature Bypass Vulnerability (EXPLOITED)
• CVE-2024-38217 (5.4 medium) Windows Mark of the Web Security Feature Bypass Vulnerability (EXPLOITED and PUBLICLY DISCLOSED)
• CVE-2024-38014 (7.8 high) Windows Installer Elevation of Privilege Vulnerability (EXPLOITED)

EDIT: @BleepingComputer has mentioned that CVE-2024-38217 was marked publicly disclosed. Updated this to reflect it. See related reporting Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws

#microsoft #vulnerability #zeroday #eitw #activeexploitation #cve

Straight Outta Kapton

Measuring non-determinism in the Linux kernel

https://shape-of-code.com/2024/09/08/measuring-non-determinism-in-the-linux-kernel/

Citrix security advisory: Citrix Workspace app for Windows Security Bulletin CVE-2024-7889 and CVE-2024-7890
Happy #PatchTuesday from Citrix.

• CVE-2024-7889 (CVSSv4: 7.0 high) LPE
• CVE-2024-7890 (CVSSv4: 5.4 medium) LPE

Fixed in Citrix Workspace app for Windows 2405 and later versions, Citrix Workspace app for Windows 2402 CU1 LTSR and later versions. No mention of exploitation.

#citrix #vulnerability #cve #citrixworkspace

New vulnerability report from Talos:

Adobe Acrobat Reader Annotation Object Page Race Condition Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2011

CVE-2024-39420

Ivanti security advisory: September 2024 Security Update
Happy #PatchTuesday from Ivanti. There are some serious vulnerabilities. I want to emphasize that Ivanti stated they "have no evidence of these vulnerabilities being exploited in the wild." See the following advisories:

• Security Advisory EPM September 2024 for EPM 2024 and EPM 2022
• Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
• Security Advisory Ivanti Workspace Control (IWC)

The big ones:

• CVE-2024-29847 (perfect 10.0 critical 🥳 cc: @cR0w) deserialization in the agent portal of Ivanti EPM before 2022 SU6/September 2024 update allows unauth RCE
• CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34783, CVE-2024-34785: unspecified SQL injection in Ivanti EPM before 2022 SU6/September 2024 update allow remote authenticated attacker with admin privileges to RCE

#ivanti #vulnerability #cve #epm #iwc #csa

It is shocking that after moving from Google workspace to Proton as the back office for our professional email adresses etc, all the major Dutch institutions are blocking us as spam. All our contacts have to whitelist us individually. So I think we are forced to go back to Google, where we had this problem occasionally but not as massively as now. It seems the reason is that Microsoft, used by almost all institutions in NL, simply blocks all Proton mail .😈 ( DNS=OK configured)

I would like to impress upon product managers that a code security review does not consist of me sitting down with the files in alphabetical order and reading each and every line exactly once in order and checking off whether it is or isn’t secure

New Project Zero issue:

is_compat flag in adsprpc driver leads to access of userland provided addresses as kernel pointers

https://project-zero.issues.chromium.org/issues/42451710

CVE-2024-21455

This widely shared infographic uses a trick to make its message appear much stronger than it actually is. It seems to show a strong correlation between energy consumption and the wealth of a country. By using a logarithmic scale, the correlation appears much stronger than it actually is. I covered this before in articles, and now have also uploaded a short video ⚡💸🎥 https://www.youtube.com/watch?v=2xZ6CihdKu0 🧵

Deception and Kerckhoffs’s Cryptographic Principle

https://www.smokescreen.io/deception-and-kerckhoffss-cryptographic-principle/

(Re: yesterdays fun little shitpost)

[RSS] Analysis of GitHub Enterprise vulnerabilities (CVE-2024-0507/CVE-2024-0200)

https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/

There is a known issue in the latest stable 4.1.5902 we wanted to make folks aware of. If you save a bndb while debugging, the database can get into an improper state and it may appear to lose user changes. The issue is resolved in the latest dev builds.

For those who are using the latest stable, you can either switch to dev or avoid saving during debugging (saving after debugging is unaffected). Impacted users can contact support (https://binary.ninja/support/) or see: https://github.com/Vector35/debugger/issues/612

watchTowr: Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711)
Reference: CVE-2024-40711 (9.8 critical, disclosed 04 September 2024 by Veeam) Veeam Backup & Replication: A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). This vulnerability was reported by reported by Florian Hauser @frycos with CODE WHITE Gmbh @codewhitesec.

watchTowr doing what they do best, root cause analysis of vulnerabilities and breaking it down Barney style. Veeam Backup and Replication's CVE-2024-40711 has an authenticated RCE with a 9.8? watchTowr does patch-diffing (a lot of code and rambling). They name drop James Forshaw @tiraniddo in referencing “Stupid is as Stupid Does When It Comes to .NET Remoting”

Okay in reading through this, CVE-2024-40711 is actually comprised of two separate bugs. Veeam silently patched an improper authorization bug, then the deserialisation bug 3 months later. watchTowr claims that there is a way to bypass CVE-2024-40711 (details are still under embargo). They do not release a proof of concept due to the current situation and proclivity for ransomware actors to go after Veeam backups.

#cve_2024_40711 #vulnerability #rootcauseanalysis #cve #veeam #infosec #cybersecurity

Data-Oriented Design Revisited: Type Safety in the Zig Compiler

https://www.youtube.com/watch?v=KOZcJwGdQok

Discussions: https://discu.eu/q/https://www.youtube.com/watch?v=KOZcJwGdQok

#programming #ziglang

3 more weeks before my Windows Kernel Exploitation training at #HEXACON2024
Don't miss out! More info on contents -> https://www.hexacon.fr/trainer/halbronn/

New Project Zero issue:

PowerVR: DEVMEMXINT_RESERVATION::ppsPMR references PMRs but does not lock their physical addresses

https://project-zero.issues.chromium.org/issues/42451698

CVE-2024-34747