Article: Actively exploited Apache 0-day also allows remote code execution

This vulnerability, CVE-2021-41773, affect Apache web servers running v2.4.49 (current release is v2.4.51) appeared to be only a directory traversal vulnerability however if “mod_cgi” is enabled, and the default “Require all denied” option is missing from the configuration it can lead to an attacker gaining remote code execution running at the same privilege level as the web server, which is the “www-data”  account in most cases).

Links:

Article: Apple fixes iOS zero-day used to deploy NSO iPhone spyware

“Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. One is known to be used to install the Pegasus spyware on iPhones.

The vulnerabilities are tracked as CVE-2021-30860 and CVE-2021-30858, and both allow maliciously crafted documents to execute commands when opened on vulnerable devices.

The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS.

CVE-2021-30858 is a WebKit use after free vulnerability allowing hackers to create maliciously crafted web page that execute commands when visiting them on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.

“Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories published today regarding both vulnerabilities.

While Apple did not release any further information on how the vulnerabilities were used in attacks, Citizen Lab has confirmed that CVE-2021-30860 is a zero-day zero-click iMessage exploit named ‘FORCEDENTRY.’

The FORCEDENTRY exploit was discovered to be used to bypass the iOS BlastDoor security feature to deploy the NSO Pegasus spyware on devices belonging to Bahraini activists.”

Links:

New vulnerability in Windows: Windows MSHTML (CVE-2021-40444)

“Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML (CVE-2021-40444) that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim’s computer remotely..

Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.

These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.”

Links

Article: Shadow Credentials-Abusing Key Trust Account Mapping for Account Takeover

A security research firm named SpectreOps recently released an article on how to take over User and Computer objects in an Active Directory using discretionary access control list (DACL) based attacks. DACL is a subsystem in Windows that deals with authorization for requesting access to Windows objects.

Links

A tool to help identify hash types

Have you ever gotten password hashes and didn’t know what hashing algorithm generated it? There is now an open-source tool to help cyber security professionals to identify hashes called “Name That Hash.” It supports the identification of over 3000 hash formats.

Links

CVE-2021-3560: A Newly Discover LPE that has been in Linux for 7 Years

GitHub recent published their findings on a vulnerability that has been in Linux for at least 7 years. This vulnerability is a local privilege escalation and may be the first of it’s kind found in what is a new class of vulnerabilities affecting all Linux systems using dbus.  From a user shell and attacker can gain root privileges through dbus using polkit. This affects the following popular Linux distros: Ubuntu 20.04 and Debian “Bullseye”, and RHEL 8.

Links