ManageEngine hit with a critical flaw

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.

CVE-2020-11552

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32\’, a cmd.exe can be launched as a SYSTEM.”

ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.

HTTPS with TLS 1.3 and ESNI: censored ⛔

China’s Great Firewall “is now blocking HTTPS connections with TLS 1.3 and which use ESNI (Encrypted Server Name Indication).”

The reason for the ban is obvious for experts. HTTPS connections negotiated via TLS 1.3 and ESNI prevent third-party observers from detecting what website a user is attempting to access. This effectively blinds the Chinese government’s Great Firewall surveillance tool from seeing what users are doing online.

There is a myth surrounding HTTPS connections that network observers (such as internet service providers) cannot see what users are doing. This is technically incorrect. While HTTPS connections are encrypted and prevent network observers from viewing/reading the contents of an HTTPS connection, there is a short period before HTTPS connections are established when third-parties can detect to what server the user is connecting. This is done by looking at the HTTPS connection’s SNI (Server Name Indication) field.

In HTTPS connections negotiated via older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2), the SNI field is visible in plaintext.
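To make the plaintext SNI concrete, the following added example (not part of the original article) parses a ClientHello the way a passive monitoring sensor would and reports the server name and whether an ESNI extension is present. The ClientHello bytes are constructed sample data, the function names are hypothetical, and `0xFFCE` is assumed to be the extension codepoint used by the ESNI drafts.

```python
import struct

EXT_SNI = 0x0000    # server_name extension (RFC 6066), sent in cleartext
EXT_ESNI = 0xFFCE   # encrypted_server_name, assumed ESNI draft codepoint

def build_client_hello(hostname=None, esni=False):
    """Construct a minimal ClientHello record (sample data, not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if esni:
        blob = b"\xAA" * 16  # opaque placeholder standing in for the encrypted name
        exts += struct.pack("!HH", EXT_ESNI, len(blob)) + blob
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
             + b"\x01\x00"                          # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observe(record):
    """Return what an on-path observer can read from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    seen = {"sni": None, "esni": False}
    try:
        pos = 5 + 4 + 2 + 32                                 # headers, version, random
        pos += 1 + record[pos]                               # skip session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # skip cipher suites
        pos += 1 + record[pos]                               # skip compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            data = record[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SNI and len(data) >= 5 and data[2] == 0:
                n = struct.unpack_from("!H", data, 3)[0]
                seen["sni"] = data[5:5 + n].decode("ascii", "replace")
            elif ext_type == EXT_ESNI:
                seen["esni"] = True
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    return seen

if __name__ == "__main__":
    print(observe(build_client_hello("example.test")))  # hostname is readable
    print(observe(build_client_hello(esni=True)))       # only ESNI presence is visible
```

With classic SNI the observer recovers the hostname directly; with ESNI it learns only that the extension is in use, which is the signal the article says the Great Firewall blocks on.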

Bug in Windows.. Printers can be hijacked

Windows users have been warned to ensure their security protections are up to date following the disclosure of a new bug that could affect printer services.

Researchers were able to bypass recent patches to exploit a flaw that could allow hackers to take over a private network after hijacking individual printing devices.

The flaw affects Windows Print Spooler, the service that manages the printing process, giving third-parties admin privileges that could be exploited to run malware.

Printer security

The researchers discovered that they could take advantage of CVE-2020-1048 by crafting malicious files that are parsed by Windows Print Spooler, including .SHD (Shadow) files that contain metadata for print jobs such as the ID of the system user, and .SPL (Spool) files that contain the data that is due to be printed.

These files are processed by a function called ProcessShadowJobs, which places SHD files into the spooler folder when printing starts.

However, as Windows Print Spooler runs with SYSTEM privileges and any user can drop SHD files into its folder, the researchers were able to use modified SHD files to include a SYSTEM SID, add it to the Spooler’s folder, and restart the computer for the Spooler to perform the task with the rights of the most privileged account on Windows.

Microsoft now says it will fix the flaw in its next security update, scheduled for August 11, but this means some user systems remain at risk until then with no fix in sight.

Users may want to hold off downloading any initial Microsoft patches though, after recent releases did more harm than good, with the June 2020 update causing serious problems with printers – breaking printer functionality completely, or elements of it, such as causing wireless printing to fail.

macOS macros in the spotlight

Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.
Microsoft Office is no stranger to vulnerabilities and exploits.

Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but it’s possible for an attacker to take an exploit path from Microsoft Office to macOS.

The Human Error

In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.

Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. It’s the second stage payload that contains the “working” code of the attack, whether it’s skimming credentials, creating a bot, or encrypting the system’s data as part of a ransomware scheme.

Out of the (Sand)box

Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a “sandbox,” a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.

Researchers found ways to include SYLK files and XLM code that make macros execute whether or not they’re invoked or allowed. They still run within the sandbox. Wardle showed that it’s possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.

What kind of files can fit the twin bill?

A ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a file’s creation, Wardle said that there’s room for research here.