Zero-day Vulnerability Database

Zero-day vulnerabilities discovered: 41

Remote code execution in Huawei HG532 routers
CVE-2017-17215

Command injection

The vulnerability allows a remote attacker with administrator credentials to inject and execute arbitrary operating-system commands on the target device.

The weakness exists because the implementation of TR-064 (a Technical Report standard defining an application-layer protocol for remote CPE management) in the Huawei devices was exposed on the public Internet through the Universal Plug and Play (UPnP) service on TCP port 37215. A remote attacker can place shell metacharacters such as "$()" into the NewStatusURL and NewDownloadURL parameters of the upgrade request; the values are passed unsanitized to a shell, so arbitrary commands are executed on the router.

Successful exploitation allows the attacker to download and execute a malicious payload on the router and install the Satori bot, resulting in full device compromise.
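
The injection point above is easy to spot on the wire: the two parameter values should only ever hold URLs, so command-substitution syntax inside them is a reliable signal. The detector below is an added example (not code from the original page or from the vendor) that parses the SOAP body of a request to the UPnP service and flags NewStatusURL / NewDownloadURL values carrying shell metacharacters. The request path, the action element name, its namespace, the host address and both sample requests are constructed for this example and are not taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# NewStatusURL and NewDownloadURL are the TR-064 parameters named in the advisory.
# The request path, the action element, its namespace and the sample bodies are
# constructed for this example and are not taken from the original page.
TARGET_FIELDS = {"NewStatusURL", "NewDownloadURL"}

# Shell metacharacters that never belong in a firmware URL: command substitution
# ($( ... ) and backticks), parameter expansion, pipes and line breaks.
SHELL_META = re.compile(r"\$\(|\$\{|`|\||[\r\n]")


def find_injected_fields(soap_body: str) -> dict:
    """Return {parameter: value} for target parameters whose value carries shell metacharacters.

    Namespace prefixes are stripped so the check does not depend on the prefix
    the client chose for the action element.
    """
    root = ET.fromstring(soap_body)
    hits = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        if tag in TARGET_FIELDS and elem.text and SHELL_META.search(elem.text):
            hits[tag] = elem.text
    return hits


def is_injection_attempt(raw_http: str) -> bool:
    """Flag a raw HTTP request to the UPnP service on port 37215 whose SOAP body carries an injected command.

    Unparseable bodies are reported as benign so the detector never raises;
    a production sensor would log them separately.
    """
    _, _, body = raw_http.partition("\r\n\r\n")
    body = body.lstrip()
    if not body.startswith("<"):
        return False
    try:
        return bool(find_injected_fields(body))
    except ET.ParseError:
        return False


def build_request(status_url: str, download_url: str) -> str:
    """Construct a sample firmware-upgrade POST (path, action name and namespace are assumptions)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:Upgrade xmlns:u="urn:example:tr064:service:1">'
        f"<NewStatusURL>{status_url}</NewStatusURL>"
        f"<NewDownloadURL>{download_url}</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    )
    return (
        "POST /upnp/control/upgrade HTTP/1.1\r\n"
        "Host: 192.0.2.1:37215\r\n"
        "Content-Type: text/xml\r\n"
        'SOAPAction: "urn:example:tr064:service:1#Upgrade"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed samples: a legitimate-looking upgrade request and one carrying
# command substitution in NewStatusURL.
SAMPLE_BENIGN = build_request("http://fw.example/status", "http://fw.example/fw.bin")
SAMPLE_MALICIOUS = build_request("$(id)", "http://fw.example/fw.bin")

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, is_injection_attempt(req))
```

The metacharacter list is deliberately narrow (no ";" or "&", which occur in legitimate URLs) so the rule stays low-noise when deployed in front of a large fleet of CPE devices.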

Note: the vulnerability is being actively exploited.

The vulnerability has been used in Satori attacks against Huawei's router model HG532. The most targeted countries include the United States, Italy, Germany, and Egypt.

Software: Huawei HG532

Known/famous malware:

Satori botnet, Mirai malware

Information disclosure in Roundcube
CVE-2017-16651

Information disclosure

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to insufficient validation of file-based attachment plugins and of _task=settings&_action=upload-display&_from=timezone requests. An attacker who holds valid credentials (username/password) for an email account can modify the login form to submit them, then send a specially crafted HTTP request and read arbitrary files on the host's filesystem, including Roundcube configuration files.

Note: the vulnerability is being actively exploited.

Software: Roundcube

Remote code execution in Adobe Flash Player
CVE-2017-11292

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing .swf files. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening it and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

According to Kaspersky Lab, the vulnerability has been exploited by the BlackOasis threat actor. The attacks delivered malicious Office documents to victims with an embedded ActiveX object containing the Flash CVE-2017-11292 exploit.

Software: Adobe Flash Player

Known/famous malware:

FINSPY

Remote code execution in Microsoft Office
CVE-2017-11826

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious content in Office documents. A remote attacker can send a specially crafted document (RTF files embedding the exploit were observed in the wild), trick the victim into opening it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Note: the vulnerability is being actively exploited.

The weakness was reported to Microsoft by researchers at China-based security firm Qihoo 360. The experts said they first observed an attack exploiting this vulnerability on September 28. The attacks targeted a small number of the company’s customers and they involved malicious RTF files.

Software: Microsoft Office

Backdoor in CCleaner

Backdoor

CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were shipped with backdoor code from the official vendor's website. The incident was detected on September 12.

The malicious version was released on August 15. Users, who downloaded CCleaner between August 15 and September 12, are affected.

Avast reported a security breach involving the compromise of one of the CCleaner build/distribution servers. As a result, the adversary was able to distribute a backdoored version of the CCleaner application between August 15 and September 12. The compromised build was served from the official vendor's website and carried a valid code-signing signature, so a signature check alone would not have caught it.

Software: CCleaner

Remote code execution in Microsoft .NET Framework
CVE-2017-8759

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of untrusted input in the SOAP WSDL parser: line-break characters in a WSDL definition are not sanitized, so attacker-supplied code is injected into the generated proxy class, compiled and run. A remote unauthenticated attacker can trick the victim into opening a document that references a malicious WSDL and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability was detected by FireEye researchers. The attacker used a Microsoft Office RTF document to leverage the RCE in .NET Framework and deploy FINSPY malware. The malicious document "Проект.doc" (MD5: fe5c4d6bb78e170abf5cf3741868ea4c) had a Russian name and might have been used to target a Russian speaker.

Software: Microsoft .NET Framework

Known/famous malware:

FINSPY

Backdoor in NetSarang software

Backdoor

The vulnerability allows a remote attacker to gain complete control over affected system.

The weakness exists due to the presence of backdoor functionality in the nssock2.dll library. After installation, the ShadowPad backdoor activates itself by sending a DNS TXT query for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor can connect to a malicious C&C server and execute commands sent by the attackers.

The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.

Backdoor code was detected in NetSarang software on August 4, 2017. The next day, August 5, the developer released an update to resolve the issue. As of August 15, there was evidence that the backdoor had been activated on one host in Hong Kong.

The malicious code was delivered to the vendor's clients through the compromised software update mechanism: the ShadowPad backdoor was included in the updates issued on July 18, 2017.

Software: Xmanager Enterprise, Xmanager, Xshell, Xftp, Xlpd

Known/famous malware:

ShadowPad backdoor

Privilege escalation in Linux kernel
CVE-2017-7533

Race condition

The vulnerability allows a local user to execute arbitrary code with escalated privileges.

The vulnerability exists due to a race condition in the fsnotify implementation in the Linux kernel through 4.12.4. A local user can run a specially crafted application that races inotify_handle_event() against vfs_rename(), trigger memory corruption and cause a denial of service or execute arbitrary code on the target system with root privileges.

Successful exploitation of this vulnerability may allow a local user to obtain elevated privileges on the system.

Note: this vulnerability was being actively exploited in the wild against 32-bit systems in August 2017.

Software: Linux kernel

Backdoor in Web Developer Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Web Developer Google Chrome extension 0.4.9, distributed via the Chrome Web Store.

The extension developer's Chrome Web Store account was hijacked and a malicious update was published through the store.

Software: Web Developer (Chrome extension)

Backdoor in Copyfish Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Copyfish Google Chrome extension 2.8.5, distributed via the Chrome Web Store.

The extension developer's Chrome Web Store account was hijacked and a malicious update was published through the store.

Software: Copyfish (Chrome extension)

Backdoor in Social Fixer Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Social Fixer Google Chrome extension 20.1.1, distributed via the Chrome Web Store.

The browser extension was hijacked on July 3, 2017 and a backdoored build was distributed via the Chrome Web Store. The attackers published it as version 20.1.1, a version number the legitimate developer had never released.

Software: Social Fixer (Chrome extension)

Backdoor in M.E.Doc software

Backdoor

The security issue exists due to the presence of backdoor code in updates distributed from the official website. After the update is installed, the system becomes infected with NotPetya ransomware.

The malware also makes various attempts to infect other systems on the local network.

The backdoor code was distributed via the automatic update functionality. The infected version 10.01.189 contained backdoor code that downloaded and installed NotPetya ransomware along with other tools intended to spread the malware within the local network. 75% of victims were located in Ukraine.

Software: M.E.Doc

Known/famous malware:

NotPetya

Multiple vulnerabilities in Drupal
CVE-2017-6922

Security restrictions bypass

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to insufficient file protection. A remote attacker can bypass access restrictions and view private files that have been uploaded by an anonymous user but not permanently attached to content on the site.

Successful exploitation of the vulnerability may result in access bypass.

Note: the vulnerability was being actively exploited for spam purposes.

There are confirmed reports indicating that this vulnerability has been publicly exploited in spam campaigns. The attackers were creating accounts, uploading files with spam links to advertise or influence SEO rankings.

Software: Drupal

Backdoor in Chrometana Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Chrometana Google Chrome extension 1.1.3, distributed via the Chrome Web Store.

The browser extension was hijacked on the Chrome Web Store. The malicious update included alert10.js, a script that opens pop-ups claiming the computer is infected with a virus.

Software: Chrometana (Chrome extension)

Remote code execution in Windows Search service
CVE-2017-8543

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Software: Windows

Remote code execution when processing .LNK files in Microsoft Windows
CVE-2017-8464

Improper input validation

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to improper handling of .LNK (shortcut) files. A remote attacker can create a specially crafted .LNK file, for example on a removable drive or a network share, and have arbitrary code executed on the target system when Windows renders the shortcut's icon.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability is being actively exploited in the wild.

Software: Windows

Backdoor in Infinity New Tab Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Infinity New Tab Google Chrome extension 3.12.3, distributed via the Chrome Web Store.

The browser extension was hijacked on the Chrome Web Store. The injected script displayed an advertisement via alert10.js, telling victims that their PC had been infected with malware and urging them to purchase fake antivirus software.

Software: Infinity New Tab (Chrome extension)

Buffer overflow in Microsoft Windows RDP for Windows XP/2003
CVE-2017-0176

Buffer overflow

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in the Smart Card authentication code in gpkcsp.dll within Windows Remote Desktop services. A remote attacker can send specially crafted packets to the vulnerable system, trigger buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over the affected system.

Note: this vulnerability was publicly disclosed by the Shadow Brokers group along with a fully functional exploit known as "EsteemAudit".

The vulnerability is being exploited in the wild.

The vulnerability was disclosed by the Shadow Brokers hacking team.

Software: Windows

Known/famous malware:

EsteemAudit

Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0262

Type confusion

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing EPS files within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability was used by APT28 team along with another zero-day CVE-2017-0263.

Software: Microsoft Office

Known/famous malware:

GAMEFISH

Multiple vulnerabilities in Win32k.sys in Microsoft Windows
CVE-2017-0263

Elevation of privilege

The vulnerability allows a local user to elevate privileges on the system.

The vulnerability exists due to a use-after-free error in the Win32k.sys kernel-mode driver. A local user can run a specially crafted program to escalate privileges on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

The vulnerability was used by APT28 team along with another zero-day CVE-2017-0262.

Software: Windows

Known/famous malware:

GAMEFISH

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0222

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling objects in memory. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability is being actively exploited.

Software: Microsoft Internet Explorer

Remote code execution in QNAP QTS

Improper access control

The vulnerability allows a remote attacker to compromise vulnerable device.

The vulnerability exists due to an unspecified error that leads to compromise of the QNAP device. Vulnerability details have not been disclosed.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable device.

Note: the vulnerability is being actively exploited in the wild.

QNAP reported a security issue involving unauthorized access to QNAP devices. Several QNAP NAS devices running QTS were found running injected XMR (Monero) mining programs, specifically from mineXMR.com.

Software: QNAP QTS

Remote command injection in Ghostscript
CVE-2017-8291

Type confusion

The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system.

The weakness exists due to a type confusion error when processing user-supplied parameters passed to the .rsdparams and .eqproc operators in Ghostscript. A remote attacker can submit a specially crafted PostScript/.eps document, bypass the -dSAFER protection and execute code in the context of the Ghostscript process (commonly reached through image-processing services that hand untrusted files to Ghostscript).

Successful exploitation of the vulnerability may result in system compromise.

Note: this vulnerability is being exploited in the wild.

Software: Ghostscript

Remote code execution in IMAP server in IBM Lotus Domino
CVE-2017-1274

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing mailbox names in the EXAMINE IMAP command. A remote authenticated attacker can send an EXAMINE IMAP command containing an overly long mailbox name, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak.

The list of affected products, according to software vendor:

  • IBM Domino 9.0.1 through 9.0.1 Feature Pack 8 Interim Fix 1
  • IBM Domino 9.0 through 9.0 Interim Fix 7
  • IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 16
  • IBM Domino 8.5.2 through 8.5.2 Fix Pack 4
  • IBM Domino 8.5.1 through 8.5.1 Fix Pack 5

The exploit code was disclosed by the Shadow Brokers leak.

Software: IBM Domino

Known/famous malware:

EMPHASISMINE exploit

Two remote code execution vulnerabilities when processing EPS files in Microsoft Office
CVE-2017-0261

Use-after-free

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

The vulnerability was used by Turla and an unknown financially motivated actor.

Software: Microsoft Office

Known/famous malware:

SHIRIME
NETWIRE

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0210

Cross-domain scripting

The vulnerability allows a remote attacker to perform cross-domain scripting attacks.

The vulnerability exists because Internet Explorer does not properly enforce cross-domain policies. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of another domain.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: this vulnerability is being exploited in the wild.

Software: Microsoft Internet Explorer

Remote code execution in Microsoft Office
CVE-2017-0199

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of OLE2Link objects: a crafted document causes Office or WordPad to fetch a remote HTA file through the URL moniker and execute it. A remote unauthenticated attacker can create such a document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in compromise of the vulnerable system.

Note: the vulnerability is being actively exploited.
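
Since the in-the-wild samples were RTF files with a .doc extension, a triage script that decodes the embedded object data is a practical first filter. The following is an added example (not code from the original page or from Microsoft) that hex-decodes every \objdata blob in an RTF file, checks for an OLE2Link object marked \objupdate and extracts any remote URL stored in the moniker. The two RTF samples are constructed for this example; the object stream layout is a plausible approximation, not a byte-exact copy of a real sample, and "example.invalid" is a placeholder host.

```python
import binascii
import re

# \objdata introduces a hex-encoded object stream; \objupdate forces the object
# to be refreshed (and thus the remote resource fetched) when the file is opened.
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"https?://[^\x00\s\"'<>]+")


def decode_objdata(rtf: str) -> list:
    """Return the binary payload of every \\objdata hex blob in an RTF string."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(r"\s+", "", match.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        blobs.append(binascii.unhexlify(hexdigits))
    return blobs


def analyze_rtf(rtf: str) -> dict:
    """Heuristic triage: an OLE2Link object, auto-updated, that embeds a remote URL."""
    blobs = decode_objdata(rtf)
    urls = []
    for blob in blobs:
        # The moniker stores the URL as UTF-16LE; dropping NUL bytes exposes the ASCII form.
        urls.extend(u.decode("ascii", "replace")
                    for u in URL_RE.findall(blob.replace(b"\x00", b"")))
    ole2link = any(b"OLE2Link" in blob for blob in blobs)
    objupdate = "\\objupdate" in rtf
    return {
        "ole2link": ole2link,
        "objupdate": objupdate,
        "urls": urls,
        "suspicious": ole2link and objupdate and bool(urls),
    }


def _hexblob(data: bytes) -> str:
    return binascii.hexlify(data).decode()


# Constructed samples (not real malware). The first mimics an auto-updating
# OLE2Link object carrying a UTF-16LE URL; the second is a benign embedded object.
_OLE2LINK_STREAM = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00"
    + b"\x00" * 8
    + "http://example.invalid/update.hta".encode("utf-16-le")
)
SAMPLE_MALICIOUS = (
    "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
    + _hexblob(_OLE2LINK_STREAM) + "}}}"
)
SAMPLE_BENIGN = (
    "{\\rtf1{\\object\\objemb{\\*\\objdata "
    + _hexblob(b"\x01\x05\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00Paint\x00") + "}}}"
)

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_rtf(sample))
```

The three signals are combined with AND on purpose: OLE2Link objects and \objupdate each occur in legitimate documents, and only the combination with a remote URL matches the pattern the advisory describes.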

The detected samples are organized as Word files carrying Dridex botnet ID 7500 (more specifically, RTF files with a ".doc" extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, malware leveraging this vulnerability was used to target Russian-speaking victims. As early as January 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.

This vulnerability was also used by the Petya.A (NotPetya) ransomware as one of the attack vectors in the outbreak of June 27, 2017.

Software: Microsoft Office

Known/famous malware:

Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A (NotPetya)

Remote code execution in Microsoft IIS 6.0
CVE-2017-7269

Buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in ScStoragePathFromUrl() function in the WebDAV service when processing overly long HTTP header beginning with "If: <http://" in a PROPFIND request. A remote unauthenticated attacker can trigger buffer overflow and execute arbitrary code on the target system with privileges of the IIS service.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
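
Because the trigger is an overlong "If:" header on a PROPFIND request, the attempt is visible in plain HTTP before any code runs, which is why legacy IIS 6.0 hosts that could not be patched were often protected by request filtering. The check below is an added example (not code from the original page or from Microsoft) that parses a raw HTTP request and flags a PROPFIND whose If header starts with "<http://" and exceeds a length threshold. The 1024-byte limit, the host addresses and both sample requests are assumptions constructed for this example.

```python
# Assumed threshold: legitimate WebDAV If: headers carry a resource URL and a few
# lock tokens and stay far below this; the overflow needs a much longer value.
IF_HEADER_LIMIT = 1024


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers); header names are lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_webdav_overflow_attempt(raw: str, limit: int = IF_HEADER_LIMIT) -> bool:
    """True when a PROPFIND carries an If: header that starts with "<http://" and exceeds the limit."""
    method, _target, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return False
    if_header = headers.get("if", "")
    return if_header.startswith("<http://") and len(if_header) > limit


def build_propfind(if_value: str) -> str:
    """Construct a sample PROPFIND request (host address is a TEST-NET placeholder)."""
    return (
        "PROPFIND / HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Content-Length: 0\r\n"
        f"If: {if_value}\r\n\r\n"
    )


# Constructed samples: a normal conditional request using a lock token, and a
# request whose If: value is padded far past any legitimate length.
SAMPLE_BENIGN = build_propfind(
    "<http://192.0.2.10/docs/> (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)"
)
SAMPLE_ATTACK = build_propfind("<http://192.0.2.10/" + "A" * 2000 + ">")
SAMPLE_GET = "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK), ("get", SAMPLE_GET)):
        print(label, is_webdav_overflow_attempt(req))
```

On a host that cannot be upgraded, the equivalent mitigation is to disable WebDAV or to cap header length in request filtering; the rule above is the detection-side counterpart for proxy or IDS logs.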

Note: this vulnerability was actively exploited in the wild in July and August 2016.

There are reports that this vulnerability was actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor; nevertheless, Microsoft released a security patch for this issue on June 13, 2017.

Software: Microsoft IIS

Known/famous malware:

EXPLODINGCAN

Spoofing attack in Telegram Desktop for Windows

Spoofing attack

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper handling of the right-to-left override (RLO, U+202E) character in the names of transmitted files in Telegram Desktop for Windows. A remote attacker can craft a filename for malicious content (e.g. a JavaScript file) so that it is displayed as an image, and trick the victim into opening it.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
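
The trick works because the operating system dispatches on the real extension while the user sees the reordered one. The following is an added example (not code from the original page or from Telegram) that, for an incoming attachment name, strips Unicode bidirectional control characters to recover the real extension, approximates how an RLO-honouring display renders the name, and reports a mismatch. The sample filenames are constructed for this example; the renderer handles only the RLO case rather than the full Unicode Bidirectional Algorithm.

```python
import unicodedata

# Bidi classes of the explicit embedding, override and isolate control characters.
BIDI_CLASSES = frozenset({"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"})
RLO = "\u202e"


def is_bidi_control(ch: str) -> bool:
    return unicodedata.bidirectional(ch) in BIDI_CLASSES


def has_bidi_control(name: str) -> bool:
    return any(is_bidi_control(ch) for ch in name)


def true_extension(name: str) -> str:
    """Extension the OS actually dispatches on: drop bidi controls, take the text after the last dot."""
    clean = "".join(ch for ch in name if not is_bidi_control(ch))
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def rendered_name(name: str) -> str:
    """Approximate a display that honours RLO only: everything after it is shown reversed.

    A real renderer runs the full Unicode Bidirectional Algorithm; this
    simplification is enough to show why the victim sees a different extension.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    tail = "".join(ch for ch in tail if not is_bidi_control(ch))
    return head + tail[::-1]


def displayed_extension(name: str) -> str:
    shown = rendered_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def check_attachment(name: str) -> dict:
    """Classify an incoming attachment name; spoofed when the shown and real extensions differ."""
    shown, real = displayed_extension(name), true_extension(name)
    return {
        "bidi": has_bidi_control(name),
        "displayed_as": rendered_name(name),
        "displayed_ext": shown,
        "real_ext": real,
        "spoofed": has_bidi_control(name) and shown != real,
    }


# Constructed samples: a JavaScript file whose name renders as a .png, and a plain image.
SAMPLE_SPOOFED = "photo_high_re" + RLO + "gnp.js"
SAMPLE_PLAIN = "photo_high_res.png"

if __name__ == "__main__":
    for name in (SAMPLE_SPOOFED, SAMPLE_PLAIN):
        print(check_attachment(name))
```

A client-side fix does not need the renderer at all: rejecting or visibly escaping any bidi control character in a received filename removes the ambiguity, which is the approach a messaging client should take before handing the file to the OS.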

Note: according to Kaspersky Lab, this vulnerability was exploited in the wild from March until October 2017 and was silently fixed by the vendor.

According to Kaspersky Lab, this vulnerability was exploited in the wild since March 2017 until October 2017. The attackers used the vulnerability to install cryptocurrency miners on victims’ computers.

Software: Telegram Desktop for Windows

Remote code execution in Cluster Management Protocol in Cisco IOS and IOS XE
CVE-2017-3881

Improper input validation

The vulnerability allows a remote attacker to gain access to vulnerable device.

The vulnerability exists due to improper input validation in the Cisco Cluster Management Protocol (CMP) implementation, which fails to restrict the CMP-specific Telnet options to internal, local communications between cluster members. A remote unauthenticated attacker can send malformed CMP-specific Telnet options while establishing a Telnet session with an affected device configured to accept Telnet connections, causing the device to reload or allowing the attacker to execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may allow an attacker to gain full access to vulnerable device.

Note: information about this vulnerability was publicly disclosed by WikiLeaks documents dubbed CIA Vault 7.

The vulnerability was disclosed by WikiLeaks in documents dubbed CIA Vault 7. It is believed that this vulnerability was used by CIA agents to penetrate government and corporate networks.

Software: Cisco IOS

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0145

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.

It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

Software: Windows

Known/famous malware:

EternalSynergy exploit

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0144

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.

CVE-2017-0144 is the flaw behind the EternalBlue exploit; the mapping of the remaining MS17-010 CVEs (CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148) to the other leaked SMB exploits is less clearly documented.

This vulnerability was used to spread the WannaCry and NotPetya ransomware.

Software: Windows

Known/famous malware:

EternalBlue exploit
WannaCry
NotPetya

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0147

Information disclosure

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.

Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.

Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.

On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.

Software: Windows

Known/famous malware:

EternalChampion exploit

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0146

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.

On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.

Software: Windows

Known/famous malware:

EternalChampion exploit

Multiple vulnerabilities in Microsoft Windows SMB Server
CVE-2017-0143

Improper input validation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.

It is unclear which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

On May 12, 2017 the attackers hit over 100,000 organizations in 150 countries. They encrypted files on the target systems and demanded a ransom of $300-600.

Software: Windows

Known/famous malware:

WannaCry (Wana Decryptor) malware (the attackers appended the .WCRY extension to the encrypted target files). The malware is believed to be connected to the Lazarus Group from North Korea.
EternalBlue exploit.

Multiple vulnerabilities in Microsoft Windows
CVE-2017-0005

Privilege escalation

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application, gain elevated privileges and execute arbitrary code on the affected system.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

The vulnerability was used by the Zirconium cyber-espionage group against older versions of Windows.

Software: Windows

Information disclosure in Microsoft XML Core Services
CVE-2017-0022

Information disclosure

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft XML Core Services (MSXML). A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and test for the presence of files on disk.

Successful exploitation of this vulnerability results in information disclosure.

Note: the vulnerability was being actively exploited.

This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. The vulnerability was reported to Microsoft in September 2016. The first malware sample discovered in the wild is connected with the AdGholas campaign in July 2016. The exploit reappeared in September 2016 in the Neutrino exploit kit.

Software: Microsoft XML Core Services

Known/famous malware:

Neutrino exploit kit

Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2017-0149

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Software: Microsoft Internet Explorer

Remote code execution in Mikrotik RouterOS HTTP server

Stack-based buffer overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the HTTP server component. A remote attacker can send a specially crafted HTTP POST request to the affected device and trigger stack-based buffer overflow.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

Note: this vulnerability was disclosed in the "Vault 7" leak by Wikileaks project. The codename of the exploit affecting Mikrotik RouterOS is ChimayRed.
The remote code execution exploit was revealed during the Vault 7 leak. It is possible that this vulnerability was used to compromise Mikrotik routers in the Slingshot APT campaign.

Software: MikroTik RouterOS

Known/famous malware:

ChimayRed

Backdoor in Web Paint Google Chrome extension

Backdoor

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to the presence of backdoor code in Web Paint Google Chrome extension 1.2.1, distributed via the Google Web Store.

The browser extension was hijacked on the Google Web Store. The attackers were able to distribute malware to the extension's users. The attack occurred around March 1, 2017.

Software: Web Paint (Chrome extension)

Multiple vulnerabilities in cPanel
CVE-2017-5613

Format string vulnerability

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within the cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file containing format string specifiers and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.

The exploit code, dubbed ElegantEagle, was disclosed in the Shadow Brokers leak and targets the vulnerability in cgiemail.

Software: cPanel

Known/famous malware:

ElegantEagle exploit
