Paul Van Der Haas
From Discovery to Disclosure: ReCrystallize Server Vulnerabilities
TL&DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client’s side while others were new vulnerabilities I found that when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE.
Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and validation of the findings were done on my own test environment.
Let me store that for you
A while ago Jonas Lykkegaard disclosed a zeroday that could be used to create files in the SYSTEM folder. CVE-2020-16885 got assigned for this vulnerability, and was since patched with KB4580346. This vulnerability was very convenient for Dynamic-link library (DLL) side-loading, which I will show in this blog post. Below you can find his original Twitter message.
Unprivileged users are not allowed to create files in system32 folder- on hyper-v hosts they finally realised that unprivileged lives matters too as anyone can now create files there , with creater as owner, just open like this: pic.twitter.com/Pd6nnqhcKZ
DirectAccess and Kerberos Resource-based Constrained Delegation
Background Are you tired of working from home due to COVID? While this is quite a unique situation we find ourselves in, it also provides some fresh opportunities. Lately we have assessed several environments that was meant to provide a secure way for working from home. For one specific engagement, a client delivered one of their laptops that was domain joined. The laptop was accompanied with credentials of a low privilege domain user. The secure connection to their office was provided using DirectAccess.
Page 1 of 1