
Archive for November 10th, 2020

Traffic Analysis Quiz: DESKTOP-FX23IK5, (Wed, Nov 11th)

Introduction

It’s time for another ISC traffic analysis quiz! Like previous quizzes, this one consists of a packet capture (pcap) of infection traffic, and you also get a list of the alerts (both as an image of the alerts as shown in Sguil and as a text file with more details).

You can find the pcap and alerts here.

What type of infection is this? The alerts file should tell you. I also have a text file with notes that better explain what this infection is, in case the alerts don’t clearly provide you with answers.

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection activity.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

Unlike previous exercises, there are no actual malware binaries in the traffic.  Some encoded binary objects can be extracted from the pcap, but they are not malicious on their own.
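As an added example (not code from the diary), here is a small Python triage script for the kind of alerts text file that accompanies these quizzes. It assumes the file is in Suricata fast.log format, one alert per line; the sample alerts below are constructed, with RFC 1918 space standing in for the infected network and documentation addresses (203.0.113.0/24, 198.51.100.0/24) for the attackers' servers. It picks out the infected host, the external servers it talked to, and the signatures that fired against it, which is usually enough to name the infection before opening the pcap in Wireshark.

```python
"""Triage an alerts text file from a traffic analysis quiz.

Added example, not code from the ISC diary. It assumes the alerts file is in
Suricata 'fast.log' format (one alert per line); the sample alerts below are
constructed, with RFC 1918 space as the victim network and documentation
addresses (203.0.113.0/24, 198.51.100.0/24) as the attackers' servers.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumption: the monitored network is RFC 1918 space. ipaddress.is_private is
# deliberately not used, because it also flags the documentation ranges as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts (not the quiz's real alerts file); SIDs are placeholders.
SAMPLE_ALERTS = """\
11/11/2020-15:21:40.102938  [**] [1:9000001:1] ET INFO Constructed DNS query for suspicious domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.11.101:51823 -> 10.11.11.1:53
11/11/2020-15:21:41.556677  [**] [1:9000002:1] ET MALWARE Constructed Loader Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.11.101:49855 -> 203.0.113.5:80
11/11/2020-15:21:41.556690  [**] [1:9000003:1] ET POLICY Constructed PE EXE or DLL Download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.5:80 -> 10.11.11.101:49855
11/11/2020-15:23:02.000001  [**] [1:9000002:1] ET MALWARE Constructed Loader Check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.11.101:49871 -> 203.0.113.5:80
11/11/2020-15:23:09.000002  [**] [1:9000004:2] ET MALWARE Constructed Banker Config Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.11.101:49880 -> 198.51.100.77:443
11/11/2020-15:25:00.000003  [**] [1:9000005:1] ET INFO Constructed Windows Update traffic [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.11.11.120:50011 -> 203.0.113.200:80
"""


def parse_alerts(text):
    """Parse fast.log lines into dicts; fail loudly on a line we don't understand."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised alert line: {line!r}")
        a = m.groupdict()
        a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        alerts.append(a)
    return alerts


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def infected_host(alerts, max_priority=1):
    """Internal address involved in the most alerts of priority <= max_priority
    (Suricata priority 1 is the most severe). None if nothing qualifies."""
    counts = Counter(ip for a in alerts if a["prio"] <= max_priority
                     for ip in (a["src"], a["dst"]) if is_internal(ip))
    return counts.most_common(1)[0][0] if counts else None


def external_peers(alerts, host):
    """(address, port, proto) of every non-internal peer the host exchanged alerts with."""
    peers = set()
    for a in alerts:
        if host == a["src"]:
            other, port = a["dst"], a["dport"]
        elif host == a["dst"]:
            other, port = a["src"], a["sport"]
        else:
            continue
        if not is_internal(other):
            peers.add((other, port, a["proto"]))
    return sorted(peers)


def signature_summary(alerts, host):
    """(message, priority, count) per signature touching host, most severe first."""
    counts, prio = Counter(), {}
    for a in alerts:
        if host in (a["src"], a["dst"]):
            counts[a["msg"]] += 1
            prio[a["msg"]] = a["prio"]
    return sorted(((m, prio[m], n) for m, n in counts.items()),
                  key=lambda t: (t[1], -t[2], t[0]))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    victim = infected_host(alerts)
    print(f"infected host: {victim}")
    for msg, p, n in signature_summary(alerts, victim):
        print(f"  [prio {p}] x{n} {msg}")
    for ip, port, proto in external_peers(alerts, victim):
        print(f"  contacted {ip}:{port}/{proto}")
```

The script refuses to guess on lines it cannot parse, which matters when an alerts export mixes Sguil and Suricata formats; on the real quiz file, point `parse_alerts()` at its contents and then use the host and peer list as display filters in Wireshark.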

Final words

Again, files associated with this quiz (pcap, alerts, and notes) can be found here.

If you found this fun, we have previous traffic analysis quizzes:


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Microsoft November 2020 Patch Tuesday, (Tue, Nov 10th)

This month we got patches for 112 vulnerabilities. Of these, 17 are rated Critical, and one was publicly disclosed before the patch and, according to Microsoft, is already being exploited.

Among the Critical vulnerabilities is a CVSSv3 9.8 remote code execution in Windows Network File System (CVE-2020-17051). The advisory gives no details about the vulnerable component or about how the vulnerability could be exploited. It affects virtually all supported Windows versions and is classified by Microsoft as ‘Exploitation More Likely’, meaning Microsoft expects that an exploit could be developed and used consistently. A 9.8 base score corresponds to a network-reachable bug that needs neither authentication nor user interaction, so hosts with Windows NFS enabled should be patched first, and NFS (TCP/UDP 2049) should not be reachable from untrusted networks in the meantime.

The exploited and already disclosed one is a Windows Kernel local elevation of privilege vulnerability (CVE-2020-17087). It has been chained with Google Chrome’s CVE-2020-15999 to escape the browser sandbox, elevate privileges and gain administrator access to the system; patching Chrome alone does not close that chain on a Windows host that still lacks this update. More details about this vulnerability can be found at [1].

A third vulnerability worth mentioning is a remote code execution (RCE) in Microsoft SharePoint (CVE-2020-17061). According to the advisory it requires no user interaction, and it is classified as ‘Exploitation More Likely’. On-premises SharePoint farms reachable from the internet should treat it as a priority patch.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description
CVE | Disclosed | Exploited | Exploitability (older versions) | Exploitability (current version) | Severity | CVSS Base (avg) | CVSS Temporal (avg)
AV1 Video Extension Remote Code Execution Vulnerability
CVE-2020-17105 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
CVE-2020-1325 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
Azure Sphere Denial of Service Vulnerability
CVE-2020-16986 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
Azure Sphere Elevation of Privilege Vulnerability
CVE-2020-16981 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
CVE-2020-16988 | No | No | Less Likely | Less Likely | Critical | 6.9 | 6.0
CVE-2020-16989 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
CVE-2020-16992 | No | No | Less Likely | Less Likely | Important | 7.5 | 7.5
CVE-2020-16993 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
Azure Sphere Information Disclosure Vulnerability
CVE-2020-16985 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
CVE-2020-16990 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
Azure Sphere Tampering Vulnerability
CVE-2020-16983 | No | No | Less Likely | Less Likely | Important | 5.7 | 5.0
Azure Sphere Unsigned Code Execution Vulnerability
CVE-2020-16970 | No | No | Less Likely | Less Likely | Important | 8.1 | 7.1
CVE-2020-16982 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
CVE-2020-16984 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
CVE-2020-16987 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
CVE-2020-16991 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
CVE-2020-16994 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2020-17048 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8
CVE-2020-17054 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.7
DirectX Elevation of Privilege Vulnerability
CVE-2020-16998 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
HEIF Image Extensions Remote Code Execution Vulnerability
CVE-2020-17101 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2020-17106 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17107 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17108 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17109 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17110 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
Internet Explorer Memory Corruption Vulnerability
CVE-2020-17053 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Kerberos Security Feature Bypass Vulnerability
CVE-2020-17049 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.8
Microsoft Browser Memory Corruption Vulnerability
CVE-2020-17058 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7
Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
CVE-2020-17090 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.6
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2020-17005 | No | No |  |  | Important | 5.4 | 4.7
CVE-2020-17006 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
CVE-2020-17018 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
CVE-2020-17021 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-17019 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17064 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17065 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17066 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Excel Security Feature Bypass Vulnerability
CVE-2020-17067 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Denial of Service Vulnerability
CVE-2020-17085 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2020-17083 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
CVE-2020-17084 | No | No | Less Likely | Less Likely | Important | 8.5 | 7.4
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
CVE-2020-17062 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Office Online Spoofing Vulnerability
CVE-2020-17063 | No | No | Less Likely | Less Likely | Important | 6.8 | 5.9
Microsoft Raw Image Extension Information Disclosure Vulnerability
CVE-2020-17081 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Microsoft SharePoint Information Disclosure Vulnerability
CVE-2020-16979 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.6
CVE-2020-17017 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.6
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-17061 | No | No | More Likely | More Likely | Important | 8.8 | 7.7
Microsoft SharePoint Spoofing Vulnerability
CVE-2020-17015 | No | No | Less Likely | Less Likely | Low | 4.3 | 3.8
CVE-2020-17016 | No | No | Less Likely | Less Likely | Important | 8.0 | 7.0
CVE-2020-17060 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.7
Microsoft Teams Remote Code Execution Vulnerability
CVE-2020-17091 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Word Security Feature Bypass Vulnerability
CVE-2020-17020 | No | No | Less Likely | Less Likely | Important | 3.3 | 2.9
Raw Image Extension Remote Code Execution Vulnerability
CVE-2020-17078 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17079 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17082 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2020-17086 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Remote Desktop Protocol Client Information Disclosure Vulnerability
CVE-2020-17000 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Remote Desktop Protocol Server Information Disclosure Vulnerability
CVE-2020-16997 | No | No | Less Likely | Less Likely | Important | 7.7 | 6.7
Scripting Engine Memory Corruption Vulnerability
CVE-2020-17052 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Visual Studio Code JSHint Extension Remote Code Execution Vulnerability
CVE-2020-17104 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Visual Studio Tampering Vulnerability
CVE-2020-17100 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
WebP Image Extensions Information Disclosure Vulnerability
CVE-2020-17102 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Win32k Elevation of Privilege Vulnerability
CVE-2020-17010 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
CVE-2020-17038 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Win32k Information Disclosure Vulnerability
CVE-2020-17013 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Bind Filter Driver Elevation of Privilege Vulnerability
CVE-2020-17012 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Camera Codec Information Disclosure Vulnerability
CVE-2020-17113 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Canonical Display Driver Information Disclosure Vulnerability
CVE-2020-17029 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability
CVE-2020-17024 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2020-17088 | No | No | More Likely | More Likely | Important | 7.8 | 7.2
Windows Delivery Optimization Information Disclosure Vulnerability
CVE-2020-17071 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Error Reporting Denial of Service Vulnerability
CVE-2020-17046 | No | No | Less Likely | Less Likely | Low | 5.5 | 5.0
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2020-17007 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Function Discovery SSDP Provider Information Disclosure Vulnerability
CVE-2020-17036 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows GDI+ Remote Code Execution Vulnerability
CVE-2020-17068 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Graphics Component Information Disclosure Vulnerability
CVE-2020-17004 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2020-17040 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-17035 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Kernel Local Elevation of Privilege Vulnerability
CVE-2020-17087 | Yes | Yes | Detected | Detected | Important | 7.8 | 7.2
Windows KernelStream Information Disclosure Vulnerability
CVE-2020-17045 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows MSCTF Server Information Disclosure Vulnerability
CVE-2020-17030 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows NDIS Information Disclosure Vulnerability
CVE-2020-17069 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Network File System Denial of Service Vulnerability
CVE-2020-17047 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows Network File System Information Disclosure Vulnerability
CVE-2020-17056 | No | No | More Likely | More Likely | Important | 5.5 | 4.8
Windows Network File System Remote Code Execution Vulnerability
CVE-2020-17051 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows Port Class Library Elevation of Privilege Vulnerability
CVE-2020-17011 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Print Configuration Elevation of Privilege Vulnerability
CVE-2020-17041 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2020-17001 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-17014 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Print Spooler Remote Code Execution Vulnerability
CVE-2020-17042 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Windows Remote Access Elevation of Privilege Vulnerability
CVE-2020-17055 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17025 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17026 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17027 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17028 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17031 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17032 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17033 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17034 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17043 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17044 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Spoofing Vulnerability
CVE-2020-1599 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows USO Core Worker Elevation of Privilege Vulnerability
CVE-2020-17075 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Update Medic Service Elevation of Privilege Vulnerability
CVE-2020-17070 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Update Orchestrator Service Elevation of Privilege Vulnerability
CVE-2020-17073 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17074 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2020-17076 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Update Stack Elevation of Privilege Vulnerability
CVE-2020-17077 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows WalletService Elevation of Privilege Vulnerability
CVE-2020-17037 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows WalletService Information Disclosure Vulnerability
CVE-2020-16999 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Win32k Elevation of Privilege Vulnerability
CVE-2020-17057 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
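As an added example (not code from the diary or from patchtuesdaydashboard.com), here is a Python script that parses rows in the layout of the table above into records and orders them for deployment the way a patch manager would: exploited first, then publicly disclosed, then Microsoft's Exploitability Index for current versions, then CVSS base score. The sample rows are copied from the table, and the parser accepts both plain CVE ids and the %%cve:...%% template markup the raw ISC page uses; the out-of-cycle policy in needs_emergency_patch() is an assumption made for the example.

```python
"""Rank Patch Tuesday advisories for deployment priority.

Added example, not code from the ISC diary or patchtuesdaydashboard.com. Sample
rows are copied from the diary's table; needs_emergency_patch() is an assumed policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}
# Microsoft Exploitability Index values; a row with no rating counts as 0.
EXPLOITABILITY_RANK = {"Detected": 3, "More Likely": 2, "Less Likely": 1, "Unlikely": 0}
CVE_ID_RE = re.compile(r"(\d{4}-\d{4,})")

SAMPLE_TABLE = """\
Windows Kernel Local Elevation of Privilege Vulnerability
CVE-2020-17087 Yes Yes Detected Detected Important 7.8 7.2
Windows Network File System Remote Code Execution Vulnerability
CVE-2020-17051 No No More Likely More Likely Critical 9.8 8.5
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-17061 No No More Likely More Likely Important 8.8 7.7
Internet Explorer Memory Corruption Vulnerability
%%cve:2020-17053%% No No More Likely More Likely Critical 7.5 6.7
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2020-17005 No No Important 5.4 4.7
Microsoft SharePoint Spoofing Vulnerability
CVE-2020-17015 No No Less Likely Less Likely Low 4.3 3.8
"""


@dataclass
class Advisory:
    cve: str
    title: str
    disclosed: bool
    exploited: bool
    expl_old: Optional[str]      # Exploitability Index, older product versions
    expl_current: Optional[str]  # Exploitability Index, latest product version
    severity: str
    base: float
    temporal: float


def _exploitability(words: List[str]) -> List[str]:
    """Re-join two-word ratings ('Less Likely', 'More Likely') and validate them."""
    vals, i = [], 0
    while i < len(words):
        if words[i] in ("Less", "More") and i + 1 < len(words) and words[i + 1] == "Likely":
            vals.append(f"{words[i]} Likely")
            i += 2
        else:
            vals.append(words[i])
            i += 1
    if any(v not in EXPLOITABILITY_RANK for v in vals):
        raise ValueError(f"unknown exploitability rating in {words}")
    return vals


def parse_row(line: str, title: str) -> Advisory:
    tok = line.split()
    m = CVE_ID_RE.search(tok[0])
    if len(tok) < 6 or not m or {tok[1], tok[2]} - {"Yes", "No"} or tok[-3] not in SEVERITY_RANK:
        raise ValueError(f"malformed row: {line!r}")
    ratings = _exploitability(tok[3:-3])           # zero, one or two ratings
    old = ratings[0] if ratings else None
    return Advisory("CVE-" + m.group(1), title, tok[1] == "Yes", tok[2] == "Yes",
                    old, ratings[1] if len(ratings) > 1 else old,
                    tok[-3], float(tok[-2]), float(tok[-1]))


def parse_table(text: str) -> List[Advisory]:
    """Lines that don't start with a CVE id are titles for the rows below them."""
    advisories, title = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.lower().startswith(("cve-", "%%cve:")):
            advisories.append(parse_row(line, title))
        else:
            title = line
    return advisories


def prioritize(advisories: List[Advisory]) -> List[Advisory]:
    """Exploited > disclosed > exploitability (current) > CVSS base > severity > CVE id."""
    return sorted(advisories, key=lambda a: (
        -int(a.exploited), -int(a.disclosed),
        -EXPLOITABILITY_RANK.get(a.expl_current or "", 0),
        -a.base, -SEVERITY_RANK[a.severity], a.cve))


def needs_emergency_patch(a: Advisory) -> bool:
    """Assumed policy: out-of-cycle deployment for anything exploited or publicly
    disclosed, and for Critical bugs Microsoft rates 'More Likely' or 'Detected'."""
    return a.exploited or a.disclosed or (
        a.severity == "Critical" and EXPLOITABILITY_RANK.get(a.expl_current or "", 0) >= 2)


if __name__ == "__main__":
    for adv in prioritize(parse_table(SAMPLE_TABLE)):
        flag = "EMERGENCY" if needs_emergency_patch(adv) else "cycle"
        print(f"{adv.cve}  {adv.severity:<9} base={adv.base}  {adv.expl_current or 'n/a':<11} {flag}  {adv.title}")
```

Rows with no exploitability rating (the Dynamics 365 XSS row is one) parse with `None` in both rating fields rather than being silently skipped, so they still show up in the ranked output and can be reviewed by hand.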


References:
[1] https://attackerkb.com/topics/y8mmBHc710/cve-2020-17087-windows-kernel-local-privilege-escalation-0day?referrer=home


Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.