Core Impact

June 2020

Version: 19.1.11

June 29, 2020

Enhancements
  • New Exploits:
    • ATI Technologies Driver atillk64 Kernel Arbitrary Read Write Local Privilege Escalation Exploit: AMD ATI atillk64 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages. (CVE-2020-12138)
    • Eaton HMiSoft VU3 File Parsing Buffer Overflow Exploit: The specific flaw exists within the parsing of wTextLen information within VU3 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. (CVE-2020-10639)
    • Cisco AnyConnect Secure Mobility Client Uncontrolled Search Path Privilege Escalation Exploit: A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. (CVE-2020-3153)
    • Artica Pandora FMS Events Remote OS Command Injection Exploit: The target parameter in events.php in Pandora FMS 7.0NG 742, 743 and 744 allows remote authenticated users to execute arbitrary OS commands. (CVE-2020-13851)
    • OpenAudit Remote Code Execution: An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called exclude_ip). This exclude_ip value is passed to the exec function in the discoveries_helper.php file (inside the all_ip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address. (CVE-2020-12078)
    • Trident Z Lighting Control Driver Local Privilege Escalation Exploit: The ene.sys driver in Trident Z Lighting Control before v1.00.17 allows local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-12446)
    • Advantech WebAccess SCADA DATACORE IOCTL 0x523e Buffer Overflow Exploit: The specific flaw exists within DATACORE server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-12002)
    • Microsoft .NET Framework Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2020-1066)
Other Fixes
  • Microsoft Windows Diagnostic Tracking Service Arbitrary File Read: An information vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information. (CVE-2020-0863)
  • Fix WebApps fingerprinting heuristics that were leading to wrong Framework identification: This update fixes some edge cases where the website's Application Framework or Web Application was being wrongly identified.
  • Fix Nessus report not fully imported: The Nessus scanner import was not adding every open port to the entity created in Impact; unknown services running on those ports were skipped. They are now added to the entity as open ports, flagged as an "unknown" service.

May 2020

Version: 19.1.10

May 29, 2020

Enhancements
  • Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. This update adds payload generation error detection and dependencies documentation. (CVE-2020-0688)

  • New Exploits:
    • Windows Search Indexer get_RootURL Race Condition Privilege Escalation Exploit: A race condition exists in Windows Search Indexer: the put_RootURL function writes user-controlled data into the memory at CSearchRoot+0x14 while, at the same time, the get_RootURL function reads the data located at CSearchRoot+0x14. The vulnerability is caused by unsynchronized access to a variable shared between two different methods of the same instance. (CVE-2020-0735)

    • WECON LeviStudioU MulStatus szFilename Exploit: The specific flaw exists within the handling of XML files, when parsing the szFilename attribute of the MulStatus element. (CVE-2019-6537)

    • Oracle Coherence T3 ReflectionExtractor Deserialization Vulnerability Remote Code Execution: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks on this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2555)

    • Liferay Portal JSONWS Java Deserialization Vulnerability Remote Code Execution Exploit: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). (CVE-2020-7961)

    • Advantech WebAccess SCADA DATACORE IOCTL 0x5227 Buffer Overflow Exploit: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/SCADA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of IOCTL 0x00005227 in DATACORE.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-12002)

    • TeamViewer post-exploitation IG: This update adds a new post-exploitation module, Password Dump from TeamViewer, which leverages reverse-engineered encryption keys to decrypt TeamViewer password data from the registry on a compromised Windows host.

Other Updates
  • WebApps Web Proxy Certificate Update

April 2020

Version: 19.1.9

Apr 30, 2020

Enhancements
  • Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules.
  • Import Output XML Report from OpenVAS: This update adds support for importing OpenVAS output into Core Impact.
  • Exploits Maintenance CVE Numbers 22: This update provides modules that were released prior to a CVE number being assigned (typically noted as NOCVE) with the correct CVE number as well as updating modules with invalid CVE numbers.
  • New Exploits:
    • Microsoft Windows Ws2ifsl UaF Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. (CVE-2019-1215)

    • Microsoft Windows SMBv3 SMBGhost Elevation of Privilege Vulnerability Exploit: An unauthenticated attacker can connect to the target system using SMBv3 and send specially crafted requests to exploit the vulnerability. This module exploits this vulnerability on the local system in order to achieve an elevation of privilege. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0796)

    • Kinetica Admin getLogs Function Remote OS Command Injection Exploit: The Kinetica Admin web application did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. (CVE-2020-8429)

    • Microsoft Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status and take control of an affected system. (CVE-2020-0787)

    • Fuji Electric V-Server Lite VPR File Parsing Overflow Exploit: The specific flaw exists within the processing of VPR files. (CVE-2020-10646)

    • Open-AudIT m_devices.php Remote PHP File Upload Vulnerability Exploit: The sub_resource_create function of class M_devices in m_devices.php of Open-AudIT 3.2.2 allows remote authenticated users to upload arbitrary PHP files, allowing the execution of arbitrary php code in the system. (CVE-2020-11942)

Other Fixes
  • Microsoft Windows SMBv3 CoronaBlue Vulnerability DoS Update: An unauthenticated attacker can connect to the target system using SMBv3 and send specially crafted requests to exploit the vulnerability. The module exploits this vulnerability in order to generate a Denial of Service. This update contains minor fixes to it. (CVE-2020-0796)

March 2020

Version: 19.1.8

Mar 31, 2020

Enhancements
  • New Command Injection Library Method: A new command injection method was added to the library, using certutil.exe to achieve code execution. Some CI and Remote exploits were updated to use the new technique. A library method using PowerShell was updated to be more stealthy.
  • Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update Improvements: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)

  • Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)

  • New Exploits:
    • CORSAIR iCUE Driver Local Privilege Escalation Exploit: The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE before 3.25.60 allow local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace. (CVE-2020-8808)

    • Microsoft SQL Server Reporting Services Remote OS Command Injection Exploit: A deserialization vulnerability in Microsoft SQL Server Reporting Services allows an authenticated attacker to execute arbitrary commands in the context of the Report Server service account. (CVE-2020-0618)

    • Integard Pro NoJs Parameter Buffer Overflow Exploit: Integard Pro is prone to a buffer overflow when handling a specially crafted HTTP POST request. (CVE-2019-16702)

    • Microsoft Exchange Validation Key Remote OS Command Injection Exploit: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)

    • Microsoft Windows Service Tracing Privilege Escalation Exploit: An arbitrary privileged file move operation exists in Microsoft Windows Service Tracing. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. (CVE-2020-0668)

    • Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Buffer Overflow Exploit: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-7002)

    • Microsoft Windows SMBv3 CoronaBlue Vulnerability DoS: An unauthenticated attacker can connect to the target system using SMBv3 and send specially crafted requests to exploit the vulnerability. This module exploits this vulnerability in order to generate a Denial of Service. (CVE-2020-0796)

    • OpenSMTPD Remote Code Execution Exploit: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation. (CVE-2020-7247)

    • Microsoft Windows Installer Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0683)

Other Fixes
  • Viper RGB Driver Read Write IO Ports DoS Update: This update adds the CVE number. (CVE-2020-9756)

February 2020

Version: 19.1.7

Feb 29, 2020

Enhancements
  • Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules. (CVE-2019-11581)

  • AV Evasion Improvements V13: HTTP connections had started to be detected; this update makes those connections stealthier.
  • New Exploits:
    • Microsoft Windows Remote Desktop DejaBlue DoS: A denial of service vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. (CVE-2019-1181)

    • Microsoft Windows CoreShellComServerRegistrar Open Process Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting unprotected COM calls. (CVE-2019-1184)

    • Viper RGB Driver Read Write IO Ports DoS: The IOCTL Codes 0x80102050 and 0x80102054 allow a low privileges user to read/write 1/2/4 bytes from/to an IO port. This could be leveraged in a number of ways to ultimately run code with elevated privileges. (NOCVE-9999-127139)

    • Viper RGB Driver Kernel Buffer Overflow Local Privilege Escalation Exploit: This module exploits a buffer overflow vulnerability in the Viper RGB MsIo64.sys driver that allows unprivileged local users to execute code with SYSTEM privileges. (CVE-2019-19452)

Other Fixes
  • WebApps Vulnerability Test Module Output fixes.
  • Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Vulnerability Exploit Update: This module uses an authentication bypass and a SQL injection vulnerability in order to upload and execute a JSP file in the Wildfly virtual file system webapps directory. This update fixes OS detection when detecting DCNM version. (CVE-2019-15976)

January 2020

Version: 19.1.6

Jan 31, 2020

Enhancements
  • New Exploits:
    • Linux PTRACE_TRACEME Local Privilege Escalation Exploit: In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). (CVE-2019-13272)

    • Microsoft Windows Win32k xxxMNFindWindowFromPoint Vulnerability Exploit: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0808)

    • Windows Error Reporting Manager Arbitrary File Move Elevation of Privilege Exploit: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles hard links. (CVE-2019-1315)

    • Citrix ADC and Gateway Directory Traversal Vulnerability Exploit: Citrix Application Delivery Controller (ADC) and Citrix Gateway are prone to a directory traversal vulnerability that allows attackers to upload an XML file via newbm.pl and execute system commands. (CVE-2019-19781)

    • Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Vulnerability Exploit: This module uses an authentication bypass and a SQL injection vulnerability in order to upload and execute a JSP file in the Wildfly virtual file system webapps directory. (CVE-2019-15976)

    • MSI Afterburner RTCore64 Privilege Escalation Exploit: The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. (CVE-2019-16098)

December 2019

Version: 19.1.5

Dec 31, 2019

Enhancements
  • Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules. Two fixes were made to the RemoteCommandExecution and WebappRemoteCodeExecution exploits, which were prevented from executing all the configured attack methods. Two more fixes were made to ComplexXorEgg, which was failing to generate a valid stub when certain starting conditions were met.
  • AV Evasion Improvements V12: The 32-bit agent wrappers were changed to be more evasive. The decoder stub now has a metamorphic functionality.
  • New Exploits:
    • Microsoft Internet Explorer Scripting Engine Memory Corruption Exploit: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked safe for initialization in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. (CVE-2019-0752)

    • Robot Attack Vulnerability Analyzer: This module sends various malformed messages over SSL to the target service in order to detect a discrepancy between the server's responses. If such a discrepancy is found, it marks the target as vulnerable to this kind of attack (ROBOT attack). (NOCVE-9999-127128)

    • Microsoft Windows UPnP Device Host Local Privilege Escalation Exploit: This module exploits two vulnerabilities (CVE-2019-1405 & CVE-2019-1322) in order to get SYSTEM privileges. The first one "UPnP Device Host" allows us to get SERVICE privileges. The second one "Update Orchestrator Service" allows us to escalate from SERVICE to SYSTEM. (CVE-2019-1405)

    • File Sharing Wizard POST Method Exploit: File Sharing Wizard is prone to a buffer-overflow when handling a specially crafted HTTP POST parameter. (CVE-2019-16724)

    • Viper RGB Driver Kernel Arbitrary Read Write Local Privilege Escalation Exploit: The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection. (CVE-2019-18845)

Other Fixes
  • Microsoft Windows Remote Desktop Protocol BlueKeep DoS Update: A Denial of Service exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This update corrects a wrong category specification. (CVE-2019-0708)

November 2019

Version: 19.1.4

Nov 30, 2019

Enhancements
  • Linux Kernel libfutex Privilege Escalation Exploit Update: This module has improvements for the Linux Kernel libfutex exploit. (CVE-2014-3153)

  • Apache Solr Velocity Template Remote OS Command Injection Exploit Update: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. This update adds automatic core name detection and newer supported versions. (NOCVE-9999-127120)

  • Microsoft Windows Remote Desktop Protocol BlueKeep Use After Free Exploit Update 2: This update adds support for Windows 7 SP1 x64. (CVE-2019-0708)

  • New Exploits:
    • Kibana Timelion Visualizer Remote Javascript OS Command Injection Exploit: An arbitrary code execution vulnerability in the Kibana Timelion visualizer allows an attacker with access to the application to send a request that will attempt to execute javascript code with permissions of the Kibana process on the host system. (CVE-2019-7609)

    • Apache Solr Velocity Template Remote OS Command Injection Exploit: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. (NOCVE-9999-127120)

    • SolarWinds Dameware Mini Remote Control Unauthenticated RCE Exploit: The Solarwinds Dameware Mini Remote Client agent supports smart card authentication by default which allows a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable. (CVE-2019-3980)

    • rConfig ajaxServerSettingsChk and search_crud Remote OS Command Injection Exploit: An unauthenticated OS command injection vulnerability in rConfig using the rootUname parameter present in ajaxServerSettingsChk.php allows an attacker to send a request that will attempt to execute OS commands with the permissions of the rConfig process on the host system. Also, an authenticated OS command injection vulnerability using the catCommand parameter present in search.crud.php allows an attacker to do the same, but credentials are required. (CVE-2019-16662)

    • AVEVA InduSoft Web Studio Remote Command Injection Exploit: Unauthenticated remote command injection vulnerability in Indusoft Web Studio 8.1 SP2. The vulnerability is exercised via the custom remote agent protocol that is typically found on port 1234 or 51234. An attacker can issue a specially crafted command 66 which causes IWS to load a DB connection file off of a network share using SMB. The DB file can contain OS commands that will be executed at the privilege level used by IWS. (CVE-2019-6545)

    • WECON LeviStudioU SMtext Buffer Overflow Exploit: The specific flaw exists within the handling of XML files. When parsing the ShortMessage SMtext element, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. (NOCVE-9999-127119)

    • Apache Solr ENABLE_REMOTE_JMX_OPTS JMX-RMI Remote Code Execution Exploit: Apache Solr is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JMX/RMI service used to manage and monitor the Java Virtual Machine. By exploiting known methods, it is possible to remotely load an MLet file from an attacker controlled web server that points at a jar file. (CVE-2019-12409)

October 2019

Version: 19.1.3

Oct 31, 2019

Enhancements
  • Atlassian Confluence Widget Connector Macro Vulnerability Exploit Improvements: This update adds several mechanisms in order for this exploit to work while pivoting on Unix family systems (Linux, OpenBSD/FreeBSD, and macOS). (CVE-2019-3396)
  • Samba Pipe dlopen Remote Code Execution Exploit Update: This update makes this exploit also work on 32-bit targets. (CVE-2017-7494)
  • Client Side email templates processing improvements
  • New Exploits:
    • Check Point Endpoint Security Initial Client Privilege Escalation Exploit: Check Point Endpoint Security includes data security, network security, advanced threat prevention, forensics, and remote access VPN solutions. Some parts of the software run as a Windows service executed as "NT AUTHORITY\SYSTEM", which provides it with very powerful permissions. This vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges. (CVE-2019-8461)

    • LibreOffice LibreLogo Python Global Event Scripting Vulnerability Exploit: By abusing document's event feature in LibreOffice and the LibreLogo script, an attacker can execute arbitrary python code from within a malicious document silently, without user warning. This module performs a bypass of CVE-2019-9848 by using global script events. (CVE-2019-9851)

    • FreeBSD IOCTL CDIOCREADSUBCHANNELSYSSPACE Local Privilege Escalation Exploit: A bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges. (CVE-2019-5602)

    • Sudo Root With User ID Local Privilege Escalation Exploit: This module exploits a flaw in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. (CVE-2019-14287)

    • Advantech WebAccess SCADA GetUserPasswd BwPAlarm Buffer Overflow Exploit: The flaw exists in the GetUserPasswd function in BwPAlarm.dll due to improper validation of user-supplied data before copying the data to a fixed size stack-based buffer when processing an IOCTL 70603 RPC message. (CVE-2018-18999)

    • Disk Pulse Enterprise Import Command Local Buffer Overflow Exploit: A buffer overflow exists when parsing .XML files via Command Import. The vulnerability is caused by a boundary error when handling crafted .XML files. (CVE-2017-7310)

Other Fixes
  • AV Evasion Specific Modules: This update adds 3 new modules related to the AV evasion component. Two of them deploy a network agent by leveraging either PowerShell fileless or MSHTA tactics. The other one implements an Office attack through Microsoft Excel DDE, allowing a network agent to be deployed through the client-side vector.
  • Network RPT Wizards Update: This update has some minor fixes for the Network RPT Wizards.

September 2019

Version: 19.1.2

Sep 30, 2019

Enhancements
  • Stability improvements in agent channel: This update improves Impact stability when disconnecting agents which were deployed with 'Install Agent using ssh' and the 'reuse connection' channel (default channel for this module).
  • Retry option for the TCP port scanner: We have added an option to the module "Port Scanner - Fast SYN" so that it can retry probes that did not generate a response, improving accuracy. By default the retry value is 6, meaning that a probe that did not respond will be resent up to 6 times or until a response is received.
  • New Exploits:
    • Adobe ColdFusion JNBridge Remote Code Execution Exploit: Adobe ColdFusion is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JNBridge protocol. (CVE-2019-7839)
    • Fuji Electric Alpha5 Smart Loader Exploit: Fuji Electric Alpha5 Smart Loader is prone to a buffer overflow when handling a specially crafted csp file. (CVE-2018-14788)
    • Microsoft Internet Explorer VBScript UAF Exploit (2019): A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. (NOCVE-9999-127115)
    • Microsoft Windows Win32k Elevation Of Privilege Exploit: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. (CVE-2019-0803)
    • Microsoft Windows Win32k xxxMNOpenHierarchy Vulnerability Exploit v1: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1132)

August 2019

Version: 19.1.1

Aug 31, 2019

Enhancements
  • New Exploits:
    • LibreOffice LibreLogo Python Scripting Vulnerability Exploit v19_1: By abusing the document event feature in LibreOffice together with the LibreLogo script, an attacker can execute arbitrary Python code from within a malicious document silently, without any user warning. (CVE-2019-9848)
    • MAPLE Computer SNMP Administrator Exploit v19_1: Maple Computer SNMP Administrator is prone to a buffer overflow when it receives a specially crafted packet containing an overly long string on port 987. (CVE-2019-13577)

Other Fixes
  • Exploits Catchup Update for Impact 19.1: This update includes 15 exploits that were released for 18.2 but did not make it into 19.1, plus some exploit and AV evasion improvements.

  • Vulnerability Checker modules were not executed to test vulnerabilities imported with the Network Vulnerability Scanner Validator.
  • Network modules from the 'Information Gathering/Vulnerability checkers' category were not launched in the context of the Vulnerability Scanner Validator to test imported vulnerabilities. These modules were moved from RPT AP to RPT IG execution as part of the Impact 18.2 release, and as a consequence of that change they were excluded from the Vulnerability Scanner Validator execution. This is now fixed.

Version: 19.1

Aug 1, 2019

Enhancements
  • Updated Local Information Gathering (LIG) modules (password dump & cookie retrievers) to show the before in the customer deliverable.
  • Enhanced support for SQLi Database Injections for Network SQL Agent and SQL Injection Analyzer/SQL Agents for the following:
    • SQL Server 2017
    • SQL Server 2016
    • SQL Server 2014
    • SQL Server 2012
    • SQL Server 2008 R2
    • MySQL 8.0
    • MySQL 5.7
    • MariaDB 10.2
    • PostgreSQL 10.5
  • Easily identify compromised hosts from Network RPTs with a Vulnerable Hosts search folder.
  • Updated list of supported and certified platforms for v2019a:

    Certified: Windows 10 Enterprise 64 bit (April 2018 Update - Version: 1803), Windows 10 Pro 64 bit (April 2018 Update - Version: 1803), Windows 10 Enterprise 64 bit (May 2019 Update - Version: 1903), Windows 10 Pro 64 bit (May 2019 Update - Version: 1903).

    Supported: Windows Server 2016 Standard, Windows Server 2019 Standard.

    No longer supported: Windows 7 Ultimate SP1 64 bit, Windows 7 Enterprise SP1 64 bit, Windows 7 Professional SP1 64 bit, Windows 8.1 Enterprise 64 bit, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2.

  • Refreshed WebApps IG RPT module output.
  • Refreshed WebApps AP RPT module output.
  • Implemented the AS-REP roasting attack.
  • Updated Network SQL Agent & Database Identity Verifiers to support the latest versions of db engines.
  • Show all web pages with vulnerabilities when selecting 'Vulnerable pages'.
  • Show a visual indicator of privilege level of the agents.
  • Create built-in search folder for connected OS Agents.
  • Extended the WebApps vulnerability search folder criteria to look for pages with *any* vulnerability.
  • Updated Impacket library for Impact v2019a.
  • Support added for macOS 10.12/10.13/10.14 versions.
  • Run vulnerability checkers as part of RPTs.
  • Added new mechanism to integrate third party Python libraries.
  • Improved Wizard Workflow for Network IG/AP.
  • Added Impact Network pentest REST Automation API for specific vulnerabilities/exploits.
  • Updated mimikatz to latest version for Impact v2019a.
  • Updated Nmap database files for Impact v2019a.
  • Updated support to current version of Metasploit for Impact v2019a.
  • Updated Nikto database for Impact v2019a.
  • Updated Identity Manager dictionaries for Impact v2019a.

Deprecated Features

In an effort to maintain and support up-to-date features and components, Core Impact 19.1 deprecated the following features:

  • Removed obsolete mobile devices functionality.
  • Removed support for Surveillance camera testing.
  • Removed PatchLink VMS / STAT Guardian importers.
  • Removed modules related to Insight Enterprise from Impact.
  • Removed WiFi modules that use AirPcap devices in favor of WiFi Pineapple.
