Normal view

There are new articles available, click to refresh the page.
Today — 11 June 2024Zero Day Initiative - Blog

The June 2024 Security Update Review

11 June 2024 at 17:31

Somehow, we’ve made it to the sixth patch Tuesday of 2024, and Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for June 2024

For June, Adobe released 10 patches addressing 165(!) CVEs in Adobe Cold Fusion, Photoshop,  Experience Manager, Audition, Media Encoder, FrameMaker Publishing Server, Adobe Commerce, Substance 3D Stager, Creative Cloud Desktop, and Acrobat Android. The fix for Experience Manager is by far the largest with a whopping 143 CVEs addressed. However, all but one of these bugs are simply cross-site scripting (XSS) vulnerabilities. The patch for Cold Fusion fixes two bugs, but neither are code execution bugs. That’s the same case for the patch addressing bugs in Audition. The fix for Media Encoder has a single OOB Read memory leak fixed. The update for Photoshop also has just one bug – a Critical-rated code execution issue. That’s also the story for the Substance 3D Stager patch.

The patch for FrameMaker Publishing Server has only two bugs, but one is a CVSS 10 and the other is a 9.8. If you’re using this product, this should be the first patch you test and deploy. The patch for Commerce should also be high on your test-and-deploy list as it corrects 10 bugs, including some Critical-rated code execution vulns. The patch for Creative Cloud Desktop fixes a single code execution bug. Finally, the patch for Acrobat Android corrects two security feature bypasses.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for April 2024

This month, Microsoft released 49 CVEs in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; and Visual Studio. If you include the third-party CVEs being documented this month, the CVE count comes to 58. A total of eight of these bugs came through the ZDI program, and that does include some of the cases reported during the Pwn2Own Vancouver contest in March.

Of the new patches released today, only one is rated Critical, and 48 are rated Important in severity. This release is another small release when compared to the monster that was April.

Only one of the CVEs listed today is listed as publicly known, but that’s actually just a third-party update that’s now being integrated into Microsoft products. Nothing is listed as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the lone Critical-rated patch for this month:

-       CVE-2024-30080 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
This update receives a CVSS rating of 9.8 and would allow remote, unauthenticated attackers to execute arbitrary code with elevated privileges of systems where MSMQ is enabled. That makes this wormable between those servers, but not to systems where MSMQ is disabled. This is similar to the “QueueJumper” vulnerability from last year, but it’s not clear how many affected systems are exposed to the internet. While it is likely a low number, now would be a good time to audit your networks to ensure TCP port 1801 is not reachable.  

-       CVE-2024-30103 – Microsoft Outlook Remote Code Execution Vulnerability
This patch corrects a bug that allows attackers to bypass Outlook registry block lists and enable the creation of malicious DLL files. While not explicitly stated, attackers would likely then use the malicious DLL files to perform some form of DLL hijacking for further compromise. The good news here is that the attacker would need valid Exchange credentials to perform this attack. The bad news is that the exploit can occur in the Preview Pane. Considering how often credentials end up being sold in underground forums, I would not ignore this fix.  

-       CVE-2024-30078 – Windows Wi-Fi Driver Remote Code Execution Vulnerability
This vulnerability allows an unauthenticated attacker to execute code on an affected system by sending the target a specially crafted network packet. Obviously, the target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter, but that’s the only restriction. Microsoft rates this as “exploitation less likely” but considering it hits every supported version of Windows, it will likely draw a lot of attention from attackers and red teams alike.

Here’s the full list of CVEs released by Microsoft for June 2024:

CVE Title Severity CVSS Public Exploited Type
CVE-2024-30080 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2024-35254 † Azure Monitor Agent Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2024-37325 † Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2024-35252 Azure Storage Movement Client Library Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-30070 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-29187 * GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM Important 7.3 No No EoP
CVE-2024-35253 Microsoft Azure File Sync Elevation of Privilege Vulnerability Important 4.4 No No EoP
CVE-2024-35263 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2024-35248 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-35249 Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30072 Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30104 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30101 Microsoft Office Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30102 Microsoft Office Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-30103 Microsoft Outlook Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30100 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30097 Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30089 Microsoft Streaming Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30090 Microsoft Streaming Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-50868 * MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU Important 7.5 Yes No DoS
CVE-2024-29060 Visual Studio Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2024-30052 Visual Studio Remote Code Execution Vulnerability Important 4.7 No No RCE
CVE-2024-30082 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30087 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30091 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30085 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30076 Windows Container Manager Service Elevation of Privilege Vulnerability Important 6.8 No No EoP
CVE-2024-30096 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-30063 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 6.7 No No RCE
CVE-2024-30064 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-30068 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-30088 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-30099 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-35250 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30084 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-30074 Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-30075 Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-30077 Windows OLE Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-35265 Windows Perception Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-30069 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2024-30094 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30095 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30083 Windows Standards-Based Storage Management Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-30062 Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-30093 Windows Storage Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-30065 Windows Themes Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2024-30078 Windows Wi-Fi Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30086 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30066 Winlogon Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2024-30067 WinLogon Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2024-5493 * Chromium: CVE-2024-5493 Heap buffer overflow in WebRTC High N/A No No RCE
CVE-2024-5494 * Chromium: CVE-2024-5494 Use after free in Dawn High N/A No No RCE
CVE-2024-5495 * Chromium: CVE-2024-5495 Use after free in Dawn High N/A No No RCE
CVE-2024-5496 * Chromium: CVE-2024-5496 Use after free in Media Session High N/A No No RCE
CVE-2024-5497 * Chromium: CVE-2024-5497 Out of bounds memory access in Keyboard Inputs High N/A No No RCE
CVE-2024-5498 * Chromium: CVE-2024-5498 Use after free in Presentation API High N/A No No RCE
CVE-2024-5499 * Chromium: CVE-2024-5499 Out of bounds write in Streams API High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


Looking at the other fixes addressing code execution bugs, there are a couple that stand out. In addition to the Wi-Fi bug above, there are two similar bugs in the Link Layer Topology Discovery Protocol with similar exploit vectors. The difference is that for these two bugs, the target needs to be running the Network Map functionality for the attack to succeed. There are several “open-and-own” type vulnerabilities getting patched. The one to look out for would be the Office bug that states, “The Preview Pane is an attack vector, but additional user interaction is required.” It’s not clear how that would manifest. The exploit for DFS requires an adjacent attacker to already be executing code on a target, which reads more like an EoP to me. The OLE bug requires connecting to a malicious SQL server. The bug in the Speech Application Programming Interface (SAPI) requires a user to click a link to connect to the attacker’s server. Lastly, the code execution bug in Dynamics 365 requires authentication, which again sounds more like an EoP, but it also states no user interaction is required. It’s an odd write-up that implies it’s unlikely to be exploited in the wild.

More than half of this month’s release corrects privilege escalation bugs, but the majority of these lead to SYSTEM-level code execution if an authenticated user runs specially crafted code. Other privilege escalation bugs would allow the attacker to get to the level of the running application. The bugs in Winlogon are somewhat intriguing as they could allow an attacker to replace valid file content with specially crafted file content. One of the kernel bugs could be used for a container escape. The bug in the Perception Service could allow elevation to the “NT AUTHORITY\LOCAL SERVICE” account. The vulnerability in Visual Studio requires an attacker to create a malicious extension. An authenticated user would then need to create a Visual Studio project that uses that extension. If they manage all of that, it would lead to admin privileges.

The bug in Azure Identity Libraries and Microsoft Authentication Library allows attackers to read any file on the target with SYSTEM privileges. The privilege escalation in Azure Monitor Agent could let attackers delete files and folders. If you’ve disabled Automatic Extension Upgrades, you’ll need to perform a manual update to ensure the Monitor Agent is at the latest version. Speaking of extra actions, the bug in the Azure Science Virtual Machine (DSVM) requires you to upgrade your DSVM to Ubuntu 20.04. If you’re not familiar with this procedure, Microsoft provides this article for guidance. Attackers who exploit this bug could gain access to user credentials, which would allow them to impersonate authorized users.

There are only three information disclosure bugs receiving fixes this month and only one results in info leaks consisting of unspecified memory contents. The bug in the on prem version of Dynamics 365 could allow an attacker to exfiltrate all the data accessible to the logged-on user. The vulnerability in the Cryptographic Services could disclose sensitive information such as KeyGuard (KG) keys, which are intended to be per-boot and used to protect sensitive data. If an attacker could potentially use these to decrypt anything encrypted with those keys.

The final bugs for June address Denial-of-Service (DoS) vulnerabilities in Windows and Azure components. Unfortunately, Microsoft provides no additional information about these bugs and how they would manifest on affected systems. They do note the DoS in the DHCP Server does not affect those who have configured failover for their DHCP setup.

There are no new advisories in this month’s release.

Looking Ahead

The next Patch Tuesday of 2024 will be on July 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Before yesterdayZero Day Initiative - Blog

CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud

Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them.

So why am I writing a blog post about an XXE? I have two reasons:

·       It affects SharePoint, both on-prem and cloud instances, which is a nice target. This vulnerability can be exploited by a low-privileged user.
·       This is one of the craziest XXEs that I have ever seen (and found), both in terms of vulnerability discovery and the method of triggering. When we talk about overall exploitation and impact, this Pwn2Own win by Chris Anastasio and Steven Seeley is still my favorite.

The vulnerability is known as CVE-2024-30043, and, as one would expect with an XXE, it allows you to:

·       Read files with SharePoint Farm Service account permission.
·       Perform Server-side request forgery (SSRF) attacks.
·       Perform NTLM Relaying.
·       Achieve any other side effects to which XXE may lead.

Let us go straight to the details.

BaseXmlDataSource DataSource

Microsoft.SharePoint.WebControls.BaseXmlDataSource is an abstract base class, inheriting from DataSource, for data source objects that can be added to a SharePoint Page. DataSource can be included in a SharePoint page, in order to retrieve data (in a way specific to a particular DataSource). When a BaseXmlDataSource is present on a page, its Execute method will be called at some point during page rendering:

At [1], you can see the Execute method, which accepts a string called request. We fully control this string, and it should be a URL (or a path) pointing to an XML file. Later, I will refer to this string as DataFile.

At this point, we can derive this method into two main parts: XML fetching and XML parsing.

       a) XML Fetching

At [2], this.FetchData is called and our URL is passed as an input argument. BaseXmlDataSource does not implement this method (it’s an abstract class).

FetchData is implemented in three classes that extend our abstract class:
SoapDataSource - performs HTTP SOAP request and retrieves a response (XML).
XmlUrlDataSource - performs a customizable HTTP request and retrieves a response (XML).
SPXmlDataSource - retrieves an existing specified file on the SharePoint site.

We will revisit those classes later.

       b) XML Parsing

At [3], the xmlReaderSettings.DtdProcessing member is set to DtdProcessing.Prohibit, which should disable the processing of DTDs.

At [4] and [5], the xmlTextReader.XmlResolver is set to a freshly created XmlSecureResolver. The request string, which we fully control, is passed as the securityUrl parameter when creating the XmlSecureResolver

At [6], the code creates a new instance of XmlReader.

Finally, it reads the contents of the XML using a while-do loop at [7].

At first glance, this parsing routine seems correct. The document type definition (DTD) processing of our XmlReaderSettings instance is set to Prohibit, which should block all DTD processing. On the other hand, we have the XmlResolver set to XmlSecureResolver.

From my experience, it is very rare to see .NET code, where:
• DTDs are blocked through XmlReaderSettings.
• Some XmlResolver is still defined.

I decided to play around and sent in a general entity-based payload at some test code I wrote similar to the code shown above (I only replaced XmlSecureResolver with XmlUrlResolver for testing purposes):

As expected, no HTTP request was performed, and a DTD processing exception was thrown. What about this payload?

It was a massive surprise to me, but the HTTP request was performed! According to that, it seems that when you have .NET code where:
XmlReader is used with XmlTextReader and XmlReaderSettings.
XmlReaderSettings.DtdProcessing is set to Prohibit.
• An XmlTextReader.XmlResolver is set.

The resolver will first try to handle the parameter entities, and only afterwards will perform the DTD prohibition check! An exception will be thrown in the end, but it still allows you to exploit the Out-of-Band XXE and potentially exfiltrate data (using, for example, an HTTP channel).

The XXE is there, but we have to solve two mysteries:

• How can we properly fetch the XML payload in SharePoint?
• What’s the deal with this XmlSecureResolver?

XML Fetching and XmlSecureResolver

As I have already mentioned, there are 3 classes that extend our vulnerable BaseXmlDataSource. Their FetchData method is used to retrieve the XML content based on our URL. Then, this XML will be parsed with the vulnerable XML parsing code.

Let’s summarize those 3 classes:

       a) XmlUrlDataSource

       • Accepts URLs with a protocol set to either http or https.
       • Performs an HTTP request to fetch the XML content. This request is customizable. For example, we can select which HTTP method we want to use.
       • Some SSRF protections are implemented. This class won’t allow you to make HTTP requests to local addresses such as or Still, you can use it freely to reach external IP address space.

       b) SoapDataSource

       • Almost identical to the first one, although it allows you to perform SOAP requests only (body must contain valid XML, plus additional restrictions).
       • The same SSRF protections exist as in XmlUrlDataSource.

       c) SPXmlDataSource

       • Allows retrieval of the contents of SharePoint pages or documents. If you have a file test.xml uploaded to the sample site, you can provide a URL as follows: /sites/sample/test.xml.

At this point, those HTTP-based classes look like a great match. We can:
• Create an HTTP server.
• Fetch malicious XML from our server.
• Trigger XXE and potentially read files from SharePoint server.

Let’s test this. I’m creating an XmlUrlDataSource, and I want it to fetch the XML from this URL:

poc.xml contains the following payload:

The plan is simple. I want to test the XXE by executing an HTTP request to the localhost (SSRF).

We must also remember that whatever URL that we specify as our source also becomes the securityUrl of the XmlSecureResolver. Accordingly, this is what will be executed:

Figure 1 XmlSecureResolver initialization

Who cares anyway? YOLO and let’s move along with the exploitation. Unfortunately, this is the exception that appears when we try to execute this attack:

Figure 2 Exception thrown during XXE->SSRF

It seems that “Secure” in XmlSecureResolver stands for something. In general, it is a wrapper around various resolvers, which allows you to apply some resource fetching restrictions. Here is a fragment of the Microsoft documentation:

“Helps to secure another implementation of XmlResolver by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to.”

In general, it is based on Microsoft Code Access Security. Depending on the provided URL, it creates some resource access rules. Let’s see a simplified example for the

Figure 3 Simplified sample restrictions applied by XmlSecureResolver

In short, it creates restrictions based on protocol, hostname, and a couple of different things (like an optional port, which is not applicable to all protocols). If we fetch our XML from, we won’t be able to make a request to http://localhost because the host does not match.

The same goes for the protocol. If we fetch XML from the attacker’s HTTP server, we won’t be able to access local files with XXE, because neither the protocol (http:// versus file://) nor the host match as required.

To summarize, this XXE is useless so far. Even though we can technically trigger the XXE, it only allows us to reach our own server, which we can also achieve with the intended functionalities of our SharePoint sources (such as XmlDataSource). We need to figure out something else.

SPXmlDataSource and URL Parsing Issues

At this point, I was not able to abuse the HTTP-based sources. I tried to use SPXmlDataSource with the following request:


The idea is simple. We are a SharePoint user, and we can upload files to some sites. We upload our malicious XML to the http://sharepoint/sites/mysite/test.xml document and then we:
       • Create SPXmlDataSource
       • Set DataFile to /sites/mysite/test.xml.

SPXmlDataSource will successfully retrieve our XML. What about XmlSecureResolver? Unfortunately, such a path (without a protocol) will lead to a very restrictive policy, which does not allow us to leverage this XXE.

It made me wonder about the URL parsing. I knew that I could not abuse HTTP-based XmlDataSource and SoapDataSource. The code was written in C# and it was pretty straightforward to read – URL parsing looked good there. On the other hand, the URL parsing of SPXmlDataSource is performed by some unmanaged code, which cannot be easily decompiled and read.

I started thinking about a following potential exploitation scenario:
       • Delivering a “malformed” URL.
       • SPXmlDataSource somehow manages to handle this URL, and retrieves my uploaded XML successfully.
       • The URL gives me an unrestricted XmlSecureResolver policy and I’m able to fully exploit XXE.

This idea seemed good, and I decided to investigate the possibilities. First, we have to figure out when XmlSecureResolver gives us a nice policy, which allows us to:
       • Access a local file system (to read file contents).
       • Perform HTTP communication to any server (to exfiltrate data).

Let’s deliver the following URL to XmlSecureResolver:


Bingo! XmlSecureResolver creates a policy with no restrictions! It thinks that we are loading the XML from the local file system, which means that we probably already have full access, and we can do anything we want.

Such a URL is not something that we should be able to deliver to SPXmlDataSource or any other data source that we have available. None of them is based on the local file system, and even if they were, we are not able to upload files there.

Still, we don’t know how SPXmlDataSource is handling URLs. Maybe my dream attack scenario with a malformed URL is possible? Before even trying to reverse the appropriate function, I started playing around with this SharePoint data source, and surprisingly, I found a solution quickly:


Let’s see how SPXmlDataSource handles it (based on my observations):

Figure 4 SPXmlDataSource - handling of malformed URL

This is awesome. Such a URL allows us to retrieve the XML that we can freely upload to SharePoint. On the other hand, it gives us an unrestricted access policy in XmlSecureResolver! This URL parsing confusion between those two components gives us the possibility to fully exploit the XXE and perform a file read.

The entire attack scenario looks like this:

Figure 5 SharePoint XXE - entire exploitation scenario


Let’s have a look at the demo, to visualize things better. It presents the full exploitation process, together with the debugger attached. You can see that:
       • SPXmlDataSource fetches the malicious XML file, even though the URL is malformed.
       • XmlSecureResolver creates an unrestricted access policy.
       • XXE is exploited and we retrieve the win.ini file.
       • “DTD prohibited” exception is eventually thrown, but we were still able to abuse the OOB XXE.

The Patch

The patch from Microsoft implemented two main changes:
       • More URL parsing controls for SPXmlDataSource.
       • XmlTextReader object also prohibits DTD usage (previously, only XmlReaderSettings did that).

In general, I find .NET XXE-protection settings way trickier than the ones that you can define in various Java parsers. This is because you can apply them to objects of different types (here: XmlReaderSettings versus XmlTextReader). When XmlTextReader prohibits the DTD usage, parameter entities seem to never be resolved, even with the resolver specified (that’s how this patch works). On the other hand, when XmlReaderSettings prohibits DTDs, parameter entities are resolved when the XmlUrlResolver is used. You can easily get confused here.


A lot of us thought that XXE vulnerabilities were almost dead in .NET. Still, it seems that you may sometimes spot some tricky implementations and corner cases that may turn out to be vulnerable. A careful review of .NET XXE-related settings is not an easy task (they are tricky) but may eventually be worth a shot.

I hope you liked this writeup. I have a huge line of upcoming blog posts, but vulnerabilities are waiting for the patches (including one more SharePoint vulnerability). Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

MindShaRE: Decapping Chips for Electromagnetic Fault Injection (EMFI)

Recently, the automotive VR team has undertaken an effort to reproduce the software extraction attack against one of the target devices used during the Automotive Pwn2Own 2024 held in Tokyo, Japan. The electromagnetic fault injection (EMFI) approach was chosen to attempt an attack against the existing readout protection mechanisms. This blog post details preparatory steps to speed up the attack, hopefully considerably.

Electromagnetic fault injection

In general, fault injection attacks against hardware attempt to produce some sort of gain for an attacker by injecting faults into a device under attack by manipulating clock pulses, supply voltages, temperature, electromagnetic fields around the device, and aiming short light pulses at certain locations on the device. Of these vectors, EMFI stands out as probably the only attack approach that requires close to no modifications of the device under attack, with all action being conducted at a quite short distance. The attack then proceeds by moving an EM probe above the device in very small increments and triggering an EM pulse. With any luck, this would disturb the normal operation of the device under attack in just the right way to cause the desired effect.

Practically speaking, some sort of an EM pulse tool is required to conduct the attack. In this case, the PicoEMP was chosen for that purpose, which has been mounted on a modified 3D printer carriage.

Figure 1 - The ChipSHOUTER-PicoEMP

However, the device in question (a GD32F407Z by GigaDevice) is physically rather large, with the package measuring 20mm by either side. Considering how long each individual attempt runs, the fact that the attempt needs to be retried multiple times to collect meaningful outcome statistics, and rather small increments used to move the probe, it would make sense to narrow down the search area as much as possible. Injecting EM faults into the epoxy encapsulation would not bring much of an effect.


Unfortunately, the encapsulation is not transparent and does not allow for easy visual identification of the die in the package. This means that some way of getting the die out is required to measure it, or better yet, leave the die in the package so it will be possible to measure both the die dimensions and the position of the die within the package.

There are multiple approaches to decapsulation, or decapping for short:

·      Mechanical: sanding or milling the package, cracking the encapsulation when heated
·      Chemical: applying acid to dissolve encapsulation
·      Thermal: placing the package in a furnace to burn encapsulation away
·      Optical: using a laser to burn encapsulation away in a precise manner

Of these, many require specialized equipment (mill, laser, furnace, fume hood for nitric acid), are time-consuming (sanding), or do not preserve important information (cracking the package). The choice was thus limited to what was available: hot sulfuric acid.

DANGER: Hot sulfuric acid is extremely corrosive; avoid spilling and wear proper PPE at all times.

DANGER: Sulfuric acid vapors are extremely corrosive; avoid inhaling and work in a well-ventilated area (fume hood or outside).

NOTE: Study relevant safety information including but not limited to materials handling, spill containment, and clean-up procedures before working with any hazardous chemicals.

NOTE: This blog post was written purely for educational purposes; any attempts to replicate the work are at your own risk.

Decapping process

As my home lab is, sadly, not equipped with a fume hood, all work was conducted outside.

Figure 2 - Example of tools used

The following tools were used:

·      Sulfuric acid, 96%
·      A heat source in the form of a hot air station
·      A crocodile clip “helping hands”
·      A squirt bottle with acetone
·      A PE pipette
·      A waste container.

To begin, the device under attack is fixed in the clip, and a small drop of acid was applied with the pipette in the package center.

Figure 3 - Applying sulfuric acid

The device was then heated using the hot air station set to 200°C  and a moderate air flow of around 40%. The aim of this process is to slowly dissolve the packaging epoxy. The device was heated until some fuming was observed from the drop and stopped before any bubbling would occur. If the acid gets hot enough to produce bubbles, the material will form a hard carbonized “cake” which will be problematic to remove. Unfortunately, this has been a problem before.

After the acid visibly darkened, which should take around 1 minute +- 50%, the heating was stopped, and the device was allowed to cool down somewhat. Then, the acid was washed off with acetone into the waste container. The device then was dried off with hot air to remove moisture.

The process was then repeated multiple times, with each iteration removing a bit of the packaging material. This was captured in the following series of images (more steps were taken than is presented here):

Figure 4 - Time lapse of decapping process

A stack of dice slowly emerged from the package: the larger one is the microcontroller itself, and the smaller one is the serial Flash memory holding all the programmed code and data. Unfortunately, the current process does not preserve the bond wires, rendering the device inoperable. Its operation was not required in our case. This could possibly be mitigated by using a 98% acid and anhydrous acetone – something to attempt in the future.


The end result of the decapping process is pictured below.

Figure 5 - End result of decapping

Using a graphics editor, it is possible to take measurements in pixels of the package, the die, and the die positioning. This came out to be the following:

·      Package size 1835x1835 pixels (measured) = 20x20 mm (known from the datasheet)
·      Pixels per mm: 91.75
·      Die size 366x366 pixels (measured) = 4x4mm (computed)
·      Die offset from bottom left: 745x745 pixels (measured) = 8.12x8.12mm (computed)

The obtained numbers are immediately useful to program the EM probe motion restricted to the die area only. To find out how much experiment time this could save, let’s compute the areas: 4x4 = 16 mm2 for the die itself, and 20x20 = 400 mm2 for the whole package. This is 25 times decrease in the area and thus the experiment time.

Another approach that could avoid the decapping process is moving the probe in a spiral fashion, starting from the package center and moving outwards. This is of course possible to implement. However, the challenge here is the possibility of the two dice getting packaged side-to-side instead of being stacked like in this example – this would severely decrease the gain from this approach. Given the decapping only takes no more than 1-2 hours including cleanup, this was deemed well worth the information gained – and the die pictures obtained.


I hope you enjoyed this brief tutorial. Again, please take caution when using sulfuric acid or any other corrosive agents. Please dispose of waste materials responsibly. The world of hardware hacking offers many opportunities for discovery. We’ll continue to post guides and methodologies in future posts. Until then, you can follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The May 2024 Security Update Review

14 May 2024 at 17:28

Welcome to the second Tuesday of May. As expected, Adobe and Microsoft have released their standard bunch of security patches. Take a break from your regular activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Apple Patches for May 2024

Apple kicked off the May release cycle with a group of updates for their macOS and iOS platforms. Most notable is a fix for CVE-2024-23296 for iOS 16.7.8 and iPadOS 16.7.8. This vulnerability is a memory corruption issue in RTKit that could allow attackers to bypass kernel memory protections. The initial patch was released back in March, but Apple noted additional fixes would be coming, and here they are. This bug is reported as being under active attack, so if you’re using a device with an affected OS, make sure you get the update.

Apple also patched the Safari bug demonstrated at Pwn2Own Vancouver by Master of Pwn Winner Manfred Paul.

Adobe Patches for May 2024

For May, Adobe released eight patches addressing 37 CVEs in Adobe Acrobat and Reader, Illustrator, Substance3D Painter, Adobe Aero, Substance3D Designer, Adobe Animate, FrameMaker, and Dreamweaver. Eight of these vulnerabilities were reported through the ZDI program. The update for Reader should be the priority. It includes multiple Critical-rated bugs that are often used by malware and ransomware gangs. While none of these bugs are under active attack, it is likely some will eventually be exploited. The patch for Illustrator also addresses a couple of Critical-rated bugs that could result in arbitrary code execution. The patch for Aero (an augmented reality authoring and publishing tool) fixes a single code execution bug. Unless I’m mistaken, this is the first Adobe patch for this product.

The fix for Adobe Animate fixes eight bugs, seven of which result in Critical-rated code execution. The patch for FrameMaker also fixes several code execution bugs. These are classic open-and-own bugs that require user interaction. That’s the same for the single bug fixed in Dreamweaver. The patch for Substance 3D Painter addresses four bugs, two of which are rated Critical, while the patch for Substance 3D Designer fixes a single Important-rated memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for May 2024

This month, Microsoft released 59 CVEs in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband. If you include the third-party CVEs being documented this month, the CVE count comes to 63. A total of two of these bugs came through the ZDI program. As with last month, none of the bugs disclosed at Pwn2Own Vancouver are fixed with this release. With Apple and VMware fixing the vulnerabilities reported during the event, Microsoft stands alone as the only vendor not to produce patches from the contest.

Of the new patches released today, only one is rated Critical, 57 are rated Important, and one is rated Moderate in severity. This release is roughly a third of the size of last month’s, so hopefully that’s a sign that a huge number of fixes in a single month isn’t going to be a regular occurrence.

Two of the CVEs released today are listed as under active attack, and one other is listed as publicly known at the time of the release. Microsoft doesn’t provide any indication of the volume of attacks, but the DWM Core bug appears to me to be more than a targeted attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the DWM bug currently exploited in the wild:

-       CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
This bug allows attackers to escalate the SYSTEM on affected systems. These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware. Microsoft credits four different groups for reporting the bug, which indicates the attacks are widespread. They also indicate the vulnerability is publicly known. Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer.

-       CVE-2024-30043 – Microsoft SharePoint Server Information Disclosure Vulnerability
This vulnerability was reported to Microsoft by ZDI researcher Piotr Bazydło and represents an XML external entity injection (XXE) vulnerability in Microsoft SharePoint Server 2019. An authenticated attacker could use this bug to read local files with SharePoint Farm service account user privileges. They could also perform an HTTP-based server-side request forgery (SSRF), and – most importantly – perform NLTM relaying as the SharePoint Farm service account. Bugs like this show why info disclosure vulnerabilities shouldn’t be ignored or deprioritized.

-       CVE-2024-30033 – Windows Search Service Elevation of Privilege Vulnerability
This is another bug reported through the ZDI program and has a similar impact to the bug currently being exploited, although it manifests through a different mechanism. This is a link following bug in the Windows Search service. By creating a pseudo-symlink, an attacker could redirect a delete call to delete a different file or folder as SYSTEM. We discussed how this could be used to elevate privileges here. The delete happens when restarting the service. A low-privileged user can't restart the service directly. However, this could easily be combined with a bug that allows a low-privileged user to terminate any process by PID. After failure, the service will restart automatically, successfully triggering this vulnerability.

-       CVE-2024-30050 – Windows Mark of the Web Security Feature Bypass Vulnerability
We don’t normally detail Moderate-rated bugs, but this type of security feature bypass is quite in vogue with ransomware gangs right now. They zip their payload to bypass network and host-based defenses, they use a Mark of the Web (MotW) bypass to evade SmartScreen or Protected View in Microsoft Office. While we have no indication this bug is being actively used, we see the technique used often enough to call it out. Bugs like this one show why Moderate-rated bugs shouldn’t be ignored or deprioritized.

Here’s the full list of CVEs released by Microsoft for May 2024:

CVE Title Severity CVSS Public Exploited Type
CVE-2024-30051 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 Yes Yes EoP
CVE-2024-30040 Windows MSHTML Platform Security Feature Bypass Vulnerability Important 8.8 No Yes SFB
CVE-2024-30046 ASP.NET Core Denial of Service Vulnerability Important 5.9 Yes No DoS
CVE-2024-30044 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2024-30045 .NET and Visual Studio Remote Code Execution Vulnerability Important 6.3 No No RCE
CVE-2024-30053 † Azure Migrate Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2024-32002 * CVE-2023-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution Important 9.8 No No RCE
CVE-2024-30019 DHCP Server Service Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-30047 Dynamics 365 Customer Insights Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-30048 Dynamics 365 Customer Insights Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-32004 * GitHub: CVE-2024-32004 GitHub: CVE-2023-32004 Remote Code Execution while cloning special-crafted local repositories Important 8.8 No No RCE
CVE-2024-30041 Microsoft Bing Search Spoofing Vulnerability Important 5.4 No No Spoofing
CVE-2024-30007 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-30042 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-26238 Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30054 Microsoft Power BI Client Javascript SDK Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-30043 Microsoft SharePoint Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-30006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29994 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30027 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30028 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30030 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30038 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30034 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-30031 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-29996 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30025 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30037 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2024-30016 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-30020 Windows Cryptographic Services Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2024-30036 Windows Deployment Services Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-30032 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30035 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30008 Windows DWM Core Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-30011 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-30010 Windows Hyper-V Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30017 Windows Hyper-V Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30018 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-29997 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-29998 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-29999 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30000 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30001 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30002 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30003 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30004 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30005 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30012 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30021 Windows Mobile Broadband Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-30039 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-30009 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-30014 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30015 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30022 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30023 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30024 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30029 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-30033 Windows Search Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-30049 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-30059 Microsoft Intune for Android Mobile Application Management Tampering Vulnerability Important 6.1 No No Tampering
CVE-2024-30050 Windows Mark of the Web Security Feature Bypass Vulnerability Moderate 5.4 No No SFB
CVE-2024-4331 * Chromium: CVE-2024-4331 Use after free in Picture In Picture High N/A No No RCE
CVE-2024-4368 * Chromium: CVE-2024-4368 Use after free in Dawn High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


There’s just one Critical-rated bug this month, and it deals with a remote code execution (RCE) vulnerability in SharePoint server. An authenticated attacker could use this bug to execute arbitrary code in the context of the SharePoint Server. While permissions are needed for this to occur, any authorized user on the server has the needed level of permissions.

Looking at the other RCE bugs, we see a lot of vulnerabilities in rarely used protocols. The Windows Mobile Broadband driver and the Routing and Remote Access Service (RRAS) make up the bulk of this category. More notable are the two bugs in Hyper-V. One of these would allow an authenticated attacker to execute code on the host system. This would result in a guest-to-host escape, but Microsoft doesn’t indicate what level the code execution occurs on the host OS. After a couple of months with many SQL-related fixes, there’s just one this month. As with the previous bugs, you would need to connect to a malicious SQL server. The bug in Cryptographic Services requires a machine-in-the-middle (MITM) but could lead to a malicious certificate being imported onto the target system. The RCE bugs are rounded out with open-and-own style bugs in Excel and .NET and Visual Studio.

Moving on to the elevation of privilege (EoP) patches in this month’s release, almost all lead to SYSTEM-level code execution if an authenticated user runs specially crafted code. While there isn’t a lot else to say about these bugs, they are often used by attackers to take over a system when combined with a code execution bug – like the Excel bug mentioned above. They convince a user to open a specially crafted Excel document that executes the EoP and takes over the system. The lone exception to this is the bug in the Brokering File System component. The vulnerability allows attackers to gain the ability to authenticate against a remote host using the current user’s credentials. The attack could be launched from a low-privileged AppContainer, which would allow the attacker to execute code or access resources at a higher integrity level than that of the AppContainer execution environment.

We’ve already discussed the MotW security feature bypass (SFB), and the only other SFB vulnerability receiving a fix this month is the MSHTML engine. Just when you thought you were safe from Internet Explorer, the Trident engine rears its ugly head. This bug allows an unauthenticated attacker to get code execution if they can convince a user to open a malicious document. The code execution occurs in the context of the user, so this is another reminder not to log on with Admin privileges unless you absolutely need to.

There are only seven information disclosure bugs receiving fixes this month, and we’ve already covered the one in SharePoint. As usual, most of these vulnerabilities only result in info leaks consisting of unspecified memory contents. The bug in Power BI could result in the disclosing of “sensitive information,” but Microsoft doesn’t narrow down what type of “sensitive information” could be leaked. Similarly, the bug in Deployment Services could leak “file contents.” Microsoft provides no information on whether that’s any arbitrary file contents or only specific files, so your guess is as good as mine.

The May release includes four spoofing bugs. The first is a stored cross-site scripting (XSS) bug in Azure Migrate. There’s not a straightforward patch for this one. You need the latest Azure Migrate Agent and ConfigManager updates. More info on how to do that can be found here. There are two spoofing bugs in Dynamics 365, but they read more like XSS bugs. The final spoofing bug addressed this month is in the Bing search engine. An attacker could modify the content of the vulnerable link to redirect the victim to a malicious site.

There’s a single Tampering bug addressed in this release fixing a bug in Microsoft Intune Mobile Application Management. An attacker could gain sensitive information on a target device that has been rooted.

The final bugs for May are Denial-of-Service (DoS) vulnerabilities in ASP.NET, DHCP server, and Hyper-V. Unfortunately, Microsoft provides no additional information about these bugs and how they would manifest on affected systems.

There are no new advisories in this month’s release.

Looking Ahead

The next Patch Tuesday of 2024 will be on June 11, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

CVE-2024-21115: An Oracle VirtualBox LPE Used to Win Pwn2Own

In this guest blog from Pwn2Own winner Cody Gallagher, he details CVE-2024-21115 – an Out-of-Bounds (OOB) Write that occurs in Oracle VirtualBox that can be leveraged for privilege escalation. This bug was recently patched by Oracle in April. Cody has graciously provided this detailed write-up of the vulnerability and how he exploited it at the contest.

The core bug used for this escape is a relative bit clear on the heap from the VGA device. The bug is in function vgaR3DrawBlank, which is called from vgaR3UpdateDisplay. The bug can be triggered with a single core and 32MB of VRAM, and possibly less. All testing was done using the default graphics controller for Linux (VMSVGA). It should work on others as well.

As for the exploit, I could not get it to work with those constraints. For my exploit, I require at least 65 MB of VRAM but am using 128 MB to be safe. It requires 4 cores because of the race condition I use.

The Vulnerability

Inside the VGAState struct there is a bitmap used for tracking dirty pages in the vram buffer so that it knows whether it needs to redraw that part of the frame buffer.

This bitmap is large enough to hold the total number of pages even when using the max vram allowable by vbox, which is 256MB. However, inside vgaR3DrawBlank, when it attempts to clear the dirty page bits it incorrectly multiplies start_addr by 4 before doing so:

We can see here that if we are able to set start_addr to a value greater than 64MB, it will clear bits outside the bounds of the bitmap. Alternatively, even if start_addr is below 64MB, so that it starts clearing within the bitmap, the bit clear operation can continue past the bitmap's end.

Examining how start_addr is set, we can see that it allows any value up to vram_size:

Later in the code, vbe_start_addr is stored into start_addrand and vbe_line_offset is stored into line_offset. This happens when vgaR3UpdateBasicParams calls vgaR3GetOffsets. This update occurs whenever a new graphic or text is being drawn.

As long as our vram_size is greater than 64MB we will able to clear bits in heap memory following the bitmap.

The following are the values I set up to trigger the bug. All of these are settable via ioport communication.

These values are chosen to zero out a specific bit, but if the VBE_DISPI_INDEX_VIRT_WIDTH is increased it will most likely overwrite enough data to cause a segfault. For the exact ioport comms used, please reference the exploit code.

The Exploit

I explored several paths to find something we can zero out that would be usable to gain reliable code execution. I ended up looking at CritSect inside of VGAState. This critical section is used so that only 1 thread at a time can process in and out instructions for each device, as well as any loads or stores to the mmio region. There are several things we are concerned with in the critical section. The relevant structures are as follows:

When a thread locks the critical section, it adds 1 to cLockers, updates NativeThreadOwner to the current thread, and adds 1 to cNestings.

If a different thread then attempts to lock this same section it will see that cLockers is set and will attempt to wait its turn to lock. There is first an optimized wait, in which it will attempt to spin for some microseconds to see if it can quickly acquire the lock.

If that fails it will the block on the EventSem semaphore.

This hEvent value is just an int. Each time a critical section is created, a new hEvent value will be allocated in sequential fashion. When we look at the critical section of VGAState we can see the value of hEvent is 0x23.

The first 4 bytes are u32Magic, and the hEvent value can be seen at offset 0x18. With this information in hand, I realized that if we can find another critical section with an hEvent, we can modify the hEvent of VGState to match that of the other critical section. Then we can use that confusion to produce a race condition in any VGA ioport or mmio read/write. After looking around I found that VMMDev was using the hEvent value of 0x21.

After some testing, I found that the hEvent values are consistent between runs because they are assigned sequentially on startup. The critical sections for VMMDev and VGA are created directly after the processor-related critical sections. So long as the processor chipset doesn't change, these should remain constant.

I will note here that there are other critical sections that could potentially be used, but I chose to write my exploit using the VMMDev critical section.

First, we use our bit clearing bug to turn 0x23 into 0x21. Subsequently, whenever there are two threads, one holding the critical section for VMMDev and one holding the critical section for VGA, when either thread releases its critical section it can wake up a thread waiting for either device. Our plan is to use this race condition to wake a thread waiting for VGA prematurely, which is to say, while some other thread is still using VGA.

This is not good enough yet, though. Even if we hit the race, VirtualBox throws a SigTrap shortly thereafter. This is because when the racing thread locks the critical section, it changes NativeThreadOwner. When the first thread tries to unlock the critical section, the NativeThreadOwner does not match, causing the error.

Upon discovering this we also see that there is a way to completely turn off an individual critical section. There is a bit in fFlags called RTCRITSECT_FLAGS_NOP. If this bit is set then it will ignore all locking and unlocking operations for that particular critical section.

This poses a challenge for us, though. The only bug we have is a bit clear, so we have no way to set this flag. Instead, we must find a way to set the flag from our racing VGA thread before the first VGA thread exits and crashes the process.

When looking for a way to accomplish this, I found an ioport for writing data to vbe_regs in VGAState:

       uint16_t vbe_regs[VBE_DISPI_INDEX_NB];

This ioport allows us to specify vbe_index as an arbitrary short, and then it will write an arbitrary short to vbe_regs[vbe_index] in vbe_ioport_write_data. The write is protected by a bounds check on the index, but we can circumvent the check by using the race condition we manufactured.

To exploit, we start a VGA request on one thread (the “worker”) specifying a valid vbe_index, and a second VGA request on a second thread (the “racer”) specifying a bad vbe_index. Normally the racer request would need to wait for the worker to finish, but by racing two VMMDev requests (on two other threads) we can wake the racerVGA thread prematurely, modifying the vbe_index after the workerthread has finished validating it but before using it.

Note that, for this to succeed, the racer thread must be woken at a critical moment during execution of the worker. To make this race easier to win, we can take advantage of a memset in vbe_ioport_write_data where we control the length. For the worker request, we make this a large number so we have a longer window in which to win the race. In testing, I found we can easily get this to over 1 millisecond which is a massive amount of time during which we can win the race.

After winning the race, we can see the desired effect.

By means of the vgaR3DrawBlank bug we have changed hEvent from 0x23 to 0x21, and by means of the vbe_ioport_write race we have changed the fFlags member at offset 0x14 to 0xf, disabling the critical section. Now that the critical section is fully disabled, we can easily race VGA threads against each other. The next step is to find a read and a better write with our new and improved race condition.

Both the write and the read can be achieved by corrupting the same value. In VGAState there is a field of struct type VMSVGASTATE, and that struct contains a field named cScratchRegion.

cScratchRegion is used to track the size of the buffer au32ScratchRegion, which stores data during VMSVGA IO port communication. In functions vmsvgaIORead and vmsvgaIOWrite we can read and write this buffer based on the value of cScratchRegion.

Using the vbe_ioport_write race one more time, we can corrupt cScratchRegion. This gives us a fully controlled buffer overread and buffer overflow of a buffer within VGAState.

From here we need to find a way to get arbitrary execution. Conveniently, each device in VirtualBox has a PDMPCIDEV allocated directly after it in memory. Since it is part of the initial allocation for the device, we can be assured it will always be there.

At the beginning of the structure there is a pointer to the static string vga located in VBoxDD.dll. We can use our buffer overread to read this pointer and infer the base address of VBoxDD.dll. The structure also has a nested PDMPCIDEVINT structure, which contains several easily accessible function pointers:

The function pointers pfnConfigRead and pfnConfigWrite can be overwritten by our buffer overflow. Afterwards, we can trigger calls to these function pointers using PCI ioports.

To prepare for calling these function pointers, we first call pciIOPortAddressWrite to set uConfigRegto to specify the PCI device we want to read from or write to. In our case, that value can be found in the uDevFn value at the beginning of the PDMPCIDEV struct.

After we set uConfigReg, we can then call pciIOPortDataWrite, which will call pci_data_write. This function will call our function pointer with some controlled arguments.

When the function pointer is called, arg1 ends up being the value of pDevInsR3 which is fully user-controlled by means of our buffer overflow. arg2 points to the PDMPCIDEV struct after our VGAState, which means we can control data at that location. With a fully controlled arg1 and arg2, we can start to write our final execution chain.

These libraries use Windows Control Flow Guard so we are not able to make indirect calls to arbitrary code. Fortunately for us, CFG allows calls to arbitrary functions in other libraries, so it doesn’t prevent us from calling WinExec("calc").

First, we need to use our buffer read/write primitives to construct an arbitrary read so we can get the address of kernel32.dll. We currently have the base address for VBoxDD.dll only, so we will have to find something to use in that library. When looking through functions in VBoxDD.dll I found one that will work perfectly for what we want to do.

Our arg1 is fully controlled, so this read routine will allow us to take memory from arg1+0x2d8 and store it into the memory pointed to by arg2. arg2 points directly after VGAState in memory, so we can read it afterwards with our buffer overread. This effectively gives us an arbitrary read primitive. With this, we can leak pointers to functions in other libraries through VBoxDD.dlls IAT.

VBoxDD.dll imports several functions from kernel32.dll, so we can read any one of those import table entries to get a pointer into kernel32.dll. From there we can scan backward using our read until we encounter the PE magic at the beginning of kernel32.dll, which gives us the base.

Next, we scan for the export table of kernel32.dll. We start by reading out all the table addresses.

We then scan through the names table until we find the name WinExec. Having obtained the index, we can use the ordinal and address tables to get the function address. Finally we write calc into heap memory we control and call WinExec("calc").


This bug can be triggered on a large percentage of virtual machines because it is an easily accessible path in VGA. I believe this can probably be turned into at least a DOS on any VM with at least 32MB of VRAM.

The way I exploited it has significantly more constraints, which restricts the number of machines affected by the full escape. It still may be possible to turn this bug into a full escape under a wider range of conditions, but that was not part of my research.

Thanks again to Cody for providing this thorough write-up. This was his first Pwn2Own event, and we certainly hope to see more submissions from him in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome

In this guest blog from Master of Pwn winner Manfred Paul, he details CVE-2024-2887 – a type confusion bug that occurs in both Google Chrome and Microsoft Edge (Chromium). He used this bug as a part of his winning exploit that led to code execution in the renderer of both browsers. This bug was quickly patched by both Google and Microsoft. Manfred has graciously provided this detailed write-up of the vulnerability and how he exploited it at the contest.

In this blog, I describe a means of exploiting the V8 JavaScript and WebAssembly engine to gain execution of arbitrary shellcode inside the renderer process. This includes a bypass of the V8 memory sandbox (Ubercage), though code execution is still constrained by the process isolation-based browser sandbox. For demonstration purposes, this limitation can be removed by running the browser with the --no- sandbox flag.

Root Cause of the WebAssembly Universal Type Confusion

A WebAssembly module may contain a type section that defines a list of custom “heap types”. In the base specification, this is used only to declare function types, but with the adoption of the garbage collection (GC) proposal [PDF], this section can additionally define struct types, allowing for the use of composite, heap-allocated types in WebAssembly.

Normally, a struct declared in this section may only reference structs that precede it (structs with a lower type index). To support mutually recursive data structures, a feature called recursive type groups is available. Instead of declaring the (potentially) mutually recursive types as individual entries in the type section, a recursive group is declared as a single type section entry. Within this group, individual types are declared, which are thereby allowed to reference each other.

With this in mind, consider the function responsible for parsing the type section from the binary WebAssembly format in v8/src/wasm/module-decoder-impl.h:

At (1), the limit kV8MaxWasmTypes (currently equal to 1,000,000) is passed as a maximum to consume_count(), ensuring that at most this many entries are read from the type section. When recursive type groups were added, this check became insufficient. While this code will permit only kV8MaxWasmTypes entries of the type section to be read, each of those can potentially be a recursive type group containing more than one individual type definition.

This insufficiency was clearly noticed at the time of this change, as together with recursive type groups a second check was added at (2). Here, for each recursive type group, it is checked that the addition of the constituent types would not exceed the kV8MaxWasmTypes limit.

However, this second check is still not enough. While it protects the indices of each type allocated inside a recursive group, the presence of those groups also has implications for types declared outside this group, as each recursive group adds to the total count of declared types.

To make this clearer, imagine a type section consisting of two entries: one recursive group containingkV8MaxWasmTypes entries, and following that group, one non-recursive type. The check at (1) is passed, as the section only has two entries. While processing the recursive group, the check at (2) is also passed, as the section has exactly kV8MaxWasmTypes entries. For the following single type, there is no further check: at (3) the type is simply allocated at the next free index. In this case, the index will be kV8MaxWasmTypes, exceeding the usual maximum of kV8MaxWasmTypes-1. If there were more than one non-recursive type at the end of the type section, they would similarly get assigned kV8MaxWasmTypes+1, kV8MaxWasmTypes+2, and so forth, as type indices.

Impact of the Root Cause

Exceeding the maximal number of declared heap types might seem like a very harmless resource exhaustion bug at first. However, due to some internal details of how V8 handles WebAssembly heap types, it directly allows constructing some very powerful exploit primitives.

In v8/src/wasm/value-type.h, the encoding of heap types is defined:

Here, V8 assumes that all user-defined heap types will be assigned indices smaller than kV8MaxWasmTypes. Larger indices are reserved for fixed, internal heap types (beginning with kFunc). This results in our own type declarations aliasing one of these internal types, leading to many opportunities for type confusion.

Universal WebAssembly Type Confusion

To leverage this encoding ambiguity into a full type confusion, let’s first consider the opcode, which produces a reference to a new struct created from fields given on the stack. The caller specifies the desired struct type by passing its type index. The relevant check on the type index can be found in v8/src/wasm/function-body-decoder-impl.h:

Following the validation logic into the has_struct() method from v8/src/wasm/wasm-module.h:

Since we can make types.size() exceed the usual limit of kV8MaxWasmTypes, we can make the check pass even if when passing an index larger than this value. This allows us to create a reference of an arbitrary internal type that points to the struct we can freely define.

On the other hand, consider now the handling of the ref.cast instruction:

Here, a type check elimination is performed. If TypeCheckAlwaysSucceeds returns true, then no actual type check is emitted and the value is simply reinterpreted as the target type.

The function TypeCheckAlwaysSucceeds ultimately calls IsHeapSubtypeOfImpl defined in v8/src/wasm/

This means that if our declared type index aliases the constant HeapType::kNone, the type check will always be elided if we cast to any non-function, non-external reference. In combination, we can use this to turn any reference type into any other by the following steps:

  1. In the type section, define a structure type with a single field of type anyref, and make this struct have a type index equal to HeapType::kNone using the bug described above.

  2. Place a non-null reference value of any type on the top of the stack and call with the type index set to HeapType::kNone. This will succeed, as has_struct() validates the index against the index established via the previous step.

  3. Also, declare a struct with a normal type index lower than kV8MaxWasmTypes with a single field of the target reference type. Call ref.cast with this this struct’s type index. The engine will not perform any type check, as the input value is at this point understood to be reference type HeapType::kNone.

  4. Finally, read back the reference stored in the struct by executing struct.get.

This arbitrary casting of reference types allows transmuting any value type into any other by referencing it, changing the reference type, and then dereferencing it – a universal type confusion.

In particular, this directly contains nearly all usual JavaScript engine exploitation primitives as special cases:

• Transmuting int to int* and then dereferencing results in an arbitrary read.

• Transmuting int to int* and then writing to that reference results in an arbitrary write.

• Transmuting externrefto int is the addrOf() primitive, obtaining the address of a JavaScript object.

• Transmuting int to externref is the fakeObj() primitive, forcing the engine to treat an arbitrary value as a pointer to a JavaScript object.

While casting from HeapType::kNone to an externref is not allowed, remember that we are actually operating on one more level of indirection - transmuting to externref involves casting to a reference to a struct containing one externref member.

Note however that these “arbitrary” reads and writes are still contained in the V8 memory sandbox, as all involved pointers to heap-allocated structures are tagged, compressed pointers inside the heap cage, not full 64-bit raw pointers.

Integer Underflow Leading to V8 Sandbox Escape

The primitives described above allow for freely manipulating and faking most JavaScript objects. However, all of this happens inside the limited memory space of the V8 sandbox. “Trusted” objects such as WebAssembly instance data cannot yet be manipulated. We will now turn our attention to a bug that can be used to escape the memory sandbox.

An often-used object for JavaScript engine exploits is ArrayBuffer and its corresponding views, (i.e. typed arrays), as it allows for direct, untagged access to some region of memory.

To prevent access to pointers outside the V8 sandbox, sandboxed pointers are used to designate a typed array’s corresponding backing store. Similarly, an ArrayBuffer’s length field is always loaded as a “bounded size access”, inherently limiting its value to a maximum of 235 − 1.

However, in modern JavaScript, the handling of typed arrays has become quite complex due to the introduction of resizable ArrayBuffers (RABs) and their sharable variant, growable SharedArrayBuffers (GSABs). Both variants feature the ability to change their length after the object has been created with the shared variant being restricted to never shrink. In particular, for typed arrays with these kinds of buffers, the array length can never be cached and must be recomputed on each access.

Additionally, ArrayBuffers also feature an offset field, describing the start of the data in the actual underlying backing store. This offset must be taken into account when computing the length.

Let’s now look at the code responsible for building a TypedArray’s length access in the optimizing Turbofan compiler. It can be found in v8/src/compiler/ Note that most non-RAB/GSAB cases and the code responsible for dispatching are omitted for simplicity:

For arrays backed by a resizable ArrayBuffer, we can see at (1) that the length is computed as floor((byte_length - byte_offset) / element_size). Crucially, there is an underflow check. If byte_offset exceeds byte_length, then 0 is returned instead.

Curiously though, in the case of a GSAB-backed array, the corresponding underflow check is missing. Thus, if byte_offset is larger than byte_length, an underflow occurs and the subtraction wraps around to something close to the maximum unsigned 64-bit integer 264. As both of these fields are found in the (by now) attacker-controlled array object, we can easily trigger this using the sandboxed arbitrary read/write primitives discussed previously. This results in access to the whole 64-bit address space, as the length computed by this function is used to bound any typed array accesses (in JIT-compiled code).

Exploitation for Arbitrary Shellcode Execution

Using the two bugs described above, exploitation becomes fairly straightforward. The primitives described in the Universal WebAssembly Type Confusion section directly give arbitrary reads and writes within the V8 memory sandbox. This can then be used to manipulate a growable SharedArrayBuffer to have an offset greater than its length. A previously JIT-compiled read/write function can then be used to access and overwrite data anywhere in the process’s address space. An appropriate target for overwrite is the compiled code of a WebAssembly module, since that resides in an RWX (read-write-execute) page and can be overwritten with shellcode.

Thanks again to Manfred for providing this thorough write-up. He has contributed multiple bugs to the ZDI program over the last few years, and we certainly hope to see more submissions from him in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Jason McFadyen of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Microsoft Windows. This bug was originally discovered by the Microsoft Offensive Research & Security Engineering team. Successful exploitation could result in arbitrary code execution in the context of the application using the vulnerable library. The following is a portion of their write-up covering CVE-2024-20697, with a few minimal modifications.

An integer overflow vulnerability exists in the Libarchive library included in Microsoft Windows. The vulnerability is due to insufficient bounds checks on the block length of a RARVM filter used for Intel E8 preprocessing, included in the compressed data of a RAR archive.

A remote attacker could exploit this vulnerability by enticing a target user into extracting a crafted RAR archive. Successful exploitation could result in arbitrary code execution in the context of the application using the vulnerable library.

The Vulnerability

The RAR file format supports data compression, error recovery, and multiple volume spanning. Several versions of the RAR format exist: RAR1.3, RAR1.5, RAR2, RAR3, and the most recent version, RAR5. Different compression and decompression algorithms are used for different versions of RAR.

The following describes the RAR format used by versions 1.5, 2.x, and 3.x. A RAR archive consists of a series of variable-length blocks.

Each block begins with a header. The following table is the common structure of a RAR block header:

The RarBlock Marker is the first block of a RAR archive and serves as the signature of a RAR formatted file:

This block always contains the following byte sequence at the beginning of every RAR file:

           0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (ASCII: "Rar!\x1A\x07\x00")

The ArcHeader is the second block in a RAR file and has the following structure:

The ArcHeader block is followed by one or more FileHeader blocks. These blocks have the following structure:

Note that the above offsets are relative to the existence of the optional fields.

The EndBlock block will signify the end of the RAR archive. This block has the following structure:

For each FileHeader block in the RAR archive, if the Method field is not set to "Store" (0x30), then the Data field will contain the compressed file data. The method of decompression depends on the RAR version used to compress the data. The RAR version needed to extract the compressed data is recorded in the UnpVer field of the FileHeader block.

Of relevance to this report is the RAR extraction method used by RAR format version 2.9 (a.k.a. RAR4), which is used when the UnpVer field is set to 29. The compressed data may be compressed either using the Lempel-Ziv (LZ) algorithm or using Prediction by Partial Matching (PPM) compression. This report will not describe in full detail the extraction algorithm, but only summarize the relevant parts for understanding the vulnerability. For a reference implementation of the extraction algorithm, see the Unpack::Unpack29() function in the UnRAR source code.

When the libarchive library attempts to extract the contents of a file from a RAR archive, if the file data is compressed (i.e. the Method field is not set to "Store"), the function read_data_compressed() will be called to extract the compressed data. The compressed data is composed of multiple blocks, each of which can be compressed using the LZ algorithm (denoted by the first bit of the block set to 0) or using PPM compression (denoted by the first bit of the block set to 1). Initially, the function parse_codes() will be called to decode the tables necessary to extract the file data. If a block of data compressed using the LZ algorithm is encountered, the expand() function will be called to decompress the data. In the expand() function, symbols are read from the compressed data by calling read_next_symbol() in a loop. In the function read_next_symbol(), the symbol will be decoded according to the Huffman table decoded in function parse_codes().

If the decoded symbol is 257, the function read_filter() will be called to read a RARVM filter, which has the following structure:

Note that the above offsets are relative to the existence of the optional fields.

The calculation of the size of the Code field is as follows: If the lowest 3 bits of the Flags field (will be referred to as LENGTH) are less than 6, the code size is (LENGTH + 1). If LENGTH is set to 6, the code size is (LengthExt1 + 7). If LENGTH is set to 7, the code size is (LengthExt1 << 8) | LengthExt2. After the code length is calculated and the code itself is copied into a buffer, the code, its length, and the filter flags are sent to the parse_filter() function to parse the code section.

Within the code section, numbers are parsed by calling the function membr_next_rarvm_number(). This function reads 2 bits, and according to their value, determines how many bits to read to parse the value. If the first 2 bits are 0, 4 value bits will be read; if they are 1, 8 value bits will be read; if they are 2, 16 value bits will be read; and if they are 3, 32 value bits will be read.

Function parse_filter() will parse the code section, which has the following structure:

Note that if the READ_REGISTERS flag is not set, the registers will be initialized, such that the 5th register is set to the block length, which is either read from the code section (if the READ_BLOCK_LENGTH flag is set), or carried over from the block length of the previous filter.

After these fields are parsed in parse_filter(), the ByteCode field and its length are sent to the function compile_program(). In this function, the first byte of the bytecode is verified to be equal to the XOR of all other bytes in the bytecode. If true, it will set the fingerprint field of the rar_program_code struct to the value of the CRC-32 algorithm run on the full bytecode, combined with the bytecode length shifted left 32 bits.

Back in the function parse_filter(), after all fields are calculated for the filter, therar_filter struct will be initialized by calling create_filter() with the rar_program_code struct containing the fingerprint field and the register values calculated. These values will be set to the prog field and the initialregisters fields of the rar_filter struct, respectively.

Once processing of the filter is done, function run_filters() is called to run the parsed filter. This function initializes the vm field of the rar_filters struct with a structure of type rar_virtual_machine. This structure contains a registers field, which is an array of 8 integers, and a memory field of size 0x40004. Then, each filter is executed by calling execute_filter(). If the fingerprint field of the rar_program_code struct associated with the executed filter is equal to either 0x35AD576887 or 0x393CD7E57E, the execute_filter_e8() function is called. This function reads the block length from the 5th field of the initialregisters array. Then, a loop is run for replacing instances of 0xE8 and/or 0xE9 within the VM memory, with the block length used as the loop exit condition.

An integer overflow vulnerability exists in the Libarchive library included in Microsoft Windows. The vulnerability is due to insufficient bounds checks on the block length of a RARVM filter used for Intel E8 preprocessing, included in the compressed data of a RAR archive. Specifically, if the archive contains a RARVM filter whose fingerprint field is calculated as either 0x35AD576887 or 0x393CD7E57E, it will be executed by calling execute_filter_e8(). If the 5th register of the filter is set to a block length of 4, the loop condition in this function, which is set to the block length minus 5, will overflow to 0xFFFFFFFF. Since the VM memory has a size of 0x40004, this will result in memory accesses that are out of the bounds of the heap-based buffer representing the VM memory.

A remote attacker could exploit this vulnerability by enticing a target user into extracting a crafted RAR archive, containing a RARVM filter that has its 5th register set to 4. Successful exploitation could result in arbitrary code execution in the context of the application using the vulnerable library.


• All multi-byte integers are in little-endian byte order.
• All offsets and sizes are in bytes unless otherwise specified.
• Since there is no official documentation of the RAR4 format, the description is based on the UnRAR and libarchive source code. Field names are either copied from source code or given based on functionality.

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the common ports where a RAR archive might be sent, such as FTP, HTTP, SMTP, IMAP, SMB, and POP3.

The detection device must look for the transfer of RAR files and be able to parse the RAR file format. Currently, there is no official documentation of the RAR file format. This detection guidance is based on the source code for extracting RAR archives provided by the UnRAR program and the libarchive library.

The common structure of a RAR block header is detailed above. The detection device must first look for a RarBlock Marker, which is the first block of a RAR archive and serves as the signature of a RAR formatted file:

The detection device can identify this block by looking for the following byte sequence:

          0x52 0x61 0x72 0x21 0x1A 0x07 0x00 ("Rar!\x1A\x07\x00")

If found, the device must then identify the ArcHeader, which is the second block in a RAR file and is detailed above. The ArcHeader block is followed by one or more FileHeader blocks, whose structure is also detailed above. Note that the above offsets are relative to the existence of the optional fields.

The detection device must parse each FileHeader block and inspect its Method field. If the value of the Method field is greater than 0x30, the detection device must inspect the Data field of the FileHeader block, containing the compressed file data. The compressed data may be compressed either using the Lempel-Ziv (LZ) algorithm or using Prediction by Partial Matching (PPM) compression. This detection guidance will not describe in full detail the extraction algorithm. For a reference implementation of the extraction algorithm, see the Unpack::Unpack29() function in the UnRAR source code.

The compressed data is composed of multiple blocks, each of which can be compressed using the LZ algorithm (denoted by the first bit of the block set to 0) or using PPM compression (denoted by the first bit of the block set to 1). The detection device must extract each block according to the algorithm used to compress it. If a block compressed using the LZ algorithm is encountered, the detection device must decode the Huffman tables from the beginning of the compressed data. The detection device must then iterate over the remaining compressed data and decode each symbol based on the generated Huffman tables. If the symbol 257 is encountered, the following data must be parsed as a RARVM filter, which has the following structure:

Note that the above offsets are relative to the existence of the optional fields.

The detection device must then calculate the size of the Code field. The calculation of the size of the Code field is as follows: If the lowest 3 bits of the Flags field (will be referred to as LENGTH) are less than 6, the code size is (LENGTH + 1). If LENGTH is set to 6, the code size is (LengthExt1 + 7). If LENGTH is set to 7, the code size is (LengthExt1 << 8) | LengthExt2. After the size of the Code field is calculated, the Code field must be parsed according to the following structure:

All numerical fields within this structure (FilterNum, BlockStart, BlockLength, register values, and ByteCodeLen) must be read according to the algorithm implemented in the RarVM::ReadData() function of the UnRAR source code. The algorithm reads 2 bits of data, signifying the number of bits of data containing the numerical value. Note that some of the fields in this structure are optional and depend on flags set in the Flags field of the RARVM filter structure.

After extracting all necessary fields, the detection device must check for the following conditions:

• The CRC-32 checksum of the ByteCode field is 0xAD576887 and the ByteCodeLen field is 0x35 OR the CRC-32 checksum of the ByteCode field is 0x3CD7E57E and the ByteCodeLen field is 0x39.
• The READ_REGISTERS flag is set and the value of the 5th register of the Registers field is set to 4 OR the READ_BLOCK_LENGTH flag is set and the value of the BlockLength field is set to 4. If both these conditions are met, the traffic should be considered suspicious. An attack exploiting this vulnerability is likely underway.


• All multi-byte integers are in little-endian byte order.
• All offsets and sizes are in bytes unless otherwise specified.


Microsoft patched this vulnerability in January 2024 and assigned it CVE-2024-20697. While they did not recommend any mitigating factors, there are some additional measures you can take to help protect from this bug being exploited. This includes not extracting RAR archive files from untrusted sources and filtering traffic using the guidance provided in the section “Detection Guidance” section of this blog. Still, it is recommended to apply the vendor patch to completely address this issue.

Special thanks to Guy Lederfein and Jason McFadyen of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The April 2024 Security Updates Review

9 April 2024 at 17:49

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for April 2024

For April, Adobe released nine patches addressing 24 CVEs in Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate. The largest of these updates is for Experience Manager, however, all of the bugs being patched are simple Cross-site Scripting (XSS) bugs. Still, if exploited, these Important-severity bugs could lead to code execution if exploited. The only other patches that address multiple CVEs are the fixes for Animate and Commerce. The patch for Animate addresses four bugs. Two of these are rated Critical and could lead to arbitrary code execution. The patch for Commerce also fixes two Critical-rated bugs, one XSS and one improper input validation bug. Both could lead to code execution.

Then we have several patches that are all info leaks due to an Out-Of-Bounds (OOB) read. These were all reported by the same person, and it makes me wonder if there is shared code between these products that makes them all vulnerable. In any case, After Effects, Photoshop, InDesign, Bridge, and Illustrator all fall into this category. That just leaves the update for Media Encoder. This patch fixes a single buffer overflow that could lead to code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for April 2024

This month, Microsoft released a whopping 147 new CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. If you include the third-party CVEs being documented this month, the CVE count comes to 155. A total of three of these bugs came through the ZDI program. None of the bugs disclosed at Pwn2Own Vancouver are fixed with this release.

Of the new patches released today, only three are rated Critical, 142 are rated Important, and two are rated Moderate in severity. This is the largest release from Microsoft this year and the largest since at least 2017. As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time. It’s not clear if this is due to a backlog from the slower months or a surge in vulnerability reporting. It will be interesting to see which trend continues.

None of the CVEs released today are listed as currently under active attack and none are listed as publicly known at the time of release. However, the bug reported by ZDI threat hunter Peter Girnus was found in the wild. We have evidence this is being exploited in the wild, and I’m listing it as such.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug we consider to be currently exploited in the wild:

-       CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.

-       CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There is a long history of RPC exploits being seen in the wild, so any RPC bug that could lead to code execution turns heads. This bug does require authentication, but it doesn’t require any elevated permission. Any authenticated user could hit it. It’s not clear if you could hit this if you authenticated as Guest or an anonymous user. A quick search shows about 1.3 million systems with TCP port 135 exposed to the internet. I expect a lot of people will be looking to exploit this in short order.

-       CVE-2024-20670 – Outlook for Windows Spoofing Vulnerability
This bug is listed as a spoofing bug, but based on the end result of exploitation, I would consider this information disclosure. In this case, the information disclosed would be NTLM hashes, which could then be used for Spoofing targeted users. Either way, a user would need to click something in an email to trigger this vulnerability. The Preview Pane is NOT an attack vector. However, we have seen a rash of NTLM relaying bugs over the last few months. With the wide user base of Outlook, this will likely be targeted by threat actors in the coming months.

-       CVE-2024-26221 – Windows DNS Server Remote Code Execution Vulnerability
This is one of seven DNS RCE bugs being patched this month and all are documented identically. These bugs allow RCE on an affected DNS server if the attacker has the privileges to query the DNS server. There is a timing factor here as well, but if the DNS queries are timed correctly, the attacker can execute arbitrary code on the target server. Although not specifically stated, it seems logical that the code execution would occur at the level of the DNS service, which is elevated. I really don’t need to tell you that your DNS servers are critical targets, so please take these bugs seriously and test and deploy the patches quickly.

Here’s the full list of CVEs released by Microsoft for April 2024:

*Note that post-release, Microsoft confirmed CVE-2024-26234 is also under active attack. The table has been updated to reflect this new information

CVE Title Severity CVSS Public Exploited Type
CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability Important 8.8 No Yes RCE
CVE-2024-26234 Proxy Driver Spoofing Vulnerability Important 6.7 Yes Yes Spoofing
CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 7.2 No No RCE
CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-29063 † Azure AI Search Information Disclosure Vulnerability Important 7.3 No No Info
CVE-2024-28917 † Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability Important 6.2 No No EoP
CVE-2024-21424 † Azure Compute Gallery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-26193 † Azure Migrate Remote Code Execution Vulnerability Important 6.4 No No RCE
CVE-2024-29989 † Azure Monitor Agent Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26219 HTTP.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-2201 * Intel: CVE-2024-2201 Branch History Injection Important 4.7 No No Info
CVE-2024-23593 * Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell Important 7.8 No No SFB
CVE-2024-23594 * Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi Important 6.4 No No SFB
CVE-2024-26256 libarchive Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-29990 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability Important 6.8 No No Spoofing
CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-20670 Outlook for Windows Spoofing Vulnerability Important 8.1 No No Spoofing
CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-20669 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-20688 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB
CVE-2024-20689 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB
CVE-2024-26168 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB
CVE-2024-26171 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-26175 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2024-26180 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2024-26189 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2024-26194 † Secure Boot Security Feature Bypass Vulnerability Important 7.4 No No SFB
CVE-2024-26240 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2024-26250 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-28896 † Secure Boot Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2024-28897 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB
CVE-2024-28898 † Secure Boot Security Feature Bypass Vulnerability Important 6.3 No No SFB
CVE-2024-28903 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-28919 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-28920 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2024-28921 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-28922 † Secure Boot Security Feature Bypass Vulnerability Important 4.1 No No SFB
CVE-2024-28923 † Secure Boot Security Feature Bypass Vulnerability Important 6.4 No No SFB
CVE-2024-28924 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB
CVE-2024-28925 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2024-29061 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2024-29062 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB
CVE-2024-26241 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability Important 4.3 No No EoP
CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability Important 8.4 No No RCE
CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability Important 6.2 No No Info
CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability Important 5 No No Info
CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability Moderate 5.5 No No Info
CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability Moderate 5.9 No No DoS
CVE-2024-29049 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability Moderate 4.1 No No Spoofing
CVE-2024-29981 Microsoft Edge (Chromium-based) Spoofing Vulnerability Low 4.3 No No Spoofing
CVE-2024-3156 * Chromium: CVE-2024-3156 Inappropriate implementation in V8 High N/A No No RCE
CVE-2024-3158 * Chromium: CVE-2024-3158 Use after free in Bookmarks High N/A No No RCE
CVE-2024-3159 * Chromium: CVE-2024-3159 Out of bounds memory access in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


Moving on to the Critical-rated bugs, all impact Microsoft Defender for IoT. An authenticated attacker with file upload privileges could get arbitrary code execution through a path traversal vulnerability. They would need to upload specially crafted files to sensitive locations on the target. It’s not clear how likely this would be, but anything that targets your defensive tools should be taken seriously.

All told, there are almost 70 fixes for bugs that could lead to code execution in this release. The (somewhat) good news is that nearly half of these impact SQL server components. In these cases, an attacker would need to have an affected system connect to a specially crafted SQL database and perform a query. If you can socially engineer that, then you will get code execution. However, that does seem unlikely. More practically, I would concern myself with the DNS and DHCP code execution bugs in this release. I’ve already mentioned the DNS bugs. For the DHCP bugs, the attacker would need elevated privileges. This would be a good time to audit your DHCP server to see who has privileges and who should be removed. The fix for Azure Migrate is only network adjacent, but you’ll need to take extra steps to be fully protected. You need to the latest Azure Migrate Appliance's AutoUpdater, which ensures MSI installers downloaded from the Download Center have been authentically signed by Microsoft prior to installation. Check here for more details. There is an update for Excel to address an open-an-own bug, but you’re out of luck if you’re on macOS. Updates for Apple users are not available yet.

There’s a mountain of elevation of privilege (EoP) patches in this month’s release, and in most cases, exploitation requires an attacker to log on the an affected system then run their code. Again, this usually results in getting code to elevate to SYSTEM. The Azure EoPs are a little bit different and require some extra steps. The bug in Azure Arc-enabled Kubernetes could allow an attacker to gain access to sensitive information, such as Azure IoT Operations secrets and potentially other credentials or access tokens stored within the Kubernetes cluster. You’ll also need to update any affected Extensions that are used in your environment and ensure you update your Azure Arc Agent. The bug in Azure Content Gallery also needs extra actions to be protected. This bug has been mitigated by the latest change to the Azure Compute Gallery (ACG) image creation permission requirements, which means you’ll need to check the permissions and possibly update them. For information on how to update permissions, see here for details. For the Azure Monitor Agent EoP, you need to make sure you have Automatic Extension Upgrades enabled. If you don’t you can manually get the updates following these instructions. Finally, the bug in the Azure Kubernetes Service also needs some extra work. To be fully protected, you need to ensure you are running the latest version of “az confcom” and Kata Image. If you don’t have “az conform” installed, you can get the latest version by running the command “az extension add -n conform”. See the bulletin for full details.

Moving on to the security feature bypass (SFB) bugs, how in the world are there 23 different SFB patches for Secure Boot? As if that isn’t enough, you’ll need to take additional steps to be protected. The patch fixes the bugs, but the protections aren’t enabled by default. You’ll need to check out this KB article and follow the instructions listed there. With 23 bugs and manual actions needed to address them, I don’t think we should call it “secure” boot anymore. Other SFB bugs include one that could bypass RSA signature verification and a bug in BitLocker that could also bypass secure boot. At least that one just requires a patch and no extra steps.

There are more than a dozen information disclosure bugs. Fortunately, most only result in info leaks consisting of unspecified memory contents. The bug in Azure AI Search could allow an attacker to obtain sensitive API Keys. While this bug has been mitigated by a recent update to Azure AI Search's backend infrastructure, you’ll need to manually rotate specific credentials that have been notified through Azure Service Health alerts. The bug in Azure Identity Library for .NET could divulge data inside the targeted website like IDs, tokens, nonces, and other sensitive information. At least there are no additional steps beyond the patch for this one. Finally, the bug in Windows DFS could disclose the ever-descriptive “sensitive information”.

The April release is rounded out by a handful of spoofing and denial-of-service (DoS) bugs. Microsoft doesn’t provide a lot of useful information here, but if you need to focus on something, the DoS bugs in the DHCP service are where I’d start. Shutting down DHCP for any time in an enterprise will likely lead to a “no fun at all” day.

Finally, Microsoft has updated ADV99001 with the latest servicing stack updates. Be sure to check them out.

Looking Ahead

The next Patch Tuesday of 2024 will be on May 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Pwn2Own Vancouver 2024 - Day Two Results

21 March 2024 at 15:58

Welcome to the second and final day of Pwn2Own Vancouver 2024! We saw some amazing research yesterday, including a Tesla exploit and a single exploit hitting both Chrome and Edge. So far, we have paid out $723,500 for the event, and we’re poised to hit $1,000,000 again. Today looks to be just as exciting with more attempts in virtualization, browser sandbox escapes, and the Pwn2Own’s first ever Docker escape, so stay tuned for all of the results!

And that’s a wrap! Pwn2Own Vancouver 2024 has come to a close. In total, we awarded $1,132,500 for 29 unique 0-days. We’re also happy to award Manfred Paul with the title of Master of Pwn. He won $202,500 and 25 points total. Combining the last three events (Toronto, Automotive, and Vancouver), we’ve awarded $3,494,750 for this year’s Pwn2Own events. Here’s how the Top 10 of this event added up:

Congratulations to all the winners. We couldn’t hold this event without the hard work of the contestants. And thanks to the vendors as well. They now have 90 days to fix these vulnerabilities. Special thanks to Tesla for their sponsorship and support. For details of each of today’s exploits, see the entries below.

SUCCESS - Marcin Wiązowski used an improper input validation bug to escalate privileges on Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - STAR Labs SG's exploit of VMware Workstation used two bugs. One is an uninitialized variable, but the other was previously known. They still win $30,000 and 6 Master of Pwn points.

SUCCESS - ColdEye used two bugs, including a UAF, to exploit Oracle VirtualBox. He even managed to leave the guest OS intact. His guest-to-host escape earns him $20,000 and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of Mozilla Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25.

SUCCESS - First time Pwn2Own contestant Gabriel Kirkpatrick (gabe_k of used an always tricky race condition to escalate privileges on #Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. They were able to exploit Chrome and Edge with the same bugs, earning $42,500 and 9 Master of Pwn points.

BUG COLLISION - STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu desktop. However, they used a bug that was previously reported. They still earn $5,000 and 1 Master of Pwn point.

BUG COLLISION - Although the Hackinside Team was able to escalate privileges on Windows 11 through an integer underflow, the bug was known by the vendor. They still earn $7,500 and 1.5 Master of Pwn points.

SUCCESS -Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to RCE in the renderer on both Microsoft Edge and Google Chrome. He earns $85,000 and 9 Master of Pwn points. That brings his contest total to $145,000 and 15 Master of Pwn points.

SUCCESS - The first Docker desktop escape at Pwn2Own involved two bugs, including a UAF. The team from STAR Labs SG did great work in the demonstration and earned $60,000 and 6 Master of Pwn points.

SUCCESS - Valentina Palmiotti (@chompie1337) with IBM X-Force used an Improper Update of Reference Count bug to escalate privileges on Windows 11. She nailed her first #Pwn2Own event and walks away with $15,000 and 3 Master of Pwn points.

BUG COLLISION - The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a bug that was previously know to escalate privileges on Ubuntu desktop. He still wins $5,000 and 1 Master of Pwn point.

Pwn2Own Vancouver 2024 - Day One Results

20 March 2024 at 15:39

Welcome to the first day of Pwn2Own Vancouver 2024! We have two amazing days of research planned, including every browser, SharePoint, and Tesla. We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Pacific Daylight Time (GMT -7:00).

And we’re done with Day One of Pwn2Own Vancouver 2024. We awarded $732,500 USD for 19 unique 0-days. See below for the details of each event. Here are the Master of Pwn standings after the first day:

SUCCESS - AbdulAziz Hariri of Haboob SA was able to execute their code execution attack against Adobe Reader. He combined an an API Restriction Bypass and a Command Injection bug. He earns himself $50,000 and 5 Master of Pwn points.

SUCCESS - The DEVCORE Research Team was able to execute their LPE attack against Windows 11. They combined a couple of bugs, including a somewhat risky TOCTOU race condition. They earn $30,000 and 3 Master of Pwn points.

FAILURE - The Starlabs SG team was unable to get their exploit of Microsoft SharePoint working within the time allotted.

SUCCESS - Seunghyun Lee (@0x10n) of KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser using a single UAF bug. They earn $60,000 and 6 Master of Pwn points.

SUCCESS - Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) combined an uninitiallized variable bug, a UAF, and a heap-based buffer overflow to escape VMware Workstation and then execute code as SYSTEM on the host Windows OS. This impressive feat earns them $130,000 and 13 Master of Pwn points.

BUG COLLISION - The DEVCORE Team was able to execute their LPE attack against Ubuntu Linux. However, the bug they used was previously known. They still earn $10,000 and 1 Master of Pwn points.

SUCCESS - Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) combined two Oracle VirtualBox bugs - including a buffer overflow - along with a Windows UAF to escape the guest OS and execute code as SYSTEM on the host OS. This fantastic research earns them $90,000 and 9 Master of Pwn points.

SUCCESS - The Synacktiv (@synacktiv) team used a single integer overflow to exploit the Tesla ECU with Vehicle (VEH) CAN BUS Control. The win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!).

SUCCESS - Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate privileges on Ubuntu Linux desktop. This earns him him $20,000 and 20 Master of Pwn points.

SUCCESS - Cody Gallagher used a single OOB Write bug to exploit Oracle VirtualBox. His first ever Pwn2Own attempt results in him winning $20,000 (second round win) and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) gets RCE on the Apple Safari browser with an integer underflow bug plus a PAC bypass using a weakness in Apple Safari. He wins himself $60,000 and 6 Master of Pwn points.

FAILURE - STAR Labs SG could not get their exploit of VMware ESXi working within the time allotted.

SUCCESS - Dungdm (@_piers2) of Viettel Cyber Security used two bugs, including the ever-risky race condition, to exploit Oracle VirtualBox. As a round 3 winner, they receive $20,000 and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) executed a double-tap exploit on both Chrome and Edge browsers with the rare CWE-1284 Improper Validation of Specified Quantity in Input. His Round 2 win earns him $42,500 and 15 Master of Pwn points.

That’s a wrap on Day One of Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique bugs. Tune in tomorrow to see if Synacktive can hold on to their Master of Pwn lead or if Manfred Paul is able to overtake them.

Pwn2Own Vancouver 2024 - The Full Schedule

20 March 2024 at 00:13

Welcome to Pwn2Own Vancouver 2024! This year’s event promises to be the largest-ever Vancouver event - both in terms of entries and potential prizes. If everything hits, we will end up paying out over $1,300,000 in cash and prizes - including a Tesla Model 3. We’ve got two full days of exciting competition ahead. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Pacific Daylight Time [UTC - 7:00]).

Note: All times subject to change

Day One

Wednesday, March 20 – 0930              

AbdulAziz Hariri of Haboob SA targeting Adobe Reader in the Enterprise Applications category.

Wednesday, March 20 – 1000              

DEVCORE Research Team targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Wednesday, March 20 – 1030              

STAR Labs SG targeting Microsoft SharePoint in the Server category.

Wednesday, March 20 – 1100              

Seunghyun Lee (@0x10n) of KAIST Hacking Lab targeting Google Chrome in the Web Browser category.

Wednesday, March 20 – 1200              

Theori targeting VMware Workstation with an additional Windows Kernel LPE vulnerability in the Virtualization category.

Wednesday, March 20 – 1230              

DEVCORE Research Team targeting Ubuntu Desktop in the Local Privilege Escalation category.

Wednesday, March 20 – 1300              

Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) targeting Oracle VirtualBox with an additional Windows Kernel LPE vulnerability in the Virtualization category.

Wednesday, March 20 – 1430              

Synacktiv targeting Tesla ECU with Vehicle (VEH) CAN BUS Control in the Automotive category.

Wednesday, March 20 – 1500              

Kyle Zeng from ASU SEFCOM targeting Ubuntu Desktop in the Local Privilege Escalation category.

Wednesday, March 20 – 1530              

Cody Gallagher targeting Oracle VirtualBox in the Virtualization category.

Wednesday, March 20 – 1600              

Manfred Paul (@_manfp) targeting Apple Safari in the Web Browser category.

Wednesday, March 20 – 1700              

STAR Labs SG targeting VMware ESXi in the Virtualization category.

Wednesday, March 20 – 1800              

Team Viettel targeting Oracle VirtualBox in the Virtualization category.

Wednesday, March 20 – 1830              

Manfred Paul (@_manfp) targeting Google Chrome with Double Tap addon in the Web Browser category.

Day Two 

Thursday, March 21 – 0930   

Marcin Wiązowski targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1000   

STAR Labs SG targeting VMware Workstation in the Virtualization category.

Thursday, March 21 – 1030   

ColdEye targeting Oracle VirtualBox in the Virtualization category.

Thursday, March 21 – 1100   

Manfred Paul (@_manfp) targeting Mozilla Firefox with Sandbox Escape in the Web Browser category.

Thursday, March 21 – 1200   

Gabriel Kirkpatrick (gabe_k of targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1230   

STAR Labs SG targeting Ubuntu Desktop in the Local Privilege Escalation category.

Thursday, March 21 – 1300   

Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks targeting Google Chrome with Double Tap addon in the Web Browser category.

Thursday, March 21 – 1430   

HackInside targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1500   

STAR Labs SG targeting Docker Desktop in the Cloud Native / Container category.

Thursday, March 21 – 1530   

Seunghyun Lee (@0x10n) of KAIST Hacking Lab targeting Microsoft Edge (Chromium) with Double Tap Addon in the Web Browser category.

Thursday, March 21 – 1630   

Valentina Palmiotti with IBM X-Force targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1700   

Theori targeting Ubuntu Desktop in the Local Privilege Escalation category. 

We’ll be publishing results live on the blog as the contest unfolds. We’ll also be posting brief video highlights to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.

The March 2024 Security Update Review

12 March 2024 at 17:29

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for March 2024

For March, Adobe released six patches addressing 56 vulnerabilities in Adobe Experience Manager, Premiere Pro, ColdFusion, Adobe Bridge, Lightroom, and Adobe Animate. Two of these bugs were submitted through the ZDI Program. The largest is the update for Experience Manager, which addresses 44 CVEs. However, all but two of these are simple cross-site scripting (XSS) bugs. The fix for Adobe Animate corrects four CVEs. Only one of these CVEs is rated Critical and could lead to arbitrary code execution if a user opens a specially crafted file on an affected system. The other three bugs are all memory leaks resulting from Out-of-Bounds (OOB) Read bugs. The patch for Premiere Pro fixes two Critical-rated bugs that also require user interaction to gain code execution.

For those still running ColdFusion, there’s a single Critical-rated arbitrary file system read bug getting fixed. Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. The fix for Adobe Bridge addresses three Critical rated and one Important severity bug. The worst could lead to code execution when opening a specially crafted file. The final patch fixes a single code execution bug in Lightroom. Adobe also made the odd decision to stop tweeting when its patches become available and limiting communication to just email subscriptions. Let’s hope they reverse that decision as many people (myself included) rely on the twitter feed for notifications.

And with this release, anyone targeting Adobe Reader at next week’s Pwn2Own Vancouver event can breathe a sigh of relief. It seems your exploits won’t be patched before the event.  

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2024

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; Skype; Microsoft Components for Android; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 64. One of these bugs was reported through the ZDI program.

Of the new patches released today, two are rated Critical, and 57 are rated Important in severity. This is a relatively low volume for March, especially considering this is the last patch cycle before the Pwn2Own contest next week. Vendors usually try to patch as much as possible knowing we update all targets to the latest release. Considering Microsoft has several targets in the contest, it’s interesting to see such a small release.

None of the CVEs released today are listed as publicly known or under active attack, but that could change. After the February release, Microsoft revised multiple updates to indicate they were being actively exploited. For now, nothing is listed as in the wild. I’ll update this blog should that change.

Let’s take a closer look at some of the more interesting updates for this month, starting with a Critical-rated Hyper-V bug:

-       CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability
This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

-       CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability
It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

-       CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
This bug rates the highest CVSS rating for this release with a 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

-       CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

Here’s the full list of CVEs released by Microsoft for March 2024:

CVE Title Severity CVSS Public Exploited Type
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability Critical 5.5 No No DoS
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-21421 † Azure SDK Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2023-28746 * Intel: CVE-2023-28746 Register File Data Sampling (RFDS) Important N/A No No Info
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2024-21400 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21448 † Microsoft Teams for Android Information Disclosure Vulnerability Important 5 No No Info
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2024-21411 † Skype for Consumer Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability Important 6.5 No No Tampering
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability Important 5.7 No No RCE
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability Unknown 4.3 No No Spoofing
CVE-2024-2173 * Chromium: CVE-2024-2173 Out of bounds memory access in V8 High N/A No No RCE
CVE-2024-2174 * Chromium: CVE-2024-2174 Inappropriate implementation in V8 High N/A No No RCE
CVE-2024-2176 * Chromium: CVE-2024-2176 Use after free in FedCM High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


The only other Critical-rated bug is a Denial-of-Service (DoS) vulnerability in Hyper-V Server. Microsoft does not indicate how extensive the DoS is or if the system automatically recovers, but considering its rating, the bug likely shuts down the entire system.

Moving on to the other remote code execution bugs, as we saw last month, there are many impacting SQL clients that would require connecting to a malicious SQL server. Practical exploitation is unlikely without significant social engineering. That’s not the case for the bug in Django Backend for SQL Server. This vulnerability is a classic SQL injection via unsanitized parameters. There’s also a DLL loading bug for Windows OLE. The RCE bug in SharePoint requires user interaction in that the threat actor needs to convince the user to open a specially crafted file. Social engineering will also be required for the Skype for Consumer vulnerability. You’ll also need to manually download the latest version of Skype here as there doesn’t seem to be an automated upgrade option. The final two RCE bugs are a bit rare in that they require physical access to the target system. Both vulnerabilities rely on the attacker plugging a device into an open USB port. It’s uncommon to see patches for bugs with this physical attack vector, but it’s good to see Microsoft is willing to make updates for these types of issues.

Speaking of rarities, there is a single patch for a Tampering bug in the Windows compressed folder component. Microsoft doesn’t give any indication of how the vulnerability would manifest other than to say it requires a user to open a specially crafted file. After that, it’s not clear what is actually being tampered with, although the inclination is to believe an attacker could change file contents with this bug.

There are more than 20 elevation of privilege (EoP) patches in this month’s release. In most cases, a local attacker would need to run specially crafted code to elevate to SYSTEM. The bug in the telephony component would lead to the similar (but distinctly different) “NT AUTHORITY\Network Service” privilege. The bug in the Azure Data Studio would only elevate to the permission level of the user running the application. Another reminder to not do daily tasks with administrative privileged accounts. The bug in the Microsoft Intune Linux Agent bypasses compliance checks when using custom compliance scripts, thus altering the results. The bug in the Authenticator app sounds quite bad as it could bypass 2FA, but it requires a fair bit of user interaction to succeed. An attacker needs to be already executing code on the target and have the user close and re-open the Authenticator application. The vulnerability in the Windows Installer would allow an attacker to delete files. We recently blogged about a similar bug in the .NET framework. The bug in OMI is interesting in that an attacker could exploit it to communicate as Root with an OMI server. The final EoP patch for March affects the Software for Open Networking in the Cloud (SONiC) component. Successful exploitation would allow an attacker to escalate to Root in the Border Gateway Protocol (BGP) container and perform specific actions that enable them to escape the container.

There are three separate Security Feature Bypass (SFB) patches in this month’s release with the most impactful affecting Windows Defender. The good news is that you’ll likely need to take no action as the Defender engine automatically updates itself. The bad news is that if you’re in an isolated environment or have Defender disabled, you’ll likely need to manually verify the Defender version. Given that this bug allows attackers to prevent Defender from starting, it’s best to make sure you have that patch applied. The bug in the hypervisor-protected code integrity (HVCI) could allow an attacker to bypass code integrity protections, but it requires administrator-level permissions. Another rarity, as exploits that begin with admin permissions rarely get fixed. The final SFB update fixes a bug in Kerberos that could lead to impersonating other users.  

The March release includes five information disclosure bugs, but unusually, only one leaks unspecified memory contents. The two bugs in the kernel could allow an attacker to view registry keys they would otherwise not be able to access. The bug in Teams for Android would allow the reading of files from the private directory of the app. You’ll also need to manually get this update from the Google Play Store. That’s also the case for Outlook for Android. That bug allows attackers to view the ineffable “file contents”. In addition to the one already documented, the March release includes fixes for five different denial-of-service (DoS) bugs in various. However, Microsoft provides no real information or details for them.

There are two spoofing bugs receiving patches this month, and the Microsoft Edge for Android is a strange one. It was actually published earlier this month but without an actual fix. Instead, it notes, “The security update for Edge for Android is not immediately available.” It seems odd that Microsoft would choose to publish information about the bug without also pushing a fix for the bug. Perhaps it will be updated soon. The other spoofing bug is in the Azure SDK, and you may or may not need to take extra steps to be fully protected. If you are running a deployment created before October 19, 2023, you will need to manually upgrade Azure-core to Azure Core Build 1.29.5 or higher. If you have a deployment from after October 19, you should receive the patch automatically.

There is one new advisory for this month as Microsoft announces the deprecation of Oracle’s libraries within Exchange. This is a long time coming and a welcome change, as Exchange was essentially 0-day’ed every time Oracle updated their libraries.

Finally, there is a single cross-site scripting (XSS) bug in Microsoft Dynamics fixed this month.

Looking Ahead

Be sure to look out for updates from Pwn2Own Vancouver, and if you’re at the CanSecWest conference, please stop by to say hello. I like it when people say hello. The next Patch Tuesday of 2024 will be on April 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Yazhi Wang of the Trend Micro Research Team detail a recently patched privilege escalation vulnerability in .NET Framework and Visual Studio. This bug was originally discovered by Piotr Bazydło of Trend Micro’s Zero Day Initiative (ZDI). Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications.

A remote command execution vulnerability has been reported in the Microsoft .NET Framework and Visual Studio. This vulnerability is due to improper validation of user input. An attacker could exploit this vulnerability by sending malicious requests to the FTP servers. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.

The Vulnerability

The .NET Framework is a software framework for Microsoft Windows that provides development and execution tools for software applications. Applications written for the .NET Framework are executed in the Common Language Runtime (CLR) environment. The CLR takes .NET applications as Common Intermediate Language (CIL) object code and uses a just-in-time (JIT) compiler to compile the CIL object code to native code for the target platform.

FTP is the File Transfer Protocol described in RFC 959 and other RFCs. FTP uses two separate TCP connections - one for control and another for data transfer. A connection to the listening port from the FTP client forms the control stream on which FTP service commands are passed from the FTP client to the FTP server and on occasion from the FTP server to the FTP client. FTP service commands are used for authentication, file transfer, file system functions, etc. FTP commands have the following syntax:

         <command> <SP> [parameters] <CRLF>

where is the string of the command name, and [parameters] are optional or multiple depending on the command. represents the new line sequence Carriage Return (CR) followed by Line Feed (LF) and represents a space character that splits the command and parameters or parameters themselves. The following is an example of an RETR command, which is used to begin the transmission of a file from the remote host.

         RETR remote-filename

A separate TCP connection is used for the transfer of data when a command, such as STOR, RETR, LIST, and so on, is received. Information, such as command results, the content of the transferred file, and so on are exchanged via this data stream connection. This data stream connection can be initiated by the client or the server. The client can issue the PASV command to request the FTP server to open an ephemeral port to wait for connections from the client. If the client wishes to wait for connections from the server instead, a PORT command is issued.

A command injection vulnerability exists in Microsoft .NET Framework. The vulnerability is due to insufficient validation of FTP command parameters and FTP URI requests. More specifically, the .NET Framework implements a class FtpControlStream to handle basic FTP control connections. In the implementation, it calls an internal function FormatFtpCommand() to form a valid FTP command with command and parameters as arguments. However, when the vulnerable function handles the FTP parameters, it fails to validate if the parameters include CRLF characters. It will form the following FTP commands when the command is "RETR" and the parameter is "onefile<CRLF>DELE otherfile\<CRLF>":

Similarly, another internal function FtpWebRequest() fails to validate if the URI argument contains or not. A malicious FTP URI could make the vulnerable function send malicious FTP command after the FTP connection established.

The attack vector depends on how the vulnerable .NET functions are used in the FTP applications. An attacker could exploit this vulnerability by sending malicious requests to the FTP server. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.

Source Code Walkthrough

The following code snippet was taken from .NET commit 0ed0438152b25a8a19bcc87eb335fa8a089ac8db. Comments added by Trend Micro have been highlighted.

In src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs:

In src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs:

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse all FTP traffic, which is on TCP port 21 by default.

The detection device must inspect if there are multiple FTP commands (multiple CRLF) sent in one packet. If found, the traffic should be considered suspicious, and an attack exploiting this vulnerability is likely underway.

Note that since most FTP servers accept multiple FTP commands in one packet, there might be false positives using this detection guidance in normal FTP traffic.


Microsoft addressed this vulnerability by releasing a patch in November, however, it has been revised multiple times. The most notable revision adds PowerShell versions 7.2, 7.3, and 7.4 as affected platforms. If you are unable to apply the patch, you can prevent exploitation by refusing to accept FTP URIs from untrusted peers or otherwise filtering FTP traffic. Still, it is recommended to apply the vendor fix to fully resolve this vulnerability.

Special thanks to Justin Hung and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The February 2024 Security Update Review

12 February 2024 at 15:16

It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:

If you’d rather watch the full video recap covering the entire release, you can check out here:

Adobe Patches for February 2024

For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.

The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2024

This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.

Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.

Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the discovery made by the ZDI Threat Hunting team:

-       CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
This is the bug found by Peter Girnus and the rest of the ZDI Threat Hunting team. I won’t go into great detail about the technical aspects of the bug because my colleagues at Trend Micro Research have already done that here. The video above also provides some context and a demonstration of the vulnerability. This bug is currently targeting forex traders with a remote access trojan through forum posts and responses, but we expect it to spread now that it is publicly known. Trend Micro customers are already protected by various filters and virtual patches, but everyone else should test and deploy this fix as soon as possible.

-       CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other actively exploited bug being patched this month, and it appears to be very similar to the previous ITW exploit. Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. SmartScreen bypasses in Windows Defender allow attackers to evade this inspection and run code in the background. Microsoft does not indicate how widespread these attacks may be but you should expect exploits to increase as threat actors add this to their toolkits. Again, test and deploy this update quickly.

-       CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild
It’s been a minute since we’ve had an Exchange Server patch, and this vulnerability doesn’t disappoint with a CVSS rating of 9.8. A remote, unauthenticated attacker could use this bug to relay NTLM credentials and impersonate other users on the Exchange server. Patching won’t be straightforward either – if there is such a thing as a straightforward patch for Exchange Server. You’ll need to make sure to install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft has provided this article with additional information for Exchange administrators.

-       CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild - then they changed the bulletin again and said it wasn’t

This is an intriguing bug that allows an attacker to bypass the Office Protected View and open a file in editing mode rather than protected mode. Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane. This vulnerability also rates a CVSS of 9.8, so the severity isn’t being overstated. Also, users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability. Be sure to close all running Office apps when installing these fixes to help avoid a reboot, which is listed as a “Maybe” for the Office 2016 patches.

Here’s the full list of CVEs released by Microsoft for February 2024:

CVE Title Severity CVSS Public Exploited Type
CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Important 8.1 No Yes SFB
CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability Moderate 7.6 No Yes SFB
CVE-2024-21410 † Microsoft Exchange Server Elevation of Privilege Vulnerability Critical 9.8 No Yes EoP
CVE-2024-21413 † Microsoft Outlook Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability Critical 8 No No Info
CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2024-21386 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21404 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21329 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-20667 Azure DevOps Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-20679 Azure Stack Hub Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-21394 Dynamics 365 Field Service Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21396 Dynamics 365 Sales Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21328 Dynamics 365 Sales Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21348 Internet Connection Sharing (ICS) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21349 Microsoft ActiveX Data Objects Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21381 † Microsoft Azure Active Directory B2C Spoofing Vulnerability Important 6.8 No No Spoofing
CVE-2024-21397 Microsoft Azure File Sync Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2024-21403 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-21376 † Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2024-21315 Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21395 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 8.2 No No XSS
CVE-2024-21389 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21393 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21327 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21401 † Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2024-21354 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21355 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21405 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21363 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21347 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-21384 Microsoft Office OneNote Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20673 † Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21402 Microsoft Outlook Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2024-21378 Microsoft Outlook Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-21374 Microsoft Teams for Android Information Disclosure Important 5 No No Info
CVE-2024-21353 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21350 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21352 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21358 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21360 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21361 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21366 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21369 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21375 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21420 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21359 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21365 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21367 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21368 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21370 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21391 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-50387 * MITRE: CVE-2023-50387 DNS RRSIGs and DNSKEYs validation can be abused to remotely consume DNS server resources Important N/A No No DoS
CVE-2024-20695 Skype for Business Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2024-21304 Trusted Compute Base Security Feature Bypass Vulnerability Important 4.1 No No SFB
CVE-2024-21346 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21406 Windows Device Metadata Retrieval Client (DMRC) Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2024-21342 Windows DNS Client Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21377 Windows DNS Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21340 Windows Kernel Information Disclosure Vulnerability Important 4.6 No No Info
CVE-2024-21341 Windows Kernel Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-21362 Windows Kernel Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2024-21356 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-21343 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2024-21344 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2024-21372 Windows OLE Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21339 Windows USB Generic Parent Driver Remote Code Execution Vulnerability Important 6.4 No No RCE
CVE-2024-21364 Microsoft Azure Site Recovery Elevation of Privilege Vulnerability Moderate 9.3 No No EoP
CVE-2024-21399 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 8.3 No No RCE
CVE-2024-1059 * Chromium: CVE-2024-1059 Use after free in WebRTC High N/A No No RCE
CVE-2024-1060 * Chromium: CVE-2024-1060 Use after free in Canvas High N/A No No RCE
CVE-2024-1077 * Chromium: CVE-2024-1077 Use after free in Network High N/A No No RCE
CVE-2024-1283 * Chromium: CVE-2024-1283: Heap buffer overflow in Skia High N/A No No RCE
CVE-2024-1284 * Chromium: CVE-2024-1284: Use after free in Mojo High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical-rated bugs, the fix for Dynamics Business Central stands out as it could lead to a threat actor accessing other tenants’ applications and content. The attacker must be authenticated, but successful exploitation would grant them read, write, and delete functionality. You don’t see Critical-rated DoS bugs often, but the patch for Hyper-V deserves the rating as a guest OS could impact the Hyper-V host. The vulnerability in Pragmatic General Multicast (PGM) is serious but less likely to be exploited as it requires the attacker to be network adjacent. Multicast messages aren’t routable beyond a single network segment.

Moving on to the other code execution bugs, SQL clients are having a moment with 18 different patches. Thankfully, each of these bugs requires an affected client to connect to a malicious SQL Server, so practical exploitation is unlikely without significant social engineering. It’s the same scenario for the bug in ActiveX, too. The more concerning bugs are in Word and Outlook and have the Preview Pane as an attack vector. Word bugs are typically open-and-own, but having one that hits in the Preview Pane is definitely a rarity. The other RCEs in Office components are more traditional, but CVE-2024-20673 also requires users of the 32- and 64-bit versions of Office 2016 to install multiple updates to be protected. Speaking of extra steps, there are additional actions required to address the bug in the Azure Kubernetes Service. As stated by Microsoft in the bulletin:

Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, see and Confidential computing plugin for Confidential VMs.

The bug in Azure DevOps requires attackers to have Queue Build permissions. The bug in Microsoft Message Queuing (MSMQ) is written as an “open and own” style bug. This could mean opening an application that uses MSMQ could trigger the bug, but it’s not clear. It’s also not clear how an attacker would get RCE through the USB driver or Windows kernel. One can assume plugging in a malicious USB drive for the former, but the latter is definitely more opaque. Kernel bugs tend to either be privilege escalations or info disclosures. Maybe this is something through SMB?

There are a total of 14 different elevation of privilege (EoP) patches in this month’s release, and most simply result in an authenticated attacker executing code at SYSTEM on a target. There are some notable exceptions, starting with the CVSS 9.8 bug in Entra Jira SSO plugin. A remote, unauthenticated attacker could fully update Entra ID SAML metadata and info for the plugin. The attacker could then change the authentication of the application to their tenant as needed. Patching this requires the admin to download and install version 1.1.2 of the plugin either from the Microsoft Download Center or from Atlassian Marketplace. You also need to take the same steps to address the bug in the Azure Kubernetes Service as are listed above. The escalation in Azure File Sync allows attackers to create files in directories where they shouldn’t have access. They wouldn’t be able to modify or delete existing files. The Moderate-rated (yet somehow CVSS 9.3) bug in Azure Site Recovery could allow an attacker to obtain the MySQL root password – allowing even further compromise. Not sure how that ended up as “Moderate”, but I would treat it as critical if you are running Azure Site Recovery. Finally, the privilege escalation in Outlook simply yields code execution at the level of the user running the application.

There are only a few information disclosure bugs receiving fixes in this month’s release. The bugs in the Windows kernel and DNS server only result in info leaks consisting of unspecified memory contents. The vulnerability in Skype for Business (remember it?) would allow an attacker to view file contents. Microsoft doesn’t specify what information can be disclosed by the bug in Teams for Android, but they do note user interaction is required. You’ll also need to get the update directly from the Android Play Store to be protected from this vulnerability.

In addition to the two I’ve already mentioned, there are two additional SFB patches released this month. The SFB in the kernel allows attackers to bypass the Windows Code Integrity Guard (CIG). The final SFB in Trusted Compute Base could allow some to bypass – you guessed it – secure boot.

In addition to those already documented, the February release includes fixes for just over a half dozen denial-of-service (DoS) bugs. However, Microsoft provides no real information or details for them. If I were to guess, I would put the DNS and LDAP bugs at the top of my severity rankings due to their role in the enterprise.

This month’s release also includes six fixes for spoofing bugs. Three of these are in Dynamics 365 and would allow an attacker to modify the content of a link on an affected system to redirect the victim to a malicious site. There’s a fix for the Device Metadata Retrieval Client (DMRC) that fixes a vulnerability triggered when a remote attacker sends a specially crafted packet to an affected system. The final two spoofing bugs are both in Azure. The bug in Azure Stack Hub requires a user to click on a link. The bug in Azure Active Directory requires an attack to intercept traffic (MitM), but servicing goes beyond just installing a patch. Microsoft rolled out a fix already that includes Proof Key for Code Exchange (PKCE) as outlined here. However, not all customers may have received the update. If you were notified directly via Azure Service Health Alerts under Tracking ID: XXXXXX, you will need to take additional actions.

Finally, there are four cross-site scripting (XSS) bugs in Microsoft Dynamics receiving patches. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

CVE-2023-46263: Ivanti Avalanche Arbitrary File Upload Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Ivanti Avalanche enterprise mobility management program. Other Ivanti products have recently been under active exploitation, and the mobile device management system is an attractive target. This bug was originally reported to the ZDI program by an anonymous researcher and was also discovered by Lucas Miller of Trend Micro Research. Successful exploitation of this vulnerability would allow an authenticated attacker to execute code in the context of SYSTEM. The following is a portion of their write-up covering CVE-2023-46263, with a few minimal modifications.

An arbitrary file upload vulnerability has been reported for Ivanti Avalanche. This vulnerability is due to improper input validation in the FileStoreConfig app.

A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploring this vulnerability could result in remote code execution as SYSTEM.

The Vulnerability

Ivanti Avalanche is a mobile device management system. The Central FileStore and the Central File Server in Avalanche are used to store and distribute files that are associated with payloads for mobile device configuration. For example, .apk files or OS update files could be stored in the Central FileStore. The Central FileStore is relevant to understanding this vulnerability.

The Avalanche web interface can be accessed over HTTP on TCP port 8080 as follows:

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:

A corresponding HTTP request using the POST method might look like:

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

Avalanche allows users to change the location where the Central FileStore saves files by changing the FileStore path through the web interface. To change the FileStore path a request to AvalancheWeb/app/ FileStoreConfig.jsf is made and the request is handled by the com.wavelink.amc.web.view.FileStoreConfigBean class. The request includes a txtUncPath request parameter that contains the new path to store files. Before saving the new values the validateFileStoreUncPath method is called to verify the new path is allowed. The path is checked against a deny list of disallowed values and for directory traversal characters. If the path passes the checks the new path is saved. Future uploads to the FileStore will be stored in the new location.

An arbitrary file upload vulnerability exists in the Central FileStore. The vulnerability is due to insufficient sanitization of the txtUncPath field in the Central FileStore configuration settings. The validateFileStoreUncPath attempts to prevent the new path from containing the webroot folders for Avalanche servers in the path. However, the validateFileStoreUncPath method does not prevent the use of the parent folder of the RemoteControl server webroot folder at: “C:\ProgramData\Wavelink\Avalanche\RemoteControlServer\app\”. An attacker can set the txtUncPath value to “C:\ProgramData\Wavelink\Avalanche”, bypassing the disallowed path checks. Then an attacker can send a request to upload a malicious file to the “RemoteControlServer\app” subfolder. The RemoteControl server is typically used to control connected Windows Mobile/CE devices and can be accessed by sending an HTTP request to http://<hostname>:1900/. By default, the RemoteControl server executes Velocity macro code. By uploading a crafted file to the RemoteControl server webroot, an attacker could execute arbitrary commands on the system.

Source Code Walkthrough

The following code snippet was taken from Ivanti Avalanche version 6.4.1. Comments added by Trend Micro have been highlighted.

From app/FileStoreConfigSettings.xhtml in AvalancheWeb.jar.

From the decompiled CentralFileStoreDialog class in AvalancheWeb.jar.

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on TCP ports 8080 (HTTP) and 8443 (HTTPS). Note that the traffic may be SSL encrypted. The detection device may be required to decrypt the traffic before proceeding through the next steps.

The detection device must monitor all HTTP POST requests to a request-URI containing the following path:


If such a request is found, then the detection device must search the request body for the linkFileStoreConfigSave parameter. If the linkFileStoreConfigSave parameter value is “linkFileStoreConfigSave”, the value of the txtUncPath parameter must be inspected for the following string:


If found, the request should be considered suspicious as an attack exploiting this vulnerability is likely underway. Below is an example of a malicious request:


Ivanti patched this vulnerability and several others with the release of version 6.4.2. No other mitigations are listed, so it is recommended that users of Ivanti Avalanche test and deploy this patch to fully address this vulnerability.

Special thanks to Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Pwn2Own Automotive 2024 - Day Three Results

26 January 2024 at 02:08

Welcome to the final day of the first ever Pwn2Own Automotive! We’re already over $1 million in prizes awarded, and today’s attempts will keep the wins going. We’ll be updating this blog as well as social media with results in real time. All times are in Japan Standard Time (GMT +9).

SUCCESS - Computest Sector 7 used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

FAILURE - Connor Ford was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS Synacktiv exploited the Sony XAV-AX5500. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - Katsuhiko Sato was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.

SUCCESS - Sina Kheirkhah used a 2-bug chain to exploit the Ubiquiti Connect EV. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - used a 2-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

SUCCESS - Connor Ford of Nettitude used a stack-based buffer overflow in his exploit of the JuiceBox 40 Smart EV Charging Station. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - Team Cluck used a 4-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $26,250 and 5.25 Master of Pwn Points.

SUCCESS - used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points.

The first ever Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to Synacktiv, the Masters of Pwn! Stay with us here and across social media as we prepare for Pwn2Own Vancouver in March!

Pwn2Own Automotive 2024 - Day Two Results

25 January 2024 at 02:48

Welcome to Day Two of the first ever Pwn2Own Automotive. We awarded $722,500 yesterday for 24 unique 0-days. Today’s attempts promise to be just as exciting, with another Tesla attempt at 1300 Japan Standard Time (GMT +9). As always, we’ll be updating this blog with results as we have them.

-- Team Tortuga successfully used a 2-bug chain against the ChargePoint Home Flex. However, the exploit used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - Computest Sector 7 successfully executed their attack against the JuiceBox 40 Smart EV Charging Station. However, the bug they used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Autel MaxiCharger AC Wallbox Commercial working in the time allotted.

SUCCESS - The Synacktiv team used a 2-bug chain to attack the Tesla Infotainment System. They earn $100,000 and 10 Master of Pwn Points.

SUCCESS - NCC Group EDG successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - PCAutomotive’s attempt to exploit the JuiceBox 40 Smart EV Charging Station was unsuccessful.

BUG COLLISION - Katsuhiko Sato successfully executed his attack against the Sony XAV-AX5500. However, the bug he used was previously known. He still earns $10,000 and 2 Master of Pwn Points.

SUCCESS - Synacktiv used a 3-bug chain to exploit Automotive Grade Linux. They earn $35,000 and 5 Master of Pwn Points.

SUCCESS - Le Tran Hai Tung used a 2-bug chain against the Alpine Halo9 iLX-F509. He earns $20,000 and 4 Master of Pwn Points.

WITHDRAWN - Sina Kheirkhah withdrew his entry against the EMPORIA EV Charger Level 2. Penalty: -3 Master of Pwn Points.

WITHDRAWN - Team Cluck withdrew their entry against Automotive Grade Linux. Penalty: -2.5 Master of Pwn Points.

SUCCESS / BUG COLLISION - Computest Sector 7’s 2-bug chain against the Autel MaxiCharger AC Wallbox Commercial was a success. However, one of the bugs used was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Alpine Halo9 iLX-F509 working in the time allotted.

FAILURE - Alex Olson was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a stack-based buffer overflow to exploit the Autel MaxiCharger AC Wallbox Commercial. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - used a 2-bug chain to successfully exploit the Alpine Halo9 iLX-F509. However, the exploits used were previously known. They still earn $10,000 and 2 Master of Pwn Points.

SUCCESS - RET2 Systems used a stack-based buffer overflow to exploit the JuiceBox 40 Smart EV Charging Station. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - used a 2-bug chain to attack the Autel MaxiCharger AC Wallbox Commercial. However, both bugs were previously known. They still earn $15,000 and 3 Master of Pwn Points.

That’s a wrap for Day 2 of Pwn2Own Automotive. We’ve already awarded over $1,000,000 in prizes this week (¥150 million!) Tune back in tomorrow here or across social media for the final day of the contest!

Pwn2Own Automotive 2024 - Day One Results

24 January 2024 at 03:00

Welcome to the first ever Pwn2Own Automotive: live from Tokyo January 24-26, 2024! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Japan Standard Time (GMT +9:00).

SUCCESS - Sina Kheirkhah was able to execute his attack against the ChargePoint Home Flex for $60,000 and 6 Master of Pwn Points.

COLLISION - Rob Blakely from Cromulence successfully executed his attack on Automotive Grade Linux. However, an n-day exploit was used in the attack. He still earns $47,500 and 3.75 Master of Pwn Points.

SUCCESS - The PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 with a UAF exploit for $40,000 and 4 Master of Pwn Points.

SUCCESS - Tobias Scharnowski and Felix Buchmann of executed their attack against the Sony XAV-AX5500 for $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team successfully executed their 3-bug chain against the Tesla Modem. They win $100,000 and 10 Master of Pwn Points.

SUCCESS - Katsuhiko Sato executed his command injection attack against the Alpine Halo9 iLX-F509. As this was a second round win, he wins $20,000 and 4 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Sony XAV-AX5500 working in the time allotted.

SUCCESS - NCC Group EDG executed a 3-bug chain against the Pioneer DMH-WT7600NEX. They earn $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team used a 2-bug chain against the Ubiquiti Connect EV Station. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - RET2 Systems executed a 2-bug chain against the Phoenix Contact CHARX SEC-3100. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team executed a stack-based buffer overflow against the Sony XAV-AX5500. They win $20,000 and 4 Master of Pwn Points.

SUCCESS - Vudq16 and Q5CA from u0K++ successfully executed a stack-based buffer overflow against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

BUG COLLISION - The Synacktiv Team used a two-bug chain against the ChargePoint Home Flex. However, the exploit they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - Gary Li Wang used a stack-based buffer overflow against the Sony XAV-AX5500. He wins $20,000 and 4 Master of Pwn Points.

SUCCESS - Synacktiv executed a 2-bug chain against the JuiceBox 40 Smart EV Charging Station. They earn $60,000 and 6 Master of Pwn Points.

BUG COLLISION - Connor Ford of Nettitude executed his attack against the ChargePoint Home Flex. However, his 2-bug chain was previously known. He still earns $16,000 and 3 Master of Pwn Points.

BUG COLLISION - Chris Anastasio and Fabius Watson of Team Cluck successfully attacked the ChargePoint Home Flex. However, the bug they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

SUCCESS - NCC Group EDG used an improper input validation against the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Synacktiv team used a 2-bug chain to successfully exploit the Autel MaxiCharger AC Wallbox Commercial. In doing so, they earn $60,000 and 6 Master of Pwn points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the JuiceBox 40 Smart EV Charging Station working in the time allotted.

FAILURE - Unfortunately, Sina Kheirkhah was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.

That concludes Day 1 of Pwn2Own Automotive 2024. Check back here and across social media tomorrow for our second day of attempts!

Pwn2Own Automotive 2024 - The Full Schedule

23 January 2024 at 09:20

Welcome to our very first Pwn2Own Automotive – coming to you live from Tokyo and the Automotive World conference. The number of entries has surpassed our expectations, so we expect to award more than $1,000,000 USD for the over 45 entries we have across all categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Japan Standard Time [GMT + 9:00]).

Note: All times subject to change

Wednesday, January 24 – 1100

Sina Kheirkhah (@SinSinology) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

 Rob Blakely from Cromulence (@CromulenceLLC) targeting Automotive Grade Linux in the Operating System category

Wednesday, January 24 – 1130

 The PCAutomotive Team (@PC_Automotive) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1200

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1300

 The Synacktiv Team (@synacktiv) targeting the Tesla Modem in the Tesla category

Wednesday, January 24 – 1330

 Katsuhiko Sato (@goroh_kun) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1400

 Sina Kheirkhah (@SinSinology) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

 NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category   

Wednesday, January 24 – 1500

 The Synacktiv Team (@synacktiv) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

RET2 Systems (@ret2systems) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – 1530

 Vudq16 (@vudq16) and Q5CA (@_q5ca) from u0K++ (@u0Kplusplus) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category 

Wednesday, January 24 – 1600

 The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category                 

 Wednesday, January 24 – 1700

 The Synacktiv Team (@synacktiv) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

 Sina Kheirkhah (@SinSinology) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

 The Synacktiv Team (@synacktiv) targeting the JuiceBox 40 Smart EV Charging Station Electric Vehicle Chargers category

Gary Li Wang targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Connor Ford (@ByteInsight) of Nettitude targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category  

NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category    

Sina Kheirkhah (@SinSinology) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category      

The Synacktiv Team (@synacktiv) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category


Thursday, January 25 – 1100

Team Tortuga targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category 

Thursday, January 25 – 1200

 Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn)  from Computest Sector 7 (@sector7_nl) Sector 7 targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Thursday, January 25 – 1300

 The Synacktiv Team (@synacktiv) targeting the Tesla Infotainment system with a Sandbox Escape in the Tesla category

Thursday, January 25 – 1330

 NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1400

 The PCAutomotive Team (@PC_Automotive) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Katsuhiko Sato (@goroh_kun) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1500

 Sina Kheirkhah (@SinSinology) targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

 The Synacktiv Team (@synacktiv) targeting Automotive Grade Linux in the Operating System category

 Thursday, January 25 – 1530

 Le Tran Hai Tung (@tacbliw) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1600

RET2 Systems (@ret2systems) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn)  from Computest Sector 7 (@sector7_nl) Sector 7 targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category 

Thursday, January 25 – 1700

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Alex Olson (Ghada) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Thursday, January 25 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

Sina Kheirkhah (@SinSinology) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting Automotive Grade Linux in the Operating Systems category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1100

 Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn)  from Computest Sector 7 (@sector7_nl) Sector 7 targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Connor Ford (@ByteInsight) of Nettitude targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category         

Friday, January 26 – 1200

 Katsuhiko Sato (@goroh_kun) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) system

The Synacktiv Team (@synacktiv) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1300

Sina Kheirkhah (@SinSinology) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category 

Friday, January 26 – 1400

Connor Ford (@ByteInsight) of Nettitude targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category 

Friday, January 26 – 1500

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Friday, January 26 – 1600

Final ceremony and Awarding the Master of Pwn Trophy

Pwn2Own Vancouver 2024: Bringing Cloud-Native/Container Security to Pwn2Own

16 January 2024 at 14:52

If you just want to read the contest rules, click here. These rules have been updated as of March 1, 2024, to clarify the registration process and to further define the guest operating systems available in the Virtualization category.

Even though we’re a week out from our first ever Pwn2Own Automotive, it’s time to start thinking ahead to the original Pwn2Own event, which takes place at CanSecWest in Vancouver on March 20-22, 2024. We’re always excited to return to Vancouver for the event, but we are cognizant of the evolution of the event as well. The contest began with a single Mac Book, but over the years, it grew to include web browsers, enterprise applications, virtualization solutions, and an automotive category. Last year, we awarded over $1,000,000 in cash and prizes – including a Tesla Model 3. This year, we evolved again by simplifying the Automotive category and adding a Cloud-Native/Container category.

We introduced the Virtualization category back in 2016 because we wanted to see what the state-of-the-art in exploits targeting hypervisors looked like. Many cloud services rely on virtualization, and that was the beginning of bringing “The Cloud™” into Pwn2Own. Since that time, the industry has adopted other cloud-native technologies and made containers a central part of enterprise deployments. Of course, that just makes them a great choice to include in Pwn2Own, and we’re excited to see what exploits contestants bring for these targets.

Of course, we’re also thrilled to have Tesla return as a partner for this year’s event. They continue to innovate and increase the security of their vehicles, and I’m sure they will take the learnings from Pwn2Own Automotive forward to the Vancouver event. We simplified the Automotive category by eliminating the multiple tiers. For this event, we’re focused simply on impact and getting code execution in a target component on the vehicle. For some targets, that may mean you need to get code execution in multiple systems on the way. And no, the awards aren’t cumulative. For example, you may need to exploit the infotainment system on the way to the Autopilot, but you’ll only get the award for the Autopilot.

In addition to the new categories, we’ve added Slack as a target within the Enterprise Communications category. This, along with all the other returning categories, means that we’ll again be offering more than $1,000,000 USD in cash and prizes at this year’s event. All-in-all, it should be a wonderful event with some cutting-edge exploitation on display. Here is a full list of the categories for this year’s event:

-- Web Browser Category
-- Cloud-Native/Container Category
-- Virtualization Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

Of course, no Pwn2Own competition would be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each unique, successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's look at the details of the rules for this year's event.

Web Browser Category

While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. We re-introduced renderer-only exploits a couple of years ago, and their reward remains at $60,000. However, if you have that Windows kernel privilege escalation or sandbox escape, that will earn you up to $100,000 or $150,000 respectively. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $25,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant can compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $80,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox. Here’s a detailed look at the targets and available payouts:

Back to top

Cloud-Native/Container Category

We’re excited to have this new category for the contest, and we are hopeful our contestants bring their usual stellar research to the event. Of course, you can’t talk containers without mentioning Docker Desktop, and they’re the first target on the list. However, they aren’t alone. The containerd runtime is an industry standard and always popular. Firecracker is our third target as they are a common choice for creating and managing secure, multi-tenant container and function-based services.

For an attempt to be ruled a success against these three, the exploit must be launched from within the guest container/microVM and execute arbitrary code on the host operating system. The final target in this category is gRPC – a modern open-source high-performance Remote Procedure Call (RPC) framework that can run in any environment.  A success here must leverage a vulnerability in the gRPC code base to obtain arbitrary code execution. Here are the payouts for this category:

Back to top

Virtualization Category

Some of the highlights for each contest can be found in the Virtualization Category, and we’re thrilled to see what this year’s event could bring with it. As usual, VMware is the main highlight of this category as we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $80,000 respectively. Microsoft also returns as a target and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox rounds out this category with a prize of $40,000.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi), they can earn an additional $50,000 and 5 more Master of Pwn points. That could push the payout on a Hyper-V bug to $300,000. Here’s a detailed look at the targets and available payouts in the Virtualization category:

Back to top

Enterprise Applications Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the target list once again. This year, we’re also allowing these applications to be run on an M-series MacBook. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a kernel privilege escalation and $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled where applicable. Adobe Reader will have Protected Mode enabled where applicable. Here’s a detailed view of the targets and payouts in the Enterprise Application category:

Back to top

Server Category

The Server Category for 2024 is trimmed down a bit to focus on the server components we’re most interested in. These servers are often targeted by everyone from ransomware crews to nation/state actors, so we know there are exploits out there for them. The only question is whether we’ll see any of the competitors bring one of those exploits to Pwn2Own. SharePoint was recently exploited in the wild, and part of that exploit chain was demonstrated at last year’s event. Microsoft Exchange has been a popular target for some time, and it returns as a target this year as well with a payout of $200,000. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:

Back to top

Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop, Apple macOS, and Microsoft Windows 11 are the OSes available as targets in this category. 

Back to top

Enterprise Communications Category

We introduced this category in 2021 to reflect the importance of these tools in our modern, remote workforce, and we were thrilled to see both targets compromised during the contest. This year, we’re expanding the category to include the ever-popular Slack productivity platform with a $25,000 payout. A successful attempt in this category must compromise the target application by communicating with the contestant. Some example communication requests could be audio calls, video conferences, or messages. Both Zoom and Microsoft Teams have a $60,000 award available, so we’re hoping to see more great research in this category.

Back to top

Automotive Category

Since adding the Automotive Category in 2019, we’ve seen some amazing and creative research displayed – so much so that we expanded to holding a Pwn2Own Automotive event. Still, Vancouver is where this category began, and we’re happy to have Tesla return as a target. As previously mentioned, we’ve streamlined the rules for this category this year, but that doesn’t mean it’s any easier to win. We’ll have both the Tesla Model 3 (Ryzen-based) and Tesla Model S (Ryzen-based) as target, and we’ll also have the equivalent bench-top unit ready should it be needed. Last year, we conducted all tests on the bench-top unit as attempting the exploits on the actual vehicle could prove hazardous to bystanders and other vehicles in the area. Here are this year awards for the Automotive Category:

Back to top


The complete rules for Pwn2Own 2024 are found here. They were updated as of March 1, 2024. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have specific configuration or rule-related questions, email us. Questions asked over X (nee Twitter) or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration for onsite participation closes at 5 p.m. Pacific Time on March 14, 2024. If you plan on participating remotely, the registration deadline is 5 p.m. Pacific Time on March 12, 2024.

Be sure to stay tuned to this blog and follow us on TwitterMastodonLinkedIn, or Instagram for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a new car to drive home from this year’s Pwn2Own competition.

With special thanks to our Pwn2Own 2024 Partner Tesla


©2024 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.

The January 2024 Security Update Review

9 January 2024 at 18:32

Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for January 2024

For January, Adobe released a single patch addressing six CVEs in Substance 3D Stager. All six bugs are rated Important with the most severe allowing arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2024

This month, Microsoft released 49 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 53.

Of the new patches released today, two are rated Critical and 47 are rated Important in severity. This release is coincidentally the same number of CVEs addressed in both the January 2019 and January 2020 releases.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a security feature bypass in Kerberos:

-       CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability
This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) that spoofs a Kerberos server. An affected client would receive what they believe to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

-       CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

-       CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

CVE Title Severity CVSS Public Exploited Type
CVE-2024-20700 Windows Hyper-V Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2024-20674 Windows Kerberos Security Feature Bypass Vulnerability Critical 9 No No SFB
CVE-2024-0057 .NET and Visual Studio Framework Security Feature Bypass Vulnerability Important 8.4 No No SFB
CVE-2024-20672 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21312 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21319 Microsoft Identity Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2024-20676 Azure Storage Mover Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-20666 BitLocker Security Feature Bypass Vulnerability Important 6.6 No No SFB
CVE-2024-21305 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2024-20652 Internet Explorer Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2024-20687 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21306 Microsoft Bluetooth Driver Spoofing Vulnerability Important 5.7 No No Spoofing
CVE-2024-20653 Microsoft Common Log File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20692 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2024-20661 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-20660 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-20664 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-21314 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-20654 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-20677 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20655 Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2024-21318 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-20658 Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-0056 † Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability Important 8.7 No No SFB
CVE-2022-35737 * MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow Important 7.5 No No RCE
CVE-2024-21307 Remote Desktop Client Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-20656 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20683 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20686 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21310 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20694 Windows CoreMessaging Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-21311 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-20682 Windows Cryptographic Services Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20657 Windows Group Policy Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-20699 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-20698 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21309 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20696 Windows Libarchive Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-20697 Windows Libarchive Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-20680 Windows Message Queuing Client (MSMQC) Information Disclosure Important 6.5 No No Info
CVE-2024-20663 Windows Message Queuing Client (MSMQC) Information Disclosure Important 6.5 No No Info
CVE-2024-20690 Windows Nearby Sharing Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-20662 Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability Important 4.9 No No Info
CVE-2024-21316 Windows Server Key Distribution Service Security Feature Bypass Important 6.1 No No SFB
CVE-2024-20681 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21313 Windows TCP/IP Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2024-20691 Windows Themes Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2024-21325 Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21320 Windows Themes Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-0222 * Chromium: CVE-2024-0222 Use after free in ANGLE High N/A No No RCE
CVE-2024-0223 * Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE High N/A No No RCE
CVE-2024-0224 * Chromium: CVE-2024-0224 Use after free in WebAudio High N/A No No RCE
CVE-2024-0225 * Chromium: CVE-2024-0225 Use after free in WebGPU High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


Moving on to the other code execution bugs, most are of the “open and own” variety, where an attacker must convince a user to open a malicious file or browse to a specially crafted site to get arbitrary code execution. However, there are a couple of fixes that stand out. The first is an RCE in Office through FBX files. Microsoft is taking the unusual step of disabling that file type from being embedded within Office documents. However, they note “3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.” Here are some additional details about this change. According to Microsoft, you may not need the fix for the Printer Metadata Troubleshooter if you’ve already installed the tool listed in KB5034510. I would still apply the update to ensure the problem is fully addressed. There’s a fix for an RCE in RDP, but it’s in the client, not the server so that greatly reduces the threat of exploitation. The one Azure-related code execution bugs require specific privileges to be exploited. The SharePoint bug requires authentication, but anyone on the SharePoint site has the privileges needed to exploit this bug and take over the system. The bug in ODBC requires connecting to a malicious database. The bugs in Libarchive require the attacker to be authenticated as a guest user on the target system. The final RCE fix is found in OCSP. This bug requires an authenticated user to be assigned the “manage online responder” permission, which is typically reserved for privileged users. Still, now may be a good time to audit your domain to confirm which users have this permission.

There are only ten elevation of privilege (EoP) patches in this month’s release, and all but oneof them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. These types of bugs are usually paired with a code execution bug in the wild to take over a system. The lone exception to this is the bug in the Virtual Hard Disk, which could allow an attack to escalate privileges when processing “.vhdx” files in the kernel.

Looking at the 11 different information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. There are only two notable exceptions. The first is in Local Security Authority Subsystem Service (LSASS) and could allow an attacker to gain network secrets when an affected client connects to an AD Domain Controller. Microsoft notes this could be done by either sniffing traffic on a network or by running a malicious script. I don’t expect to see a lot of exploitation of this vulnerability, but it would be an interesting method of lateral movement after an initial compromise. The bug in TCP/IP requires an MITM attacker, but successful exploitation could lead to revealing unencrypted contents of IPsec packets from other sessions on a server.

In addition to the two I’ve already mentioned, there are five additional SFB patches released this month. The patch for .NET Framework and Visual Studio fixes a bug that could allow attackers to improperly validate X.509 certificates. That’s similar to the bug in the Windows Server Key Distribution Service. The bug in Hypervisor-Protected Code Integrity (HVCI) is specific to certain Microsoft Surface devices. The vulnerability incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with HVCI enabled. As expected, the bypass for BitLocker allows an attacker to bypass BitLocker protections. And you may have thought it was completely gone, but there’s a patch for Internet Explorer that addresses a bug that could allow bypassing zone restrictions.

The January release includes six fixes for denial-of-service (DoS) bugs, but Microsoft does not provide any real information for most of them. The bug in Hyper-V could allow a guest OS to somehow impact other guest OSes on the same hypervisor. 

Lastly, there are four spoofing bugs receiving fixes this month. The bug in the Nearby Sharing feature could be triggered by an attacker with a similarly-named machine. I would love to see additional details on this one and find out how close the machine names need to be. The bug in the Azure Stack requires clicking a specially crafted URL. User interaction is also required for the Themes bug, but Microsoft notes you can disable NTLM as a mitigation. You’re not actually using NTLM, are you? You can also add a group policy to restrict outgoing NTLM traffic to remote servers. The bug in Bluetooth requires the attacker to both be in close proximity to a target and have a paired Bluetooth device.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on February 13, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking Back at the ZDI Activities from 2023

4 January 2024 at 17:14

We’ve successfully orbited our star once more and are full throttle into the new year. Before we roll too fast into 2024, let’s pause for a moment and look back at some of the highlights of the past year.

A Year of Pwn2Own Competitions

Back in January, we announced our first-ever Pwn2Own Automotive competition in Tokyo, and now we’re just a couple of weeks from that event. We already have several registrations, so I can’t wait to see what exploits researchers put on display.

In February, we held Pwn2Own Miami, which focuses on industrial control systems (ICS) and SCADA targets. During that event, we saw the debut of ChatGPT in the competition. We also awarded over $150,000 for 27 unique 0-day vulnerabilities.

In March, we returned to Vancouver for the original edition of Pwn2Own. The highlight of the event saw the team from Synacktiv exploit the Tesla Model 3 head unit on their way to winning $350,000 (and the Tesla Model 3 itself). We used the head unit instead of the car itself because we were concerned the exploits may cause the vehicle to move uncontrollably. Safety first.  In total, we awarded $1,035,000 during the three-day contest.

In October, Pwn2Own Toronto turned its attention to devices commonly found in homes and small offices. We added wired and Wi-Fi cameras to the event this year to see what security problems they may have, and our contestants did not disappoint our curiosity. One team hacked a camera by showing it a QR code. Another was able to exploit any camera provided he knew the MAC address. Probably most impressively, the Synacktiv team returned to target the cameras with a remote attack over Wi-Fi that exploited a kernel buffer overflow. They just needed to be within range of a vulnerable camera to completely control it. We awarded $938,250 in total during the event.

Combine those events, and you’ll find we paid out $2,126,750 for Pwn2Own competitions during 2023. With the Automotive event looking like it will be an exciting show, we’ll likely pay out even more in 2024.

A Few Bugs of Renown

There were so many good bugs in 2023, that it’s hard to narrow it down to just a few. I would if I didn’t mention the Activation Context Cache Poisoning privilege escalation discovered by ZDI researcher Simon Zuckerbraun. It won a Pwnie Award for Most Under-Hyped Research. There was also ZDI-23-233/CVE-2023-27350. That PaperCut exploit showed why patch management is so important as it caused quite a bit of damage – after the patch was available. But perhaps my favorite bug of the year was found in the Schneider Electric APC Easy UPS Online. ZDI-23-444/CVE-2023-29411 is an authentication bypass. The “system” RMI interface exposes the method `updateManagerPassword(String managerPassword)` which allows an unauthenticated user to update the administrative password without requiring a password. Neat!

By the Numbers

In 2023, the ZDI published 1,913 advisories – the most ever in the history of the program. This is the fourth year in a row that eclipsed our previous record. While it’s unlikely we’ll keep up a record-breaking pace for a fifth year in a row, it does speak to the overall health of the program. Of course, I said that last year as well. While we do work with people from around the world, our own researchers had their busiest year ever, too. Just over 49.4% of all published advisories were reported by ZDI vulnerability analysts. Here’s how those numbers of advisories stack up year-over-year. 

Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined over the next two years. However, this year saw an increase to 198 cases – just over 10% of the total disclosures.

Here’s a breakdown of advisories by vendor. The top vendors should not surprise many, but it is interesting to see Adobe that far ahead of everyone else. If you exclude the XSS bugs patched in December, our program is responsible for over 78% of Adobe bugs fixed last year. Not too shabby. Of course, Microsoft remains a popular target for our researchers as well. Just over 20% of the bugs patched by the Redmond giant came through the ZDI. D-Link stormed up the charts in 2023 with 176 advisories. And PDF parsing remains a security challenge for vendors beyond just Adobe. Foxit, Kofax, and PDF-XChange all had a significant number of file parsing bugs reported by ZDI.

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2023, we did just that. A total of 73% of these vulnerabilities were rated Critical or High severity.

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2023:

It’s interesting to see deserialization bugs crack the top 10. It’s also interesting to see stack-based buffer overflows rank above OOB Write bugs.

Looking Ahead

Moving into the new year, we anticipate staying just as busy – especially in the first quarter. We currently have more than 500 bugs reported to vendors awaiting disclosure. We have Pwn2Own Automotive and Pwn2Own Vancouver just on the horizon. Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available.

We’re also looking to update our website and blog at some point this year. I know – I said that last year as well. When that occurs, I promise you’ll be able to choose between a light and dark theme. We’re aware our website doesn’t look the best on certain platforms. We’ll also be expanding our video offerings, too. I’ll continue offering the Patch Report on Patch Tuesdays and hope to tweak the format a bit in the coming year.

As always, we look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, 2024 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on TwitterMastodonLinkedIn, or Instagram for the latest updates from the ZDI. 

The December 2023 Security Update Review

12 December 2023 at 18:27

It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Apple Patches for December 2023

Apple kicked off the December release cycle with patches for iOS and iPadOS with eight CVEs. Two of these CVEs in Webkit are reported as being under active attack on iOS versions 16.7.1 and older. If you’re using an older iPhone or iPad, you should definitely update your device immediately. If you’re using a device running iOS 17 and later, you should still update when possible.

Adobe Patches for December 2023

For December, Adobe released nine patches covering a whopping 212 CVEs in Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects, and Substance3D Designer. Ten of these bugs came through the ZDI program. A total of 186 of these CVEs are in Experience Manager and are all Important-rate cross-site scripting (XSS) bugs. That definitely skews the numbers a bit for this month. Looking beyond that, the patch for After Effects stands out as it is Critical rated and could allow arbitrary code execution. The patches for Illustrator and Substance 3D Sampler are also rated Critical and could result in arbitrary code execution.

The remaining patches are rated Important or Moderate. The fix for InDesign addressed a denial of service and a memory leak. The Dimension update corrects four memory leaks, all reported by ZDI’s Mat Powell. The patch for Substance 3D Stager fixes two different out-of-bounds (OOB) Read bugs. The Substance 3D Designer update addresses a single Critical-rated OOB Write and three OOB Read bugs. The final Adobe patch for December is a fix for Prelude that corrects a single memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for December 2023

This month, Microsoft released a scant 33 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure, Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamic. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.

Of the new patches released today, four are rated Critical and 29 are rated Important in severity. The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with an impactful bug in the MSHTML engine:

-       CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability
This patch corrects a bug that could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems just by sending a specially crafted e-mail to the target. This usually means the Preview Pane is an attack vector, but that’s not the case here. Instead, the code execution occurs when Outlook retrieves and processes the mail, which occurs BEFORE the Preview Pane. No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability. They may run into some problems as exploitation does require memory-shaping techniques.

-       CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability
This is the highest-rated CVSS this month at 9.6 and acts more like a code execution bug than a spoofing bug. The vulnerability exists on the web server. However, if an affected system follows a specially crafted link, a malicious script will execute on the client’s browser. Microsoft also notified affected users of this bug via the Microsoft 365 Admin Center. If you’re running the Admin Center, be sure to read the bulletin for full details.

-       CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability
This Outlook bug does not have a Preview Pane attack vector. However, if exploited, the vulnerability allows the disclosure of NTLM hashes. These hashes could be used to spoof other users and gain further access within an enterprise. Earlier this year, Microsoft called a similar bug Elevation of Privilege (EoP) rather than Info Disclosure. Regardless of how you categorize it, threat actors find these types of bugs enticing and use them frequently.  

Here’s the full list of CVEs released by Microsoft for December 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-36019 † Microsoft Power Platform Connector Spoofing Vulnerability Critical 9.6 No No Spoofing
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability Important 2.5 No No Info
CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35622 Windows DNS Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-35635 Windows Kernel Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21740 Windows Media Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege Important 7.8 No No EoP
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2023-20588 * AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice Important N/A Yes No Info
CVE-2023-6508 * Chromium: CVE-2023-6508 Use after free in Media Stream High N/A No No RCE
CVE-2023-6509 * Chromium: CVE-2023-6509 Use after free in Side Panel Search HIgh N/A No No RCE
CVE-2023-6510 * Chromium: CVE-2023-6510 Use after free in Media Capture Medium N/A No No RCE
CVE-2023-6511 * Chromium: CVE-2023-6511 Inappropriate implementation in Autofill Low N/A No No SFB
CVE-2023-6512 * Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI Low N/A No No SFB
CVE-2023-35618 * Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate 9.6 No No EoP
CVE-2023-36880 * Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low 6.5 No No Info
CVE-2023-38174 * Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low 4.3 No No Info

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


There are only two other Critical-rated bugs to discuss, and both deal with the Internet Connection Sharing (ICS) service. This isn’t enabled by default and is rarely used, but if you are using it, code execution could occur when a network-adjacent attacker sends a specially crafted packet to an affected server.

Moving on to the other code execution bugs, two require connecting to a malicious SQL server to gain code execution. Two of the other RCE bugs are much more interesting. The bug in the USBHUB requires physical access, even though Microsoft lists this as a Remote Code Execution bug. It reads like plugging in a specially crafted USB driver could result in code execution. The vulnerability in the Bluetooth driver requires the attacker to be in close physical proximity but only requires the attacker to send and receive radio transmissions to exploit.

There are 10 EoP patches in this month’s release, and all but two of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. The bug in the Telephony server is only slightly different as it results in code execution at “NT AUTHORITY\Network Service” level. The vulnerability in the Azure Connected Machine Agent requires several preconditions – mainly a non-admin local user with the privileges to create symlinks. An attacker who exploits this bug could add symlinks and cause arbitrary file deletions as SYSTEM.

Looking at the information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. The bug in the Azure Machine Learning Compute Instance is an exception as it discloses Azure Machine Learning (ML) training data associated with user accounts. The final information disclosure bug resides in Word and could allow an attacker to read data from the file system.

This month also brings three fixes for Spoofing bugs. The fix for Outlook for Mac addresses a bug that could allow a user to mistakenly trust a signed e-mail message as if it came from a legitimate user. The vulnerability in Windows DPAPI requires a machine-in-the-middle (MitM), between a domain controller and the target, but Microsoft doesn’t detail what sort of spoofing an attacker could do if they are in the correct position to intercept the transmission. Microsoft also provides no details about the spoofing vulnerability in the Windows DNS server, but considering the importance of DNS, I certainly wouldn’t ignore this fix.

There are only five DoS bugs in the release, and Microsoft provides no additional details about four of them. The DoS vulnerability in the Windows kernel will crash the OS if an authenticated user opens a specially crafted file or browses to that file on a network share while on an affected system.

Finally, the December release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The first Patch Tuesday of 2024 will be on January 9, and I’ll return with details and patch analysis then. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!

Attack Surface of the Ubiquiti Connect EV Station

5 December 2023 at 17:58

Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.

The Ubiquiti Connect EV Station is a Level 2 charging station for electric vehicles. The EV Station is meant to be managed by a Ubiquiti management platform running the UniFi OS Console, such as the Ubiquiti Dream Machine or Cloud Gateway. Users can also use the iOS or Android UniFi Connect mobile apps to configure the EV Station.

Attack Surface Summary

The Ubiquiti EV Station is an Android device. In this respect, it is unique amongst the electric vehicle chargers included as target devices in Pwn2Own Automotive 2024.

Trend Micro researchers observed the UART port of the device during power-up. The Ubiquiti EV Station employs a Qualcomm APQ8053 SoC as the primary CPU. The Android operating system boots and emits boot messages on the UART serial port located inside the device housing. The following areas are confirmed and represent a potential attack surface on the device:

·       Android OS
·       USB
o   Android USB debugging might be possible
·       Ubiquiti Connect mobile applications
·       Network attack surface
o   Wi-Fi, including Wi-Fi driver
o   Ethernet / Local IP networking
§  Realtek
o   Multicast IP networking
§  UDP port 10001
·       Bluetooth Low Energy (BLE) 4.2
·       Near Field Communication (NFC)

Ubiquiti EV Station Documentation

Documentation for the Ubiquiti EV Station provides only high-level information about the installation and operation of the device. Additional documentation can be found at:

·       Ubiquiti EV Station product page
·       Ubiquiti EV Station technical specifications
·       Ubiquiti EV Station installation guide
·       UniFi Connect iOS application
·       UniFi Connect Android application

Ubiquiti EV Station Hardware Analysis

Ubiquiti provides high-level technical specifications for the EV Station on their website. Trend Micro researchers have performed an analysis of the discrete hardware devices found in the EV Station. The following list summarizes the components Trend Micro research have identified as notable components and/or potential attack surface in the Ubiquiti EV Station.

•         Qualcomm APQ8053 SoC
•         Nuvoton M482LGCAE (ARM)
•         Samsung KMQX60013A-B419 DRAM / NAND
•         Realtek RTL8153-BI Ethernet controller
•         Qualcomm WCN3680B (Wi-Fi)
•         NXP PN71501 (NFC)
•         TI USB 4 Port Hub - TUSB2046BI
•         Qualcomm PMI8952 (PMIC)
•         Qualcomm PM8953 (PMIC)
•         UART DEBUG port
•         USB C port

Figure 1 below is an overview of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each one isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.

Three connectors reside just beneath this section of the PCB. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon startup. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It is possible this is an unpopulated footprint for a cellular communication module.

Figure 1 - Overview image of the main PCB of the Ubiquiti EV Station

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:

Figure 2 - Detail image of the EV Station Qualcomm APQ8053 SoC, Samsung KMQX60013A-B419 DRAM / NAND and UART Debug Port

In the following image, the PCB shows a stencil marked ‘J23.’ Trend Micro researchers endeavored to discover where this header is connected. They surmised it might be possible that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.

Figure 3 - Detail image of the EV Station Realtek RTL8153-BI Ethernet controller

Network Analysis.

The device can connect to local networks over both Wi-Fi and Ethernet. Trend Micro researchers connected the EV Station to a test Ethernet network to investigate the network attack surface prior to associating the EV Station to a Ubiquiti UniFi Console.

In an unconfigured state, the EV Station does not listen on any TCP ports. The EV Station sends out regular probes looking for HTTP proxies on TCP port 8080.

Additionally, the Ubiquiti EV Station attempts to join an IGMP group using IP address The EV Station sends packets to this address on UDP port 10001. The EV Station communicates on this port using the protocol that has been called the ‘UBNT Discovery Protocol.’ This protocol identifies the device model, firmware, and other information.

The following hex data shows an Ethernet frame, IP packet, and UDP datagram that encapsulate the UBNT discovery packet. The UBNT discovery data begins at offset 0x2A.

Bluetooth LE Analysis

In the unconfigured state, the Ubiquiti EV Station Bluetooth LE interface acts as a BLE peripheral device. Using a BLE scanning tool, the Trend Micro researchers observed the following Bluetooth LE endpoints on the EV Station.

The device set its BLE name to QCOM-BTD, which appears to be a default Qualcomm configuration. There is a single BLE service defined. This service exports three characteristics: one characteristic is read-only, one is notify-only, and one allows read, write, and notify operations.

Further analysis of the EV Station file system shows native code libraries responsible for the observed behavior. Additional investigation into these libraries may prove fruitful for contestants.

Additional information about expected BLE functionality can also be understood via analysis of the mobile applications. Trend Micro researchers performed reverse engineering of the UniFi Connect Android app and found code meant to communicate with the device over BLE. However, the discovered BLE characteristics present in the Android application do not match those broadcast by the EV Station. It is possible that after fully setting up the EV Station, the BLE stack may be reconfigured to match the expected BLE endpoints.

Future potential analysis

To mount a successful attempt against the Ubiquiti EV Station at Pwn2Own Automotive in Tokyo, contestants will need to perform additional analysis of the device to determine potential weaknesses. Trend Micro research has analyzed the Samsung KMQX60013A-B419 DRAM / NAND device by extracting it from the EV Station. This combination DRAM and NAND flash device contains the storage that supports the functionality of the EV Station.

As previously mentioned, the Ubiquiti EV Station runs the Android operating system. The EV Station flash contains numerous partitions. Using standard Linux tools, Trend Micro researchers identified several potential partitions. Some of these are real partitions and some appear to be false-positive detections by various tools. Several partitions have been verified and investigated. The following list shows the output produced on a Linux system using the `parted` command listing the partitions on the NAND flash device.

Trend Micro researchers used several methods for identifying partition data and mounting the partitions on the NAND flash device. The following command shows one method for mounting the system_a partition. Once the partition is mounted, a typical Android OS system partition is discovered.

Extracting the data from flash storage is the first step to performing the analysis necessary to discover vulnerabilities that might be present in the Ubiquiti EV Station.


While these may not be the only attack surfaces available on the Ubiquiti EV Station, they represent the most likely avenues a threat actor may use to exploit the device. We’ve already heard from several researchers who intend to register in the EV Charger category, so we’re excited to see their findings displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

A Detailed Look at Pwn2Own Automotive EV Charger Hardware

29 November 2023 at 17:29

In a previous blog, we took a look at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isn’t meant to be a detailed exploitation guide. However, we hope these high-resolution images will inspire some of the research we hope to see on display in Tokyo.

This post provides detailed imagery of the target EV chargers we are including in the upcoming Pwn2Own Automotive contest. Our intention is to help contestants understand the component hardware included in the EV chargers for the competition. But first, a safety reminder:

EV Chargers contain high voltages. Use extreme caution when working with them.  Never touch interior components when powered on.  If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding.  An open enclosure can be a deadly enclosure. Modifications to charging devices should not be made if there is an intent to ever plug the device into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer's instructions. 

With that out of the way, let’s move on to the images.

Autel Maxi EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Autel Maxi EV Charger.

·       ST Micro STM32F407ZGT6
·       Renergy RN830(B)
·       Barrot BR8051A01 bluetooth radio
·       Quectel EC25-AFX
·       GigaDevices GD32F407
·       Espressif ESP32-WROOM-32D
·       Winbond 128Mbit Flash device
·       ISSI IS62WV10248EALL/BLL

The Autel Maxi comprises multiple boards. One board is dedicated to the display, one board is a metrology board for power measurement and distribution, one is a mobile communication module board, and, finally, there’s a CPU board.

Figure 1 - The Autel Maxi metrology board hosts the ST Micro STM32F407ZGT6 and Renergy RN830(B).

Figure 2 - The Autel Maxi mobile communication PCB hosts the Quectel EC25-AFX.

Figure 3 - The Autel Maxi CPU PCB hosts the GigaDevices GD32F407, an Espressif ESP32-WROOM, a Winbond flash storage chip, and a Barrot BR8051A01 Bluetooth radio.

Figure 4 -The reverse side of the Autel Maxi CPU board contains the Barrot BR8051A01 Bluetooth radio.

Figure 5 - A detailed look at the Barrot BR8051A01 Bluetooth radio.

ChargePoint Home Flex

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the ChargePoint Home Flex EV charger.

·       Atmel AT91SAM9N12
·       Micron MT47H64M16NF-25E IT:M - 1GB DRAM
·       Micron MT29F4G08ABBDAH4-IT:D - 4GB NAND flash
·       Inventek ISM43340 Wi-Fi Bluetooth SIP Module

The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board. The CPU board hosts an Atmel ARM CPU, a Wi-Fi radio, and a Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings. Also, the unpopulated debug header labeled CN1 exposes the JTAG debugging interface of the Atmel AT91SAM9N12.

Figure 6 – ChargePoint Home Flex CPU board side 1, with Atmel ARM CPU, WiFi radio, and Bluetooth LE radio. P3 serial port labels have been added to the image.

Figure 7 – ChargePoint Home Flex CPU board, side 2.

The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply. It also terminates the charging cable that end users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silk screen markings.

Figure 8 – ChargePoint Home Flex metrology board side 1, with MSP430 microcontroller.

Figure 9 - ChargePoint Home Flex metrology board side 2.

Emporia Smart Home EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Emporia Smart Home EV charger.

·       Espressif ESP32-WROVER-IB
·       TI MSP430F6736A

The device is built around the Espressif ESP32-WROVER-IB Wi-Fi and Bluetooth module. It is marked on the board as U1. The serial interface of the ESP32 is connected to the vias located directly next to the module labeled H3-H10. Identifying the pinout is an exercise for the reader.

Figure 10 - Emporia Smart Home EV Charger employs a single board design. The ESP32 module is to the left, and the MSP430 is in the center.

The Emporia Smart Home EV charger uses a TI MSP430F6736A microcontroller for the metrology function.

Figure 11 - Emporia Smart Home EV Charger detail image of the TI MSP430F6736A used for metrology.

Enel X Way Juicebox 40 EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Enel X Way Juicebox EV charger.

·       Silicon Labs WGM160PX22KGA3
·       Silicon Labs MGM13S SiP Module
·       Atmel ATmega328P
·       Atmel M90E36A Metering IC

The following image shows an overview of most of the main PCB. The Silicon Labs WGM160PX22KGA3 is toward the top-left of the following image and is marked U3. The Silicon Labs MGM13S SiP Module is toward the lower left of the following image and is labeled U11. The Atmel ATmega328P is located left-of-center in the following image and is labeled U14.

Figure 12 - Enel X Way Juicebox 40 EV Charger main PCB hosts both application and metrology. The Silicon Labs WGM160PX22KGA3 is shown in the lower right of this figure, and the Atmel ATmega328P is shown in the middle.

The following image shows the right-hand side of the board. This is where the Atmel M90E36A Metering IC is located. It is located on the right-hand side of the board and is marked U25.

Figure 13 - Enel X Way Juicebox 40 EV Charger main PCB is shown with the Atmel M90E36A metrology processor shown to the right.

Figure 14 - Enel X Way Juicebox 40 EV Charger detail view of Silicon Labs WGM160PX22KGA3.

Phoenix Contact CHARX SEC 3100

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Phoenix Contact CHARX SEC 3100 EV charge controller.

·       NXP MCIMX6G2CVM05AB - i.MX 6UltraLite Processor
·       Infineon OPTIGATM TPM SLB 9670 TPM2.0
·       Micron MT41K256M16TW-107 IT:P - 4gb DDR3 memory module
·       Micron MTFC8GAKAJCN-4M IT - 64 Gbit MMC NAND flash
·       Sierra Wireless RC7620-1
·       STM32F303 Arm microcontroller

The Phoenix Contact CHARX SEC 3100 is an EV charging controller. The device is typically mounted on a DIN rail. The enclosure contains two PCBs interconnected via a bus at the rear of the enclosure. In this document, we refer to one PCB as the CPU Board, and the other as the Metrology Board.

The CPU Board hosts the NXP MCIMX6G2CVM05AB ARM Cortex A7 CPU along with its associated DDR3 and NAND flash components. Additionally, the CPU Board comprises two Ethernet interfaces, one USB C interface, a micro SD card reader, a micro SIM card slot, and a Sierra Wireless RC7620 cellular modem.

The Phoenix Contact CHARX SEC 3100 runs Linux, and the manufacturer provides access via a preexisting user account on the system.

Figure 15 - Phoenix Contact CPU Board Side 1. This CPU board contains the NXP MCIMX6G2CVM05AB - i.MX 6UltraLite Processor, the Micron MT41K256M16TW-107 IT:P - 4gb DDR3 memory module, and the Micron MTFC8GAKAJCN-4M IT - 64 Gbit MMC NAND flash.

Figure 16 - Phoenix Contact CPU Board Side 2. This side of the CPU board has two Ethernet controller chips and the Infineon OPTIGATM TPM SLB 9670 TPM2.0

The Metrology Board hosts the STM32F303 Arm microcontroller.

Figure 17 - Phoenix Contact Metrology Board Side 1. The metrology board hosts circuitry for power metering.

Figure 18 - Phoenix Contact Metrology Board Side 2. The metrology board hosts a STM32F303 Arm microcontroller and communicates with the CPU board over the inter-board bus connector shown on the left side of the board in this figure.

Ubiquity EV Station

The following list summarizes the components Trend Micro research has identified as notable components and/or potential attack surfaces in the Ubiquity EV Station.

·       Qualcomm APQ8053 SoC
·       Nuvoton M482LGCAE (ARM)
·       Samsung KMQX60013A-B419 DRAM / NAND
·       Realtek RTL8153-BI Ethernet controller
·       Qualcomm WCN3680B (Wi-Fi)
·       NXP PN71501 (NFC)
·       TI USB 4 Port Hub - TUSB2046BI
·       Qualcomm PMI8952 (PMIC)
·       Qualcomm PM8953 (PMIC)
·       UART DEBUG port
·       USB C port

The following is an overview image of the main CPU board of the Ubiquity EV Station. The board has several collections of highly integrated components, each isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcom APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.

Just beneath this section of the PCB lie three connectors. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquity EV Station upon boot. In the center is a USB C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It’s possible this is an unpopulated footprint for a cellular communication module.

Figure 19 - Ubiquity EV Station CPU board. The Ubiquity EV Station is a highly integrated device based around a Qualcomm APQ8053 SoC.

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquity EV Station:

Figure 20 - Ubiquity EV Station CPU board, showing details of the Qualcomm APQ8053 SoC and Samsung KMQX60013A-B419 combination flash storage and RAM device.

In the following image, the PCB shows a stencil marked “J23.” Trend Micro researchers endeavored to discover where this header is connected. They surmised it might be possible that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.

Figure 21 - Ubiquity EV Station detail image of Realtek RTL8153-BI Ethernet controller.


We hope this imagery will inspire you to take a deeper look at the EV chargers to be targeted at Pwn2Own Automotive. Time is running out to register, with the deadline being January 18, 2024. As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source. We hope to see both you and your exploits in Tokyo.

Until then, stay tuned to this blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The November 2023 Security Update Review

14 November 2023 at 18:36

It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for November 2023

For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for Audition is quite large, with nine total CVEs addressed. The After Effects is just behind it with eight CVEs receiving fixes.

The Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the Premiere Pro update. Both of those applications often rely on Media Encoder, and it gets five patches this month as well. The patch for InDesign includes seven CVEs, but the most severe is only rated Important. The update for RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for Adobe Bridge contains three Moderate-rated CVEs. The fixes for InCopy and the FrameMaker Publishing Server both fix a single Critical-rated CVE, while the patches for Dimension and Animate both correct a single Important-rated CVE.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for November 2023

This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based), Visual Studio, and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.

Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.

Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
This bug allows a privilege escalation through the Windows Desktop Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

-       CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

-       CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attack that exploits this bug would be able to bypass Windows Defender SmartScreen checks and other prompts. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

-       CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment. There shouldn’t be a lot of those out there, but if you are one of them, definitely test and apply this update quickly.

Here’s the full list of CVEs released by Microsoft for November 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 Yes Yes EoP
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability Important 8.8 No Yes SFB
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability Important 8.2 Yes No DoS
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability Important 6.5 Yes No SFB
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability Critical 8.6 No No Info
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability Important 7.6 No No EoP
CVE-2023-36558 ASP.NET Core - Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability Important 8.8 No No SFB
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.2 No No XSS
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2023-36439 † Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 6.1 No No RCE
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-24023 * Mitre: CVE-2023-24023 Bluetooth Vulnerability Important Unknown No No Spoofing
CVE-2023-36043 † Open Management Infrastructure Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2023-36042 Visual Studio Denial of Service Vulnerability Important 6.2 No No DoS
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability Important 7.1 No No DoS
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability Important 8.8 No No RCE
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 7.3 No No RCE
CVE-2023-36034 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 7.3 No No RCE
CVE-2023-36022 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 6.6 No No RCE
CVE-2023-36029 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate 4.3 No No Spoofing
CVE-2023-5480 * Chromium: CVE-2023-5480 Inappropriate implementation in Payments High N/A No No RCE
CVE-2023-5482 * Chromium: CVE-2023-5482 Insufficient data validation in USB High N/A No No RCE
CVE-2023-5849 * Chromium: CVE-2023-5849 Integer overflow in USB High N/A No No RCE
CVE-2023-5996 * Chromium: CVE-2023-5996 Use after free in WebAudio High N/A No No RCE
CVE-2023-5850 * Chromium: CVE-2023-5850 Incorrect security UI in Downloads Medium N/A No No SFB
CVE-2023-5851 * Chromium: CVE-2023-5851 Inappropriate implementation in Downloads Medium N/A No No RCE
CVE-2023-5852 * Chromium: CVE-2023-5852 Use after free in Printing Medium N/A No No RCE
CVE-2023-5853 * Chromium: CVE-2023-5853 Incorrect security UI in Downloads Medium N/A No No SFB
CVE-2023-5854 * Chromium: CVE-2023-5854 Use after free in Profiles Medium N/A No No RCE
CVE-2023-5855 * Chromium: CVE-2023-5855 Use after free in Reading Mode Medium N/A No No RCE
CVE-2023-5856 * Chromium: CVE-2023-5856 Use after free in Side Panel Medium N/A No No RCE
CVE-2023-5857 * Chromium: CVE-2023-5857 Inappropriate implementation in Downloads Medium N/A No No RCE
CVE-2023-5858 * Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider Low N/A No No SFB
CVE-2023-5859 * Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture Low N/A No No SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates post-installation actions are required to fully address the vulnerability.

There are only two other Critical-rated bugs to discuss, and the first is an information disclosure in the Azure Command-Line Interface (CLI). Info disclosure vulnerabilities rarely get a Critical rating, but this one could reveal plaintext passwords and usernames from log files, so it seems appropriate. The other Critical-rated patch is a privilege escalation in the Windows Hash-based Message Authentication Code (HMAC) that could allow a guest on Hyper-V to execute code on the underlying host OS. Fortunately, this is a local-only attack. However, if one guest can take over the host, they could do anything they wanted to other guest OSes on that server.

Looking at the remaining code execution bugs, the glaring one we all dread is sitting right there – a patch for Exchange Server. The good news here is that an attacker would need to be network adjacent and authenticated. The bad news is that simply installing the patch isn’t enough to be protected from this vulnerability. You will need to follow the post-install steps listed here to enable the Serialized Data Signing feature to be fully protected. Most of the remaining RCE bugs are mostly the typical open-and-own sort in Office and other Windows components. The bug in Azure DevOps reads more like an EoP since it requires an attacker to be authenticated. That’s also the same for the Registry Service, DFS, and SharePoint bugs. The bugs in the Host Integration Server and WDAC require connecting to a malicious database. The bug in Protected Extensible Authentication Protocol (PEAP) is nearly as bad as the PGM bug, but again, it requires a non-default setting. Fortunately, PEAP isn’t used too much these days, but if you have a legacy enterprise, you should not skip this patch.

Moving on to the privilege escalation bugs, most require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. This is even true for the bugs in Hyper-V, although it’s not entirely clear they could all be launched from a guest OS.

There are several spoofing bugs getting addressed this month, and for obvious reasons, the Exchange bugs stand out the most. These were reported by ZDI vulnerability researcher Piotr Bazydlo and act as NTLM relay bugs. One (CVE-2023-36035) results from a failed patch. These bugs do require authentication, but an insider could exploit these to relay NTLM credentials and gain further access. The bugs in Dynamics 365 both occur in the webserver. However, they allow malicious scripts to execute in the victim’s browser. The final spoofing bug in Visual Studio reads more like a privilege escalation as Microsoft states it could allow an attacker to gain high privileges, which include read, write, and delete functionality.

In addition to the one under active attack, there are five other security feature bypass (SFB) bugs getting patches this month. The bug in ASP.NET Core allows attackers to bypass validations on Blazor Server forms. There’s another bug in ASP.NET that would allow the bypass of certain checks designed to prevent an attacker from accessing internal applications on a website. The SFB in Office allows attackers to evade the Office Protected View, while the one in Excel could bypass the Microsoft Office Trust Center external links check. The final SFB for November is in the On-Prem Data Gateway. An attacker could exploit this bug to bypass certificate validation mechanisms and provide arbitrary certificates that do not have proper signatures.

There are just a few information disclosure bugs to discuss, and the majority of these merely result in info leaks consisting of unspecified memory contents. There are two exceptions to this. The bug in Open Management Infrastructure could allow an attacker to access the credentials of privileged accounts stored in trace logs on the machine being monitored by SCOM. Microsoft recommends resetting the passwords of privileged accounts after applying the update. The kernel information disclosure bug would allow attackers to view registry keys they would normally be able to access.

This month’s release includes a handful of fixes for denial-of-service (DoS) bugs. The most intriguing is the bug in the DHCP Server. This could certainly cause quite a disruption to most enterprises. Unfortunately, Microsoft provides no additional information about the bug. The Windows Authentication could also cause a disruption as it would prevent normal authentication actions from occurring. No substantial information regarding the other DoS bugs is provided by Microsoft.

Lastly, the November release is rounded out by three cross-site scripting (XSS) bugs in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The final Patch Tuesday of 2023 will be on December 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

How To: Modifying EV Chargers for Benchtop Experiments

Previously, we looked at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at how to safely modify an EV charger to perform research through benchtop experiments. This isn’t meant to be a comprehensive guide, but it should provide you with a solid base to start your own research into these devices.

In some of our previous blogs, we’ve looked at the attack surface of devices included in the Pwn2Own Automotive competition. In this post, we provide some information on hardware modifications that can be made to most electric vehicle (EV) chargers to assist in benchtop experimentation. But first, a safety reminder:

 EV Chargers contain high voltages, use extreme caution when working with them.  Never touch interior components when powered on.  If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding.  An open enclosure can be a deadly enclosure. These modifications should not be made if there is an intent to ever plug into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer's instructions.  Additionally, these suggested modifications do not reduce the danger or the need to exercise caution and appropriate high-voltage safety precautions.

Most residential EV chargers arrive out of the box with both the input and output power cables attached to the unit. The power input will generally be a household appliance-type plug, and the charger output will likely be a cable with an SAE J1772 connector that plugs into the vehicle. The input power is typically high current and high voltage (230VAC). However, most researchers do not need a high current connection to power up the device when looking for bugs. You can use a cheap, pre-built power cable that can be sacrificed to avoid the cost of setting up a high current and voltage infrastructure by a licensed electrician just to power up the device under test.

Here’s a look at a typical input cable plug:

Figure 1 - Typical EV charger residential input cable plug

And here’s a typical output cable plug (SAE J1772)

Figure 2 - Typical EV charger output cable plug

These connectors and voltages cannot be easily or safely handled at an electronics bench, so the following modification steps aim to simplify some of this infrastructure for experimentation. As a reminder, these modifications should only be done on EV chargers meant for research. If you intend to plug a vehicle into the charger, we do not recommend making any modifications whatsoever. Instead, follow the manufacturer’s instructions on the proper installation and use of the charger.

With that out of the way, let’s look at the steps needed to modify the EV charger for benchtop experimentation. 

1)     Remove the unit from any power source.

2)     Disconnect the output cable. Since the goal is to experiment on the device only as a stand-alone unit, the output cable can be removed. This involves opening the enclosure and unscrewing the terminals that hold the wires for the SAE J1772 cable. This will typically consist of 3 heavy gauge wires and 1 light gauge communication wire.   Here are some examples:

Figure 3 - Output cable terminals found on the Ubiquity charger

Figure 4 - Output cable terminals found on the Juicebox charger

Figure 5 - Output cable terminals found on the Autel charger

3)     Remove the now loosened output cable from the enclosure. This may also involve removing cable clamps and bulkhead connectors.

4)     Disconnect the input cable. This cable will have 3 large gauge wires attached to the inside of the enclosure. The terminals may or may not be in the same space as the output terminals. Some of the EV chargers place all terminals on the same PCB while others isolate them in different compartments inside the enclosure. It’s best practice to take a photograph of the terminals before disconnecting for future reference. You will be using these terminals to provide power with a smaller cable.

5)     Remove the now loosened input cable from the enclosure. This may involve removing cable clamps and bulkhead connectors.

6)     Identify your region’s voltage. The EV chargers typically run on higher voltages (230VAC) per the manufacturer’s installation documents. If your region has a higher voltage, then no step-up transformer is required. If your region has lower voltages (100VAC – 120VAC), it is recommended that you use a step-up transformer. However, some EV chargers will initialize to some extent with lower voltages so it is possible that, depending on your EV Charger model and the type of exploit you are experimenting with, a step-up transformer may not be necessary. If one is required for you, one suggestion is something like an LVYUAN DT-500VA device that accepts 110VAC input and produces 230VAC output.

Figure 6 - Example of an AC to AC step-up/step-down transformer

7)     You can now install an input cable inside the enclosure. The cable can be lighter gauge since only the electronics are being powered up. On one end will be 3 bare wires and on the other can be a typical 3-prong residential plug. An example is a standard PC power cord with the PC side cut off.  With the insulation removed, there will be 3 wires that can be stripped and the ends tinned (see picture below). Route the cable through the enclosure opening that the previous cable was in. Using the locations where you removed the large input cable, connect the bare wires to those terminals. The ground wire (green) is the first connection. Attach it to where the previous green wire was connected. The other two wires will be energized, so it does not matter which color connects to which of the remaining input power terminals. The picture below is an example of the cable end relative to the terminals.

Figure 7 -  Example of a new input cable prepared for attachment

Figure 8 - Input cable attachment terminals in an Autel charger

8)     With the wiring is complete, you can re-assemble the enclosure.

9)     You can now plug the new input power cable into the 230V receptacle on the step-up transformer. We recommend securing the cable with zip ties to prevent accidental removal of the input cable.

Figure 9 - Input cable attached to the 230V port on the transformer


This shows you how to wire an EV charger for benchtop experimentation. The intent is to use an easy to get, cheap, pre-built cable that can be sacrificed to avoid having a researcher working with a limited budget attempt to build the high current and voltage infrastructure to their bench if they only intend to power up the electronics.  If a researcher already has a 230VAC plug right next to their testbench, they will not need this modification. However, we suspect that most researchers just getting into the automotive space will not have these resources. That’s why we’re offering this work-around for those who don’t intend to connect to a vehicle and thus don’t need a high-current connection.

As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source.

The modifications shown in this article should assist you in conveniently conducting your research into potential vulnerabilities in EV chargers. Our research has uncovered some already, and we continue looking into the attack surface of such devices. We hope you’re successful with your research, and if you discover a vulnerability, we hope you demonstrate it during the upcoming Pwn2Own Automotive contest.

Stay tuned to the blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments

2 November 2023 at 16:18

Server Side Request Forgery (SSRF). This vulnerability class triggers a wide range of emotions and reactions, ranging from complete ignorance to panic. Though it is included in the OWASP Top 10 list of web application security risks, at times vendors tend to downplay it and not treat it seriously.

As usual, the truth lies somewhere in between. What appears to be SSRF may sometimes in fact be intended functionality. Even so, an attacker may be able to abuse that functionality to improperly disclose sensitive information, either from the application containing the SSRF or from unrelated internal systems.

You may have noticed battles between researchers and vendors where an SSRF vulnerability was at the center of the disagreement. The fun part starts when a single vendor responds to different SSRF vulnerabilities in different ways and you are not able to reverse engineer their decision-making algorithm.

Whenever I find an SSRF vulnerability, my personal approach is to divide the assessment into four main categories. 

a)     Internal vs. external application

Ideally, we want to find SSRF vulnerabilities in applications that are widely exposed to the internet. Such a vulnerability may allow you to interact with an internal network to which you would not have direct access.

This isn’t to say that SSRF vulnerabilities in internal applications are without value. Sometimes, internal applications may be placed in the DMZ or another restricted area of the network. When you are an internal attacker (an attacker who is already in the internal network), you may find an SSRF useful for reaching some inaccessible networks or machines. Still, it’s typically a much less attractive case than an internet-reachable SSRF.

 b)     Does the product expose services on the loopback interface?

Some products expose services that are reachable only through a loopback interface. If we can interact with such a service through the SSRF, it allows us to extend the attack surface and to potentially chain it with other vulnerabilities. It makes the SSRF potentially more interesting and useful.

c)     Privileges required

As always, the strongest vulnerabilities are those that do not require authentication.

After that come vulnerabilities requiring low privileges. Though less powerful, they can still be very dangerous. Consider an externally exposed application with 50,000 users. An authenticated SSRF in such a case may be very dangerous, as we all know that threat actors have multiple ways of obtaining credentials.

Last and least, there are SSRFs that require administrative privileges. Typically, I almost immediately drop those. Seeing a vendor that fixes admin-level SSRF is a rarity.

d)     What can we achieve with the SSRF

This is a crucial category, and we can divide it into two subparts.

1 - Request shaping:

— What protocols can we use? HTTP, HTTPS, FTP, any other?
— How much do we control the request? In case of HTTP:

o   Can we pick the HTTP method? GET, POST or any other? If not, which method is being used for the request?
o   Can we fully control the URL? Are some query string parameters hardcoded, or do we have full control?
o   Can we specify arbitrary HTTP headers?
o   Can we insert arbitrary data into the request body?
o   And so forth.

2 - Response handling:

— Does the SSRF sink follow redirects? If so, does it allow switching protocols?
— Does it return a response to the attacker?

I find this last question particularly important. If the attacker can use the SSRF to receive a response, the information leak risk is real. I’ve done hundreds of penetration tests and believe me – SSRF that allows you to make GET requests to the internal network and receive the response will give you a ton of sensitive information.

That was long, I’m sorry. But this shows that the evaluation of SSRF vulnerabilities is in fact complex and it depends on many factors. When you find an SSRF vulnerability, you will need to do a similar evaluation by yourself. Afterward, you might find that when the vendor performs their own evaluation, they may have a completely different definition of a “potentially harmful SSRF”.

To illustrate, I once reported an SSRF vulnerability in Microsoft SharePoint, CVE-2023-28288. This vulnerability could be exploited by any authenticated user and allowed the attacker to make any HTTP GET request but did not return the response. Microsoft treated this vulnerability seriously and provided a quick fix. MSRC even assigned a higher CVSS score than we originally had. This may be because the vulnerability additionally allowed disclosure of the contents of local files with the xsl extension. I did not find that especially interesting, but perhaps Microsoft did.

On the other hand, the researcher known as Frycos found a pre-auth SSRF in Skype for Business, and more than a year passed waiting for the fix. It was not treated as an immediate threat. Quoting from that blog post:

Since the MSRC rejected my submission for this vulnerability with a “not meeting the bar” argument, I told them to publish a blog post instead.

I am doing something similar right now. Not so long ago, I had 4 hours to spare, and I decided to look at Exchange OWA. I quickly identified 3 SSRF issues, one of which seemed to be particularly dangerous:

— Exchange OWA is frequently exposed to the internet.
— The vulnerability could be exploited by any authenticated user (any user with a mailbox). Even though this means that authentication is required, the number of mailboxes deployed in some organizations can run into the hundreds of thousands.
— It allows performing any HTTP GET request, with full control over the URL and query string parameters.
It retrieves the content of the response.

As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree:

MSRC has investigated this issue and concluded that this does not require immediate servicing. We have shared your report with the team responsible for maintaining the product or service and they will consider a potential future fix, taking the appropriate action as needed to help keep customers protected.

We do not have a timeline for when this review will occur, and will not be able to provide status for this issue moving forward.

In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing.

Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring.

ZDI-CAN-22101 – CreateAttachmentFromURI Server-Side Request Forgery

When a user wants to attach a file to a message through Exchange OWA, he can use the “clip” button. It allows the selection of any file from the local file system.

Figure 1 — Inserting an attachment through the GUI

Quite an obvious thing, right? On the other hand, when I was going through the methods defined in the Exchange OWAService, I found an interesting one called CreateAttachmentFromUri.

At [1], the CreateAttachmentFromUri is initialized and then its Execute method is called.

At [1], the Uri object is instantiated on the basis of the attacker-controlled string.

The Execute method will finally lead us to CreateAttachmentFromUri.InternalExecute:

At [1], CreateAttachmentFromUri.DownloadAndAttachFileFromUri is called. The name of the method says everything that we need to know.

It leads to an asynchronous task. I am including a fragment of this task:

At [1], an HttpClient is created.

At [2], a request is made.

At [3], an attachment is created on the basis of the retrieved response.

According to that, this method allows performing an HTTP GET SSRF. The attacker can target any endpoint and can specify any query string parameters.

One may notice that this SSRF has an additional feature that makes it even more dangerous. It creates the attachment on the basis of the response. There are also bonus points for the fact that this SSRF sink handles redirects – they are supported by default by HttpClient, and the AllowAutoRedirect property is not modified by the code.

My guess is that this is some obsolete Exchange OWA feature, which has been deprecated and removed from the GUI. However, it has not been removed from the server-side code. This is only a guess though, as I have never been a serious user of OWA.

To sum up, the following attack scenario is possible:
• The attacker authenticates to OWA.
• The attacker creates a new draft message.
• The attacker invokes CreateAttachmentFromUri, triggering the SSRF.
• The response of the SSRF gets added to the mail message as an attachment.
• The attacker downloads the attachment and retrieves the response content.

I implemented this attack scenario in my exploit. The following screenshot presents a sample exploitation, where the http://internaltomcat.zdi.local:8080 URL was targeted.

Figure 2 — SSRF Exploit – retrieving the response from internal Tomcat server

The response content also can be retrieved easily through the GUI. You need to access your message and open the attachment.

Figure 3 — SSRF response stored in the attachment

Proof of Concept

In general, this SSRF can be exploited with a single HTTP Request to the OWA service:

Such a request produces SSRF. It will not allow you to retrieve the response content, though. If you want to retrieve the content, you must provide a valid message’s ChangeKey and Id in the respective JSON keys (here, they were set to poc). If a proper ChangeKey and Id are provided, the response will be attached to the specified message.

The JSON payload can be also delivered through the X-Owa-Urlpostdata HTTP header. The following snippet presents an example of such a request:

The following video presents this vulnerability in action.


Assessment of Server Side Request Forgery issues may be hard and lead to disagreements. Such vulnerabilities often do not impact the same product in which they exist, which is an argument frequently heard from vendors. However, they can be used as an access path for external attackers to reach the restricted areas of networks, thereby causing an impact on other systems in the corporate environment. Accordingly, I would recommend that vendors take SSRF seriously, and reassess functionality that involves forwarding arbitrary requests.

I hope you liked this writeup. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.


Pwn2Own Toronto 2023 - Day Four Results

27 October 2023 at 13:31

The contest has wrapped, and we awarded $1,038,500 during the event for 58 unique 0-days. These bugs have been disclosed to the vendors, who now have 90 days to produce a patch. Congratulations to Team Viettel for winning Master of Pwn with $180,000 and 30 points. Our thanks goes out to the contestants and vendors for participating, and special thanks to Google and Synology for co-sponsoring the contest.

Welcome to the final day of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. All times are Eastern (GMT -4:00).

FAILURE - Foundry Zero was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

BUG COLLISION - ANHTUD was able to execute a 2-bug chain of stack-based buffer overflows against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. However, one of the bugs he used was previously known. He still earns $31,250 and 6.25 Master of Pwn points.

BUG COLLISION - Interrupt Labs was able to execute a 2-bug chain including a UAF and integer underflow against the Sonos Era 100. However, one of the bugs they used was previously known. They still earn $18,750 and 3.75 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.
