Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability

CVE-2021-43899

Microsoft Office app Remote Code Execution Vulnerability

CVE-2021-43905

Microsoft PowerShell Spoofing Vulnerability

CVE-2021-43896

Microsoft Office Graphics Remote Code Execution Vulnerability

CVE-2021-43875

Microsoft Office Trust Center Spoofing Vulnerability

CVE-2021-43255

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-43256

Microsoft BizTalk ESB Toolkit Spoofing Vulnerability

CVE-2021-43892

Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cross Site Scripting (XSS). An attacker with access to a user account of the RIA IT or the Fleet role can create a crafted work order in the damage reports section (or change existing work orders). The XSS payload is in the work order number.

**You want to stay ahead of the curve?**

Miles enables rather than restrict you. Bring innovative new product offerings to market, automate steps in your business processes to increase your efficiency, gain insight through Miles held data ...   
Discover how Miles can support your business.

Discover Miles

**Total focus, absolute control**

How can we help people in the vehicle leasing business to manage complex administrative processes more efficiently and enable them to give better service to their customers and end users? During the 30 years that we have been into vehicle leasing management, we have focused all of our know-how and skills to answering this one question.

About us

![](https://www.sofico.global/files/cache/content_block/files/2021-23-nadiaboudewijn2-60c32b03948bd.jpg)

**Paperless automation for the automotive finance industry**

Acting as a digital signature and automated document management service, Miles eDocs offers customers instantaneous approvals in just a couple of clicks. With no paperwork, automated verification and less chance for error, you can reduce your overheads, while offering customers the efficient, mobile-first service they expect.

Discover Miles eDocs

![](https://www.sofico.global/files/cache/content_block/files/microsoftteams-image-6-6177e6ad10d32.png)

**Join Sofico and add some mileage to your career**

Do you want to be part of a dynamic dedicated team and work closely with talented individuals in different fields of expertise? Join an industry leader with offices in Ghent, Utrecht, Avignon, Munich, Sydney, Tokyo and Puebla (Mex).

![](https://www.sofico.global/files/cache/content_block/layout/frontend/img/jpg/job-widget.jpg)

**Take the first step today**

Use the flexibility of a modern ERP to surpass your customers' expectations.  
Rely on our expertise to make a difference in your market. 

Get in touch

Continuous product innovation helps you to stay competitive in an evolving market.

Local offices and local partnerships to serve our customers in over 20 countries.

30 years of Sofico expertise: both broad and deep understanding of business and technical topics.

80+ successful implementations through an optimised project approach.

CVE-2021-41557: Software for automotive leasing, financing and mobility management

A minor version update (from 7.9 to 7.10) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2019-10744: nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
* CVE-2019-12415: poi: a specially crafted Microsoft Excel document allows attacker to read files from the local filesystem
* CVE-2020-2875: mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
* CVE-2020-2934: mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
* CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
* CVE-2020-11987: batik: SSRF due to improper input validation by the NodePickerPanel
* CVE-2020-11988: xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
* CVE-2020-13943: tomcat: Apache Tomcat HTTP/2 Request mix-up
* CVE-2020-13949: libthrift: potential DoS when processing untrusted payloads
* CVE-2020-15522: bouncycastle: Timing issue within the EC math library
* CVE-2020-17521: groovy: OS temporary directory leads to information disclosure
* CVE-2020-17527: tomcat: HTTP/2 request header mix-up
* CVE-2020-26217: XStream: remote code execution due to insecure XML deserialization when relying on blocklists
* CVE-2020-26259: XStream: arbitrary file deletion on the local host when unmarshalling
* CVE-2020-27218: jetty: buffer not correctly recycled in Gzip Request inflation
* CVE-2020-27223: jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
* CVE-2020-27782: undertow: special character in query results in server errors
* CVE-2020-28491: jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
* CVE-2020-35510: jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
* CVE-2021-3536: wildfly: XSS via admin console when creating roles in domain mode
* CVE-2021-3597: undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
* CVE-2021-3629: undertow: potential security issue in flow control over HTTP/2 may lead to DOS
* CVE-2021-3690: undertow: buffer leak on incoming websocket PONG message may lead to DoS
* CVE-2021-20218: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
* CVE-2021-21290: netty: Information disclosure via the local system temporary directory
* CVE-2021-21295: netty: possible request smuggling in HTTP/2 due missing validation
* CVE-2021-21341: XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
* CVE-2021-21342: XStream: SSRF via crafted input stream
* CVE-2021-21343: XStream: arbitrary file deletion on the local host via crafted input stream
* CVE-2021-21344: XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
* CVE-2021-21345: XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
* CVE-2021-21346: XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
* CVE-2021-21347: XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
* CVE-2021-21348: XStream: ReDoS vulnerability
* CVE-2021-21349: XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
* CVE-2021-21350: XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
* CVE-2021-21351: XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
* CVE-2021-21409: netty: Request smuggling via content-length header
* CVE-2021-22118: spring-web: (re)creating the temporary storage directory could result in  a privilege escalation within WebFlux application
* CVE-2021-22696: cxf: OAuth 2 authorization service vulnerable to DDos attacks
* CVE-2021-23926: xmlbeans: allowed malicious XML input may lead to XML Entity Expansion attack
* CVE-2021-27568: json-smart: uncaught exception may lead to crash or information disclosure
* CVE-2021-28163: jetty: Symlink directory exposes webapp directory contents
* CVE-2021-28164: jetty: Ambiguous paths can access WEB-INF
* CVE-2021-28169: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
* CVE-2021-28170: jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
* CVE-2021-29425: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
* CVE-2021-30129: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
* CVE-2021-30468: CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
* CVE-2021-34428: jetty: SessionListener can prevent a session from being invalidated breaking logout
* CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
* CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
* CVE-2021-37714: jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
* CVE-2021-44228: log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value


Issued:

2021-12-14

Updated:

2021-12-14

**RHSA-2021:5134 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Critical: Red Hat Fuse 7.10.0 release and security update

**Type/Severity**

Security Advisory: Critical

**Topic**

A minor version update (from 7.9 to 7.10) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.  

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

This release of Red Hat Fuse 7.10.0 serves as a replacement for Red Hat Fuse 7.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.  

Security Fix(es):  

*   log4j-core (CVE-2020-9488, CVE-2021-44228)
*   nodejs-lodash (CVE-2019-10744)
*   libthrift (CVE-2020-13949)
*   xstream (CVE-2020-26217, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351)
*   undertow (CVE-2020-27782, CVE-2021-3597, CVE-2021-3629, CVE-2021-3690)
*   xmlbeans (CVE-2021-23926)
*   batik (CVE-2020-11987)
*   xmlgraphics-commons (CVE-2020-11988)
*   tomcat (CVE-2020-13943)
*   bouncycastle (CVE-2020-15522, CVE-2020-15522)
*   groovy (CVE-2020-17521)
*   tomcat (CVE-2020-17527)
*   jetty (CVE-2020-27218, CVE-2020-27223, CVE-2021-28163, CVE-2021-28164, CVE-2021-28169, CVE-2021-34428)
*   jackson-dataformat-cbor (CVE-2020-28491)
*   jboss-remoting (CVE-2020-35510)
*   kubernetes-client (CVE-2021-20218)
*   netty (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)
*   spring-web (CVE-2021-22118)
*   cxf-core (CVE-2021-22696)
*   json-smart (CVE-2021-27568)
*   jakarta.el (CVE-2021-28170)
*   commons-io (CVE-2021-29425)
*   sshd-core (CVE-2021-30129)
*   cxf-rt-rs-json-basic (CVE-2021-30468)
*   netty-codec (CVE-2021-37136, CVE-2021-37137)
*   jsoup (CVE-2021-37714)
*   poi (CVE-2019-12415)
*   mysql-connector-java (CVE-2020-2875, CVE-2020-2934)
*   wildfly (CVE-2021-3536)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Fuse 1 x86\_64

**Fixes**

*   BZ - 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
*   BZ - 1802531 - CVE-2019-12415 poi: a specially crafted Microsoft Excel document allows attacker to read files from the local filesystem
*   BZ - 1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
*   BZ - 1851014 - CVE-2020-2934 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
*   BZ - 1851019 - CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
*   BZ - 1887648 - CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up
*   BZ - 1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
*   BZ - 1901304 - CVE-2020-27782 undertow: special character in query results in server errors
*   BZ - 1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
*   BZ - 1904221 - CVE-2020-17527 tomcat: HTTP/2 request header mix-up
*   BZ - 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
*   BZ - 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
*   BZ - 1922102 - CVE-2021-23926 xmlbeans: allowed malicious XML input may lead to XML Entity Expansion attack
*   BZ - 1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
*   BZ - 1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
*   BZ - 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
*   BZ - 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
*   BZ - 1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
*   BZ - 1933808 - CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
*   BZ - 1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
*   BZ - 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
*   BZ - 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
*   BZ - 1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
*   BZ - 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
*   BZ - 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
*   BZ - 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
*   BZ - 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
*   BZ - 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
*   BZ - 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
*   BZ - 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
*   BZ - 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
*   BZ - 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
*   BZ - 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
*   BZ - 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
*   BZ - 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
*   BZ - 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
*   BZ - 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
*   BZ - 1946341 - CVE-2021-22696 cxf: OAuth 2 authorization service vulnerable to DDos attacks
*   BZ - 1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode
*   BZ - 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
*   BZ - 1962879 - CVE-2020-15522 bouncycastle: Timing issue within the EC math library
*   BZ - 1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
*   BZ - 1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
*   BZ - 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
*   BZ - 1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
*   BZ - 1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
*   BZ - 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
*   BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
*   BZ - 1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
*   BZ - 1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
*   BZ - 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
*   BZ - 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
*   BZ - 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
*   BZ - 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

**CVEs**

*   CVE-2019-10744
*   CVE-2019-12415
*   CVE-2020-2875
*   CVE-2020-2934
*   CVE-2020-9488
*   CVE-2020-11987
*   CVE-2020-11988
*   CVE-2020-13943
*   CVE-2020-13949
*   CVE-2020-15522
*   CVE-2020-17521
*   CVE-2020-17527
*   CVE-2020-26217
*   CVE-2020-26259
*   CVE-2020-27218
*   CVE-2020-27223
*   CVE-2020-27782
*   CVE-2020-28491
*   CVE-2020-35510
*   CVE-2021-3536
*   CVE-2021-3597
*   CVE-2021-3629
*   CVE-2021-3690
*   CVE-2021-20218
*   CVE-2021-21290
*   CVE-2021-21295
*   CVE-2021-21341
*   CVE-2021-21342
*   CVE-2021-21343
*   CVE-2021-21344
*   CVE-2021-21345
*   CVE-2021-21346
*   CVE-2021-21347
*   CVE-2021-21348
*   CVE-2021-21349
*   CVE-2021-21350
*   CVE-2021-21351
*   CVE-2021-21409
*   CVE-2021-22118
*   CVE-2021-22696
*   CVE-2021-23926
*   CVE-2021-27568
*   CVE-2021-28163
*   CVE-2021-28164
*   CVE-2021-28169
*   CVE-2021-28170
*   CVE-2021-29425
*   CVE-2021-30129
*   CVE-2021-30468
*   CVE-2021-34428
*   CVE-2021-37136
*   CVE-2021-37137
*   CVE-2021-37714
*   CVE-2021-44228

**References**

*   https://access.redhat.com/security/updates/classification/#critical
*   https://access.redhat.com/documentation/en-us/red\_hat\_fuse/7.10/
*   https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.10.0
*   https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

**Red Hat Fuse 1**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2021:5134: Red Hat Security Advisory: Red Hat Fuse 7.10.0 release and security update

An issue was discovered in Listary through 6. Improper implementation of the update process leads to the download of software updates with a /check-update HTTP-based connection. This can be exploited with MITM techniques. Together with the lack of package validation, it can lead to manipulation of update packages that can cause an installation of malicious content.

![Tomer Peled](https://miro.medium.com/fit/c/56/56/1*GOFjb5W_nuSIIiZ_R5715w.jpeg)

**Background:**

While working on another research relating to DLL hijacking, I stumbled upon Listary. Listary is a known file-system search application used to index and quickly locate files.

![](https://miro.medium.com/max/1400/1*s5yFmbxBc7-ousxK4RaQGA.png)

First, I tried to find a DLL hijacking location. After restarting listary, Using Procmon with the appropriate filters, I could spot a few locations for hijacking from Admin->SYSTEM:

![](https://miro.medium.com/max/1206/1*35JmVwO8NPAL1iG7DESuQg.png)

![](https://miro.medium.com/max/1400/1*MXWyJ02xAUOjxvlg_p5z_g.png)

After discovering these locations, I decided to search for ways to get admin privileges in order to capitalize on this hijacking.

****Malicious update (MITM attack):****

By default, Listary will search for updates automatically

![](https://miro.medium.com/max/440/1*-dZTlsSM5FxoOsEpklKAPQ.png)

The Listary update process consists of the following steps:

1\. Download the content of the following URL:

http://listray.com/check-update (HTTP communication!)

2\. After downloading from the page (a simple html page with only a JSON string available publicly), the update process will parse the version number and the download URL from the json object without any validation!

3\. The user will be prompted to download the new version of Listary from the parsed location

If an attacker has MITM capabilities, the attacker can manipulate the HTML response and plant a specially crafted JSON payload. The JSON payload can refer the user to download a malicious file instead of a legitimate update:

![](https://miro.medium.com/max/1400/1*LtV6T0Op5bdXZgcvVtNqhQ.png)

![](https://miro.medium.com/max/890/1*yP561m4qH6KTn96qSZh7wg.png)

![](https://miro.medium.com/max/556/1*zp7h_5LD98zqOUeAVJ2x2g.png)

If the user that executed Listary has admin privileges, then the malicious update file can be configured to plant a malicious DLL in Listary’s folder that will be executed with SYSTEM privileges by using the above DLL hijacking location, Or just do other malicious actions with admin privileges…

Note that user would have to run the downloaded file, mistakenly treating it as a legitimate update file.

**UAC Bypass:**

Let’s say you don’t have a MITM but gained a foothold on an endpoint that has Listary installed to gain high integrity you just have to use the built-in option Listary provides to gain admin privileges through it:

![](https://miro.medium.com/max/474/1*BS5NLbBNWqV84Z5TKaqB3g.png)

Listary will use its service to create a task that will execute listary’s client with highest possible privileges

![](https://miro.medium.com/max/566/1*l8i3-QIaA2DkKbmRsH7G5A.png)

![](https://miro.medium.com/max/712/1*L1HugpNDfXahcjoeQECGxA.png)

If a medium integrity user tries to click the “run with highest” button in task scheduler a UAC window will appear or a password prompt will appear:

![](https://miro.medium.com/max/1400/1*PDK4POLXCt17ggzzCvGtnA.png)

![](https://miro.medium.com/max/636/1*WZ3c9kuZ3eeih0fg16be3Q.png)

The upside of using this option is its evasiveness because it’s a legitimate program using its components and the downside is as mentioned above the requirement of some sort if interactive session with the victim’s endpoint.

The downside here is that you need an interactive session on the victim or an AutoIt script (or other script that will simulate mouse movement) to enable this option but once you do just restart the machine and Listary will run with the highest possible privileges for the “infected” account

After bypassing the UAC, you can plant a malicious DLL in Listary’s directory and gain SYSTEM privileges.

**Named Pipes (Lateral Movement):**

Pipes in OS’s are a way to allow inter process communication (IPC). By using pipes, one can direct a stream of data in his program to a waiting listener in another program.  
There are two types of pipes in windows — named pipes and anonymous pipes.  
Since Listary is using named pipes, we will focus on this type. Named pipes can be easily created by using the CreateNamedPipe WinApi call, specifying the pipe name in the format “\\\\\\\\.\\\\pipe\\\\mynamedpipe”

![](https://miro.medium.com/max/930/1*vLrj0H3ak-3O417Qvnk1cA.png)

Named pipes can also be created using PowerShell in the following way:

![](https://miro.medium.com/max/1400/1*uApdQ4P868qU8gNoDrbGjA.png)

Named pipes can be accessed like normal files on a computer and therefore can be accessed with the normal WinAPI calls to ReadFile and WriteFile. More importantly, since named pipes are designed for servers to parse user input and act on it, Microsoft has provided programmers the WinAPI ImpersonateNamedPipeClient () — This function will allow a server to assume the security identity (Security Token) of the client’s thread and execute commands as the client.

This command has the same functionality as RpcImpersonateClient () (which we will elaborate on in a future post).

This technique was used widely by attackers to duplicate and impersonate genuine programs and perform privilege escalation and lateral movement attacks (like meterpreter’s GetSystem).

This impersonation can be done using PowerShell like so\[7\]:

![](https://miro.medium.com/max/1084/1*ECjF2J7Iz8gWDbtyqNMV2g.png)

Listary’s Service uses the named pipe \\\\.\\pipe\\Listary.ListaryService

![](https://miro.medium.com/max/742/1*8XQqO7C2fkvc53HSERVALg.png)

Because of that and the fact that Listary starts with windows by default we can use the information above about ImpersonateNamedPipeClient() and open a named pipe with CreateNamedPipe() and specify “\\\\.\\pipe\\Listary.ListaryService” as the name for the pipe.

For this example, let’s assume the attacker is a local admin since he needs to have “`SeImpersonatePrivilege`” for this to work.

The attacker just needs to wait for a domain admin (or any other user) to login, and once the user logged in into the endpoint the attacker can steal his privileges for lateral movement.

This will work since Listary client is configured to run on startup by default and will try to connect to the pipe server using a misconfigured CreateFile call:

![](https://miro.medium.com/max/1218/1*h5XEbFoOCO_77IZ53XjKYA.png)

Notice that the security description is set to 0 and the flags are set to 0x40110000

Which translates to `FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_VIRTUAL | FILE_FLAG_OPEN_NO_RECALL` no SQOS was specified therefore the default will be used which is

![](https://miro.medium.com/max/1400/1*Fv0NMJ6Dh5HtzgCB9-4OUQ.png)

the attacker can leverage this connection as described to impersonate the Listary client’s thread.

This technique was addressed by Microsoft with the addition of security flags for CreateFile namely a programmer needs to specify the flags “`SECURITY_SQOS_PRESENT| SECURITY_IDENTIFICATION”` which will prevent impersonation or execution of code on behalf of the client \[8\]\[3\]

![](https://miro.medium.com/max/1400/1*6D16gGIDuRkU1UTft3irIA.png)

![](https://miro.medium.com/max/1400/1*v9uDopq2es1cxpwupitebw.png)

Conclusion:

Listary’s vulnerabilities present a problem for SOC/blue teams since they can be triggered as regular program activities.

In the best case; attackers can use Listary “only” for lateral movement but under the right circumstances’ attackers can use Listary for privilege escalation and remote code execution

Responsible disclosure:

29/08/2021 — vulnerabilities disclosed to Bopsoft/Listary team — No response

13/09/2021 — Vulnerabilities disclosed to MITRE — CVE numbers assigned CVE-2021–41065, CVE-2021–41066, CVE-2021–41067

19/09/2021 — Attempt to communicate with Bopsoft/Listary again — No response

09/12/2021 — Article published

References:

\[1\] https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea

\[2\] https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient

\[3\] https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

\[4\] https://itm4n.github.io/windows-dll-hijacking-clarified/

\[5\] https://en.wikipedia.org/wiki/Man-in-the-middle\_attack

\[6\] https://pentestlab.blog/2017/05/03/uac-bypass-task-scheduler/

\[7\] https://decoder.cloud/2019/03/06/windows-named-pipes-impersonation/

\[8\] https://docs.microsoft.com/en-us/archive/msdn-magazine/2004/november/protect-your-apps-and-user-info-with-defensive-coding-techniques

\[9\] https://docs.microsoft.com/en-us/windows/win32/secauthz/impersonation-levels

Tag

#microsoft