Tienda Wifi

Tienda Wifi
CiudadWireless es la tienda Wifi recomendada por elhacker.NET

Entradas Mensuales

Síguenos en:

Canal Oficial Telegram de elhacker.NET Grupo Facebook elhacker.NET Twitter elhacker.NET Canal Youtube elhacker.NET Comunidad Steam: Grupo elhacker.NET Mastodon

Entradas populares

PostHeaderIcon Las 10 vulnerabilidades más explotadas y las más graves en 2020


 vFeed ha publicado una lista en la que recopila y clasifica, en base a varios aspectos, las diez vulnerabilidades que fueron más explotadas a lo largo del año pasado. Una información que puede no coincidir al 100% con los datos de otras empresas de ciberseguridad, pero que si que coinciden en líneas generales y nos ayudan a saber por qué tipo de exploits tienen preferencia los ciberdelincuentes.






  1. CVE-2020-0796 (SMBGhost): Encabeza la lista de vulnerabilidades de 2020 esté problema de seguridad de SMB 3.1.1 detectada el mes de marzo. Según Microsoft, que publicó una guía sobre cómo evitar el problema, un atacante podía explotar esta vulnerabilidad para ejecutar código de forma arbitraria del lado del servidor SMB o del cliente SMB.
  2. CVE-2020-5902: La segunda de las vulnerabilidades más explotadas de 2020 fue ésta, que afectaba TMUI (ffic Management User Interface), la utilidad de configuración de las soluciones de red de F5 Network, y que permitía la ejecución remota de código en las mismas.
  3. CVE-2020-1472 (Zerologon): Poco queda por decir de esta vulnerabilidad, que parecía que iba a ser la última gran noticia de ciberseguridad del año (hasta que llegó SolarWinds, claro). Un problema en la implementación del cifrado de Netlogon que obligó a revisar a la carrera la seguridad de servidores con Windows Server.
  4. CVE-2020-0601 (CurveBall): Si despedimos 2020 con Zerologon, también hay que recordar que prácticamente lo empezamos con CurveBall, una vulnerabilidad crítica que afectaba a la API CryptoAPI, descubierta por la NSA y que fue rápidamente parcheada, a mitades de enero, por Microsoft.
  5. CVE-2020-14882: Si eres administrador de Oracle WebLogic Server seguro que esta CVE te es familiar, ¿verdad? Detectada en octubre, meses después hemos visto como seguía siendo activamente explotada, y como bastantes responsables de infraestructuras, pese a contar con actualizaciones para erradicar el riesgo, todavía se mantenían en versiones inseguras de este software.
  6. CVE-2020-1938 (GhostCat): Detectada en febrero de 2020, esta vulnerabilidad ocasiona que Apache Tomcat conceda un alto nivel de confianza a las conexiones AJP (Apache JServ Protocol), a diferencia de lo que hace con otros protocolos. En consecuencia, y sin necesidad de autenticarse, un atacante podía descargar y subir archivos a la aplicación web, así como ejecutar código arbitrario.
  7. CVE-2020-3452: Afecta la interfaz de servicios web del software Cisco ASA (Adaptive Security Appliance) y Cisco FTD (Firepower Threat Defense), y puede ser aprovechada por atacantes remotos no autenticados para leer archivos confidenciales dentro del sistema de archivos de servicios web en el dispositivo atacado.
  8. CVE-2020-0688: Un problema en el proceso de creación de claves criptográficas únicas durante la instalación de Microsoft Exchange, tuvo como resultado una de las vulnerabilidades más atractivas del año para ciberdelincuentes especializados en ransomware. Afortunadamente, Mictosoft lo identificó y solucionó rápidamente a finales de febrero.
  9. CVE-2020-16898 (Bad Neighbor): Afecta a la pila TCP/IP de Windows cuando ésta gestiona paquetes ICMPv6 elaborados para aprovechar esta vulnerabilidad, y permite la ejecución de código de forma remota. Los investigadores de McAfee la denominaron «Mal vecino» porque se puede emplear para detectar sistemas cercanos mediante ICMPv6 y emplear esta función para actuar como un gusano.
  10. CVE-2020-1350 (SIGRed): Solucionada en el patch tuesday de julio, su peligrosidad fue calificada con un 10 sobre 10. Afecta al servidor DNS de Windows Server y, al ser explotada, esta vulnerabilidad permite la ejecución de código malicioso de forma remota, simplemente enviando una solicitud especialmente generada para el servidor DNS.

Repaso a las vulnerabilidades más graves del 2020


1. vBulletin Remote Code Execution Vulnerability

We captured malicious sessions related to vBulletin Remote Code Execution Vulnerability. The vendor is widely used and the severity is critical. We published research on CVE-2020-17496 in September 2020.

2. WordPress File Manager Plugin Remote Code Execution Vulnerability

WordPress has a remote code execution vulnerability in the wp-file-manager plugin, which can write arbitrary PHP code into a specific directory.

3. Nette Code Injection Vulnerability

Nette is a PHP/Composer MVC framework. It is vulnerable to code injection attacks with specific URL parameters. This vulnerability is critical, which will lead to remote code execution.

4. Artica Web Proxy SQL Injection Vulnerability

Artica Web Proxy is a firewall software that is vulnerable to a SQL injection of the api key parameter in fw.login.php. The vulnerability can be used to bypass Artica and gain administrator privileges through SQL injection vulnerability.

5. Oracle WebLogic Server Remote Code Execution Vulnerability

Oracle WebLogic Server has a remote code execution vulnerability, which could lead to critical security issues. This flaw has a low attack complexity and is highlighted as “easily exploitable.”


1. PHPUnit Remote Code Execution Vulnerability

  • CVE-2017-9841

Exposure of the /vendor endpoint allows remote attackers to gain arbitrary PHP code execution on the target. This vulnerability affects all 4.x versions before 4.8.28 and 5.x versions before 5.6.3.

2. ThinkPHP Remote Code Execution Vulnerability

  • CVE-2019-9082

There’s a remote code execution vulnerability in the ThinkPHP framework due to the lack of validation of the input. The ThinkPHP framework with versions < 3.2.4 suffers from a remote command execution vulnerability due to insufficient check of the controller name in the URL.

3. Zeroshell Remote Command Execution Vulnerability

  • CVE-2019-12725

There’s a remote code execution vulnerability in ZeroShell version 3.9.0. By wrapping the payload in new-line characters and placing the resulting payload in the x590type HTTP parameter, the attacker can achieve arbitrary code execution on the victim’s machine.

4. vBulletin Remote Code Execution Vulnerability

  • CVE-2019-16759

vBulletin version 5.0.0 through 5.5.4 is susceptible to remote command execution due to lack of validation of the HTTP parameter widgetConfig[code].

5. D-Link Remote Command Execution Vulnerability

  • CVE-2018-19986

Both D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices are susceptible to a command injection vulnerability due to insufficient validation of the HTTP parameter RemotePort. An attacker can inject shell metacharacters and achieve arbitrary command execution.

  • CVE-2019-19597

There’s a remote command execution vulnerability in D-Link DAP-1860 devices due to insufficient input sanitization in the HNAP_Auth HTTP header value. An attack can inject shell metacharacters and achieve arbitrary code execution.

6. GPON Home Routers Remote Code Execution Vulnerability

  • CVE-2018-10561

The vulnerable versions of Dasan GPON routers are susceptible to authentication bypass because they don’t properly handle the URL. This vulnerability is often used in conjunction with CVE-2018-10562 to maximize the impact.

  • CVE-2018-10562

There is a command injection vulnerability in Dasan GPON routers. The vulnerable versions don’t sanitize the dest_host parameter, resulting in dire consequences. The router saves ping results in /tmp and lurks the user to revisit it.

7. vBulletin Remote Code Execution Vulnerability

  • CVE-2020-17496

There is a remote command execution vulnerability in vBulletin 5.5.4 through 5.6.2 via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request.

NOTE: This issue exists because of an incomplete fix for CVE-2019-16759.

8. ThinkPHP Remote Code Execution Vulnerability

  • CVE-2018-20062

A specifically crafted value in the filter HTTP parameter can result in arbitrary code execution in the ThinkPHP framework. This bug affects versions <= 5.0.23.

9. Drupal Core Remote Code Execution Vulnerability

  • CVE-2018-7600

Drupal allows remote attackers to execute arbitrary code due to an issue that affects multiple subsystems. It is caused by module misconfigurations.

10. DrayTek Vigor Remote Command Injection Vulnerability

  • CVE-2020-15415

On DrayTek Vigor3900, Vigor2960 and Vigor300B devices before 1.5.1, shell metacharacters via cgi-bin/mainfunction.cgi/cvmcfgupload allow remote command execution in a filename when the text/x-python-script content type is used.

  • CVE-2020-14472

There are some command injection vulnerabilities in the mainfunction.cgi file on Draytek Vigor3900, Vigor2960 and Vigor 300B devices before 1.5.1.1.

  • CVE-2020-8515

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, Vigor300B 1.3.3_Beta, 1.4.2.1_Beta and 1.4.4_Beta allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI without authentication.

In addition to vulnerabilities with specific CVE numbers assigned, we also capture other vulnerabilities that occur with high frequency. Below are the top five:

  • ThinkCMF local file inclusion vulnerability.

There’s a file inclusion vulnerability in ThinkCMF that can also result in remote code execution. This bug affects ThinkCMF with versions <= 2.2.3.

  • D-Link DSL-2750B OS command injection vulnerability.

D-Link DSL-2750B router is susceptible to a command injection vulnerability, which Mirai and its variants often abuse for infection and propagation.

  • MVPower DVR unauthenticated command execution vulnerability.

Mirai and its variants are found to exploit this command execution vulnerability in MVPower DVR devices for the purpose of infection.

  • Zyxel EMG2926 router command injection vulnerability.

A lack of parameter validation in Zyxel EMG2926 routers results in a remote command vulnerability. It’s also one of the vulnerabilities being exploited by Mirai malware.

  • Netgear DGN Device remote command execution.

It’s an unauthenticated remote command execution resulting from the lack of input sanitization in syscmd function of setup.cgi. This vulnerability exists in Netgear DGN devices DGN1000 (for those with firmware version < 1.1.00.48) and DGN2200 v1.


Bonus: Top 25 RCE Bug Bounty Reports

Los informes se divulgaron a través de la plataforma HackerOne y se seleccionaron de acuerdo con sus votos positivos, recompensa, nivel de gravedad, complejidad y singularidad.

#1

Title: Potential pre-auth RCE on Twitter VPN

Company: Twitter

Bounty: $20,160

Link: https://hackerone.com/reports/591295

#2

Title: RCE on Steam Client via buffer overflow in Server Info

Company: Valve

Bounty: $18,000

Link: https://hackerone.com/reports/470520

#3

Title: Struct type confusion RCE

Company: Shopify

Bounty: $18,000

Link: https://hackerone.com/reports/181879

#4

Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

Company: Valve

Bounty: $12,500

Link: https://hackerone.com/reports/351014

#5

Title: Git flag injection — local file overwrite to remote code execution

Company: GitLab

Bounty: $12,000

Link: https://hackerone.com/reports/658013

#6

Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload

Company: SEMrush

Bounty: $10,000

Link: https://hackerone.com/reports/403417

#7

Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message

Company: Valve

Bounty: $9,000

Link: https://hackerone.com/reports/631956

#8

Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)

Company: LocalTapiola

Bounty: $6,800

Link: https://hackerone.com/reports/303061

#9

Title: Remote Code Execution at http://tw.corp.ubnt.com

Company: Ubiquiti Inc.

Bounty: $5,000

Link: https://hackerone.com/reports/269066

#10

Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability

Company: Flash (IBB)

Bounty: $5,000

Link: https://hackerone.com/reports/139879

#11

Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`

Company: Imgur

Bounty: $5,000

Link: https://hackerone.com/reports/212696

#12

Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/

Company: Starbucks

Bounty: $4,000

Link: https://hackerone.com/reports/502758

#13

Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File

Company: Mail.ru

Bounty: $4,000

Link: https://hackerone.com/reports/683957

#14

Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice

Company: Starbucks

Bounty: $4,000

Link: https://hackerone.com/reports/592400

#15

Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/

Company: Shopify

Bounty: $3,000

Link: https://hackerone.com/reports/73567

#16

Title: Unchecked weapon id in WeaponList message parser on client leads to RCE

Company: Valve

Bounty: $3,000

Link: https://hackerone.com/reports/513154

#17

Title: Drupal 7 pre auth sql injection and remote code execution

Company: The Internet Bug Bounty Program

Bounty: $3,000

Link: https://hackerone.com/reports/31756

#18

Title: RCE via ssh:// URIs in multiple VCS

Company: The Internet Bug Bounty Program

Bounty: $3,000

Link: https://hackerone.com/reports/260005

#19

Title: Remote Code Execution on Git.imgur-dev.com

Company: Imgur

Bounty: $2,500

Link: https://hackerone.com/reports/206227

#20

Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]

Company: PHP (IBB)

Bounty: $1,500

Link: https://hackerone.com/reports/198734

#21

Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE

Company: Lob

Bounty: $1,500

Link: https://hackerone.com/reports/520717

#22

Title: Remote code execution using render :inline

Company: Ruby on Rails

Bounty: $1,500

Link: https://hackerone.com/reports/113928

#23

Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)

Company: Ruby on Rails

Bounty: $1,500

Link: https://hackerone.com/reports/473888

#24

Title: Remote code execution on rubygems.org

Company: RubyGems

Bounty: $1,500

Link: https://hackerone.com/reports/274990

#25

Title: WordPress SOME bug in plupload.flash.swf leading to RCE

Company: Automattic

Bounty: $1,337

Link: https://hackerone.com/reports/134738

#1 Bonus

Title: Read files on application server, leads to RCE

Company: GitLab

Bounty: $0

Link: https://hackerone.com/reports/178152

#2 Bonus

Title: XXE in DoD website that may lead to RCE

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/227880

#3 Bonus

Title: Remote Code Execution (RCE) in a DoD website

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/248116

#4 Bonus

Title: Remote Unrestricted file Creation/Deletion and Possible RCE.

Company: Twitter

Bounty: $0

Link: https://hackerone.com/reports/191884

#5 Bonus

Title: RCE on █████ via CVE-2017–10271

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/576887

#6 Bonus

Title: Ability to access all user authentication tokens, leads to RCE

Company: GitLab

Bounty: $0

Link: https://hackerone.com/reports/158330

#7 Bonus

Title: Remote Code Execution via Extract App Plugin

Company: Nextcloud

Bounty: $0

Link: https://hackerone.com/reports/546753

#8 Bonus

Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/678496

#9 Bonus

Title: Remote Code Execution in Rocket.Chat Desktop

Company: Rocket.chat

Bounty: $0

Link: https://hackerone.com/reports/276031

#10 Bonus

Title: [npm-git-publish] RCE via insecure command formatting

Company: Node.js third-party modules

Bounty: $0

Link: https://hackerone.com/reports/730121

I hope this article was helpful and I would like to thank you for your attention!

Fuentes:

0 comentarios :

Publicar un comentario

Los comentarios pueden ser revisados en cualquier momento por los moderadores.

Serán publicados aquellos que cumplan las siguientes condiciones:
- Comentario acorde al contenido del post.
- Prohibido mensajes de tipo SPAM.
- Evite incluir links innecesarios en su comentario.
- Contenidos ofensivos, amenazas e insultos no serán permitidos.

Debe saber que los comentarios de los lectores no reflejan necesariamente la opinión del STAFF.