Core Impact
August 2024
Version: 21.6
August 12, 2024
New Features
- NTLM Connections Store. Leverage relayed connections at will to trigger attack modules based in connections' properties.
- New entities' Quick Information panel.
Enhancements
- Allow more customization when setting Agent Connection parameters in the Attack & Penetration wizard.
- Standardized and aligned service detection in the Information Gathering phase, allowing better integration with exploits when triggering Attack & Penetration.
- Revamped exploits module output showing a results table with information on each step done in the module execution.
- Active Directory Reconnaissance improvements.
- Added module to request Kerberos TGT from certificate.
- Web Apps Fuzzer addition to discover hidden directories and pages in web servers.
- Redesigned reports that better present summarized information.
- Enhanced Phishing URLs generation to remove easily detectable hardcoded values.
- Avoid GUI process elevation requirement.
- Dependencies Update: Nmap, zlib, boost, XtremeToolkitPro, Impacket.
Fixes
- Tenable Security Center & Tenable Vulnerability Management integration.
- Fixed an issue when editing workspaces' tags.
January 2024
Version: 21.5
January 9, 2024
New Features
- NTLMRelayX has been incorporated into Impact, introducing various coercion techniques, and integrating with additional attack modules as well.
- New Overview dashboard.
Enhancements
- Support CVSS v3 and CVSS v3.1.
- Update integration with WiFi Pineapple Mark VII.
- Update dependencies: OpenSSL, cryptopp, lxml, jpeg.
Fixes
- Fixed a WebApps crawling certificate issue so that the subjectAltName requirement is honored.
- Fixed an issue where "Custom Install" with the default configuration was not the same as "Default Install".
- Removed an unneeded dependency on the Microsoft Visual C++ redistributable package.
- Fixed an issue in the "Network Vulnerability Report" generation process.
July 2023
Version: 21.4
July 24, 2023
New Features
- BloodHound integration: discover users and paths to high value targets and import users as Identities.
- IBM i pentesting: added IBM i as a supported platform to run tests against, with new Information Gathering modules as well as attack and privilege escalation ones.
- Add ability to create ServiceNow incidents for discovered vulnerabilities.
Enhancements
- Updated dependencies.
- Updated Web browser engine of UI frames.
Fixes
- Fixed error "Failed to validate Impact license" when upgrading the system.
January 2023
Version: 21.3
January 8, 2023
New Features
- New Modules:
  - Post exploitation module to execute .NET assemblies
  - Post exploitation module to simulate a Ransomware attack
- Support Beacon Object File (BOF) execution from any Windows agent. Core Impact can now leverage the extensive BOF library created by the community, as well as execute any custom BOF.
- Added capability to tunnel traffic through a SOCKS Proxy Server, thus enabling exploit execution through a Cobalt Strike beacon, for example.
Enhancements
- Added support for Unicode environments, expanding the systems that Core Impact can pentest and the hosts where it can be installed.
- Dependencies updated:
  - OpenSSL
  - mimikatz
- Updated support for OWASP Top 10 2021 in WebApps RPT.
- Allow triggering one-shot exploits (modules that could leave the exploited service unavailable) when running a Vulnerability Scanner Validation.
- Added option to trigger Metasploit exploits when running a Vulnerability Scanner Validation. In order to do so, Metasploit integration has to be set up within Core Impact.
Fixes
- Core Impact agent through HTTP / HTTPS channel can be deployed on Ubuntu 22.04.
- Enlarged the length of commands that can be executed in shells.
- Showing full output of commands in PowerShell shell.
- Enhanced exception handling in Attack Map View.
- Fixed customer-reported issues when importing scan results from Acunetix / Burp / Nexpose / Nessus.
- DNS Channel now responds to NS requests, allowing usage with OpenDNS.
November 2021
Version: 21.2
November 29, 2021
New Features
- Core Impact can now map and categorize every engagement in MITRE. Impact modules can be filtered by MITRE ATT&CK Framework Tactics, Techniques and Subtechniques. Two new reports that utilize the MITRE ATT&CK Navigator layer output can be generated:
  - MITRE ATT&CK Navigator report
  - NIST 800 Navigator report
- Integration with two new vulnerability scanners has been added:
  - FrontlineVM scanner
  - beSecure scanner
Enhancements
- The Attack Map view is completely interactive and can be used as the primary working space for testers who prefer a fully visualized engagement experience.
- A remote SQL Server engine can be configured to be used as the Impact database.
- Dependencies updates:
  - OpenSSL 1.1.1l
  - .NET Framework v4.8
  - psqlODBC 13.02
- Agents' display name has been enhanced to show the process, PID and user name running it on the remote system.
- Ability to set EHLO/HELO in SMTP Server configuration to explicitly set Impact's host name when sending hello commands (HELO/EHLO) to the SMTP server.
Fixes
- Automatic Impact Updates are now enabled by default.
- Internal workspaces are not shown in the "Workspace Import/Export" wizard.
- A module to run after deploying an agent can be selected in ClientSide exploits.
July 2021
Version: 21.1
July 13, 2021
New Features
- Network Map View. This view provides you with a real-time overview of attack chains, pivoting and any other activities completed during testing. This increased insight allows security teams to better determine the best path forward in the testing engagement.
- Automated Updates. Minor updates to Core Impact and new exploits can now be automatically installed, allowing you to enjoy new features as soon as they are available. This new feature is available through Tools -> Options -> Software Updates section.
Enhancements
- Searching within Core Impact modules has been enhanced, with search results now featuring additional context making it easier to find what you’re looking for.
- Module search keeps the folder structure while displaying the results.
- Reorganized some sections in the Tools -> Options menu to make them easier to understand and find.
- Dependencies updates:
  - OpenSSL 1.1.1k
  - NMap 7.90
  - Impacket
  - mimikatz 2.2.0-20210512
Fixes
- Added ability to run Remediation Validation on workspaces created in previous versions.
- Added ability to install an agent using SSH on modern Linux distros.
- Identities Verifier can now run without limitations on the number of lines of the password file.
- Nessus vulnerability scanner integration is now working with the latest version.
- WMI modules have been updated to work with the latest Windows 10 versions.
- PCAP Plugin has been updated to support the latest Debian and Red Hat 64 bits versions.
- Enumerate User Accounts with SPNs module has been updated to support the latest Windows 2019 Server versions.
March 2021
Version: 20.4
March 8, 2021
Enhancements
- Background images for different wizards inside the tool to make it more consistent with the brand.
New Features
- Support for different Impact Editions:
  - Enterprise: Ideal for businesses of all sizes working on building a robust security profile.
  - Pro: Ideal for infrastructure protection departments of all sizes working on building a robust network security profile.
  - Basic: Perfect for a small IT infrastructure or organizations new to security monitoring.
December 2020
Version: 20.3
December 15, 2020
Enhancements
- Loading workspaces, hosts and identities is now 5x faster.
- Improved performance in the hostname resolution process while running Information Gathering over a network.
New Features
- Added database maintenance tasks scheduled to run every day to maintain its performance.
- Deploy to drives other than C:\
  - Use the custom path installation option to select another drive or directory where to install the product.
- Added module "Run Shellcode in Temporary Process" to allow users to deploy Cobalt Strike beacons or their own custom code from an Impact agent.
- The "Package and Register Agent" module can be used to deploy Impact agents through the Cobalt Strike attack chain.
Fixes
- WebApplications Attack & Penetration was not committing vulnerabilities in "A6-Detect Known Security Misconfiguration Issues".
- The Module Output of ClientSide Phishing didn't load all rows in the events table.
- Network Information Gathering was misidentifying services behind the RDP port and rolling back OS fingerprinting.
- SMB credentials were not committed when running ClientSide Phishing attacks.
November 2020
Version: 20.2.2
November 30, 2020
Enhancements
- New Exploits
  - Oracle Weblogic Server MBeanUtilsInitSingleFileServlet service Vulnerability Remote Code Execution Exploit: Oracle WebLogic Server is prone to a remote vulnerability that allows unauthenticated attackers to execute system commands. By exploiting known methods, it is possible to remotely instantiate several Java classes that allow execution of system commands. (CVE-2020-14882)
  - Microsoft SharePoint Server WebParts Deserialization TypeConverters Vulnerability Exploit: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint. (CVE-2020-0932)
  - Microsoft Windows Bad Neighbor DoS Exploit: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets, aka 'Windows TCP/IP Remote Code Execution Vulnerability'. (CVE-2020-16898)
  - Microsoft Windows WalletService Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1362)
New Features
- Custom shellcode runner from Impact agent - Spawn Cobalt Strike beacon: This update introduces a module named "Run shellcode in temporary process". This module executes Windows position-independent shellcode in a new process using the Process Hollowing technique (without writing any file). It can be used to spawn a Cobalt Strike Beacon from a Windows Impact agent.
Fixes
- Oracle Weblogic Server MBeanUtilsInitSingleFileServlet service Vulnerability Remote Code Execution Exploit Update: Oracle WebLogic Server is prone to a remote vulnerability that allows unauthenticated attackers to execute system commands. By exploiting known methods, it is possible to remotely instantiate several Java classes that allow execution of system commands. This update improves code readability and adds a bypass for CVE-2020-14750. (CVE-2020-14882)
- Microsoft Windows Netlogon CVE-2020-1472 Vulnerability Checker update: A new update was created in order to eliminate the need to pass a NetBIOS name as a parameter instead of an IP address. (CVE-2020-1472)
October 2020
Version: 20.2.1
October 30, 2020
Enhancements
- New Exploits
  - Microsoft SharePoint Server WikiContentWebpart Web Part Remote OS Command Injection Exploit: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls, aka 'Microsoft SharePoint Server Remote Code Execution Vulnerability'. (CVE-2020-1181)
  - Microsoft SharePoint Server CreateChildControls Server Side Include Vulnerability Exploit: A server-side include in Microsoft SharePoint via CreateChildControls in the DataFormWebPart class allows an authenticated user to leak the web.config file and forge a malicious ViewState with the extracted validation key. The exploit requires credentials for a user with page creation privileges, a standard permission. (CVE-2020-16952)
New Features
- OpenVAS integration: OpenVAS importer bug fix and integration with Vulnerability Scanner Validator RPT.
Fixes
- Microsoft Windows DNS Server SIGRed Local Privilege Escalation Exploit Update: This update adds support for Windows Server 2008 Enterprise Edition SP2 - x86-64. (CVE-2020-1350)
September 2020
Version: 20.2
September 29, 2020
Enhancements
- New Exploits
  - Microsoft SharePoint Server DataSet Deserialization Remote OS Command Injection Exploit: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. (CVE-2020-1147)
  - Docker Desktop Local Privilege Escalation Exploit: Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. This affects Docker Desktop Enterprise before 2.1.0.9, Docker Desktop for Windows Stable before 2.2.0.4, and Docker Desktop for Windows Edge before 2.2.2.0. (CVE-2020-10665)
  - Microsoft Windows DNS Server SIGRed Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists in Windows when the DNS server fails to properly handle SIG responses. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1350)
  - EVGA Precision X1 WinRing Local Privilege Escalation Exploit: The driver in EVGA Precision X1 (aka WinRing0x64.sys) allows any user to read and write to arbitrary memory. (CVE-2020-14979)
New Features
- Enable the configuration of WebServer parameters (source agent and port) when running Network RPT AP.
Fixes
- AMSI Bypass Implementation for Exploits and Agents: This update implements a new technique to avoid or reduce detection of remoteCommandExecution attack methods and commands executed on PowerShell consoles that are monitored by AMSI (Anti-Malware Scan Interface).
- Microsoft Windows Netlogon CVE-2020-1472 Vulnerability Checker: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'. This module tries to determine remotely whether the target host is vulnerable to CVE-2020-1472.
- Exploits Maintenance CVE Numbers 23: This update adds CVE numbers to 42 exploits that were released prior to a CVE number being assigned (typically noted as NOCVE), and updates modules with invalid CVE numbers.
- Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules.
- Update Metasploit Framework Integration: This update makes Metasploit Framework v6.0.7 the new recommended and tested version to integrate with Impact.
August 2020
Version: 19.1.13 and 20.1.1
August 31, 2020
v20.1.1
Enhancements
- New Exploits
  - Oracle Coherence T3 ExtractorComparator Deserialization Vulnerability Remote Code Execution Exploit: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2883)
  - Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit: An unauthenticated java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a java class file to gain arbitrary code execution on the affected system. (CVE-2020-14645)
  - MSI Ambient Link Local Privilege Escalation Exploit: Multiple stack buffer overflows were found in the MSI AmbientLink MsIo64 driver when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-17382)
Fixes
- Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit Update: An unauthenticated java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a java class file to gain arbitrary code execution on the affected system. This update adds XML tags to prevent pivoting. (CVE-2020-14645)
- Exploit Modules Maintenance: This update includes small metadata improvements for some exploit modules.
- RPT module output performance enhancements: Performance enhancements for the RPT modules output.
- ETW Bypass Implementation for Exploits: This update implements a new technique that disables Event Tracing for Windows (ETW); PowerShell command events generated by Impact agents are now stealthier.
v19.1.13
Enhancements
- New Exploits
  - Oracle Coherence T3 ExtractorComparator Deserialization Vulnerability Remote Code Execution Exploit: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2883)
  - Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit: An unauthenticated java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a java class file to gain arbitrary code execution on the affected system. (CVE-2020-14645)
  - MSI Ambient Link Local Privilege Escalation Exploit: Multiple stack buffer overflows were found in the MSI AmbientLink MsIo64 driver when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-17382)
Fixes
- Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit Update: An unauthenticated java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a java class file to gain arbitrary code execution on the affected system. This update adds XML tags to prevent pivoting. (CVE-2020-14645)
Version: 20.1
August 4, 2020
Enhancements
- Common installer file. All users and distributions will download the same Core Impact installation files, with a unique user license key delivered to users to enforce security controls.
- Core Impact can now be upgraded on top of an existing installation. For example, a user with Core Impact 19.1 can upgrade to Core Impact 20.1 without uninstalling or deactivating, while preserving data and settings.
- Flexible licensing. Users may activate Core Impact on up to three systems concurrently, for example a test system, a virtual machine and a forward-deployed jump box.
New Features
- Web based interface allows users to optionally connect to Core Impact over HTTPS to utilize the product.
- Users may optionally choose their own SQL Server Standard / Enterprise to contain the Core Impact data instead of the included SQL Server Express datastore.
- New exploit packs are now available for IoT Devices, Medical Devices & Software systems and SCADA/ICS Professional version.
- New global settings for phishing campaigns can be used across multiple exercises, and additional credential form capturing is supported for JSON and POST formatted web pages.
- Integrations added with support for OpenVAS, Plextrac and Tenable's API method.
- Added friendly reports destination folder naming.
July 2020
Version: 19.1.12
July 31, 2020
Enhancements
- New Exploits
  - Pydio Cells Mailer Configuration Remote OS Command Injection Exploit: The administrative console in Pydio Cells allows a user with administrator role to set the path for the sendmail binary executable, when the "sendmail" option is selected in the mailer configuration. Due to lack of sanitization in the given parameter, an administrator user can set the path to an arbitrary binary. (CVE-2020-12847)
  - F5 BIG-IP TMUI Directory Traversal Remote Code Execution Vulnerability Exploit: A directory traversal vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) allows unauthenticated attackers to run remote code on the underlying operating system as root. (CVE-2020-5902)
  - Microsoft Windows Win32k DrawIcon OOB Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. (CVE-2020-1054)
  - Microsoft Windows Win32k xxxPaintSwitchWindow Vulnerability Exploit: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1458)
Fixes
- AMSI Bypass Implementation for Exploits and Agents: This update implements a new technique to avoid or reduce detection of remoteCommandExecution attack methods and commands executed on powershell consoles that are monitored by AMSI (Anti-Malware Scan Interface).
June 2020
Version: 19.1.11
June 29, 2020
Enhancements
- New Exploits:
  - ATI Technologies Driver atillk64 Kernel Arbitrary Read Write Local Privilege Escalation Exploit: AMD ATI atillk64 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages. (CVE-2020-12138)
  - Eaton HMiSoft VU3 File Parsing Buffer Overflow Exploit: The specific flaw exists within the parsing of wTextLen information within VU3 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. (CVE-2020-10639)
  - Cisco AnyConnect Secure Mobility Client Uncontrolled Search Path Privilege Escalation Exploit: A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. (CVE-2020-3153)
  - Artica Pandora FMS Events Remote OS Command Injection Exploit: The target parameter in events.php in Pandora FMS 7.0NG 742, 743 and 744 allows remote authenticated users to execute arbitrary OS commands. (CVE-2020-13851)
  - OpenAudit Remote Code Execution: An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called exclude_ip). This exclude_ip value is passed to the exec function in the discoveries_helper.php file (inside the all_ip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address. (CVE-2020-12078)
  - Trident Z Lighting Control Driver Local Privilege Escalation Exploit: The ene.sys driver in Trident Z Lighting Control before v1.00.17 allows local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-12446)
  - Advantech WebAccess SCADA DATACORE IOCTL 0x523e Buffer Overflow Exploit: The specific flaw exists within DATACORE server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-12002)
  - Microsoft .NET Framework Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2020-1066)
Fixes
- Microsoft Windows Diagnostic Tracking Service Arbitrary File Read: An information vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read any file on the file system. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Connected User Experiences and Telemetry Service discloses file information. (CVE-2020-0863)
- Fix WebApps fingerprinting heuristics that were leading to wrong Framework identification: This update fixes some border cases where the website's Application Framework or Web Application was being wrongly identified.
- Fix Nessus report not fully imported: Nessus scanner import was not adding every open port to the entity created in Impact. Unknown services running on those ports were skipped. Now they are added to the entity as open ports, but marked as an "unknown" service.
May 2020
Version: 19.1.10
May 29, 2020
Enhancements
- Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. This update adds payload generation error detection and dependencies documentation. (CVE-2020-0688)
- New Exploits:
  - Windows Search Indexer get_RootURL Race Condition Privilege Escalation Exploit: A race condition exists in Windows Search Indexer when the put_RootURL function writes user-controlled data to the memory at CSearchRoot+0x14 while, at the same time, the get_RootURL function reads the data located at CSearchRoot+0x14. The vulnerability is caused by access to a shared variable between two different methods of the same instance. (CVE-2020-0735)
  - WECON LeviStudioU MulStatus szFilename Exploit: The specific flaw exists within the handling of XML files, when parsing the szFilename attribute of the MulStatus element. (CVE-2019-6537)
  - Oracle Coherence T3 ReflectionExtractor Deserialization Vulnerability Remote Code Execution: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2555)
  - Liferay Portal JSONWS Java Deserialization Vulnerability Remote Code Execution Exploit: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). (CVE-2020-7961)
  - Advantech WebAccess SCADA DATACORE IOCTL 0x5227 Buffer Overflow Exploit: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/SCADA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of IOCTL 0x00005227 in DATACORE.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-12002)
  - TeamViewer post-exploitation IG: This update adds a new post-exploitation module, Password Dump from TeamViewer, which leverages reverse-engineered encryption keys to decrypt TeamViewer password data from the registry on a compromised Windows host.
Other Updates
- WebApps Web Proxy Certificate Update
April 2020
Version: 19.1.9
April 30, 2020
Enhancements
- Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules.
- Import Output XML Report from OpenVAS: This update add support to import the output from OpenVAS to Core Impact
- Exploits Maintenance CVE Numbers 22: This update provides modules that were released prior to a CVE number being assigned (typically noted as NOCVE) with the correct CVE number as well as updating modules with invalid CVE numbers.
- New Exploits:
Microsoft Windows Ws2ifsl UaF Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. (CVE-2019-1215)
Microsoft Windows SMBv3 SMBGhost Elevation of Privilege Vulnerability Exploit: An unauthenticated attacker can connect to the target system using SMBv3 and sends specially crafted requests to exploit the vulnerability. This module exploits this vulnerability in the local system in order to achieve an elevation of privilege. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0796)
Kinetica Admin getLogs Function Remote OS Command Injection Exploit: The Kinetica Admin web application did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. (CVE-2020-8429)
Microsoft Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status and take control of an affected system. (CVE-2020-0787)
Fuji Electric V-Server Lite VPR File Parsing Overflow Exploit: The specific flaw exists within the processing of VPR files. (CVE-2020-10646)
Open-AudIT m_devices.php Remote PHP File Upload Vulnerability Exploit: The sub_resource_create function of class M_devices in m_devices.php of Open-AudIT 3.2.2 allows remote authenticated users to upload arbitrary PHP files, allowing the execution of arbitrary php code in the system. (CVE-2020-11942)
Fixes
- Microsoft Windows SMBv3 CoronaBlue Vulnerability DoS Update: An unauthenticated attacker can connect to the target system using SMBv3 and send specially crafted requests to exploit the vulnerability. The module exploits this vulnerability in order to generate a Denial of Service. This update contains minor fixes to it. (CVE-2020-0796)
March 2020
Version: 19.1.8
March 31, 2020
Enhancements
- New Command Injection Library Method: A new command injection method was added to the library, using certutil.exe to achieve code execution.
  - Some CI and Remote exploits were updated to use the new technique.
  - A library method using Powershell was updated to be more stealthy.
- Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update Improvements: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)
- Microsoft Exchange Validation Key Remote OS Command Injection Exploit Update: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)
- New Exploits:
CORSAIR iCUE Driver Local Privilege Escalation Exploit: The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE before 3.25.60 allow local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace. (CVE-2020-8808)
Microsoft SQL Server Reporting Services Remote OS Command Injection Exploit: A deserialization vulnerability in Microsoft SQL Server Reporting Services allows an authenticated attacker to execute arbitrary commands in the context of the Report Server service account. (CVE-2020-0618)
Integard Pro NoJs Parameter Buffer Overflow Exploit: Integard Pro is prone to a buffer overflow when handling a specially crafted HTTP POST request. (CVE-2019-16702)
Microsoft Exchange Validation Key Remote OS Command Injection Exploit: .NET deserialization vulnerability in the Microsoft Exchange Control Panel web page allows authenticated attackers to execute OS commands with SYSTEM privileges. The lack of randomization in the validationKey and decryptionKey values at installation allows an attacker to create a crafted viewstate to execute OS commands via .NET deserialization. (CVE-2020-0688)
Microsoft Windows Service Tracing Privilege Escalation Exploit: An arbitrary privileged file move operation exists in Microsoft Windows Service Tracing. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory. (CVE-2020-0668)
Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Buffer Overflow Exploit: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. (CVE-2020-7002)
Microsoft Windows SMBv3 CoronaBlue Vulnerability DoS: An unauthenticated attacker can connect to the target system using SMBv3 and send specially crafted requests to exploit the vulnerability. This module exploits this vulnerability in order to generate a Denial of Service. (CVE-2020-0796)
OpenSMTPD Remote Code Execution Exploit: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation. (CVE-2020-7247)
Microsoft Windows Installer Elevation of Privilege Vulnerability Exploit: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. (CVE-2020-0683)
Fixes
- Viper RGB Driver Read Write IO Ports DoS Update: This update adds the CVE number. (CVE-2020-9756)
February 2020
Version: 19.1.7
February 29, 2020
Enhancements
- Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules. (CVE-2019-11581)
- AV Evasion Improvements V13: HTTP connections had started to get detected; this update makes those connections stealthier.
- New Exploits:
Microsoft Windows Remote Desktop DejaBlue DoS: A denial of service vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. (CVE-2019-1181)
Microsoft Windows CoreShellComServerRegistrar Open Process Local Privilege Escalation Exploit: An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting unprotected COM calls. (CVE-2019-1184)
Viper RGB Driver Read Write IO Ports DoS: The IOCTL Codes 0x80102050 and 0x80102054 allow a low privileges user to read/write 1/2/4 bytes from/to an IO port. This could be leveraged in a number of ways to ultimately run code with elevated privileges. (NOCVE-9999-127139)
Viper RGB Driver Kernel Buffer Overflow Local Privilege Escalation Exploit: This module exploits a buffer overflow vulnerability in the Viper RGB MsIo64.sys driver that allows unprivileged local users to execute code with SYSTEM privileges. (CVE-2019-19452)
Fixes
- WebApps Vulnerability Test Module Output fixes.
- Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Vulnerability Exploit Update: This module uses an authentication bypass and a SQL injection vulnerability in order to upload and execute a JSP file in the Wildfly virtual file system webapps directory. This update fixes OS detection when detecting the DCNM version. (CVE-2019-15976)
January 2020
Version: 19.1.6
January 31, 2020
Enhancements
- New Exploits:
Linux PTRACE_TRACEME Local Privilege Escalation Exploit: In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). (CVE-2019-13272)
Microsoft Windows Win32k xxxMNFindWindowFromPoint Vulnerability Exploit: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0808)
Windows Error Reporting Manager Arbitrary File Move Elevation of Privilege Exploit: An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles hard links. (CVE-2019-1315)
Citrix ADC and Gateway Directory Traversal Vulnerability Exploit: Citrix Application Delivery Controller (ADC) and Citrix Gateway are prone to a directory traversal vulnerability that allows attackers to upload an XML file via newbm.pl and execute system commands. (CVE-2019-19781)
Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Vulnerability Exploit: This module uses an authentication bypass and a SQL injection vulnerability in order to upload and execute a JSP file in the Wildfly virtual file system webapps directory. (CVE-2019-15976)
MSI Afterburner RTCore64 Privilege Escalation Exploit: The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. (CVE-2019-16098)
December 2019
Version: 19.1.5
December 31, 2019
Enhancements
- Assorted Improvements for Exploits: This update contains minor improvements and fixes to several exploit modules. Two fixes were made to the RemoteCommandExecution and WebappRemoteCodeExecution exploits, which had been prevented from executing all the configured attack methods. Two more fixes were made to ComplexXorEgg, which was failing to generate a valid stub when certain starting conditions were met.
- AV Evasion Improvements V12: The 32-bit agent wrappers were changed to be more evasive. The decoder stub now has a metamorphic functionality.
- New Exploits:
Microsoft Internet Explorer Scripting Engine Memory Corruption Exploit: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked safe for initialization in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. (CVE-2019-0752)
Robot Attack Vulnerability Analyzer: This module sends various malformed messages over SSL to the target service in order to detect a discrepancy between the server's responses; if one is found, it marks the target as vulnerable to this kind of attack (ROBOT attack). (NOCVE-9999-127128)
Microsoft Windows UPnP Device Host Local Privilege Escalation Exploit: This module exploits two vulnerabilities (CVE-2019-1405 & CVE-2019-1322) in order to get SYSTEM privileges. The first one "UPnP Device Host" allows us to get SERVICE privileges. The second one "Update Orchestrator Service" allows us to escalate from SERVICE to SYSTEM. (CVE-2019-1405)
File Sharing Wizard POST Method Exploit: File Sharing Wizard is prone to a buffer-overflow when handling a specially crafted HTTP POST parameter. (CVE-2019-16724)
Viper RGB Driver Kernel Arbitrary Read Write Local Privilege Escalation Exploit: The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection. (CVE-2019-18845)
Fixes
- Microsoft Windows Remote Desktop Protocol BlueKeep DoS Update: A Denial of Service exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This update corrects a wrong category specification. (CVE-2019-0708)
November 2019
Version: 19.1.4
November 30, 2019
Enhancements
- Linux Kernel libfutex Privilege Escalation Exploit Update: This module has improvements for the Linux Kernel libfutex exploit. (CVE-2014-3153)
- Apache Solr Velocity Template Remote OS Command Injection Exploit Update: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. This update adds automatic core name detection and newer supported versions. (NOCVE-9999-127120)
- Microsoft Windows Remote Desktop Protocol BlueKeep Use After Free Exploit Update 2: This update adds support for Windows 7 SP1 x64. (CVE-2019-0708)
- New Exploits:
Kibana Timelion Visualizer Remote Javascript OS Command Injection Exploit: An arbitrary code execution vulnerability in the Kibana Timelion visualizer allows an attacker with access to the application to send a request that will attempt to execute javascript code with permissions of the Kibana process on the host system. (CVE-2019-7609)
Apache Solr Velocity Template Remote OS Command Injection Exploit: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. (NOCVE-9999-127120)
SolarWinds Dameware Mini Remote Control Unauthenticated RCE Exploit: The Solarwinds Dameware Mini Remote Client agent supports smart card authentication by default which allows a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable. (CVE-2019-3980)
rConfig ajaxServerSettingsChk and search_crud Remote OS Command Injection Exploit: An unauthenticated OS command injection vulnerability in rConfig using the rootUname parameter present in ajaxServerSettingsChk.php allows an attacker to send a request that will attempt to execute OS commands with the permissions of the rConfig process on the host system. Also, an authenticated OS command injection vulnerability using the catCommand parameter present in search.crud.php allows an attacker to do the same, but credentials are required. (CVE-2019-16662)
AVEVA InduSoft Web Studio Remote Command Injection Exploit: Unauthenticated remote command injection vulnerability in Indusoft Web Studio 8.1 SP2. The vulnerability is exercised via the custom remote agent protocol that is typically found on port 1234 or 51234. An attacker can issue a specially crafted command 66 which causes IWS to load a DB connection file off of a network share using SMB. The DB file can contain OS commands that will be executed at the privilege level used by IWS. (CVE-2019-6545)
WECON LeviStudioU SMtext Buffer Overflow Exploit: The specific flaw exists within the handling of XML files. When parsing the ShortMessage SMtext element, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. (NOCVE-9999-127119)
Apache Solr ENABLE_REMOTE_JMX_OPTS JMX-RMI Remote Code Execution Exploit: Apache Solr is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JMX/RMI service used to manage and monitor the Java Virtual Machine. By exploiting known methods, it is possible to remotely load an MLet file from an attacker controlled web server that points at a jar file. (CVE-2019-12409)
October 2019
Version: 19.1.3
October 31, 2019
Enhancements
- Atlassian Confluence Widget Connector Macro Vulnerability Exploit Improvements: This update adds several mechanisms in order for this exploit to work while pivoting on Unix-family systems (Linux, OpenBSD/FreeBSD, and macOS). (CVE-2019-3396)
- Samba Pipe dlopen Remote Code Execution Exploit Update: This update makes this exploit also work on 32-bit targets. (CVE-2017-7494)
- Client Side email templates processing improvements
- New Exploits:
Check Point Endpoint Security Initial Client Privilege Escalation Exploit: Check Point Endpoint Security includes data security, network security, advanced threat prevention, forensics, and remote access VPN solutions. Some parts of the software run as a Windows service executed as 'NT AUTHORITY\SYSTEM', which provides it with very powerful permissions. This vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges. (CVE-2019-8461)
LibreOffice LibreLogo Python Global Event Scripting Vulnerability Exploit: By abusing document's event feature in LibreOffice and the LibreLogo script, an attacker can execute arbitrary python code from within a malicious document silently, without user warning. This module performs a bypass of CVE-2019-9848 by using global script events. (CVE-2019-9851)
FreeBSD IOCTL CDIOCREADSUBCHANNELSYSSPACE Local Privilege Escalation Exploit: A bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges. (CVE-2019-5602)
Sudo Root With User ID Local Privilege Escalation Exploit: This module exploits a flaw in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. (CVE-2019-14287)
Advantech WebAccess SCADA GetUserPasswd BwPAlarm Buffer Overflow Exploit: The flaw exists in the GetUserPasswd function in BwPAlarm.dll due to improper validation of user-supplied data before copying the data to a fixed size stack-based buffer when processing an IOCTL 70603 RPC message. (CVE-2018-18999)
Disk Pulse Enterprise Import Command Local Buffer Overflow Exploit: A buffer overflow exists when parsing .XML files via Command Import. The vulnerability is caused by a boundary error when handling a crafted .XML file. (CVE-2017-7310)
Fixes
- AV Evasion Specific Modules: This update adds 3 new modules related to the AV evasion component. Two of them allow deploying a network agent by leveraging either fileless Powershell or MSHTA tactics. The other one implements an Office attack through Microsoft Excel DDE, allowing a network agent to be deployed through the client-side vector.
- Network RPT Wizards Update: This update has some minor fixes for the Network RPT Wizards.
September 2019
Version: 19.1.2
September 30, 2019
Enhancements
- Stability improvements in agent channel: This update improves Impact stability when disconnecting agents which were deployed with 'Install Agent using ssh' and the 'reuse connection' channel (default channel for this module).
- Retry option for the TCP port scanner: We have added an option to the module "Port Scanner - Fast SYN" so that it can retry probes that didn't generate a response, improving accuracy. By default the retry value is 6, meaning that a probe that didn't respond will be resent up to 6 times or until a response is received.
- New Exploits:
Adobe ColdFusion JNBridge Remote Code Execution Exploit: Adobe ColdFusion is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JNBridge protocol. (CVE-2019-7839)
Fuji Electric Alpha5 Smart Loader Exploit: Fuji Electric Alpha5 Smart Loader is prone to a buffer overflow when handling a specially crafted csp file. (CVE-2018-14788)
Microsoft Internet Explorer VBScript UAF Exploit (2019): A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. (NOCVE-9999-127115)
Microsoft Windows Win32k Elevation Of Privilege Exploit: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. (CVE-2019-0803)
Microsoft Windows Win32k xxxMNOpenHierarchy Vulnerability Exploit v1: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1132)
August 2019
Version: 19.1.1
August 31, 2019
Enhancements
- New Exploits:
LibreOffice LibreLogo Python Scripting Vulnerability Exploit v19_1: By abusing the document event feature in LibreOffice and the LibreLogo script, an attacker can execute arbitrary python code from within a malicious document silently, without user warning. (CVE-2019-9848)
MAPLE Computer SNMP Administrator Exploit v19_1: Maple Computer SNMP Administrator is prone to a buffer overflow triggered by sending a specially crafted packet with an overly long string on port 987. (CVE-2019-13577)
Fixes
- Exploits Catchup Update for Impact 19.1: This update includes 15 exploits that were released for 18.2 but didn't make it into 19.1, plus some exploit and AV evasion improvements.
- Vulnerability Checker modules were not executed to test vulnerabilities imported with the Network Vulnerability Scanner Validator.
- Network modules from the 'Information Gathering/Vulnerability checkers' category were not launched in the context of the Vulnerability Scanner Validator to test imported vulnerabilities. These modules were moved from RPT AP to RPT IG execution in the IMPACT 18.2 release; as part of these changes, they were excluded from the Vulnerability Scanner Validator execution.
Version 19.1
August 1, 2019
Enhancements
- Updated Local Information Gathering (LIG) modules (password dump & cookie retrievers) to show the before in the customer deliverable.
- Enhanced support for SQLi Database Injections for Network SQL Agent and SQL Injection Analyzer/SQL Agents for the following:
- SQL Server 2017
- SQL Server 2016
- SQL Server 2014
- SQL Server 2012
- SQL Server 2008 R2
- MySQL 8.0
- MySQL 5.7
- MariaDB 10.2
- PostgreSQL 10.5
- Easily identify compromised hosts from Network RPTs with a Vulnerable Hosts search folder.
- Updated list of supported and certified platforms for v2019a:
Certified: Windows 10 Enterprise 64 bit (April 2018 Update - Version: 1803), Windows 10 Pro 64 bit (April 2018 Update - Version: 1803), Windows 10 Enterprise 64 bit (May 2019 Update - Version: 1903), Windows 10 Pro 64 bit (May 2019 Update - Version: 1903).
Supported: Windows Server 2016 Standard, Windows Server 2019 Standard.
No longer Supported: Windows 7 Ultimate SP1 64 bit, Windows 7 Enterprise SP1 64 bit, Windows 7 Professional SP1 64 bit, Windows 8.1 Enterprise 64 bit, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2.
- Refreshed WebApps IG RPT module output.
- Refreshed WebApps AP RPT module output.
- Implemented AS-REPs roasting attack.
- Updated Network SQL Agent & Database Identity Verifiers to support the latest versions of db engines.
- Show all web pages with vulnerabilities when selecting 'Vulnerable pages'.
- Show a visual indicator of privilege level of the agents.
- Create built-in search folder for connected OS Agents.
- Extended webapps's vulnerability search folder criteria to look for pages with *any* vulnerability.
- Updated Impacket library for Impact v2019a.
- Support added for macOS 10.12/10.13/10.14 versions.
- Run vulnerability checkers as part of RPTs.
- Added new mechanism to integrate third party Python libraries.
- Improved Wizard Workflow for Network IG/AP.
- Added Impact Network pentest REST Automation API for specific vulnerabilities/exploits.
- Updated mimikatz to latest version for Impact v2019a.
- Updated Nmap database files for Impact v2019a.
- Updated support to current version of Metasploit for Impact v2019a.
- Updated Nikto database for Impact v2019a.
- Updated Identity Manager dictionaries for Impact v2019a.
Deprecated Features
In an effort to maintain and support up-to-date features and components, Core Impact 19.1 deprecated the following features:
- Removed obsolete mobile devices functionality.
- Removed support for Surveillance camera testing.
- Removed PatchLink VMS / STAT Guardian importers.
- Removed modules related to Insight Enterprise from Impact.
- Removed WiFi modules that use AirPcap devices in favor of WiFi Pineapple.