Archive for August, 2018

Rewterz Threat Advisory – Microsoft Windows ‘SchRpcSetSecurity()’ Privilege Escalation Vulnerability

 A vulnerability in Microsoft Windows Task Scheduler can be exploited to gain escalated privileges.


PUBLISH DATE: 28-08-2018


Elevated SYSTEM privileges can be gained by exploiting an error in the Microsoft Windows task scheduler. The error occurs while handling the ALPC calls related to the “SchRpcSetSecurity()” function.



The Microsoft Windows task scheduler contains a vulnerability in its handling of ALPC calls which can permit a local user to gain SYSTEM privileges without needing authentication.


The public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. The publicly available exploit source code can be modified to make it compatible with other systems.


SchRpcSetSecurity, part of the task scheduler ALPC endpoint, allows a caller to set an arbitrary DACL. It sets the security of a file in c:\windows\tasks, where even a Guest can write without impersonating. Before the task scheduler writes the DACL, the caller can create a hard link to any file they have read access to. This results in an arbitrary DACL write. The PoC overwrites a printer-related DLL and uses it as a hijacking vector; this is just one of many ways to abuse the primitive.


The error in the Task Scheduler is that the API function SchRpcSetSecurity fails to check permissions, allowing even a guest to call it and set file permissions on anything. The vulnerability was discovered by SandboxEscaper and requires prior code execution on the host to exploit.



The exploit currently only works on 64-bit OSes (likely Windows 10 and Server 2016).



There is currently no practical solution to address the vulnerability. Therefore, extra vigilance is required in monitoring network users’ behavior. Network traffic analytics should be used to detect unusual behavior in traffic going across the network.
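As an added example (not from the advisory or from the PoC author), a defender-side check for the primitive described above: it lists the files in a directory such as C:\Windows\Tasks whose link count is above one, i.e. names that are hard links to a file elsewhere on the volume. It assumes CPython's os.stat() reports st_nlink on the platform it runs on, and demonstrates itself on a constructed temporary directory.

```python
"""Added example (not from the advisory or the PoC author): audit a directory
for files that are hard links to files elsewhere.

The primitive described above plants a hard link in C:\\Windows\\Tasks that
points at a file outside it, so that SchRpcSetSecurity rewrites the target's
DACL. A file in that directory whose link count is above one is therefore
worth a second look. Assumes os.stat() reports the link count (st_nlink),
which CPython does on NTFS as well as on POSIX file systems.
"""
import os
import tempfile

TASKS_DIR = r"C:\Windows\Tasks"


def find_hardlinked_files(directory):
    """Return [(path, link_count)] for every regular file in `directory`
    that has more than one name on its volume (link count > 1)."""
    findings = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            # os.stat() rather than entry.stat(): on Windows DirEntry.stat()
            # leaves st_nlink at zero; only a real stat() call fills it in.
            st = os.stat(entry.path, follow_symlinks=False)
            if st.st_nlink > 1:
                findings.append((entry.path, st.st_nlink))
    return findings


def demo_on_temp_dir():
    """Self-contained demonstration on a throw-away directory: one ordinary
    file plus one hard link to a file outside the audited directory
    (constructed stand-ins, not real task files). Returns the flagged names."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "target.dll")
        audited = os.path.join(root, "Tasks")
        os.mkdir(audited)
        with open(outside, "wb") as fh:
            fh.write(b"placeholder bytes, not a DLL")
        with open(os.path.join(audited, "normal.job"), "wb") as fh:
            fh.write(b"ordinary task file")
        os.link(outside, os.path.join(audited, "planted.job"))
        return sorted(os.path.basename(p) for p, _ in find_hardlinked_files(audited))


if __name__ == "__main__":
    if os.path.isdir(TASKS_DIR):
        for path, count in find_hardlinked_files(TASKS_DIR):
            print(f"{path}: {count} links")
    else:
        print("demo on a temporary directory:", demo_on_temp_dir())
```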


Rewterz Threat Advisory – Red Hat Update for postgresql

Red Hat has issued an update for postgresql. This fixes a vulnerability in which certain host connection parameters defeat client-side security defenses.



PUBLISH DATE: 24-08-2018



Libpq, the default PostgreSQL client library, was found to be vulnerable because it failed to properly reset its internal state between connections. If an affected version of libpq was used with “host” or “hostaddr” connection parameters from untrusted input, attackers could bypass client-side connection security features, which enables them to acquire access to higher-privileged connections or potentially cause other impacts through SQL injection by causing the PQescape() functions to malfunction.



An attacker can only exploit this vulnerability by providing or influencing connection parameters to a PostgreSQL client application using libpq. The contrib modules “dblink” and “postgres_fdw” are examples of applications affected by this flaw. Red Hat Virtualization includes vulnerable versions of postgresql.

However, this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization. A future update may address this issue. Red Hat has issued updates fixing the said vulnerability.
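An added example (not Red Hat's or PostgreSQL's code) for the precondition just described: a client that assembles libpq connection strings from user-influenced input can parse them with libpq's keyword=value rules and refuse host or hostaddr values it did not choose itself. The allowlist policy is an assumption for the example and is defence in depth, not a replacement for the update.

```python
"""Added example (not Red Hat's or PostgreSQL's code): refuse to pass
attacker-chosen host/hostaddr settings on to libpq.

The parser implements libpq's keyword=value syntax: settings separated by
whitespace, values optionally single-quoted, backslash escaping of ' and \\
inside values. postgresql:// URIs are rejected rather than parsed. The
allowlist policy is an assumption for this example.
"""


class ConnInfoError(ValueError):
    """Raised for malformed or disallowed connection strings."""


def parse_conninfo(text):
    """Parse "key=value key2='quoted value'" into a dict, libpq style."""
    params, i, n = {}, 0, len(text)
    while i < n:
        while i < n and text[i].isspace():
            i += 1
        if i >= n:
            break
        start = i
        while i < n and text[i] != "=" and not text[i].isspace():
            i += 1
        key = text[start:i]
        if not key:
            raise ConnInfoError(f"missing keyword at offset {start}")
        while i < n and text[i].isspace():
            i += 1
        if i >= n or text[i] != "=":
            raise ConnInfoError(f"missing '=' after {key!r}")
        i += 1
        while i < n and text[i].isspace():
            i += 1
        quoted = i < n and text[i] == "'"
        if quoted:
            i += 1
        value = []
        while True:
            if i >= n:
                if quoted:
                    raise ConnInfoError(f"unterminated quoted value for {key!r}")
                break
            ch = text[i]
            if ch == "\\" and i + 1 < n:        # \' and \\ escapes
                value.append(text[i + 1])
                i += 2
            elif quoted and ch == "'":
                i += 1
                break
            elif not quoted and ch.isspace():   # unquoted values end at whitespace
                break
            else:
                value.append(ch)
                i += 1
        params[key] = "".join(value)
    return params


UNTRUSTED_KEYS = ("host", "hostaddr")


def sanitize_untrusted_conninfo(text, allowed_hosts):
    """Return the parsed settings if they may be handed to libpq; raise
    ConnInfoError if the untrusted string tries to steer the connection to
    a server outside `allowed_hosts`."""
    if text.lstrip().lower().startswith(("postgresql://", "postgres://")):
        raise ConnInfoError("URI connection strings are not accepted here")
    params = parse_conninfo(text)
    for key in UNTRUSTED_KEYS:
        if key in params and params[key] not in allowed_hosts:
            raise ConnInfoError(f"{key}={params[key]!r} is not an allowed server")
    return params


def is_safe_conninfo(text, allowed_hosts):
    """Boolean convenience wrapper around sanitize_untrusted_conninfo()."""
    try:
        sanitize_untrusted_conninfo(text, allowed_hosts)
        return True
    except ConnInfoError:
        return False
```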



PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected in:

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
  • Red Hat Virtualization Manager 4.2 x86_64



  • BZ 1508820 – CVE-2017-15098 postgresql: Memory disclosure in JSON functions
  • BZ 1508823 – CVE-2017-15099 postgresql: INSERT … ON CONFLICT DO UPDATE fails to enforce SELECT privileges
  • BZ 1539619 – CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
  • BZ 1547044 – CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
  • BZ 1609891 – CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
  • BZ 1612619 – CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT … ON CONFLICT DO UPDATE statements

Follow the link for further guidance on how to apply updates:

Rewterz Threat Advisory – CVE-2018-11776 Apache Struts Remote Code Execution Vulnerability

A remote code execution vulnerability exists in various versions of Apache Struts which may allow an attacker to take control of a system in case of a successful attack.


PUBLISH DATE: 23-08-2018


An independent security research group, Semmle, has released a finding, confirmed by the Apache Software Foundation, that a critical remote code execution flaw exists in the popular Struts 2 open source framework. This vulnerability is located in the core of Apache Struts 2 and impacts all supported versions of Struts 2.

The vulnerability originates from insufficient validation of user-provided untrusted input in the core of the Struts framework under certain configurations. The exploit can be triggered just by visiting a specially crafted URL on the affected web server. It enables attackers to execute malicious code and eventually take complete control over the targeted server on which the vulnerable application is running.



The vulnerability involves the injection of a payload as unvalidated input into a Struts application, which is then evaluated and used to cause remote code execution.

The exploit uses an obscure expression language called OGNL, used by only a few Java-based frameworks such as Struts and Spring Web Flow. The OGNL expression payload results in remote code execution affecting Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.

The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of URL tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.

Successful exploitation leads to execution of arbitrary code in the security context of the targeted system or the affected application.



Apache Struts versions:

  • 2.3 to 2.3.34
  • 2.5 to 2.5.16


All applications that use supported versions of Apache Struts (Struts 2.3 to 2.3.34, and Struts 2.5 to 2.5.16) are potentially vulnerable to this flaw, even without enabling any additional plugins.

The following conditions indicate that Apache Struts is vulnerable to the Remote Code Execution flaw:

  • The “alwaysSelectFullNamespace” flag is set to true in the Struts configuration.
  • The Struts configuration file contains an “action” or “URL” tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
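An added example, written for this advisory rather than taken from Apache or Semmle, that checks a Struts application for the two conditions above: in struts.xml, the constant struts.mapper.alwaysSelectFullNamespace set to true and actions whose package has no namespace or a wildcard namespace (an action inherits its namespace from its package), and in templates, <s:url>/<s:action> tags with no namespace attribute or a wildcard one. The sample configuration and template fragment are constructed.

```python
"""Added example (not Apache's or Semmle's code): flag the CVE-2018-11776
preconditions in a Struts application. struts.xml is checked for the
alwaysSelectFullNamespace constant and for actions in packages without a
concrete namespace; templates are checked for <s:url>/<s:action> tags that
have no namespace attribute or a wildcard one. Samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
TAG_RE = re.compile(r"<s:(url|action)\b([^>]*)>", re.IGNORECASE)
NAMESPACE_ATTR_RE = re.compile(r'\bnamespace\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_wildcard(namespace):
    return "*" in namespace


def audit_struts_xml(xml_text):
    """Summarise the configuration-side preconditions of a struts.xml."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name") == FULL_NS_CONSTANT
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    actions_at_risk = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or is_wildcard(ns):       # actions inherit this namespace
            actions_at_risk.extend(a.get("name") for a in pkg.iter("action"))
    return {"always_select_full_namespace": full_ns,
            "actions_at_risk": actions_at_risk}


def audit_templates(template_text):
    """Return [(tag, namespace_or_None)] for every <s:url>/<s:action> tag
    whose namespace attribute is absent or contains a wildcard."""
    hits = []
    for m in TAG_RE.finditer(template_text):
        ns_match = NAMESPACE_ATTR_RE.search(m.group(2))
        ns = ns_match.group(1) if ns_match else None
        if ns is None or is_wildcard(ns):
            hits.append((m.group(1).lower(), ns))
    return hits


def is_exposed(xml_text, template_texts):
    """True when both advisory conditions hold: the flag is on and at least
    one action or tag lacks a concrete namespace."""
    cfg = audit_struts_xml(xml_text)
    tag_hits = [h for t in template_texts for h in audit_templates(t)]
    return cfg["always_select_full_namespace"] and bool(cfg["actions_at_risk"] or tag_hits)


# Constructed samples: the flag is on, one package has no namespace, and the
# template fragment has one bare <s:url> and one wildcard <s:action>.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="com.example.UsersAction"/>
  </package>
</struts>
"""
SAMPLE_JSP = ('<s:url action="index"/> <s:url action="users" namespace="/admin"/> '
              '<s:action name="list" namespace="/*"/>')

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_STRUTS_XML))
    print(audit_templates(SAMPLE_JSP))
    print("exposed:", is_exposed(SAMPLE_STRUTS_XML, [SAMPLE_JSP]))
```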


Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Both of these versions contain the security fixes only, and no backward incompatibility issues are expected. All clients using vulnerable versions of Apache Struts are advised to upgrade to the patched versions as soon as possible.


Disturbing Secrets Of The Deep And Dark Web


The billions of accessible websites on the internet today seem overwhelming to the common man. What’s more surprising is that these surface websites are only about 7-10% of the entire internet. They make up the surface web. The bulk of the internet is hidden in what’s called the deep web and, deeper still, the dark web.


The visible World Wide Web, with its billions of publicly accessible websites, consists of those sites which appear on search engines when searched through keywords. These are reached through web crawlers, the meta search engine responsible for merging, interlinking and ranking the search results of the search platforms on the surface web. It keeps track of all the websites and links to their webpages found on the surface web and ranks them according to their content, hence organizing them into an index.



One step deeper into the ocean of the internet lies the deep web. Websites on the deep web prevent indexing by search engines. Web crawlers are not allowed to access these websites or gather public links from them. These sites are either intentionally made inaccessible or are hidden due to their nature. Several methods are used to prevent their indexing. Linking to their webpages from surface websites or search engines is disabled by the owners, so they cannot be found through search engines. Access to them can also be denied technically, limiting access with captchas, or the websites may require a user to log in before accessing any page.


For example, large amounts of content on PasteBin or GitHub with no links connecting to the source of information can only be accessed through specific search tools. Other portals created only for specific people and accessed only with their credentials are also examples of the deep web.



Just like the ocean hides mysteries in its depth, the internet hides hideous tales in the depths of the dark web. The dark web is entirely a mystery with every user being anonymous.



Coming to the actual definition, the dark web or darknets are highly encrypted networks built on top of the internet which can only be accessed with specialized software. The websites on the dark web cannot be accessed by ordinary people surfing the surface web.


These unindexed sites are called dark because all of their users are anonymous. This dark web is the most popular platform for supporting illegal activities.


The most well-known example of illegal activity on the dark web is the creation of Silk Road by Ross William Ulbricht, known as Dread Pirate Roberts. Silk Road generated $1.2 billion in 2 years and 9 months, mostly by selling illegal drugs along with other illegal activity. It was later dismantled by the federal government of the USA in September 2013. In the same year, the usership of The Onion Router, the most common network on the dark web, reached 4 million people worldwide.



These websites are present either on private networks like Tor (The Onion Router) or on peer-to-peer networks like the Invisible Internet Project (I2P), which can be accessed in web browsers as well. The dark web routes traffic over the network with layers of encryption to preserve the anonymity of its users.


The dark web is not accessible to the common man. Access to a private network is required to reach it. The dark web enforces many restrictions to maintain the privacy of its users.


The Onion Router browser, first created by the US Navy, is one of the most popular browsers used to browse the dark web anonymously.


How Does Tor Maintain User Privacy?

This highly secure, easy-to-use, free software is installed in minutes and routes network traffic through various Tor servers located globally. This means that if any information packet is intercepted during transmission, it will only show the sender and receiver as random nodes.


Therefore, the dark web looks like a highly charged galaxy of mobile nodes. This routing mechanism makes it impossible to trace a user’s activity on the dark web.



Many sites on the dark web have a top-level domain (TLD) ending in ‘.onion’ rather than surface web domains like ‘.com’, ‘.org’ or ‘.gov’. These top-level domains can only be accessed with browsers or apps running on the Tor network, like the Orbot or Orfox mobile apps.



Darknets allow access or penetration in different ways, based on the purpose of their use, such as communication or anonymous browsing. They are also differentiated by their level of security, depending on the encryption protocols and the routing they use.



Friend-to-friend (F2F) is a form of peer-to-peer service which is accessible only to a specific ring of IP addresses. Other IPs can be blocked by the owners to hide their presence on the network.


An F2F network has enhanced security, with every exchange on the network encrypted with extra preventive layers of coding.



The internet is a flow of information, a huge amount of which is personal information. The surface internet is evolving swiftly. Compared to the size of the surface web, the deep web is huge.


  • In July 2016, 46% of the world was found to be connected to the internet.
  • In February 2017 there were 1.154 billion websites on the surface net.
  • The deep web is 4000 times bigger than the surface web and is growing at a rate which cannot be quantified.



The information flowing through the surface web is often attacked, stolen and sold. Medical records, IDs, photographs, passports, credit card credentials, subscription accounts, browsing history, bank account details: everything is being sold on the dark web.


Who buys this information? Umm, it’s hard to tell. Hackers, scammers, marketers, competitors. Anyone.


The darknet serves as host to this black market of information. Stolen information is sold and bought there anonymously. The dark web serves as the easy marketplace to find the right customers for any kind of information.


This is one of the reasons why cryptocurrencies were readily adopted for illegal transactions: they hide identities.



Many researchers have dived into the depths to seek information regarding the activities going on in the dark web. 6,608 dark websites were crawled in January 2018, including all types of webpages from entertaining to horrifying, and this is what they found.



The dark web deals in all kinds of scams and illicit content. From credit card cloning products to ingenious bitcoin scams, everything is available for purchase on the dark web, every passing second. A highly disturbing number of child abuse sites and extremely immoral websites were found on the dark web selling private photos and sexual content.


  • There are 50,000 extremist terrorist groups operating in the dark web.
  • Moreover, the 60 largest sites on the dark web have a combined data of 750 TB. Surprisingly, this data alone is 40 times larger than the data of the entire surface web combined.


Did You Know?

  • A medical record is sold for $50
  • $20-100 is earned for selling credit card information
  • Your Social Security number is worth $1 on the dark web
  • Your bank account details can be sold for $1000
  • $50 is earned for 500,000 emails
  • Mobile malware is sold for $150
  • Commercial malware is sold for $2500
  • Exploits can be as expensive as $150,000 to millions of dollars



The dark web has the monopoly on breached private information of organizations. Therefore, organizations have been paying large amounts of money to safeguard their leaked information found on the dark web. The number of breaches has gone down, whereas the damage caused by each data breach has significantly gone up. In 2017, organizations paid up to $140 to save each record from violation and misuse.


However, the information sold on the dark web is not guaranteed to be legitimate, so it can be falsely crafted to ruin the reputations of organizations. Vendors of the information are rated by buyers to establish some level of credibility regarding what they bring to the table.



The usage of The Onion Router for accessing the dark web cannot be tied to a geography. No country can be singled out as being responsible for the existence of the dark web. However, as per the statistics of 2017:


  • The largest percentage of Tor users comes from the USA with a 19.2% usership.
  • The Russians make up 11.9% of the Tor users.
  • 9% of the Tor traffic comes from Germany.
  • Tor entertains 9.2% of the traffic coming from UAE.
  • A report by Visual Capitalist claims that 80% of Tor is funded by the US Government.



The commonly known websites available through search engines on the internet are called the surface web. These sites make up only 7% of the entire World Wide Web. The rest of the internet is a highly encrypted world unavailable for general browsing, called the deep web. A distinct part of this web is used for illegal activities and is thus called the dark web. The dark web offers absolute anonymity to all of its users. All kinds of sensitive information, malicious software, and illegal content are sold and bought on the dark web. While crafting security strategies, most organizations are unaware of the existence of the darknet. It is important to consider this huge internet world as a threat factor while strategizing for the mitigation of threats.

Latest Favorite Platform for Zero-Day Exploits: Microsoft Office

Cybercriminals turn to Microsoft Office documents for conducting their zero-day exploits, using office files to execute remotely hosted malware.

Cyberattacks are being launched using the most common tool of office work, i.e. email. Microsoft Office documents are usually attached to emails for file transfer and data sharing. Targeting this mode of communication, hackers use email attachments to perform remote code execution on systems. These remotely hosted malicious components are easily transferred to a system via email.


Almost all zero-day exploits from late 2017 and early 2018 have used Office documents like Word files and Excel sheets. These documents aren’t suspected by ordinary users and their malicious components are hard to detect.


Evolution in Techniques

MS Office has become closely linked with cybercrime. Researchers reveal that e-mail phishing has evolved and matured with time. Attackers have found new ways of exploiting Office documents. Instead of attaching files with embedded malicious macros, they use Office files to grab remotely hosted malicious components, which launch exploits in the browser. Getting users to ‘enable macros’ was a common trend in the past, but with the evolution of advanced security measures and an emerging tech-savvy audience, this trend has seen a decline, producing little result in favor of the attacker. Owing to the constant battle between attack and defense, advanced strategies are evolving at both ends, to exploit the endpoint and to protect it.


Down memory lane: trouble begins with CVE-2017-0199

Word documents have never been immune to vulnerabilities. One of these loopholes, CVE-2017-0199, the MS Office/WordPad remote code execution vulnerability, makes use of a logic flaw in MS Word. It popped up in 2016 when an attack was launched using Word files as carriers. Something embedded in the files was able to fetch remote malware from the web.


The Object Linking and Embedding (OLE) Technology

The Object Linking and Embedding (OLE) technology is used to deliver malware to a system, through which attackers can execute code on the compromised system.


The trend of remotely hosted cyberthreats has grown ever since this vulnerability was exploited. The recent “CVE-2018-8174 Windows VBScript Engine Remote Code Execution Vulnerability” is evidence of the emerging trend. Exploiting the library used by Internet Explorer, this “Double Kill” bug could let an attacker execute code with the current user’s privileges.


A malicious RTF file attached to an email contains an OLE object, which downloads and renders an HTML page when activated. VBScript on the page uses the exploit to fetch a remote payload onto the endpoint.
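An added example, not from the article: a static heuristic a mail gateway could apply to RTF attachments of the kind just described, looking for an \object group marked \objupdate (refresh on open) and for a URL inside the \objdata hex blob, which OLE link objects store as UTF-16LE. The test document it builds is a constructed stand-in with a placeholder header, not a real OLE stream, so a production scanner should also parse the OLE structure itself.

```python
"""Added example (not from the article): heuristic scan of an RTF document
for an auto-updating OLE link. Two cheap static traces are checked: an
\\object group carrying \\objupdate, and a URL (ASCII or UTF-16LE) inside
the \\objdata hex blob. The sample built by build_test_document() is a
constructed stand-in with a placeholder header, not a real OLE stream.
"""
import re

OBJECT_RE = re.compile(r"\\object\b")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]{1,200}", re.IGNORECASE)


def extract_objdata_blobs(rtf_text):
    """Decode every \\objdata hex group in the document into bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hex_text = re.sub(r"\s+", "", m.group(1))
        if len(hex_text) % 2:            # tolerate a truncated final nibble
            hex_text = hex_text[:-1]
        blobs.append(bytes.fromhex(hex_text))
    return blobs


def find_urls(blob):
    """URLs stored as plain ASCII or as UTF-16LE at either byte alignment:
    the even/odd byte views turn a UTF-16LE string back into ASCII."""
    found = set()
    for view in (blob, blob[0::2], blob[1::2]):
        for hit in URL_RE.findall(view):
            found.add(hit.decode("ascii"))
    return sorted(found)


def scan_rtf(rtf_text):
    """Return the indicators found and an overall verdict."""
    urls = []
    for blob in extract_objdata_blobs(rtf_text):
        urls.extend(find_urls(blob))
    has_object = bool(OBJECT_RE.search(rtf_text))
    auto_update = bool(OBJUPDATE_RE.search(rtf_text))
    return {"has_object": has_object, "auto_update": auto_update, "urls": urls,
            "suspicious": has_object and (auto_update or bool(urls))}


def build_test_document(url):
    """Constructed sample: the URL as UTF-16LE behind a placeholder header,
    hex-encoded into an \\objdata group split into lines as RTF writers do."""
    payload = b"\x01\x05\x00\x00" + url.encode("utf-16-le") + b"\x00\x00"
    hex_blob = payload.hex()
    lines = "\n".join(hex_blob[i:i + 64] for i in range(0, len(hex_blob), 64))
    return ("{\\rtf1\\ansi\\deff0 {\\object\\objautlink\\objupdate\\rsltpict"
            "{\\*\\objdata\n" + lines + "\n}}}")


if __name__ == "__main__":
    print(scan_rtf(build_test_document("http://example.invalid/update.html")))
    print(scan_rtf("{\\rtf1\\ansi Just text.}"))
```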


Even though Microsoft has patched both CVE-2017-0199 and CVE-2018-8174, some individuals and organizations may still be vulnerable because they have procrastinated with their patching.


Why Office Documents?

Office documents are convenient because they can be used to reach applications that are targeted through the browser. Links sent in malicious emails will open in Internet Explorer. Since most systems do not have IE as their default browser, they may be running outdated and vulnerable versions of IE, which will still be used automatically to open the links received in emails. Hence, an Internet Explorer zero-day embedded in a Word file can be used to target a system that doesn’t use IE as its default browser.


Remotely hosted malware attacks are trending because they tend to evade security systems. When differentiating between ‘good’ and ‘bad’ content, a security system can let a document slip if it only contains a link, whereas a document containing the malware itself can easily be scanned and detected by antivirus software.


If you think you are a victim of a cyber-security attack, immediately send an email to for a rapid response.

Rewterz Threat Advisory – CVE-2018-8414 Microsoft Windows Shell Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Microsoft Windows that can provide user privileges to an attacker.



PUBLISH DATE: 16-08-2018


Microsoft Windows is prone to a remote code execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.


A remote user can create a specially crafted file that, when clicked/opened by the target user, will trigger a file path validation flaw and execute arbitrary code on the target system. The code will run with the privileges of the target user.



A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka “Windows Shell Remote Code Execution Vulnerability.” This affects Windows 10 Servers, Windows 10.


If the current user is logged in with administrative privileges at the time of exploitation, the attacker could take control of the affected system: installing programs; viewing, changing, or deleting data; or creating new accounts with elevated privileges. Users whose accounts are configured with fewer privileges are therefore less exposed than users with administrative privileges.


An attacker could either exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open it, or they could host a website that contains a specially crafted file designed to exploit the vulnerability.


However, the attacker has no way to force a user to open the file; they have to convince the user to click a link and open the specially crafted file.



This vulnerability in the Windows shell concerns the use of SettingContent-ms files (Windows 10 control panel shortcuts) for malware distribution. SettingContent-ms files are nothing more than XML documents containing a <DeepLink> tag that specifies the on-disk location of the Windows settings page to open when users double-click the shortcut.


The problem arises when the DeepLink tag is used with any other executable from the local system, including binaries such as cmd.exe or PowerShell.exe, two applications that allow shell command execution.




Tricking users via phishing emails using social engineering tactics proves to be an easy task. Researchers say they hosted a SettingContent-ms shortcut on a web server and were able to download and run it without Windows 10 or Windows Defender alerting the user at all.



Furthermore, malware authors can also embed a SettingContent-ms shortcut inside Office documents with the help of an Office feature named Object Linking and Embedding (OLE). This feature allows Office users to embed other files in Office documents. It has been one of the simplest methods of running malicious code on users’ PCs.


Microsoft has counteracted this trend by disallowing the embedding of certain dangerous file types inside OLE objects. Since SettingContent-ms is a new file type, it is not included in Office’s OLE file format blacklist, and malware authors can reliably use SettingContent-ms files embedded in Office documents to execute malicious operations on users’ systems.
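An added example, not from Microsoft or the advisory, that inspects a SettingContent-ms file for the condition described above: it reads every DeepLink element and flags any whose first token is not an ms-settings: URI or control.exe. The allowlist and both sample files are assumptions constructed for the example; the samples mirror the layout of real shortcuts, but only the DeepLink element matters to the check.

```python
"""Added example (not Microsoft's code or the advisory's): inspect a
.SettingContent-ms file and flag DeepLink targets that would start something
other than the Windows settings host. The allowlist and the two sample files
are assumptions constructed for this example.
"""
import ntpath
import xml.etree.ElementTree as ET

ALLOWED_LAUNCHERS = {"control.exe"}   # assumption: what a settings shortcut may run
ALLOWED_SCHEMES = {"ms-settings:"}


def launcher_of(command):
    """Return the lowercase file name of the program named first in a Windows
    command line, or its URI scheme (e.g. 'ms-settings:') for scheme URIs."""
    cmd = command.strip()
    if cmd.startswith('"'):               # quoted path, may contain spaces
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    scheme, sep, _ = first.partition(":")
    if sep and len(scheme) > 1 and scheme.replace("-", "").isalpha():
        return scheme.lower() + ":"       # drive letters such as C: fall through
    return ntpath.basename(first).lower()


def iter_deeplinks(xml_text):
    """Yield the text of every DeepLink element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "DeepLink":
            yield (elem.text or "").strip()


def audit_settingcontent(xml_text):
    """Return [(deeplink, launcher, allowed)] for each DeepLink in the file."""
    results = []
    for link in iter_deeplinks(xml_text):
        launcher = launcher_of(link)
        allowed = launcher in ALLOWED_SCHEMES or launcher in ALLOWED_LAUNCHERS
        results.append((link, launcher, allowed))
    return results


def is_suspicious(xml_text):
    """True if any DeepLink would start a program outside the allowlist."""
    return any(not ok for _, _, ok in audit_settingcontent(xml_text))


# Constructed samples (layout modelled on Windows 10 shortcuts; AppID is a
# placeholder). The suspicious one only differs in its DeepLink command.
BENIGN = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>example.placeholder!settings</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.System</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""
SUSPICIOUS = BENIGN.replace(r"%windir%\system32\control.exe /name Microsoft.System",
                            r"%windir%\System32\cmd.exe /c echo test")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_settingcontent(doc), "->", is_suspicious(doc))
```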




All end-hosts or servers under analysis running the following OS versions are affected:

  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Microsoft Windows 10 version 1703 for 32-bit Systems
  • Microsoft Windows 10 version 1703 for x64-based Systems
  • Microsoft Windows 10 version 1709 for 32-bit Systems
  • Microsoft Windows 10 version 1709 for x64-based Systems
  • Windows Server, version 1709 (Server Core Installation)
  • Windows Server, version 1803 (Server Core Installation)



The security updates address the vulnerability by ensuring the Windows Shell properly validates file paths.

Apply the following updates according to OS version.

  • Windows 10 for 32-bit Systems (KB4343892):

  • Windows 10 Version 1703 for 32-bit Systems (KB4343885):

  • Windows 10 Version 1709 for 32-bit Systems (KB4343897):

  • Windows 10 Version 1803 for 32-bit Systems (KB4343909):

  • Windows 10 Version 1709 for x64-based Systems (KB4343897):
  • Windows Server, version 1709 (Server Core Installation) (KB4343897):

  • Windows 10 Version 1803 for x64-based Systems (KB4343909):
  • Windows Server, version 1803 (Server Core Installation) (KB4343909):

  • Windows Server 2016 (KB4343887):
  • Windows 10 Version 1607 for x64-based Systems (KB4343887):
  • Windows Server 2016 (Server Core installation) (KB4343887):

  • Windows 10 Version 1607 for 32-bit Systems (KB4343887):

  • Windows 10 Version 1703 for x64-based Systems (KB4343885):

  • Windows 10 for x64-based Systems (KB4343892):

Furthermore, if you think you are a victim of a cyber-security attack, immediately send an email to for a rapid response.

Copyright © Rewterz. All rights reserved.