SwitHak
SwitHak / 20200730-TLP-WHITE_BootHole_CVE-2020-10713.md
Last active Sep 29, 2020
BlueTeam CheatSheet * BootHole * | Last updated: 2020-08-13 1957 UTC

CVE-2020-10713 AKA BootHole

  • Cool Name: BootHole

General

  • GRUB2 -> GRand Unified Bootloader version 2
  • Don't rush the patches: the Red Hat patches have a bug, and always test before production.
  • It's a cool vuln, cool name, cool logo, but take your time to test the patches; boot isn't something you patch every month. Take care!
  • TBD
@SwitHak
SwitHak / 20200716_TLP-WHITE_July-Patch-Priorities.md
Last active Sep 29, 2020
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
@SwitHak
SwitHak / 20200618-TLP-WHITE_Ripple20.md
Last active Sep 29, 2020
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

  • Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack sold under two different names: Treck TCP/IP for the U.S. market and Kasago TCP/IP for the Asian market.
  • These two stacks were also bought and used under private labels by several software companies; some known names are GHnetv2, Kwiknet, Quadnet.
  • But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating systems).
  • Last, depending on the device's operating system, configuration or location, some of the vulnerabilities can have a higher or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of these stacks and assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
@SwitHak
SwitHak / 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active Sep 29, 2020
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog? ;)

General

  • A critical vulnerability has been discovered by the F-Secure Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the highest possible CVSS score, 10/10; the CVE number is CVE-2020-11651.
  • There is also another vulnerability, referenced as CVE-2020-11652, discovered at the same time, also by F-Secure.
  • The vulnerability is actively exploited (some say since Saturday morning, 2020-05-02) and several exploits are in the wild.
  • We currently know of at least 5 victims; even big names are concerned.
  • This is not a drill or something you can patch later, act now.
@SwitHak
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created Mar 29, 2020
Translation for the demo video of SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

General

  • This is the translation for the demo video of SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.
  
00:05 Инфоповоды отслеживают возникновение необходимых сообщений
	News triggers track the appearance of the required messages.
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active Mar 22, 2020
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: removed duplicates, extracted domains and subjects to CSV format for use
20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]
|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml
|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created Mar 18, 2020
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf | Curated: removed duplicates, extracted domains and subjects to CSV format for use
20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]
|URLs|
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active Mar 18, 2020
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated: removed duplicates, extracted domains to CSV format for use
20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]
|DOMAINS|
@SwitHak
SwitHak / 20200312-TLP-WHITE_CVE-2020-0796.md
Last active Sep 29, 2020
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC

CVE-2020-0796 AKA SMBGhost

General

  • A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
  • An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
  • The vulnerability was discovered by the Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products:

@SwitHak
SwitHak / 20200114-TLP-WHITE_CVE-2020-0601.md
Last active Oct 12, 2020
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC

CVE-2020-0601 AKA ChainOfFools OR CurveBall

General

  • Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
  • The vulnerability was discovered by the U.S. National Security Agency and announced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:
  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.