Top 10 Remote Exploits of 2018

With 2018 over, I thought it would be useful to look back at the most notable exploits to come out in the last year and provide a brief review for each. My criteria here is to provide a list of the most notable remote exploits (in my opinion…) affecting the most systems with the highest impact and released in 2018 only. This is by no means a complete list and I may have missed some. If so, let me know via Twitter (@xer0dayz) or leave a comment. Also, if there’s any remote exploits you think I should add to Sn1per (https://github.com/1N3/Sn1per), let me know!

OpenSSH User Enum Exploit CVE-2018-15473

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Exploit Link: https://github.com/Rhynorater/CVE-2018-15473-Exploit

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

libSSH Auth Bypass Exploit CVE-2018-10933

A vulnerability was found in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Exploit Link: https://github.com/leapsecurity/libssh-scanner

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Drupal v7.x + v8.x Remote Code Execution (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Exploit Link: https://github.com/dreadlocked/Drupalgeddon2

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Apache Struts 2 Remote Code Execution CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Exploit Link: https://github.com/mazen160/struts-pwn_CVE-2018-11776

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

WebLogic Unrestricted File Upload Remote Code Execution CVE-2018-2894

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/WebLogic%20CVE-2018-2894.py

Cisco ASA Directory Traversal CVE-2018-0296

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

Exploit Link: https://github.com/yassineaboukir/CVE-2018-0296

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Exim < 4.90.1 Remote Code Execution CVE-2018-6789

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

Exploit Link: https://www.exploit-db.com/exploits/44571

* To be added to Sn1per v6.1 at a future date.

DHCP Client Command Injection (DynoRoot) CVE-2018-1111

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Exploit Link: https://github.com/kkirsche/CVE-2018-1111

osCommerce 2.3.4.1 Installer Unauthenticated Code Execution

If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the “install_4.php” script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.

Exploit Link: https://www.rapid7.com/db/modules/exploit/multi/http/oscommerce_installer_unauth_code_exec

* To be added to Sn1per v6.1 at a future date.

Oracle Weblogic Server Deserialization RCE CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link: https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)