Innogen security


Posted in Blog post

Microsofts patch Tuesday reveals a patch for a shocking privilege escalation vulnerability, discovered by Preempt researchers.

The vulnerability exposes a flaw where LDAP fails to protect against NTLM relay attacks regardless of LDAP signing being enabled? LDAP signing was created to prevent this type of “Man in the middle” attack from forwarding credentials to a target server.

Currently the vulnerability allows an attacker with SYSTEM privileges to target incoming NTLM sessions to trigger LDAP operations such as updating domain objects in the context of the NTLM user.

An excellent video outlining the attack and how the same flaw can be combined with an rdpy to create a domain admin via “RDP Restricted admin mode”, this mode should protect against this type of attack however when rdpy is combined with the ldap relay vulnerability the video shows a domain admin account is created by downgrading the RDP restricted mode to NTLM.
However Microsoft have dismissed the RDPY issue as a bug by stating this is a known issue?

The following CVE has been assigned to this issue: CVE-2017-8563

Microsofts advice to this is:
Consider disabling NT Lan Manager or digitally sign all LDAP and SMB traffic.

Preempt NTLM Relay Demonstration:


Innogen security


Exploiting Sudo 1.8.27 The following brief is a quick demonstration of the issue faced by cve-2019-14287. This issue is presented when the user is allowed to run a specified command as any user other than the root user account, specified …

17 Oct 2019

SMB LFI Exploitation The following outlines a very short overview of LFI using SMB in form of a crib sheet. Install Samba: apt-get install samba Remove default Samba config: rm -f /etc/samba/smb.conf Create New smb.conf: vi /etc/samba/smb.conf The following config …

13 Oct 2019

Linux reverse shell without python. During a recent application exploit into an interactive shell the typical path to spawn a reverse shell and upgrade it to tty was sought. It was found that the go to technologies such as python, …

19 Sep 2019