Details of 15 vulnerabilities: an analysis of the cyber weapon arsenal stolen from FireEye

On December 8, the top US security company FireEye disclosed that its internal network had been breached by a “country with first-class cyber attack capabilities”, and that the attacker had stolen its red team security tools.

What sets this attack apart is that, after breaching FireEye, the attacker did not carry out the usual extortion or data-leak operations but went straight for the security toolkit. Such an attack has far more serious consequences: the damage extends to FireEye’s customers and downstream vendors, which puts it squarely in the category of supply chain attacks.

Here we venture a guess that FireEye’s security incident may already have affected its customers or downstream parties. The full sequence of events may have been: a FireEye customer first noticed that it was being attacked with FireEye’s own tools and suspected that the tools had leaked; it reported this to FireEye; FireEye then investigated and responded urgently, and finally published its defensive countermeasures (including firewall rules).

Knownsec 404 Lab followed up on the incident promptly and analyzed some of the vulnerabilities covered by the FireEye red team toolkit, as follows:


Vulnerability Name: Microsoft Windows Group Policy Preference Password Elevation of Privilege Vulnerability

CVE Number: CVE-2014-1812

Vulnerability description: An elevation of privilege vulnerability exists in the way that Windows Active Directory distributes passwords configured through Group Policy Preferences: the cpassword value stored in SYSVOL is encrypted with a fixed, publicly documented AES key. An authenticated domain user can decrypt these passwords and use them to elevate privileges in the domain. Affected: Windows Vista SP2, Windows Server 2008 SP2 and 2008 R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 and 2012 R2.


Vulnerability name: Windows RDP remote code execution high-risk vulnerability (BlueKeep)

CVE Number: CVE-2019-0708

Vulnerability description: BlueKeep (CVE-2019-0708) is a high-risk, pre-authentication remote code execution vulnerability in Microsoft’s Remote Desktop Protocol (RDP) service. A Metasploit exploit module for it is publicly available.


Vulnerability name: Microsoft Outlook security feature bypass vulnerability

CVE Number: CVE-2017-11774

Vulnerability description: A security feature bypass vulnerability exists when Microsoft Outlook improperly handles objects in memory. An attacker who successfully exploits it can execute arbitrary commands. In a file-sharing attack scenario, the attacker provides a specially crafted document file designed to exploit the vulnerability and then convinces the user to open the file and interact with it.

Note: this vulnerability lends itself to phishing attacks.


Vulnerability name: Adobe ColdFusion file upload leads to arbitrary code execution

CVE number: CVE-2018-15961

Vulnerability description: This is an arbitrary file upload vulnerability: an attacker can upload a JSP file to the server and achieve code execution.


Vulnerability name: Citrix Application Delivery Controller and Citrix Gateway remote code execution vulnerability

CVE Number: CVE-2019-19781

Vulnerability description: This vulnerability allows an unauthenticated remote attacker to send directory traversal requests that read sensitive information from system configuration files and, from there, execute arbitrary code.


Vulnerability name: Confluence path traversal vulnerability

CVE number: CVE-2019-3398

Vulnerability description: Confluence Server and Data Center have a path traversal vulnerability in the downloadallattachments resource. An attacker with any one of the following permissions can upload files to arbitrary directories on the server and achieve remote code execution:

  • Add attachments to pages or blogs
  • Create a new space
  • Admin permission for a space


Vulnerability name: Atlassian Crowd unauthenticated plugin upload vulnerability

CVE Number: CVE-2019-11580

Vulnerability description: The Crowd pdkinstall development plugin accepts uploads without authentication. An attacker can upload a malicious plugin and execute commands through it.


Vulnerability name: FortiGate SSL VPN unauthenticated arbitrary file read (and related vulnerabilities)

CVE Number: CVE-2018-13379

Vulnerability description: At Black Hat USA 2019, Orange Tsai and Meh Chang of DEVCORE disclosed multiple vulnerabilities in Fortinet’s SSL VPN, including CVE-2018-13379, a path traversal that lets an unauthenticated attacker read arbitrary files.


Vulnerability name: Microsoft Exchange Server remote command execution vulnerability

CVE Number: CVE-2020-0688

Vulnerability description: Every Exchange installation ships the same static machineKey in the Exchange Control Panel (ECP) web.config, so after logging in with any valid mailbox credentials an attacker can forge ViewState that the server accepts as its own. The server deserializes the malicious ViewState, and the attacker abuses .NET deserialization to execute arbitrary .NET code in the context of the ECP web application.


Vulnerability name: Pulse Secure SSL VPN unauthenticated arbitrary file read vulnerability

CVE Number: CVE-2019-11510

Vulnerability description: At Black Hat USA 2019, Orange Tsai and Meh Chang of DEVCORE disclosed multiple SSL VPN vulnerabilities, including several in Pulse Secure. CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability.
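The Citrix ADC, Confluence, FortiGate and Pulse Secure entries above all reduce to path traversal: reading files outside the intended directory, or in Confluence’s case writing them. The following Go program is an added example, not code from the article or from any of the vendors, and it shows both halves of the problem. InspectPath is a detection that normalizes a request path the way a lax server might (repeated percent-decoding, backslashes as separators, traversal placed in front of a query string) and flags “..” on the wire; SafeJoin is the server-side check that keeps a user-supplied attachment name inside its storage root. The sample request paths are constructed for this example and are not captured exploit traffic.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Verdict is the result of inspecting one request path.
type Verdict struct {
	Raw, Normalized, Reason string
	Suspicious              bool
}

// decodeRepeatedly undoes percent-encoding until the string stops changing, so
// "%2e%2e" and the double-encoded "%252e%252e" both surface as "..".
func decodeRepeatedly(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// InspectPath flags a request path that carries ".." segments (encoded, doubly
// encoded, or written with backslashes). Browsers resolve ".." before sending,
// so its presence on the wire is itself a signal; the verdict also says whether
// the normalized path leaves the directory the request started in.
func InspectPath(rawPath string) Verdict {
	v := Verdict{Raw: rawPath}
	p := decodeRepeatedly(rawPath)
	if i := strings.IndexAny(p, "?#"); i >= 0 {
		p = p[:i] // traversal placed in front of a query string still counts
	}
	p = strings.ReplaceAll(p, `\`, "/")
	v.Normalized = path.Clean("/" + p)
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			v.Suspicious = true
			v.Reason = "dot-dot segment on the wire"
		}
	}
	if first := strings.SplitN(strings.TrimLeft(p, "/"), "/", 2)[0]; v.Suspicious && first != "" &&
		v.Normalized != "/"+first && !strings.HasPrefix(v.Normalized, "/"+first+"/") {
		v.Reason = "escapes /" + first + "/ to " + v.Normalized
	}
	return v
}

// SafeJoin is the server-side fix for the upload half of the problem (the Confluence
// attachment case): the user-supplied name is joined to the storage root and the
// result must still lie under that root. For real filesystems use path/filepath and
// resolve symlinks with filepath.EvalSymlinks before trusting the result.
func SafeJoin(root, name string) (string, error) {
	full := path.Join(root, strings.ReplaceAll(name, `\`, "/"))
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", fmt.Errorf("refusing %q: resolves to %s outside %s", name, full, root)
	}
	return full, nil
}

// SampleRequests are constructed paths modelled on the traversal reads described
// above; they are not captured traffic from any product.
var SampleRequests = []string{
	"/portal/../config/app.conf",
	"/static/%2e%2e/%2e%2e/etc/passwd",
	"/help/..%5c..%5cweb.config",
	"/docs/a/../b.txt",
	"/images/logo.png",
}

func main() {
	for _, r := range SampleRequests {
		v := InspectPath(r)
		fmt.Printf("%-36s suspicious=%-5v %s\n", r, v.Suspicious, v.Reason)
	}
}
```

The distinction the verdict draws matters in triage: “/docs/a/../b.txt” is odd but stays inside /docs/, while “/portal/../config/app.conf” leaves its directory, which is the shape of the configuration-file reads the advisories describe.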


Vulnerability name: Microsoft SharePoint remote code execution vulnerability

CVE Number: CVE-2019-0604

Vulnerability description: This vulnerability leads to remote command execution on the Windows server and can give the attacker full control of it. The attacker sends a carefully constructed request through the ItemPickerWebForm control to the back-end method EntityInstanceIdEncoder.DecodeEntityInstanceId(encodedId). Because that method neither validates the encodedId it receives nor restricts the type parameter passed to the XmlSerializer constructor, the input is deserialized directly by XmlSerializer, resulting in command execution.


Vulnerability name: Zoho ManageEngine Desktop Central remote code execution vulnerability

CVE Number: CVE-2020-10189

Vulnerability description: Zoho ManageEngine Desktop Central deserializes untrusted data in the getChartImage function of the FileStorage class, leading to remote code execution.


Vulnerability name: Zoho ManageEngine ServiceDesk Plus arbitrary file upload vulnerability

CVE Number: CVE-2019-8394

Vulnerability description: Zoho ManageEngine ServiceDesk Plus before 10.0 build 10012 has an arbitrary file upload vulnerability. An attacker can upload a JSP file to achieve code execution.


Vulnerability name: Windows Netlogon Remote Protocol elevation of privilege vulnerability (Zerologon)

CVE Number: CVE-2020-1472

Vulnerability description: On September 11, 2020, a month after Microsoft released the patch, researchers at Secura published a blog post titled “Zerologon: instantly become domain admin by subverting Netlogon cryptography”, together with a white paper detailing how CVE-2020-1472 is exploited. The flaw is in the Netlogon authentication handshake: the AES-CFB8 encryption of the client challenge uses an all-zero IV, so a client that sends an all-zero challenge and an all-zero credential is accepted for roughly one session key in 256. Using this, an unauthenticated attacker with network access can connect to a domain controller over the Netlogon Remote Protocol (MS-NRPC) and obtain domain administrator rights.
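To make the cryptographic flaw concrete, here is an added Go example (not Secura’s code and not from the article) of the AES-CFB8 credential computation from MS-NRPC with its fixed zero IV, plus a counter that shows how often an all-zero client challenge produces an all-zero credential. The session keys are SHA-256 of a counter, a stand-in for the real per-session keys, which derive from the machine account password the attacker does not have.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// aesCFB8Encrypt is AES-CFB8 as in SP 800-38A: every plaintext byte is XORed with
// the first byte of AES_k(register), and the ciphertext byte is shifted into the
// register from the right.
func aesCFB8Encrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(pt))
	for i, p := range pt {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out
}

// ComputeNetlogonCredential is the AES form of the MS-NRPC credential: the 8-byte
// challenge encrypted under the 16-byte session key with AES-CFB8 and an IV that is
// always zero. The fixed IV is the Zerologon flaw.
func ComputeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return aesCFB8Encrypt(sessionKey, make([]byte, aes.BlockSize), challenge)
}

// FirstKeystreamByte is AES_k(0^16)[0]. With a zero IV and zero plaintext the
// register stays all-zero for as long as the output bytes stay zero, so the whole
// credential is zero exactly when this byte is zero: a 1-in-256 event per key.
func FirstKeystreamByte(sessionKey []byte) byte {
	block, _ := aes.NewCipher(sessionKey)
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0]
}

// ZeroChallengeAccepted reports whether a client that sends an all-zero client
// challenge and an all-zero client credential passes the server's comparison
// (server-computed credential == client-supplied credential) for this session key.
func ZeroChallengeAccepted(sessionKey []byte) bool {
	for _, b := range ComputeNetlogonCredential(sessionKey, make([]byte, 8)) {
		if b != 0 {
			return false
		}
	}
	return true
}

// CountAccepted tries n deterministic stand-in session keys (SHA-256 of a counter,
// truncated to AES-128 size) and counts how many accept the zero challenge.
// Expect about n/256.
func CountAccepted(n int) int {
	hits := 0
	for i := 0; i < n; i++ {
		var seed [8]byte
		binary.LittleEndian.PutUint64(seed[:], uint64(i))
		k := sha256.Sum256(seed[:])
		if ZeroChallengeAccepted(k[:16]) {
			hits++
		}
	}
	return hits
}

func main() {
	n := 20000
	fmt.Printf("%d of %d session keys accept the zero challenge (expected about %d)\n",
		CountAccepted(n), n, n/256)
}
```

Because the server picks a fresh session key for every handshake, an attacker simply repeats NetrServerAuthenticate3 with all-zero values until one attempt lands, on average after 256 tries; with a properly random IV the same trick would succeed with probability 2^-64 per attempt.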


Vulnerability Name: Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE Number: CVE-2018-8581

Vulnerability description: An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploits it can impersonate any other user of the Exchange server: with the password of an ordinary mailbox account, the attacker can take over delegated access to the inboxes of other users, including domain administrators.

Note: this is a lateral movement and privilege escalation vulnerability at the mailbox level.