Microsoft Outlook Vulnerability CVE-2018-8587 – How likely is exploitation?

I found an interesting blog post, A Deep Analysis of the Microsoft Outlook Vulnerability CVE-2018-8587, about a Microsoft Outlook heap buffer overflow vulnerability, which describes how Microsoft Outlook can be exploited using a specially crafted mail classification rules file (RWZ).

To reproduce this vulnerability, we need to run Microsoft Outlook, then click “Rules => Manage Rules & Alerts => Options => Import Rules” and select the PoC file, which causes Outlook to crash.


At the end they write:

Applying this patch is critical since an attacker who successfully exploits this vulnerability could use a specially crafted file to perform actions in the security context of the current user.

But how likely is it that someone could exploit this vulnerability? I mean, an attacker needs to send this malicious file to a user, who then needs to actively import the file that exploits this heap buffer overflow bug. It seems to me completely different from attacks where an attacker sends a malicious PDF document which exploits some vulnerability in Adobe Reader. Here you need to actively hack yourself (similar to self-XSS in web security).

Even Microsoft states:

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

So this bug seems to be somewhat useless and very unlikely to be exploited?

Excessive Vulnerability Count in Yeoman SharePoint Generator

When I run

yo @microsoft/sharepoint

and pick standard options for a SharePoint Online WebPart with No JavaScript framework, NPM shows 1956 vulnerabilities with 140 of them being high priority.

I don’t understand why a fresh out of the box project would contain this many “issues”.

I searched the internet and a few of the blogs I ran across seemed to imply these “vulnerabilities” were actually just with the build environment and would not be deployed to the server or client machines [1][2]. Indeed, I think many people have been ignoring these vulnerabilities for quite some time since today’s vulnerability count seems much higher than the counts the authors were getting back when they originally published their posts.

To make matters even more confusing, while I think [2] does seem to indicate the problems are not going to be deployed, it still seems to indicate the “vulnerabilities” should be addressed. Also, [2] appears to be selling something so the author may be a little biased.

Running “npm audit” and checking the “Dependency Of” flag per [1] does seem to imply that the vast majority of these vulnerabilities are specific to the development environment. It does, in fact, seem to me that these problems will never make it into the SharePoint Online server or onto the machines of our end users.

Given the above, what should I do about this massive list of “vulnerabilities”?

[1] – http://www.andrewconnell.com/blog/don-t-be-alarmed-by-vulnerabilities-after-running-npm-install
[2] – https://rencore.com/blog/250-vulnerabilities-sharepoint-framework/

Is it a vulnerability to redirect to any subdomain? Similar to Open Redirect

I found a website that has the parameter post_login_redirect= which I can change to any existing or non-existing subdomain, but there is no possibility to redirect to another domain. The redirect occurs after the user logs in.

For example:

We have sub.domain.com and we can change it to anything as long as we keep domain.com. So we can redirect to a.b.c.b.domain.com even if that subdomain doesn’t exist; it will redirect anyway. But we can’t redirect to a.hello.com.

This is not an open redirect issue, because we can only redirect to subdomains that we don’t own.

Is there any possibility to chain this or make this a real vulnerability?

If a vulnerability has no relevant attack vectors, is monitoring still legitimate for a company?

Today, while reviewing vulnerability scan results with a colleague, we had a debate about which vulnerabilities can be considered “true or legitimate” and hence worthwhile to spend resources on monitoring. We had differing opinions on whether vulnerabilities without a relevant attack vector can be considered “true” vulnerabilities for our company.

My opinion was that even if a vulnerability discovered today has no applicable attack vectors because the conditions needed to exploit it do not exist, the vulnerability is still worth monitoring, as its future behavior may evolve. As more information becomes known about it, more attack vectors may become known. In addition, our company is moving in the direction of the Cloud, where I see faster detection and stronger monitoring of vulnerabilities becoming more important, due to there being more “distance” between a company and its digital assets, i.e. assets become less physically tangible.

However, I also understand my colleague’s point that monitoring and researching have an opportunity cost. If successful exploitation is unlikely, then the time spent researching, monitoring, and reporting results may be better spent on another activity, similar to how not all security risks have equal criticality.

Given our company’s direction, that we work with highly sensitive customer data such as health information (HIPAA), and that we are in the regulated financial services industry, I tend to feel more comfortable taking the more conservative approach of my own viewpoint.

In general, are vulnerabilities with non-applicable attack vectors considered “true” vulnerabilities?

How should the degree of monitoring and the resource commitment to remediation be determined, generally speaking, at a high level, particularly for regulated industries?

I can’t read GET request in netcat with XSS vulnerability

I am trying to intercept a session cookie from DVWA with an XSS vulnerability. So I send a GET to netcat, but in the terminal I can’t read it.

I tried updating Kali and netcat, verified in a few browsers, and set UNICODE and ISO-8859-1 in the terminal.

Now the GET looks like:

Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 10.0.2.4.
Ncat: Connection from 10.0.2.4:41332.
“R���m���n(s�@e(�5��bmp�� { 7*L�i/�����h>~� � ��bҴu��+�/̨̩�,�0��/5 ��
# T�߾f���).13ki �τH)y����Oq.�nS=�.Q�W��N�;�Tk{A���W)f���

I want it to look like:

GET /?cookie=username=someuser;%20uid=1 HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 ….
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cookie.php
Cookie: username=someuser; uid=1
Connection: keep-alive

I don’t know why it doesn’t work :/

Simple communication between IPs in one network, nc to nc on the same ports, works well without any problems.
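One common reason a raw listener shows unreadable bytes instead of an HTTP request line is that the client spoke TLS to it (for example, an https:// URL pointing at the listener port) rather than plain HTTP. The following added example is not from the post above: it reads whatever bytes a listener received, tells an HTTP request apart from a TLS handshake record by the first header bytes, and parses whichever case it finds. The two sample inputs (SAMPLE_HTTP and SAMPLE_TLS) are constructed for the example; the code does not assert which case the poster's capture is.

```python
import sys
from urllib.parse import unquote, urlsplit

# Constructed sample: a plaintext HTTP request of the shape the poster expected.
SAMPLE_HTTP = (
    b"GET /?cookie=username=someuser;%20uid=1 HTTP/1.1\r\n"
    b"Host: localhost:8888\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: http://localhost/cookie.php\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

# Constructed sample: the start of a TLS handshake record carrying a ClientHello.
# Byte 0 = 0x16 (handshake record), bytes 1-2 = record version 3.1,
# bytes 3-4 = record length, byte 5 = 0x01 (ClientHello), bytes 6-8 = handshake
# length, then the ClientHello body (lengths here are illustrative only).
SAMPLE_TLS = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03") + b"\x00" * 32

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def classify(data: bytes) -> str:
    """Guess which protocol the first bytes received on a raw listener belong to."""
    if any(data.startswith(m + b" ") for m in HTTP_METHODS):
        return "http"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        # Handshake record; byte 5 is the handshake message type (1 = ClientHello).
        return "tls-clienthello" if data[5] == 0x01 else "tls-handshake"
    if len(data) >= 2 and data[0] in (0x14, 0x15, 0x17) and data[1] == 0x03:
        # ChangeCipherSpec, Alert or ApplicationData record: TLS, but not a handshake.
        return "tls-record"
    return "unknown"


def tls_record_info(data: bytes) -> dict:
    """Extract the record and handshake header fields of a TLS handshake record."""
    if len(data) < 9:
        raise ValueError("need at least 9 bytes for a TLS handshake record header")
    return {
        "record_version": (data[1], data[2]),
        "record_length": int.from_bytes(data[3:5], "big"),
        "handshake_type": data[5],
        "handshake_length": int.from_bytes(data[6:9], "big"),
    }


def parse_query(query: str) -> dict:
    """Split a query string on '&' only, so ';' inside a value survives, and decode it."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[unquote(key)] = unquote(value)
    return out


def parse_http_request(data: bytes) -> dict:
    """Parse the request line, headers and query of a plaintext HTTP request."""
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "query": parse_query(urlsplit(target).query),
    }


if __name__ == "__main__":
    # Usage: save the listener's raw bytes to a file and pipe them in on stdin.
    captured = sys.stdin.buffer.read()
    kind = classify(captured)
    print("looks like:", kind)
    if kind == "http":
        print(parse_http_request(captured))
    elif kind in ("tls-clienthello", "tls-handshake"):
        print(tls_record_info(captured))
```

To use it on a real capture, redirect the listener's output to a file (for example `ncat -l 8888 > capture.bin`) and run `python3 classify.py < capture.bin`. If the result is a TLS record, the bytes are a client trying to negotiate TLS with a plaintext listener, and no amount of terminal encoding changes will make them readable.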

How to export edgescan vulnerability report with port and protocol listed

I’m trying to gather a report from info on live.edgescan.com

I notice that I can export a csv report of the vulnerabilities found on the page https://live.edgescan.com/app#/vulnerabilities. This does not include the port and protocol of each vulnerability along with the host info. There is a dropdown tab under each item within the vulnerabilities page, but these do not appear as columns in the report or the page.

How can I access these and add them into a report?

How can vulnerability researchers find flaws in OSes / Embedded Systems?

Operating Systems and Embedded Systems usually don’t come with source code or binaries that one can review.

How can a vulnerability researcher look for flaws in a system (Architecture, Protocols, etc.) without any access to source code?

Obviously, black box research will not produce good enough results.