September 15th, 2024

How to Break Out of Hyper-V and Compromise Your Admins

PowerShell Remoting and PowerShell Direct are vulnerable because the connecting client deserializes untrusted CLIXML returned by the remote endpoint, so an attacker who controls a server or virtual machine can compromise the administrator's workstation that connects to it. Microsoft acknowledged the issue, but the author's concerns persist. Recommendations include keeping systems patched, using dedicated administrative workstations and reviewing third-party modules.

The blog post from Truesec discusses vulnerabilities in PowerShell Remoting and PowerShell Direct, both widely used for managing IT environments. Both carry objects between the two sides in a serialization format called CLIXML, and the connecting client deserializes whatever the remote side returns on the implicit assumption that the remote system is honest and returns legitimate data. The article shows how an attacker who already controls a server or virtual machine can exploit that assumption: when an administrator connects to the compromised endpoint, the returned data is manipulated so that deserializing it compromises the administrator's own computer. From there the attacker can escalate privileges and move laterally within the network, for example by stealing sensitive information such as password hashes. The post also gives the timeline of reporting these vulnerabilities to Microsoft and Microsoft's subsequent acknowledgment of the issue. Although Microsoft has stated that the issue has been fixed, the author remains concerned that the vulnerabilities may still be exploitable. Recommended mitigations are to keep systems fully patched, to use dedicated workstations for administrative tasks, and to be cautious with third-party PowerShell modules. The article emphasizes the importance of maintaining a secure environment when using PowerShell Remoting and Direct.
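To make the trust boundary concrete, the following PowerShell is an added example and is not code from the Truesec post. It builds a small CLIXML document of the kind a remote endpoint returns over PSRP (the XML is constructed here and contains nothing malicious), first lists the type names the sender is asking the receiver to rehydrate by parsing the XML without deserializing it, and then deserializes it through the public PSSerializer API to show what the client ends up holding. The function names are this example's own.

```powershell
# Added example: what a CLIXML payload carries, and what the receiving side does with it.
# The XML below is constructed for this example in the same shape Export-Clixml / PSRP
# produce. Every type name and property value in it was chosen by the sender.
$clixml = @'
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Diagnostics.Process</T>
      <T>System.ComponentModel.Component</T>
      <T>System.MarshalByRefObject</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Diagnostics.Process (notepad)</ToString>
    <Props>
      <S N="Name">notepad</S>
      <I32 N="Id">1234</I32>
      <S N="Path">C:\Windows\System32\notepad.exe</S>
    </Props>
  </Obj>
</Objs>
'@

# Step 1: enumerate the type names the payload asks the receiver to rehydrate, WITHOUT
# deserializing. This is a plain XML parse and never touches PSSerializer, so it is a
# safe way to triage a CLIXML blob (for example a file from an untrusted share) first.
function Get-ClixmlTypeNames {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ps', 'http://schemas.microsoft.com/powershell/2004/04')
    # Each <T> under a <TN> is a type name chosen by the sender, not by the receiver.
    $doc.SelectNodes('//ps:TN/ps:T', $ns) |
        ForEach-Object { $_.InnerText } |
        Sort-Object -Unique
}

# Step 2: deserialize the same payload the way a remoting client would and inspect the
# result. PSSerializer is the public API behind Import-Clixml and PSRP output handling.
function Invoke-ClixmlRoundTrip {
    param([Parameter(Mandatory)][string]$Xml)
    $obj = [System.Management.Automation.PSSerializer]::Deserialize($Xml)
    [pscustomobject]@{
        # Type names come back prefixed 'Deserialized.' for an ordinary property bag.
        TypeNames = $obj.pstypenames -join ', '
        Name      = $obj.Name
        Id        = $obj.Id
        Path      = $obj.Path
        # A property bag is not a live Process object, so this is $false here.
        IsLive    = $obj -is [System.Diagnostics.Process]
    }
}

'Type names the sender asks the receiver to rehydrate:'
Get-ClixmlTypeNames -Xml $clixml

'What the receiver holds after deserialization:'
Invoke-ClixmlRoundTrip -Xml $clixml | Format-List
```

The point of running both steps side by side is that the receiving side has no say in the `<TN>` block or the property values; it reconstructs whatever the sender wrote. For most types that reconstruction yields an inert `Deserialized.*` property bag, as above, and the post's concern is precisely the cases where the deserializer does more than build a property bag.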

- PowerShell Remoting and Direct are vulnerable to exploitation through untrusted CLIXML deserialization.

- Attackers who control the remote endpoint can compromise the connecting admin's system by manipulating the data returned over the remote connection.

- Microsoft acknowledged the vulnerabilities and reports them fixed, but the author's concerns remain about whether they are fully resolved.

- Recommendations include using dedicated workstations and reviewing PowerShell modules for security.

- Organizations should remain vigilant and implement security measures to mitigate risks.

Related

Windows: Insecure by Design

The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.

Local Networks Go Global When Domain Names Collide

Namespace collision from new top-level domains poses security risks for organizations using outdated domain names. Philippe Caturegli identified over 9,000 vulnerable domains, highlighting the need for improved cybersecurity practices.

Keyhole – Forge own Windows Store licenses

A newly discovered exploit named "Keyhole" allows bypassing Microsoft's Client Licensing Platform, enabling unauthorized license creation for Microsoft products. Researchers shared their findings after Cisco TALOS reported the vulnerability.

About that Windows Installer 'make me admin' security hole. How it's exploited

Microsoft patched a critical Windows Installer vulnerability, CVE-2024-38014, allowing privilege escalation. SEC Consult released a tool to identify vulnerable files, urging users to apply the patch promptly.

Attacking PowerShell Clixml Deserialization

PowerShell's CLIXML deserialization presents security risks, including remote code execution. The article discusses vulnerabilities, gadget chains, and offers recommendations for IT operations and developers to mitigate these risks.