2023.10
Major Features / Enhancements
- Auto-Injected Credentials: Added ability to auto-inject credentials into a regularly scheduled pentest using a NodeZero Runner.
- Remote Access Tool Improvements: NodeZero's Remote Access Tool (RAT) has been updated with new techniques to evade some EDRs.
New Attack Content
- Cisco IOS XE Web UI Exploit (CVE-2023-20198): Devices with the Web UI enabled are exposed to a vulnerability that lets remote attackers create a high-privileged account, potentially achieving full control of the device. This flaw is known to be actively exploited.
- JetBrains TeamCity RCE: NodeZero detects and exploits an authentication bypass vulnerability (CVE-2023-42793) leading to unauthenticated remote code execution in JetBrains TeamCity.
- H2 Console RCE: Exploitation of a vulnerability (CVE-2022-23221) in H2 Console versions up to 2.1.210 is now supported, enabling remote code execution.
- Confluence Auth Bypass / Priv Esc: Vulnerabilities in Confluence Data Center and Confluence Server versions (8.x before 8.3.3, 8.4.3, and 8.5.2) have been addressed. These versions were exposed to unauthenticated RCE through a broken access control vulnerability. Successful exploitation allowed an attacker to add a new admin user, who could then upload and execute a Confluence plugin, achieving RCE as the Confluence user.
- Apache Solr File Read (H3-2023-0023): Added support for exploitation on both Windows and Unix systems.
- Azure Authentication Improvement: NodeZero now supports authentication using both Azure Refresh and Azure Access Tokens, enhancing the Azure attack flow.
- Shodan External Host Discovery: Integrated Shodan's top 100 ports into the external host discovery TCP scan. Optimized the timing profile of these scans to increase precision and reduce potential network congestion.
- WS_FTP Server RCE (CVE-2023-40044): NodeZero can now exploit a .NET deserialization vulnerability in WS_FTP Server versions (before 8.7.4 and 8.8.2). This flaw in the Ad Hoc Transfer module lets pre-authenticated attackers execute remote commands on the WS_FTP Server's underlying OS.
Bug Fixes
- Fixed a regression bug that affected host discovery when using ZMap. This affected Internal Operations and NodeZero's ability to discover hosts outside of its own network.