Patch [Fix] Tuesday – February 2025: [Experts Break Down Zero-Days, 7-Zip Vulnerabilities, and More] E16
Ryan Braunstein (00:00)
Happy Patch Tuesday, everybody! uh, yeah, it's Valentine's Day week, you know, all that good stuff is coming up here, but more importantly, we've got some real interesting and spicy, um, vulnerabilities for you today. Some nice CVEs, you know?
Tom Bowyer (00:19)
Absolutely. We made it to February, which is, you know, crazy to think about how quick January went. But yeah, we're deep in it now, deep into the year, basically.
Henry Smith (00:34)
Yep.
Ryan Braunstein (00:34)
We're kind of like, I don't know, it's kind of like the outer end of the year. We're just grazing the year, you know, but you know.
Henry Smith (00:40)
Wait, Ryan, what did you say earlier about the roller coaster, the bars are down and they're not going up now?
Tom Bowyer (00:46)
Yeah.
Ryan Braunstein (00:47)
Yeah, we're strapped in, the bars are down, you can cry, you can vomit, but it's all gonna be caught on camera on this podcast.
Tom Bowyer (00:54)
Hahahaha
Henry Smith (00:56)
Perfect.
Tom Bowyer (00:58)
That's very true.
Ryan Braunstein (00:59)
And that is the year that we are on and I'm sure things are just gonna pop off. It'll be fun or not.
Ryan Braunstein (01:30)
But Henry, why don't you kick us off with your spicy ones?
Henry Smith (01:33)
Alrighty, let's see. So we're going to switch it up a bit. I'm actually going to go back in time and bring up a CVE from last month. So CVE-2025-21293. And that's an Active Directory Domain Services Elevation of Privilege vulnerability. So the main reason we're bringing it up again is because an exploit POC has been released.
and is live on the interwebs now. This vulnerability was interesting because it allows attackers, of course, to gain system level privileges within an Active Directory domain due to a lesser known, like I didn't know about this security group until now, but there's a lesser known built-in security group called Network Configuration Operators. And from what I've read, this group is supposed to grant limited network
configuration privileges to users without giving them full admin. But of course, it was found to have excessive permissions over some sensitive registry keys. So exploiting permissions of this group could allow an attacker to register, get this, a malicious performance counter.
Yes, a performance counter. So, yeah, so once they register the malicious performance counter, it will then be executed with system level privileges. And actually, the proof of concept includes a skeleton of a performance counter DLL with all the necessary parts already included, making the bar of entry on this one pretty low. So you probably already
Tom Bowyer (02:50)
What?
But for educational purposes only though, right? For educational purposes.
Ryan Braunstein (03:17)
Yeah.
Henry Smith (03:19)
Yes, exactly. No bad people will use it.
Ryan Braunstein (03:23)
Definitely.
Tom Bowyer (03:23)
Good. Good. I'm glad they added that in there because it's important when you're releasing your POCs on GitHub that are fully fleshed out and may or may not contain Cobalt Strike beacons already built in that you put that disclaimer on there so our friends on the other side can not use those ones. They know which ones not.
Ryan Braunstein (03:26)
Yeah.
Yeah, you gotta test it out in your own environment, right?
Tom Bowyer (03:50)
Yeah, exactly. Yeah, it...
Henry Smith (03:54)
But if you can't patch for this one, there are some registry keys that I mentioned earlier that you can register or that you can monitor for unauthorized modifications.
Alright, this month, so CVE-2025-21418. This is the Windows Ancillary Function Driver for WinSock, Elevation of Privilege vulnerability. What a mouthful. So the Ancillary Function Driver is that afd.sys file. And all we can see at the moment about this one is that it's another one where an attacker can exploit it for system privileges and the complexity is pretty low. Along with that, this one stood out because the exploitability assessment shows that while an exploit isn't public, the vuln is actively being exploited. And this one affects Windows 10, 11, and even back to Server 2008 and all the other server iterations.
And, you know, I like to try and talk about these vulnerabilities the best I can. Being completely transparent here. I've heard of WinSock before. Like I know it has something to do with network communications with Windows, but I had to do some extra digging on this one, which led me to a previous CVE, CVE-2023-21768 that affected the same driver. And the too long didn't read there is the issue arises from my favorite thing of all time: improper handling of user mode input, which allows... every time I'm on here, I swear. It allows an attacker to send a malicious input output control request to the AFD driver.
Ryan Braunstein (05:27)
I knew it was gonna be that. I knew it. I knew it.
Tom Bowyer (05:29)
haha
Henry Smith (05:38)
And in fact, someone crafted an exploit around this where a low privilege user would just run like an executable and provide a process ID of the process that they want to elevate. And boom, they have system privileges just like that. So definitely patch for that.
Ryan Braunstein (05:55)
Yeah.
Tom Bowyer (05:56)
Yeah. That one to me is another one of those spicy ones where it'll be in your favorite CTF one day, right? Like it just, it's exactly what it is. You know, just one, just one like that where you download this EXE and you just put in the PID and you're good to go. Boom, system. Where it's focused on, you know, enumeration and those similar type vulnerabilities. But yeah, definitely.
Henry Smith (06:03)
Exactly.
Ryan Braunstein (06:15)
Yeah
Tom Bowyer (06:24)
I agree with Henry and a lot of these, very, I feel like the bar of entry is so low a lot of the times nowadays with a lot of these vulnerabilities that you just go on GitHub and you get what you need. You don't even need to go anywhere else. Like, and it, it, you know, I might go on a little rant here and it's funny too, 'cause a lot of the news recently is the FBI took down a couple of forums, right? Like Nulled and a couple of other hacking forums. And it's like, you know, I get it.
Ryan Braunstein (06:37)
Yeah.
Tom Bowyer (06:52)
a lot of exploits and stuff and data is sold there, but you really don't need to go to those places anymore. In the modern age, you can just go to GitHub and get any POC you need for a ton of vulnerabilities and build those into your toolkits. Right. So it's the ebb and flows of our industry. Right.
Ryan Braunstein (07:12)
Yeah, I mean, I guess the difference is the forums are for, you know, malicious activities, whereas GitHub is for the proof of concepts, you know, like it's educational purposes only, you know. That should be like the title of most of those forums for educational purposes only, you know.
Henry Smith (07:23)
educational.
Tom Bowyer (07:24)
Yeah.
Yeah, exactly.
Speaking of the user, when was the last time any of us used the Windows Disk Cleanup Tool?
Ryan Braunstein (07:42)
The last time I used a rotational drive.
Tom Bowyer (07:45)
But this, this month, February, we have an elevation of privilege in the Windows Disk Cleanup Tool, CVE-2025-21420, which to me is just both funny and kind of sad at the same time that there is an elevation of privilege vulnerability in this specific tool and that it's still very prevalent in Microsoft, given that I think I used it all the way back in the early 2000s. You know, it just it's just funny to me that I don't ever it's just one of those where I don't think I've seen something like this in a long time. And it feels like and maybe this is just my, you know, big paranoid hat. But it feels like people are poking at these systems that they know will impact servers that are reaching end of life, right? Server 2008, Server 2012 that are very heavily prevalent in the enterprise still. And they're looking for vulnerabilities and ways to exploit these things that may or may not get patched in the future as Microsoft, you know, deprecates these OSes. So when I see this one, this to me feels like that somebody poking at things and looking at things that most people have skipped over the last 10 years and it, you know, I think it'll be an interesting five to 10 years, right? As we all know, it took people, what, 7 to 10 years to get off XP and there's still stuff that's driven by XP nowadays, right? Yeah.
Ryan Braunstein (09:21)
Yeah.
Are you sure that people- I was gonna say, are you sure that people actually got off that? 'Cause like, I have seen some things.
Tom Bowyer (09:37)
I know.
Henry Smith (09:37)
Should we take bets on when a POC is gonna be out for this one? Tomorrow?
Ryan Braunstein (09:42)
More curious on your thoughts on how this is being leveraged. Is it because it's interacting with a lot of temporary directories and it's navigating something like that that's allowing them to get system level privileges and then move laterally? What are your all's vibes? We're just talking vibes.
Tom Bowyer (10:03)
Yeah.
I mean, the details are pretty limited that Microsoft provided, but to me that's, it feels like something like that, right? There's a lot of moving parts when you're defragging a hard drive. So maybe there's some race condition, right? What's that?
Henry Smith (10:20)
What's that?
Ryan Braunstein (10:23)
You're too young for that, Henry. No.
Tom Bowyer (10:28)
Maybe there's... She's got him.
Henry Smith (10:28)
Hey, what?
Cleanup tool has been around since Windows 98. So I was alive.
Ryan Braunstein (10:31)
Got
All I know.
Henry Smith (10:39)
I very, for one.
Ryan Braunstein (10:39)
for four years.
Tom Bowyer (10:39)
True. Yeah, Ryan.
Ryan Braunstein (10:44)
I'm the oldest one in this car.
Henry Smith (10:46)
But yeah, kind of to Ryan's point earlier, because you've got to think it's probably something to do with something the user can control, right? Some kind of user input. And, you know, maybe it's like you've got to craft like a malicious file that the disk cleanup utility like goes over. Yeah, something like that. I'm really, yeah, yeah, I'm really excited to see what comes out for this one.
Tom Bowyer (10:58)
You
Ryan Braunstein (11:04)
Look at D- yeah. Look at DLL. Yeah.
Tom Bowyer (11:09)
Yeah, yeah, yeah, yeah, exactly. It feels like, you know, who's done a deep dive into a Windows disk cleanup? I don't think I, has there ever been a writeup around like the inner workings of how to defrag using Windows cleanup? It feels very,
Ryan Braunstein (11:13)
Yeah.
Henry Smith (11:22)
I don't think.
Tom Bowyer (11:30)
It's really cool.
Ryan Braunstein (11:32)
It feels like trying... It's probably one of those things where it's like... It'll be ridiculous if it's not this, but it feels like diving off of a high dive into a shot glass kind of thing. But if the bar is much lower, this will be a really spicy one. So, yeah. But yeah, we also have a nice little third party patching one.
Tom Bowyer (11:42)
You
Exactly. Absolutely.
Henry Smith (11:51)
Good times.
Ryan Braunstein (11:59)
7-Zip, pretty much anything prior to 24.09 could potentially be exploited around this. And it basically allows the attacker to use some arbitrary code execution on it by passing... What's that system called that it bypasses? Yeah, Mark of the Web, yeah. Yeah, it's...
Tom Bowyer (12:21)
the marker of the web system.
Ryan Braunstein (12:28)
Really interesting. This, this one kind of like speaks to me just because, you know, we deal with like pipelines all the time. And so I always think of things that can be, you know, executed without user interaction in some way, besides just like downloading it and getting on your device and unzipping it. Like, I always think of that kind of stuff, like in Jenkins pipelines, GitHub Actions pipelines, like how, how does that kind of thing possibly break free from that? And like, how does it affect like the, you know, overall systems that are attached to it.
Tom Bowyer (13:00)
Yeah, absolutely. I do feel, you know, there's kind of inbuilt trust to zip files nowadays and you know, people will download things and then like if it's an EXE, there's kind of a little bit of paranoia running it, right. Like maybe not this one specifically, but a 7-Zip
Ryan Braunstein (13:19)
Yeah.
Tom Bowyer (13:23)
You know, there's that trust built in where, well, it's just an archive. I can unarchive it and I'm still safe because I'm not running the executable. And for vulnerabilities like this, that's not necessarily the case, right? It will, there are some protections that are bypassed and just unarchiving an archive could accidentally execute arbitrary code on your local system, which to me is just, you know, don't trust anything you download, I guess.
Ryan Braunstein (13:50)
Yeah.
Henry Smith (13:51)
Seriously though, yeah.
Ryan Braunstein (13:53)
Yeah, or at least have like some proper file scanning like in place like in like your pipelines or on your computers as a whole, you know, hopefully your EDRs are rocking and rolling on that one. You know, other than that, patch it.
Tom Bowyer (13:53)
Yeah.
Yeah, absolutely. Yeah.
Henry Smith (14:10)
And just to kind of circle back, you know, Mark of the Web for anyone who's unfamiliar. I think that's just like a Windows, a Windows way of like indicating that a file originated from the internet. It kind of helps like Defender kind of perform some additional inspection of that. So I think this vulnerability in question, it bypasses that. Is that right, Ryan?
Ryan Braunstein (14:32)
Yeah, it completely bypasses it. So I'm assuming that probably maybe that's possibly bypasses the scanning on Defender as a whole, like you said, but I wonder how other EDRs would react to it. Like if something like a CrowdStrike or SentinelOne or something like that would react differently, kind of thing, like doesn't care if it has Mark of the Web or not.
Henry Smith (14:34)
Yeah, so.
Right.
Tom Bowyer (14:52)
Yeah.
Yeah. Good call. Right. Like a lot of that is behavioral with those EDRs, right? Like they, they detect that stuff behaviorally when it's doing, when some things do weird stuff like that. I would, yeah, that's a, that's like an interesting, interesting call out on how non-Windows-based EDRs would do specifically for this attack method.
Ryan Braunstein (15:19)
Yeah. I was just getting ready to say, I think it's something we might be able to play with internally here. Yeah. Yeah.
Henry Smith (15:20)
Maybe we'll have to test it out ourselves.
Tom Bowyer (15:22)
Yeah.
Henry Smith (15:25)
Wow, sounds like fun.
Tom Bowyer (15:26)
Yeah, absolutely. And I think a lot of this just, you know, it erodes the trust. You know, I think about these ones and I think about, right, like a lot of the remote code execution vulnerabilities that come and go in like Chrome, where all you got to do is navigate to a malicious website and you accidentally, you know, download some kind of keylogger or something like this is just kind of it's eroding trust in a lot of these completely trusted systems we have as security practitioners these days.
Ryan Braunstein (15:59)
Yeah. I mean, I feel like we've experienced a lot of this over the last year alone with all these different like, you know, third party systems, even open source systems have had some major issues over the last year. And, you know, obviously calling out the XZ vuln is the easy one. Um, I don't know. It's just one of those things where it keeps you on your toes and trust, trust no one. But you know, just what's that?
Tom Bowyer (16:17)
Mm-hmm. Yeah, absolutely.
Henry Smith (16:27)
I said
Tom Bowyer (16:29)
Yeah.
Henry Smith (16:30)
Layer up, defense in depth. I think that's another thing to talk about every time is like defense in depth.
Ryan Braunstein (16:32)
Yes.
Yeah, absolutely. Having just any good processes in place or controls to just... Yeah, it's a good call. But... One of the...
Tom Bowyer (16:37)
Yeah.
Speaking of eroding trust, Apple released 15 dot, what is it? 15.3. And there's a, there's a really good one in here for everyone going to hacker summer camp later this year that I think will... please update your device before you go out there because this one is a, a good one. CVE-2025-24126, which is a vulnerability in AirPlay. An attacker on the local network may be able to cause unexpected system termination or corrupt process memory. So you're just walking around and you joined the DEF CON WiFi and there's someone on there doing something they ain't supposed to be doing and crashing Macs, you know, crashing phones. This is just, it just reminds me of like the Bluetooth one.
Henry Smith (17:31)
I wouldn't do that.
Tom Bowyer (17:45)
and you know, pair with this TV and all those troll vulnerabilities. Yeah, all those troll vulnerabilities that happen when you're at DEF CON when you have your Bluetooth on, right? Like this one is specifically targeting local network, WiFi, et cetera. But yeah, just.
Ryan Braunstein (17:48)
Yeah.
Henry Smith (17:51)
It all works.
Ryan Braunstein (18:03)
Yeah.
I wonder how that works on a hotel WiFi that is separated a bit. I just think about these things. You don't need a pineapple to do any of this stuff. It's just network access.
Tom Bowyer (18:10)
Yeah!
No.
Yeah, like are they allowing devices to communicate with each other? Like I don't know if I've ever seen a device at a hotel like join this TV's AirPlay, but maybe, you know, like.
Ryan Braunstein (18:39)
I think I've seen it, but I can't tell if it was over Bluetooth. I've got to think about that, if it was the network or just because, you know, like you'll be in a hotel room and you'll get like if you pack a Chromecast or something with you and you go to like pair it with it, you'll see like every IoT. Then you'll see like a few phones scattered in there and you're like, can I talk between this network to like these other people or is that just the Bluetooth like and I'm just close enough through the walls like.
Tom Bowyer (18:44)
Yeah.
Yeah.
huh.
No.
Yeah, exactly. 'Cause they usually want you to sign in on like the TV itself. You know, if you want to watch Netflix or something, a lot of them are doing that now where they make you sign into the TV and that, you know, that's a good call. Can I hit other Apple devices on a local network at a WiFi and cause some havoc with this one specifically? So update.
Ryan Braunstein (19:09)
Yeah.
Henry Smith (19:15)
Right.
Ryan Braunstein (19:15)
Yeah.
Yeah, you brought up DEF CON. That's why I immediately thought hotel. Everyone, all these people are at a hotel or they're smart, like an Airbnb separate from a... Yeah. Yeah. But yeah, that's our spicy, spicy February here. I think those are a lot of like really fun and interesting ones. Fun, depending on who you are. Interesting for sure.
Tom Bowyer (19:35)
Yeah, right.
Yeah, absolutely. That's a good one for Mac, I think. Right.
Henry Smith (19:59)
Right?
Tom Bowyer (20:00)
Yeah.
Henry Smith (20:01)
Not so fun if you're defending against all these, but
Ryan Braunstein (20:05)
Yeah, patch your stuff everybody. Keep up to date and read the patch notes.
Tom Bowyer (20:13)
Happy Tuesday, everybody.
Ryan Braunstein (20:15)
Happy Tuesday.