Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software.
A day after the vendor published the security issues, attackers started leveraging them in attacks.
Threat actors have compromised multiple ScreenConnect accounts, as confirmed by the company in an update to its advisory, based on incident response investigations.
Cybersecurity company Huntress has analyzed the vulnerabilities and is warning that developing an exploit is a trivial task.
The company also stated that on Monday the Censys platform was showing more than 8,800 vulnerable ScreenConnect servers exposed. An assessment from The ShadowServer Foundation noted that yesterday the number was around 3,800.
The first working exploits emerged quickly after ConnectWise announced the two vulnerabilities and more continue to be published. This prompted Huntress to share its detailed analysis and show how easy it is to create an exploit, in the hope that companies would move faster with remediation steps.
Easy to spot and exploit
Huntress located the two flaws by looking at the code changes the vendor introduced with the patch.
For the first flaw, they found a new check in a text file indicating that authentication process wasn’t secured against all access paths, including the setup wizard (‘SetupWizard.aspx’).
This pointed to the possibility that in the vulnerable versions a specially crafted request could let users use the setup wizard even when ScreenConnect had already been set up.
Leveraging the path traversal bug is possible with the help of another specially crafted request that allows accessing or modifying files outside the intended restricted directory.
The updates from ConnectWise introduce stricter path validation when extracting ZIP file contents, specifically to prevent file writing outside designated subdirectories within ScreenConnect’s folder.
With administrative access from the previous exploit, it is possible to access or manipulate the User.xml file and other sensitive files by crafting requests that include directory traversal sequences to navigate the file system beyond the intended limits.
Eventually, the attacker can upload a payload, such as a malicious script or executable, outside the ScreenConnect subdirectory.
Huntress shared indicators of compromise (IoCs) and analytical detection guidance based on the artifacts created when the above flaws are exploited.