The process from initial IR call to discovering the 0-day later called 2021-26857. Brief discussion of the submission process with Microsoft and a technical look on the actual exploit. No longer fully NDA'd, so I can share the exploit, slightly redacted. Will have a working demo, might have produced a full PoC by August.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
*Customer in the IR case have requested that as little as possbile is shared, so I would prefer not to have it recorded.
Speakers for Hafnium from the inside:
Metadata for Hafnium from the insideTo be recorded: No
URLs for Hafnium from the inside
No URLs found.
Schedule for Hafnium from the inside
- Sunday, Aug 22nd, 2021, 15:00 (CEST) - Sunday, Aug 22nd, 2021, 16:00 (CEST) at Speakers Tent