Last Week in Security (LWiS) - 2023-05-22
From DA to EA (@_wald0), CS OPSEC (@joehowwolf), CS BOFs in BRC4 (@NVISOsecurity), Avast LPE (@Denis_Skvortcov), LOLBINs in AV (@nas_bench), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-05-09 to 2023-05-22.
- Recapping Developer Week. Cloudflare continues to release new products and make (good) changes to existing products. And yes, they did release an AI product.
- infosec company owned completely by 4chan user. Ouch.
- New ZIP domains spark debate among cybersecurity experts. I don't think there is debate, I think there are people claiming .zip will be a threat, but the only case I can see that being true is with programs that have interpreted .zip as a file since forever and may be fooled now that it can resolve as a URL. The "it looks like a file" argument strikes me as silly, since the anchor tag has been used to "disguise" URLs since the existence of the HTML standard. Oh look here's one now: legit.zip
- Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug. Is this the first case of a disabled by default mitigation being shipped in response to an active, in the wild exploit?
- RFC: Override HTTP response headers locally with DevTools. Now one of the most common use cases for Burp Suite is part of Chrome! For how see: How to Override Response Headers with Chrome DevTools.
- DEF CON 31 Badge Update - SAO support!. This year's DEF CON badges will support an add on "thing" shaped like a cyber punk wedge.
- First Look: Ghidra 10.3 Emulator. Everyone is pumped about native dark mode, but the emulator is pretty sweet.
Techniques and Write-ups
- From DA to EA with ESC5. "There's a new, practical way to escalate from Domain Admin to Enterprise Admin." Sign me up. Another banger from Andy Robbins.
- C2 and the Docker Dance: Mythic 3.0's Marvelous Microservice Moves. I can't say I love the extreme microservice-y architecture of Mythic, but it's the easiest open source C2 to write a totally custom agent for at this point. Perhaps SpecterOps can use some of that Series A to contract a web UI pro to help with the front end. I say this out of love, as I actually use Mythic C2 for production operations.
- The printer goes brrrrr, again!. 2 bytes is all it takes to RCE a Cannon printer.
- Nighthawk 0.2.4 - Taking Out The Trash. The new version supports .NET memory sleep encryption, using a custom allocator to protect and encrypt not only the executed .NET assembly but also any of its allocations during runtime. It also adds reverse port forwards, improvements to hidden desktop, "extra life" exception hooking, and other minor improvements.
- PwnAssistant - Controlling /home's via a Home Assistant RCE. Awesome write up from recon to RCE against the popular home automation software.
- Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3. Another recon to RCE web app hacking write up.
- Malicious code in PDF Toolbox extension. Browsers are the new OS, but there is zero visibility or "anti-virus" for them. It's like the Windows 98 wild west days.
- Cobalt Strike and YARA: Can I Have Your Signature?. Probably the best article on Cobalt Strike OPSEC that exists. Advanced teams have known about the satic loader signatures and other things for a while, but this post spells it all out and even gives examples of how to get around static detections. We're at a point where to be truly successful as an adversary you need to know assembly pretty well. Seems like the offensive security community has made the defenses better and raised the barrier to entry. Almost like the goal was to... @ImposeCost...
- NixImports a .NET loader using HInvoke. API Hashing in C# makes the dnSpy output a mess. Neat loader!
- CVE-2023-26818 - Bypass TCC with Telegram in macOS. While this is a write up on dylib injection in Telegram, many apps are vulnerable to a similar technique, especially third party apps.
- Introducing CS2BR pt. I - How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs. If you've used BRC4 you know the pain of BOF conversion. Nviso teases a tool to automate it, hopefully it's released soon!
- SQLi - WAF Detection & Bypass Techniques That Still Work in 2023. For the web app assessors out there.
- Avast Anti-Virus privileged arbitrary file create on virus restore (CVE-2023-1586). More Avast privescs!
- CS:GO: From Zero to 0-day. Sure it's a video game exploit, but the writeup is top tier.
- Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams. Finally, a blog on red teaming, not just penetration testing! For anyone looking to get into adversary simulation, this is a good intro.
- FriendlyName Buffer Overflow Vulnerability in Wemo Smart Plug V2. Some solid hardware hacking.
- LOLBINed — Finding “LOLBINs” In AV Uninstallers. AV makes the best traitorware.
Tools and Exploits
- CypherDog - PoSh BloodHound Dog Whisperer.
- buzzer is a fuzzer toolchain that allows to write eBPF fuzzing strategies.
- keepass-password-dumper - Original PoC for CVE-2023-32784 (keepass master password disclosure).
- PPLFaultDumpBOF - Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting cobalt strike.
- PPEnum - Simple BOF to read the protection level of a process.
- ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer.
- Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities.
- chromecookiestealer - Steal/Inject Chrome cookies over the DevTools (--remote-debugging-port) protocol.
- GoBelt - Golang programmatically invoking the SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- avred - Analyse your malware to chirurgicaly obfuscate it.
- smbcrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares.
- Goshawk is a static analyze tool to detect memory corruption bugs in C source codes. It utilizes NLP to infer custom memory management functions and uses data flow analysis to abstract their behaviors and then adopts these summaries to enhance bug detection.
- dumpulator - An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
- EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances. It works by sending commands to EC2 instances using ssm:SendCommand and then retrieves the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.