Last Week in Security (LWiS) - 2024-11-18
Arc browser RCE (@RenwaX23), more Fortinet woes (@SinSinology), PowerHuntShares v2 (@_nullbind), make_token_cert (@freefirex2), BOFs without DFR (@netbiosX), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-12 to 2024-11-18.
News
- CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface - The alert from last week is a full blown CVE this week.
- Inside Intelligence Center: Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers - Double check the URL before committing to that deal!
- Joint statement by the Foreign Ministers of Finland and Germany on the severed undersea cable in the Baltic Sea - A reminder that the digital world is not immune to physical attacks. "The fact that such an incident immediately raises suspicions of intentional damage speaks volumes about the volatility of our times."
- US lawyers will reportedly try to force Google to sell Chrome and unbundle Android - This feels very United States of America v. Microsoft Corporation (Feb-Jun 2001). It would be ironic if this ends up killing Firefox, as Google is their only real source of income ($510 of $593 million in revenue in 2022 was from Google search payments).
- Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges - The Justice Department unsealed criminal charges against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.
Techniques and Write-ups
- Reverse Engineering iOS 18 Inactivity Reboot - Last week we reported that iOS 18.1 devices were rebooting when left idle. This week we have some good data on how this inactivity reboot works. TLDR: The secure enclave tracks time since last unlock, and if it's been more than 3 days, it will reboot the device.
- Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 - "It's been a tricky time for Fortinet (and their customers) lately - arguably, even more so than usual. Adding to the steady flow of vulnerabilities in appliances recently was a nasty CVSS 9.8 vulnerability in FortiManager, their tool for central management of FortiGate appliances." Once Sina Kheirkhah (@SinSinology) locks onto your products, you had better hope your security posture is up to par. Fortinet has been on the receiving end of a lot of attention and exploitation lately.
- Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE - Looks like some unused functionality in Arc shipped and could be used for remote code execution (RCE).
- Phishing by Design: Two-Step Attacks Using Microsoft Visio Files - As defenses get better, threats evolve to use trusted sites and multi-step execution. In this case the often overlooked Microsoft Visio (installed as part of the Office suite usually) is used to deliver a two-step phishing attack.
- [PDF] New Zero-Day Vulnerability Detected: CVE-2024-43451 - This is a unique Windows initial access vulnerability that is being actively exploited, as it only requires a single right click, deleting the file, or dragging the file to another folder to execute.
- ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI - While AI is the current buzzword, it's not immune to security issues. This post details how running a malicious model in Vertex AI could compromise the entire AI environment.
- Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0 - Like it or not, credentials on SMB shares are a common win for attackers. This tool's v2 update is a great way to automate finding shares configured with excessive privileges, including interesting file discovery, automated secret extraction, risk scoring, and of course, LLM-based share fingerprinting.
- Local Admin + Disconnected RDP Sessions - A demo to show the dangers of disconnected RDP sessions by privileged accounts (Domain Admins). If the computer they are disconnected from is compromised (Local admin), the domain admin session can be used by the attacker.
- The Definitive Guide to Linux Process Injection - While Windows gets most of the attention, Linux has lots of techniques for process injection. This is a great overview post that showcases many of them. Note that the code is actually in the repo Linux-Process-Injection, not the one linked throughout the post (github.com/guardicode) that 404s.
- Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation - Many of the use cases presented in the article feel a little basic (i.e. could be implemented in a short script), but this is only the beginning...
- Local Admin In Less Than 60 Seconds (Part 1) - By default, Domain Controllers do not require LDAP signing or enforce channel binding, which leaves them open to NTLM relay to LDAP/LDAPS. Windows Server 2025 changes the defaults, but most environments still give you time to abuse this.
- Writing Beacon Object Files Without DFR - Some good tips on how to clean up BOF code to make it more general and thus easier to test outside of a C2.
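Before assuming the relay-to-LDAP path from the "Local Admin In Less Than 60 Seconds" write-up is open, it is worth checking what your DCs actually enforce. The following is an added example (not code from the linked post or from the author): it reads the two registry values that the "LDAP server signing requirements" policy and the channel-binding hotfix setting control on each DC and flags the insecure defaults. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the value meanings in the comments are the documented ones, and an absent value is treated as the default.

```powershell
# Added example: audit LDAP signing and channel-binding enforcement on every DC.
# Assumes RSAT ActiveDirectory module and PowerShell Remoting (WinRM) to each DC.
Import-Module ActiveDirectory

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $ntdsKey -ScriptBlock {
        param($key)
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # LDAPServerIntegrity: 1 (or absent) = signing not required, 2 = require signing.
        $signing = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }

        # LdapEnforceChannelBinding: 0 (or absent) = never, 1 = when supported, 2 = always.
        $cbt = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }

        [pscustomobject]@{
            DC                  = $env:COMPUTERNAME
            LDAPServerIntegrity = $signing
            SigningRequired     = ($signing -eq 2)
            ChannelBinding      = $cbt
            ChannelBindingAlways = ($cbt -eq 2)
        }
    }
}

$results | Format-Table DC, LDAPServerIntegrity, SigningRequired, ChannelBinding, ChannelBindingAlways -AutoSize

# Anything not at the hardened values is relay-friendly: NTLM relay to LDAP works
# without signing, and relay to LDAPS works without channel binding.
$results | Where-Object { -not $_.SigningRequired -or -not $_.ChannelBindingAlways } |
    ForEach-Object { Write-Warning "$($_.DC): LDAP signing and/or channel binding not enforced" }
```

Run it from a domain-joined admin workstation. A DC reporting `SigningRequired = False` or `ChannelBindingAlways = False` is a candidate for the relay chain in the write-up; note that setting `LdapEnforceChannelBinding = 1` only protects clients that already send channel-binding tokens, so `2` is the value to aim for once legacy clients are accounted for.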
Tools and Exploits
- KexecDDPlus - A Windows tool that relies on Server Silos to access the KsecDD driver directly, without having to inject code into LSASS. This means it can operate even on systems with LSA Protection enabled. For more details see Exploiting KsecDD through Server Silos.
- tpm_sniffing_pin is a simple Python PoC to retrieve the VMK through TPM Sniffing by knowing the user's PIN.
- TokenCert is a C# tool that will create a network token (LogonType 9) using a provided certificate via PKINIT. This way, we can have a make-token functionality using certificates instead of passwords.
- make_token_cert - A new BOF from Trusted Sec to authenticate using only a .pfx file.
- Moodle-Scanner - A Moodle Scanner to check for the version and associated vulns.
- Exploit-Street - Complete list of LPE exploits for Windows (starting from 2023).
- linux_bof - ELF BOFs! This fork has a few more examples than the parent repo from Outflank.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- CVE-2024-30090 - Microsoft Streaming Service Elevation of Privilege Vulnerability PoC.
- sequin is a small utility that can help you debug your CLIs and TUIs. It's also great for describing escape sequences you might not understand, and exploring what TUIs are doing under the hood.
- up - Troubleshoot problems with your Internet connection based on different protocols and well-known public servers.
- multi-agent-orchestrator - Flexible and powerful framework for managing multiple AI agents and handling complex conversations.
- zizmor - A tool for finding security issues in GitHub Actions setups.
- graphinder - 🕸️ Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce. 🕸️
- neohtop - 💪🏻 htop on steroids.
- Tech Note - Okta Verify Bypass - Similar to Adam Chester's recent Okta research, the GitLab red team documents some of their experience with Okta.
- TermHound - A comprehensive Active Directory security analysis tool that integrates with Neo4j to detect vulnerabilities, analyze attack paths, and identify security misconfigurations.
- WebVM 2.0: A complete Linux Desktop Environment in the browser via WebAssembly - WebVM is a full Linux environment running in the browser, client-side. It has support for persistent data storage, networking, Xorg, and a complete desktop environment.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.