Last Week in Security (LWiS) - 2022-04-25

Acrobat extension issues (@WPalant), ECDSA signature in Java vuln (@neilmaddog), GPO LPE (@decoder_it), SSN resolution from process structs (@modexpblog), AWS container escape (@yuvalavra), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-18 to 2022-04-25.

News

Techniques and Write-ups

Tools and Exploits

  • KrbRelayUp is a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
  • memray is a memory profiler for Python. Not specifically security related, but very cool.
  • Issue 2274: Linux: watch_queue filter OOB write (and other bugs). Google Project Zero found another Linux LPE. This one affects kernel from 5.8 to 2022-03-11 (5.16.15, 5.15.29, 5.10.106). PoC exploit is included, but may be unstable.
  • C2-Tool-Collection is a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. This is from Outflank so you know its going to be good.
  • cdnstrip is a tool for striping CDN IPs from a list of IP Addresses.
  • elfpack does ELF Binary Section Docking for Stageless Payload Delivery.
  • HalosUnhooker is a Halos Gate-based NTAPI Unhooker.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • htmlq is like jq, but for HTML. Uses CSS selectors to extract bits of content from HTML files.
  • KDStab is a BOF combination of KillDefender and Backstab.
  • ADReaper is a fast enumeration tool for Windows Active Directory Pentesting written in Go.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.