Last Week in Security (LWiS) - 2022-05-02
GitHub OAuth token hack, security.txt RFC (@EdOverflow), channel binding bypass for LDAP (@lowercase_drm), #ExtraReplica (@sagitz_, @shirtamari, @nirohfeld, @ronenshh), Windows kernel driver fun (@_xpn_), prefetch on Apple Silicon (@jose_vicarte and team), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-04-25 to 2022-05-02.
News
- RFC 9116: A File Format to Aid in Security Vulnerability Disclosure. The security.txt file for security disclosure is an official RFC!
- Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators. A breach is bad, but having GitHub have to tell you about your breach is even worse. Good on GitHub for identifying the malicious use of "legitimate" OAuth tokens from a Heroku and Travis CI.
- Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution. AWS last week, Azure this week. This one is much worse as you could gain access to other customer's databases. Full details here.
- $90 million stolen from DeFi platforms over the weekend. The early adopter phase has a really steep entrance fee.
Techniques and Write-ups
- Introduction to VirtualBox security research. "This article introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers."
- Bypassing LDAP Channel Binding with StartTLS. Even if you have "LDAP server channel binding token requirements: Always" set as a GPO, if authentication is started unencrypted and then upgrade via StartTLS, channel binding is bypassed!
- Access Token Manipulation Part 0x02. Build a token vault in memory to store stolen tokens!
- Learning Machine Learning Part 2: Attacking White Box Models. A very detailed look at attacking ML models.
- Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest. Prefetch vulnerabilities arrive on Apple Silicon. No one is immune to this vulnerability class it seems.
- Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn. Directory traversal (CVE-2022-29799) and a time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800) in networkd-dispatcher lead to LPE.
- g_CiOptions in a Virtualized World. This post explores some ways to get your code running in the Windows kernel with Virtualization Based Security (VBS) enable but no Hypervisor Code Integrity (HVCI).
- Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms. If phishing is part of your assessment procedures, it's good to read up on what the real adversaries are up to. To that end, VSTO files are in right now.
- Shellcode: Linux on RISC-V 64-Bit. One day you will b only be popping shells on ARM and RISC-V machines, mark my words. You can use rars to get started.
- Trello From the Other Side: Tracking APT29 Phishing Campaigns. Hosting your own payloads and C2 is so 2020.
Tools and Exploits
- BeaconDownloadSync is a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model.
- minbeacon is a work in progress of constructing a minimal http(s) beacon for Cobalt Strike.
- CS-Remote-OPs-BOF is an addition to TrustedSec's CS-Situational-Awareness-BOFs that modify systems (injection, persistence, etc).
- Dylib_Runner is Swift code to run a dylib on disk.
- okta-sprayer is a Python3 Script to perform a password spray against an okta instance.
- nimc2 is a c2 fully written in nim.
New to Me
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- pyscript. Python directly in HTML (via a WASM shim).
- O365-Doppelganger is a quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user.
- ecapture can capture SSL/TLS text content without CA cert using eBPF.
- howdy is Windows Helloâ„¢ style facial authentication for Linux.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.