Last Week in Security (LWiS) - 2022-05-31

Follina Word RCE (@_JohnHammond + @BillDemirkapi), PyPI CTX and PHPass compromise (@aydinnyunuss), Gargoyle w/ROP (@thefLinkk), Fuchsia OS kernel hacking (@a13xp0p0v), custom Cypher (@simondotsh), code audit process (@frycos), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-23 to 2022-05-31.

News

  • Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack. Follina, aka CVE-2022-30190, is an RCE vector in which a Word document (no macros required) loads an external resource that invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URL protocol handler, letting the attacker run code on the victim's machine. There is more analysis here as well as official guidance. follina.py is the PoC.
  • Welcome to the next generation of ngrok. The popular tunneling utility used to expose local ports to the public internet released version 3 with some cool new features. OAuth and OpenID Connect support with a few command line switches make authentication easy. ngrok has been used by threat actors to host short-lived phishing pages in the past.
  • Broadcom to Acquire VMware for Approximately $61 Billion in Cash and Stock. If you witnessed what happened to Symantec after its acquisition by Broadcom, this is worrying if you use any VMware products (vCenter, Carbon Black, etc.). For what it's worth, I've been using Proxmox at home and in production for a while and it's pretty great.
  • How I hacked CTX and PHPass Modules. This is a great example of how NOT to conduct "security research." The researcher took over the CTX package on PyPI by reclaiming the expired domain behind the maintainer's email address and the PHPass package on Packagist by reclaiming an abandoned GitHub username, then published versions that harvested environment variables from every machine that installed them. Deploying malicious packages that actively harvest secrets crosses the line, and I would not consider it "good faith" research. However, the automated techniques used to target package registries are relatively low effort for an extremely high impact. The next attacker will not claim "research" and will use this access for ransomware or worse.
  • FTC fines Twitter $150M for using 2FA info for targeted advertising. Twitter used the phone numbers and email addresses users provided for 2FA to target ads and got caught. I suppose when you lose 221 million USD a year you get desperate and every piece of data is up for sale.
  • Serious security vulnerability in Tails 5.0. Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information. 5.1, which fixes the issue, will be released 2022-05-31.
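The Follina documents seen so far do not carry the ms-msdt: URL in the .docx itself; the document's OLE relationship points at an external URL, and the HTML fetched from there hands off to the ms-msdt: handler. That external oleObject relationship is the indicator worth scanning for at the mail gateway. The script below is an added example for this post, not code from the linked analyses or from follina.py: it unzips a .docx, walks the relationship files under word/, and reports any oleObject relationship with TargetMode="External", plus a separate check for the ms-msdt: scheme in a fetched HTML or RTF blob. The sample document it builds (and the example.invalid URL) is constructed for the demo.

```python
"""Scan a .docx for the Follina-style loader indicator: an oleObject relationship whose
Target is an external URL rather than an embedded package part.
Example code added to this post; the sample document below is constructed, not a real sample."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> List[str]:
    """Return the Target of every oleObject relationship marked TargetMode="External".

    A benign embedded object points at a part inside the package (embeddings/oleObject1.bin);
    a Follina-style document points at an http(s) URL that serves the ms-msdt: redirect.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def mentions_msdt_scheme(data: bytes) -> bool:
    """True if a blob (the fetched HTML, or an RTF that inlines the URL) names the ms-msdt: handler."""
    return MSDT_SCHEME.search(data) is not None


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Constructed minimal .docx: one document part and its relationship file.
    With external_target=None the OLE object is an ordinary embedded part."""
    if external_target is None:
        ole_rel = f'<Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    else:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL}" '
                   f'Target="{external_target}" TargetMode="External"/>')
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
            f'{ole_rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(None)),
                       ("suspicious", build_sample_docx("http://example.invalid/stage.html"))):
        print(f"{label}: external OLE targets = {external_ole_targets(doc)}")
    print("fetched html names ms-msdt:",
          mentions_msdt_scheme(b'<script>location.href = "ms-msdt:/id ..."</script>'))
```

An external oleObject relationship is not unique to Follina (the same loader shape was used for CVE-2021-40444), so treat a hit as "detonate or block", and note that the ms-msdt: check only helps once you have the second-stage HTML or an RTF variant that inlines the scheme.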

Techniques and Write-ups

Tools and Exploits

  • DeepSleep is a variant of Gargoyle for x64 that hides memory artifacts using only ROP and position-independent code (PIC).
  • VLANPWN is a VLAN attack toolkit (802.1Q double tagging and DTP hijacking).
  • mempeek is a command line tool, somewhere between a debugger and Cheat Engine, for searching a process's memory for values.
  • KaynStrike is a User Defined Reflective Loader for Cobalt Strike Beacon that spoofs the thread start address and frees itself after the entry point has executed.
  • freeBokuLoader is a simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
  • Shelltropy - A technique for hiding malicious shellcode by encoding it so that its Shannon entropy stays low enough to avoid entropy-based heuristics.
  • MachoBins is designed to provide information on macOS LOLBins, similar to https://gtfobins.github.io/ or https://lolbas-project.github.io/, but specifically for Mac!
  • NimlineWhispers3 - A tool for converting SysWhispers3 syscalls for use with Nim projects.
  • CdpSvcLPE - Windows local privilege escalation via the CdpSvc service (DLL hijacking from a writable directory in the SYSTEM PATH).
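Double tagging, the first of the two VLANPWN attacks, works because a switch sends frames belonging to a trunk's native VLAN across that trunk untagged: an attacker on the native VLAN stacks two 802.1Q tags, the first switch strips the outer (native) tag, and the second switch reads the surviving inner tag and delivers the frame into a VLAN the attacker has no port in. The code below is an added example for this post, not VLANPWN's code: it builds and parses double-tagged Ethernet II frames byte-for-byte with struct, and models the native-VLAN untagging step with a small trunk_egress() function. MAC addresses and payload are constructed.

```python
"""Build and parse 802.1Q double-tagged Ethernet frames, and model the native-VLAN untagging
that a double tagging (VLAN hopping) attack relies on.
Example code added to this post; it models the frame format and switch behaviour and is not
code from VLANPWN."""
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID (0x8100) then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("invalid 802.1Q tag fields")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Return (stacked VIDs outermost first, inner EtherType, payload)."""
    off = 12  # skip destination and source MAC
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, ethertype, frame[off + 2:]


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """Model of the first switch forwarding onto an 802.1Q trunk: a frame whose outer tag is
    the trunk's native VLAN is sent untagged, so the outer tag is removed and any inner tag
    is left in place. Frames in other VLANs, or with no tag, are forwarded unchanged."""
    vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]
    return frame


if __name__ == "__main__":
    # Constructed attacker frame: outer tag = native VLAN 1, inner tag = target VLAN 20.
    attacker = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [1, 20],
                           ETHERTYPE_IPV4, b"constructed payload")
    print("sent    :", parse_frame(attacker))
    forwarded = trunk_egress(attacker, native_vid=1)
    print("on trunk:", parse_frame(forwarded))  # second switch sees VID 20 only
```

The usual defences follow directly from the model: set the trunk native VLAN to an unused VLAN (so the attacker's outer tag never matches), tag the native VLAN on trunks, and keep user ports out of the native VLAN; the DTP hijacking half of VLANPWN is addressed separately by disabling DTP negotiation on access ports.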
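Entropy-based heuristics flag a blob because encrypted or compressed shellcode looks like uniformly random bytes (close to 8 bits per byte); an entropy-lowering loader expands the payload into a small alphabet so the stored form stays well below the threshold and is only decoded at run time. The code below is an added example for this post, not Shelltropy's scheme: it computes Shannon entropy the way a scanner would, shows a trivial nibble-to-letter encoding that caps the entropy at 4 bits per byte, and the matching decoder. The random input standing in for encrypted shellcode is constructed.

```python
"""Shannon entropy of a byte buffer, plus a toy encoding that caps it at 4 bits/byte.
Example code added to this post; the encoding illustrates the idea behind entropy-lowering
loaders and is not Shelltropy's own scheme."""
import math
import os
from collections import Counter

ALPHABET = b"abcdefghijklmnop"  # 16 symbols, one per nibble value


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude heuristic of the kind scanners apply to sections or blobs: flag near-uniform bytes."""
    return shannon_entropy(data) >= threshold


def encode_low_entropy(data: bytes) -> bytes:
    """Spread each byte over two lowercase letters, one per nibble. The output uses only 16
    distinct byte values, so its entropy is at most 4.0 however random the input is."""
    out = bytearray()
    for b in data:
        out.append(ALPHABET[b >> 4])
        out.append(ALPHABET[b & 0x0F])
    return bytes(out)


def decode_low_entropy(encoded: bytes) -> bytes:
    """Inverse of encode_low_entropy, as a loader would run just before executing the payload."""
    if len(encoded) % 2:
        raise ValueError("encoded input must have even length")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        out.append((ALPHABET.index(encoded[i]) << 4) | ALPHABET.index(encoded[i + 1]))
    return bytes(out)


if __name__ == "__main__":
    # Constructed stand-in for encrypted shellcode: 256 random bytes.
    payload = os.urandom(256)
    stored = encode_low_entropy(payload)
    print(f"raw     : {len(payload):4d} bytes, entropy {shannon_entropy(payload):.2f}, packed={looks_packed(payload)}")
    print(f"encoded : {len(stored):4d} bytes, entropy {shannon_entropy(stored):.2f}, packed={looks_packed(stored)}")
    assert decode_low_entropy(stored) == payload
```

The cost is visible in the numbers: the stored payload doubles in size, and a 16-letter alphabet with a flat distribution is itself a fingerprint, which is why real loaders pick encodings whose output resembles ordinary data rather than merely scoring low on entropy.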

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • BofRoast - Beacon Object Files for roasting Active Directory.
  • BatchGuard - Batch file AV evasion and obfuscation solution.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.