Last Week in Security (LWiS) - 2022-06-14
RE an iOS app (@inversecos), More Azure Managed Identity attacks (@_wald0), excellent hardware hacking (@matthiasdeeg), printer pwnage (@Nikaiw, @JRomainG, @_trou_), BloodHound false positive reduction (@simondotsh), Ghostwriter 3.0 (@cmaddalena), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-06 to 2022-06-14.
News
- There's Another New Deputy in Town. SOCKS5 support may finally be coming to Cobalt Strike.
- KrebsOnSecurity in New Netflix Series on Cybercrime. Might be worth a watch but I always worry these shows will be too much drama and not enough technical detail for my taste.
- ANOTHER Guy Has Leaked Classified Military Documents On The SAME TANK GAME'S forums. Not all that relevant, but goes to show that useful information can be fond in the strangest places.
- [PDF] clickstudios Passwordstate Incident Management Advisory #03. A digital signing certificate published online for 2 days was enough for it to be scooped up and used by a malware crew. No one is safe from the scrapers.
- Logo'd bugs
- PACMAN Attacking ARM Pointer Authentication with Speculative Execution. I'd put this in the same camp as spectre, if you already have privilieged code execution, this may be useful, otherwise its a fun academic exercise but has a very narrow useful window.
- Hertzbleed Attack. This one may be slightly more useful, with the potential to extract key material from "constant time" cryptographic routines, even remotely. Intel and AMD are affected, with the potential for ARM chips to be vulnerable as well. Code here.
- Google suspends engineer who claims its AI is sentient. You can read the editied chat transcripts here and decide for yourself. Either way this is 10/10 marketing for Google.
Techniques and Write-ups
- How to Reverse Engineer and Patch an iOS Application for Beginners: Part I. There is a need for these kinds of write ups that introduce a complex topic from first principles. Unfortunately, by the time people learn the skills, they don't write the posts! You'll need a mac and a jailbroken iOS device to follow along at home.
- Managed Identity Attack Paths, Part 2 and 3. Two more posts in the series started last week.
- Hacking Some More Secure USB Flash Drives (Part I). Some very in-depth hardware hacking against "secure" USB drives.
- Covenant In 2022. This post has some ideas on how to wrap or modify grunts to bypass some EDR solutions.
- CVE-2022-26937: Microsoft Windows Network File System NLM Portmap Stack Buffer Overflow. RCE as SYSTEM but careful, "unsuccessful exploitation results in a crash of the target system." No PoC available yet.
- Avoiding B.A.D. behaviour: The difficult relationship between nihilism, cybersecurity professionals and Being-A-Dick behaviour. Not technical, but potentially useful.
- Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup. An unbound base64 decode leads to RCE in a printer. Great post that goes from firmware extraction to RCE.
- Gone in 130 seconds: New Tesla hack gives thieves their own personal key. This feels like something a basic internal security audit would have found?
- Beware of BloodHound's Contains Edge. AD relationships are complex, and mapping them is tricky which leads to some false positives. This post contains a potential "fix" for a Contains false positive situation.
- Introducing Ghostwriter v3.0. The report and domain management tool turns 3.0! It can be managed with a new CLI tool and has support for CVSS scoring among other fixes and additions.
- AMFI Launch Constraints - First Quick Look. New security restrictions on system binaries in macOS Ventura will kill a whole exploit class!
- ProcEnvInjection - Remote code injection by abusing process environment strings. Another unique injection technique from x86matthew.
- Zimbra Email - Stealing Clear-Text Credentials via Memcache injection. Very cool bug and exploit!
Tools and Exploits
- CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation.
- CVE-2022-30075 - Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075).
- apk-instrumentation Some tools to rewrite code of release APK packages.
- dot The Deepfake Offensive Toolkit.
- VX-API Malware rapid development framework. "We've released the vx-underground "VX-API", a Windows malware rapid application development framework written in C/C++. It is a compilation of code written by @smelly__vx & @am0nsec. A lot of work needs to be done (including a ReadMe file). More to come."
- Dogwalk-rce-poc š¾Dogwalk PoC (using diagcab file to obtain RCE on windows).
- sourcegraph-scripts Scripts for Sourcegraph search results. Useful for static analysis.
- kcthijacklib - A Small Library For a Cleaner Execution.
- collector - Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
- FirmLoader is an IDA plugin that allows to automatically identify parts of the memory for the firmware images extracted from microcontrollers.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- np - A tool to parse, deduplicate, and query multiple port scans.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.