Last Week in Security (LWiS) - 2022-07-18
Oauth hijacks (@fransrosen), Macros are back, but also not (@serghei), AD magic (@_dirkjan), Altiris for lateral movement (@__invictus_), next level token stealing (@harmj0y), xss to cread stealing (@hoodoer), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-05 to 2022-07-18.
News
- Microsoft rolls back decision to block Office macros by default. If you are a big enough Microsoft customer you can escalate your trouble ticket all the way up to rolling back a security feature? VBA macros will continue to be a popular initial access vector it seems.
- PyPI 2FA Security Key Giveaway
- PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates
- Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware. Apple does not expand any ability to look at basic system logs from the phone though...
- Facebook has started to encrypt links to counter privacy-improving URL Stripping.
- [PDF] RETBLEED: Arbitrary Speculative Code Execution with Return Instructions
Techniques and Write-ups
- Rediscovering Epic Games 0-Days (Forever Unpatched?). Installers are rich hunting ground for file overwrite/file delete vulnerabilities.
- Account hijacking using "dirty dancing" in sign-in OAuth-flows. Oauth flows can be complicated, and thus vulnerable to strange edge cases. Excellent work here to explore some interesting ways to leak data and exploit login flows.
- Maelstrom: Working with AMSI and ETW for Red and Blue
- Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
- CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability
- Abusing forgotten permissions on computer objects in Active Directory
- Altiris Methods for Lateral Movement
- Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free (Part 3)
- DirSync: Leveraging Replication Get-Changes and Get-Changes-In-Filtered-Set
- Lord Of The Ring0 - Part 1 | Introduction
- Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
- Recreating an ISO Payload for Fun and No Profit
Tools and Exploits
- Issue 2278: Windows: LSA Service LsapGetClientInfo Impersonation Level Check EoP
- Rolling Pwn Attack. Honda keyless entry hack.
- Koh: The Token Stealer
- Affinis Recurrent Neural Network SubDomain Discovery Tool
- stealCredsPayload.js from Scraping Login Credentials With XSS.
- crux A proof-of-concept malicious Chrome extension
- Chisel-Strike A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
- RDPHijack-BOF Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
- iscsicpl_bypassUAC UAC bypass for x64 Windows 7 - 11
- persistence-info.github.io tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios.
- OneDriveUpdaterSideloading Payload for DLL sideloading of the OneDriveUpdater.exe, based on the PaloAltoNetwork Unit42's blog post.
- CoffeeLdr Beacon Object File Loader.
- pretender Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
- powerview.py PowerView alternative.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Raycast is a blazingly fast, totally extendable launcher. It lets you complete tasks, calculate, share common links, and much more.
- cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.