Jul 25 2022 Last Week in Security (LWiS) - 2022-07-25

The end of PPLdump (@itm4n), beacon detection (@domchell), 30k Wordpress XXS+SQLi (@MrTuxracer), string encryption in c++ (@mcbroom_evan), create a DLL hijack (@x86matthew), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-18 to 2022-07-25.

News

Questions For Confluence Security Advisory 2022-07-20. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to." What year is it again?
Zyxel security advisory for local privilege escalation and authenticated directory traversal vulnerabilities of firewalls. At least they are authenticated vulnerabilities?
DNS-over-HTTP/3 in Android. This is going to make DNS over HTTP/3 tunneling harder to pick out due to the volume of legitimate requests.
The Return of Candiru: Zero-days in the Middle East. A sophisticated campaign that used a compromised site to host a WebRTC 0day (affecting at least Chrome, possibly other browsers) isn't your every day drive by compromise.
Continued cyber activity in Eastern Europe observed by TAG. Fake mobile DDoS app to "help stop Russian aggression against Ukraine," actually sent all your information to Russia. At least the "number of installs was miniscule."

Techniques and Write-ups

The End of PPLdump. The July 2022 update changes how PPL processes to no longer rely on Known DLLs, a critical step in the PPLdump bypass. Check the post for the full RE teardown of NTDLL.dll.
Technical Advisory - Multiple vulnerabilities in Nuki smart locks. As the saying goes: "The 'S' in IoT stands for security."
How I Met Your Beacon. This currently 2 part series takes a look at the behavioral tells of popular C2 frameworks, highlighting common anomalies that make beacons of all types stand out. The implicit message is that Nighthawk, MDSec's own commercial C2 doesn't display these anomalies. Part 2 includes new network based detections for Cobalt Strike Team Servers.
WordPress Transposh: Exploiting a Blind SQL Injection via XSS. This little manuever netted Julien $30,000 in bounties and forced WordPress's removal of the plugin from its directory.
Encrypting Strings at Compile Time. A single header file can encrypt your C++ strings at compile time, but be aware that tweaks will be needed to defat FLARE Obfuscated String Solver.
AddExeImport - Add a hardcoded DLL dependency to any EXE. No DLL hijack convenient for your use? Create one! Another cool, creative technique from x86matthew. Be aware, signatures will no longer be valid.
Browser Exploitation: Firefox Integer Overflow - CVE-2011-2371. An older vulnerability, but a great introduction to heap vulnerabilities in browsers.
ProtectMyTooling - Don't detect tools, detect techniques. A suite of tools to rid yourself of static signatures and force Blue teams to detect techniques instead.
Phishing: Better Proxy than Story details a "modern" phishing stack.
Red Team? Or EDR Bypass Team. An interesting post on where value is derived from a red team assessment.
Gitlab Project Import RCE Analysis (CVE-2022-2185). This was a nasty vulnerability (CVSS 9.9) in Gitlab where a crafted project import resulted in RCE. How you ask? this post breaks it down in detail.

Tools and Exploits

DiagTrackEoP - another way to abuse SeImpersonate privilege.
terry-the-terraformer A Python CLI tool for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network.
IAM-Deescalate IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM). More info here.
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows (patched in the July 2022 patch).
AlanFramework - A C2 post-exploitation framework. This framework has been around for a while, but last week became open source (Attribution-NonCommercial-NoDerivatives 4.0 International).
Lastenzug - Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level.
CVE-2022-34918-LPE-PoC - This exploit has been written for the kernel Linux ubuntu 5.15.0-39-generic. More details here.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

ropr - A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative.
RedGuard "is a derivative work of the C2 facility pre-flow control technology." Looks a lot like RedWarden?

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.