Last Week in Security (LWiS) - 2022-09-26
AttachMe Oracle Cloud vuln (@eladgabay_), JuicyPotatoNG service to SYSTEM privesc (@decoder_it + @splinter_code), personal phishing (@Direct_Defense), AD CS pwnage (@theluemmel), Kerberos FAST protection (@4ndr3w6S), service exploitation via pipes (@x86matthew), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-19 to 2022-09-26.
News
- Out Of Band Update: Cobalt Strike 4.7.1. Cobalt Strike gets a rare out of band update after HTML injection in the victim controlled username was discovered. Other fixes for DoS prevention and a sleep mask bug were fixed as well.
- Resolved RCE in Sophos Firewall (CVE-2022-3236). RCE in your firewall has got to hurt.
- Antivirus Used by Millions Blocked All Google Sites by Mistake, Sowing Chaos. "Sowing Chaos" seems a bit much for an hour of outage. "For around an hour on Wednesday morning, some people who had Malwarebytes antivirus installed on their computers could not visit any Google site or use services like Gmail or the Google Play Store."
- The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities. I skip most of these "APT" teardown blogs, because the "APTs" getting caught are using powershell and certutil, asking to be caught. This one however, shows a bit more sophistication.
Techniques and Write-ups
- AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes. This has to be one of the worst cloud vulnerabilities. Arbitrary access to any storage volume by just knowing the identifier. Its a classic IDOR vulnerability, except it gets you cloud storage volumes! Wiz again proves their dominance in the cloud security space.
- Giving JuicyPotato a second chance: JuicyPotatoNG. The potatoes are the Windows privesc class that seems to never die. This one will take you from a service account to SYSTEM. I have 16 unique potato tools in my collection, and the authors hint they have yet another on the way!
- Part 2: Target Phishing — It's Gotten Personal. This kind of drawn out phishing is extremely effective.
- Tool Release - Project Kubescout: Adding Kubernetes Support to Scout Suite. Now you can use the familiar Scout Suite with your k8s clusters too!
- Skidaddle Skideldi - I just pwnd your PKI. This post is a one stop shop for AD CS pwnage walkthroughs.
- I don't know how to solve prompt injection. This is an interesting attack vector in "AI" powered bots. By feeding them input that looks like a back and forth, you can leak the original prompt. Who knew that natural language processing would lead to exploits in plain english.
- I Wanna Go Fast, Really Fast, like (Kerberos) FAST. The new protections in Kerberos (Flexible Authentication Secure Tunneling [FAST]) provide good protection against "offline" kerberoasting attacks, but are ineffective against attacks that leverage lsass to generate requests (certain Rubeus commands) and are difficult to implement correctly. From the MS docs: "This policy setting is affected by another setting. When a domain does not support Kerberos armoring by enabling KDC support claims, compound authentication, and Kerberos armoring, all authentication attempts for all its users will fail from computers that have this policy enabled."
- Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286). From driver download to LPE. Excellent write up!
- Bypassing Intel CET with Counterfeit Objects. Some great low level exploit dev content here. Control Enforcement Technology (CET) was supposed to stop ROP at the hardware level, until Counterfeit Object-Oriented Programming (COOP) showed up to take its place. This post shows COOP working on modern Windows with CET enabled.
- Sapphire tickets. These might be the best precious-metal themed tickets yet. By not only requesting a ticket before modifying the PAC (Diamon Ticket), Sapphire tickets also request a ticket that contains a legitimate elevated privilege PAC to use with the previously requested ticket. This way, the information in the ticket matches exactly with whats in AD, making detection very difficult.
- Spoofing Calendar Invites Using .ics Files. I'm a bit sad this was posted as this technique has been extremely effective.
Tools and Exploits
- AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
- SandboxSpy. Code for profiling sandboxes - Initially an idea to profile sandboxes, the code is written to take enviromental variables and send them back in a Base32 string over HTTP to an endpoint.
- githubC2 - Abusing Github API to host our C2 traffic, useful for bypassing blocking firewall rules if github is in the target white list , and in case you don't have C2 infrastructure, now you have a free one.
- monomorph- MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash.
- FilelessRemotePE - Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique.
- mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / Syswhispers2 Library.
- GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
- BloodHound.py-Kerberos - A Python based ingestor for BloodHound, now with kerberos support on Linux.
- DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
- CVE-2022-2588 This linux LPE effects 3.17 to 5.19 (Ubuntu 17-22).
- Cronos PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
- spycast A crossplatform mDNS enumeration tool.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- bbot - OSINT automation for hackers.
- NetCoreServer - Ultra fast and low latency asynchronous socket server & client C# .NET Core library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution.
- A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.