Oct 10 2022 Last Week in Security (LWiS) - 2022-10-10

Intel Alder Lake src leak (@vxunderground ), PHP payloads in PNGs (@ROLANDQuentin2), Zimbra RCE via email, macOS Gatekeeper bypass (@JamfSoftware), ShadowSpray (@dec0ne), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-03 to 2022-10-10.

News

The source code to the Intel Alder Lake has been leaked online. Critically, this seems to include the KetManifest signing key needed to sign BootPolicy and therefore bypass SecureBoot. A boon to CoreBoot and bootkits alike.
Attacker managed to upload files into Web Client directory. CPIO unpacking in the AV engine used by Zimbra lead to arbitrary file writes (webshell) and RCE. You hate to see the AV used as an attack vector but it does happen.
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel. Always check the hash from the official source.
WebVM: Linux Virtualization in WebAssembly with Full Networking via Tailscale. The x86 VM running in javascript in your browser window now has a networking stack. This must be a sign of the end times.
Bofloader - Windows Meterpreter Gets Beacon Object File Loader Support. BOFs are the atomic element of offensive tools now.

Techniques and Write-ups

The Follower - Using open cameras and AI to find how an Instagram photo is taken.. Imagine what governments/surveillance companies are doing...
Jamf Threat Labs identifies macOS Archive Utility vulnerability allowing for Gatekeeper bypass. Very thorough research into a sneaky bug in the archive utility on macOS.
Persistent php payloads in PNGs: how to inject php code in an image - and keep it there!. Some nice tricks to stashing PHP payloads in PNGs.
How To Implement The Exchange Split Permissions Model?. If you still have on-prem exchange, this is for you. Also, seek help.
Common conditional access misconfigurations and bypasses in Azure. Your target may required MFA, except if certain conditions are met.
Evil Twin Enterprise WiFi Network using Hostapd-Mana. A good one for your next on-site or physical assessment.

Tools and Exploits

VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
ObfLoader - MAC, IPv4, UUID shellcode Loaders and Obfuscators to obfuscate the shellcode and using some native API to converts it to it binary format and loads it.
aftermath is a free macOS IR framework from Jamf.
GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
GitFive - 🐙 Track down GitHub users.
eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
Added simple command to test CVE_2022_33679.. Now you can run 'askrc4' and exploit CVE-2022-33679 (KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this project zero post.
vba2clr - Running .NET from VBA.
LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks),
ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
RITM - Roast in the Middle.
dissect - This project is a meta package, it will install all other Dissect modules with the right combination of versions.
SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
HavocNotion - A simple ExternalC2 POC for Havoc C2. Communicates over Notion using a custom python agent, handler and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

AoratosWin - A tool that removes traces of executed applications on Windows OS.
wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.