Last Week in Security (LWiS) - 2022-10-10

Intel Alder Lake src leak (@vxunderground), PHP payloads in PNGs (@ROLANDQuentin2), Zimbra RCE via email, macOS Gatekeeper bypass (@JamfSoftware), ShadowSpray (@dec0ne), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-03 to 2022-10-10.

News

Techniques and Write-ups

Tools and Exploits

  • VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability. "A post-authentication java deserialization vulnerability exists in the data handler of the psc (Platform Services Controller) service."
  • ObfLoader - MAC, IPv4, and UUID shellcode loaders and obfuscators: the shellcode is obfuscated into one of these string formats, and a native API is then used to convert it back to its binary form and load it.
  • aftermath is a free macOS IR framework from Jamf.
  • GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking).
  • GitFive - 🐙 Track down GitHub users.
  • eviltree - A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
  • Caught somewhere in time: Hunting for timer-queue timers. Timers are the "default" method rats use to sleep in memory. If you can detect suspect timers, you can probably find some interesting things. Code here.
  • Added simple command to test CVE_2022_33679. Now you can run 'askrc4' and exploit CVE-2022-33679 (the KDC allows an interposing attacker to downgrade to RC4-MD4 encryption, compromising the user's TGT session key and resulting in EoP). See this tweet <https://twitter.com/m3g9tr0n/status/1577783061919457281> and this Project Zero post.
  • vba2clr - Running .NET from VBA.
  • LockSmith - ObjectiveC CLI tool for interacting with macOS Keychain. I was just struggling with this a few weeks ago! Be sure to check out the slides in the repo.
  • palera1n - iOS 15.0-15.3.1 tethered checkm8 "jailbreak" (rootless is 15.0-15.7 semi-tethered, no tweaks).
  • ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
  • RITM - Roast in the Middle.
  • dissect - This project is a meta package; it installs all the other Dissect modules in the right combination of versions.
  • SharpNTLMRawUnHide - C# version of NTLMRawUnHide.
  • NimShellcodeFluctuation - ShellcodeFluctuation PoC ported to Nim.
  • MinHook.NET - A C# port of the MinHook API hooking library (now with D/Invoke).
  • HavocNotion - A simple ExternalC2 POC for Havoc C2. It communicates over Notion using a custom Python agent, handler, and extc2 channel.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AoratosWin - A tool that removes traces of executed applications on Windows OS.
  • wodat - Windows Oracle Database Attack Toolkit.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.