Last Week in Security (LWiS) - 2022-10-24
Untangling Azure Permissions (@0xcsandker), V8 and JS internals of Chrome (@jack_halon), MS Office Online Server RCE chain (@IndiShell1046), ManageEngine Decryptor (@W9HAX), SharedMemUtils (@x86matthew), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-24.
This week I reviewed 372 blog posts and 2144 tweets to find only the best and most relevant items to include here.
News
- Investigation Regarding Misconfigured Microsoft Storage Location. SOCRadar put Microsoft on blast with their post Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket. 6 Azure buckets holding some sensitive items like statements of work were misconfigured and publicly accessible.
- Ghostwriter v3.1 Now Available. Now with deconfliction support!
- TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens. Is anyone surprised?
- IDA Pro Owner Hex-Rays Acquired by European VC Firm. With more competition, VC firms are getting into the game.
- Iran's atomic energy organization says e-mail was hacked. I think "has been hacked by multiple parties" would probably be more accurate here...
- GitHub Copilot investigation. Surely the Microsoft lawyers signed off on Copilot?
- DEF CON 30 Videos Released. Enjoy!
Techniques and Write-ups
- Legitimate Rats: A Comprehensive Forensic Analysis of the Usual Suspects. Good to see people taking traitorware seriously.
- I'm in your hypervisor, collecting your evidence. Fox-IT adds ESXi live acquisition to its dissect tool suite.
- Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals. Most people use their OS as a loader for Chrome, so Chrome has become a target for all kinds of adversaries. However, actually understanding and exploiting Chrome is very difficult. This intro post shows some of the complexity involved.
- Microsoft Office Online Server Remote Code Execution. Web-based authentication coercion that Microsoft claims is a feature!
- PHP Filters Chain: What Is It and How to Use It. "Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chain that was discovered during this research."
- The Curious Case of the Password Database. Yes, passwords can be encrypted by a product, but unless user input is required to decrypt them, there must be a way the software decrypts them on its own. I've seen this in multiple products, so ManageEngine is not unique. It's usually just a matter of finding the static key and encryption parameters.
- Dameware Mini: The Sleeper Hit of 2019? More traitorware!
- SharedMemUtils - A simple tool to automatically find vulnerabilities in shared memory objects. Sometimes you can write to shared memory objects of high-privileged services on Windows. A fun primitive to explore potential privescs.
- Microsoft Office 365 Message Encryption Insecure Mode of Operation. ECB mode, not even once.
- osquery-defense-kit - Production-ready detection & response queries for osquery.
- Changing memory protection using APC. Not brand new, but a deeper dive into it.
Tools and Exploits
- Azure-AccessPermissions - Easy to use PowerShell script to enumerate access permissions in an Azure Active Directory environment. Check out the blog post for details.
- cypherhound - Python3 terminal application that contains 200+ Neo4j cyphers for BloodHound data sets.
- ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
- SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
- PatchThatAMSI - This repo contains 6 AMSI patches; all of them force the triggering of a conditional jump inside AmsiOpenSession() that closes the AMSI scanning session. The 1st patch does so by corrupting the AMSI context header, and the 2nd by changing the string "AMSI" that will be compared to the AMSI context header to "D1RK". The others just set ZF to 1.
- ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
- Bitmancer - Nim Library for Offensive Security Development.
- GetFGPP - Get Fine Grained Password Policy.
- syser - syser debugger x32/x64 ring3 with source level debugging/watch view/struct view.
- webpty - A secure webshell. Built for legitimate access, I could see it adopted for red team uses.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- linen.dev - Google-searchable Slack alternative for Communities.
- usbsas - Tool and framework for securely reading untrusted USB mass storage devices.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.