Last Week in Security (LWiS) - 2022-10-31

🎃 Spooky (forthcoming) OpenSSL 3 critical vuln, RC4 fun (@tiraniddo), Autodial DLL techniques (@TheXC3LL), token leak abuse via webshell (@_Kudaes_), Open-Obfuscator (@rh0main), more exchange pwnage from 🍊 (@orange_8361), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-31.

This week I reviewed 368 blog posts and 2213 tweets to find only the best and most relevant items to include here.

News

  • Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
  • Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
  • Check out our new Microcorruption challenges! Excellent embedded security CTF!
  • Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
  • Apple clarifies security update policy: Only the latest OSes are fully patched. Apple is going the full opposite of Microsoft's "still supports 16-bit DOS applications from 1993" stance and only fully patching the latest OS it releases. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware that can't be upgraded is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
  • It's here: Dark Mode Process Explorer!

Techniques and Write-ups

Tools and Exploits

  • guac aggregates software security metadata into a high fidelity graph database.
  • Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best-looking docs I've seen in a long time.
  • Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
  • TerraLdr - Payload Loader Designed With Advanced Evasion Features.
  • BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
  • Spartacus - DLL Hijacking Discovery Tool.
  • siphon ⚗️ Intercept stdin/stdout/stderr for any process.
  • SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • caOptics - Azure AD Conditional Access gap analyzer
  • Sandman is an NTP-based backdoor for red team engagements in hardened networks.
  • potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
  • vhs Your CLI home video recorder 📼

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.