Oct 31 2022 Last Week in Security (LWiS) - 2022-10-31

🎃 Spooky (forthcoming) OpenSSL 3 critical vuln, RC4 fun (@tiraniddo), Autodial DLL techniques (@TheXC3LL), token leak abuse via webshell (@_Kudaes_), Open-Obfuscator (@rh0main), more exchange pwnage from 🍊 (@orange_8361), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-17 to 2022-10-31.

This week I reviewed 368 blog posts and 2213 tweets to find only the best and most relevant items to include here.

News

Forthcoming OpenSSL Releases. Behind this simple title is a spooky Halloween statement: "OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL." OpenSSL 3+ isn't that widespread yet, but this might be an interesting bug.
Privacy Gateway: a privacy preserving proxy built on Internet standards. Domain fronting/hiding just went legit. Currently the relay domains are unique to the applications (and thus not useful for censor evasion) but there is no technical reason that has to remain the case. Check out the first implementation here. Keep in mind with this Cloudflare positions itself to collect that delicious metadata (although they seem to be actively trying to actually "don't be evil" - hopefully that continues).
Check out our new Microcorruption challenges!. Excellent embedded security CTF!
Stable Channel Update for Desktop. A good reminder to stay on top of your Chrome updates. Or use Firefox developer edition to break all the ROP gadgets.
Apple clarifies security update policy: Only the latest OSes are fully patched. Apple going full opposite of the "still supports 16 bit DOS applications from 1993" stance of Microsoft and only fully patching the latest OS they release. Enterprises that use macOS can't be pleased by this, as even with developer betas there may be issues with production workflows on the latest OS version for some time after release. Hardware than can't be upgrade is now forever vulnerable? 2017 MacBook Pros are unable to be updated and aren't that old...
It's here: Dark Mode Process Explorer!

Techniques and Write-ups

Binary File Write via Microsoft Speech API. It's tricky to write files from macros in 2022 without Defender or other AV getting unhappy. This lesser known API has the ability to write binaries, which is a very useful primitive for a maldoc.
RC4 Is Still Considered Harmful. Kerberos continues to be an issue for enterprises, and "just turn off X" is never that simple. Consider turning on FAST though (and disable RC4 if you can).
Autodial(DLL)ing Your Way. The Winsock2 registry is used by anything that makes a network connection and thus is a good spot for persistence, lateral movement, and even credential dumping via SSP loads. Code here.
From Self-Hosted GitHub Runner to Self-Hosted Backdoor. CI/CD compromise is scary because it not only affects your organization but potentially everyone who uses the product being build by that CI/CD pipeline.
One shell to HANDLE them all. A webshell that can abuse leaked user token handles? Sign me up.
Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities. Can we please go more than a week without an unauth RCE in a major SSL VPN? Zero trust can't come fast enough. Or things like Pre-authenticated Remote Code Execution in VMWare NSX Manager?
PAWNYABLE UAF Walkthrough (Holstein v3). Some good technical binary exploitation content.
The dangers of trust policies in AWS. The cloud is built on trust, so understanding best policies for trust policies is critical.
A New Attack Surface on MS Exchange Part 4 - ProxyRelay!. If you're still running on-prem exchange... stop it. If you email is too sensitive to trust to a cloud provider, it certainly shouldn't be in the swiss cheese that is Exchange.
Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 2: Exploit Analysis. More details on the Windows local privilege escalation vulnerability.
GetDomain vs GetComputerDomain vs GetCurrentDomain. If you're in a network with complicated trust relationships or multiple forests, its a good idea to test your tools to make sure they are acting on the objects you expect!

Tools and Exploits

guac aggregates software security metadata into a high fidelity graph database.
Open-Obfuscator: A free and open-source obfuscator for mobile applications. A free and open-source solution for obfuscating mobile applications. Also some of the best looking docs I've seen in a long time.
Free: Dastardly from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
TerraLdr - Payload Loader Designed With Advanced Evasion Features.
BOF-herpaderping - Beacon Object File partial implementation of process herpaderping technique.
Spartacus - DLL Hijacking Discovery Tool.
siphon ⚗️ Intercept stdin/stdout/stderr for any process.
SharpC2. This looks to be a rewrite/less featured version of Rastamouse's collab with xpn that was also called SharpC2 (now pulled from GitHub)?

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

caOptics - Azure AD Conditional Access gap analyzer
Sandman is a NTP based backdoor for red team engagements in hardened networks.
potto A minimum cross-platform implementation of COM (Component Object Model), DI/IOC framework.
vhs Your CLI home video recorder 📼

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.