Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-10-31 to 2022-11-08.
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows. Sometimes the hype is just hype. This looks extremely hard to exploit with modern mitigations and a limited userbase.
- [PDF] How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Over 10% of PoCs were malicious! There is a reason there is a disclaimer at the end of each of these posts.
- LinkedIn Adds Verified Emails, Profile Creation Dates. Your favorite profile backstop just got a little harder to fake.
- Nighthawk 0.2.1 - Haunting Blue. Some cool features in the latest release of this commercial red team tool.
- Meet Fortra™ The new face of HelpSystems. HelpSystems (Cobalt Strike/Outflank's buyers) have rebranded - now with more generic corporate stock photos.
- [SimpleX] Security assessment by Trail of Bits. I've been playing with this new messenger app for a while and I think it has the potential to unseat Signal in a few versions. No shady CIA money, "open source" (but not really), blockchain silliness, etc. The pace of development is also impressive. They list their Monero address above their Bitcoin address - legit.
- urlscan.io's SOAR spot: Chatty security tools leaking private data. Careful what you auto-submit to external vendors.
- [PDF] VX-Underground's Black Mass. Tmp.out and vx-underground keep the zine scene alive.
Techniques and Write-ups
- Exploiting Static Site Generators: When Static Is Not Actually Static. File this under "Serverless and other myths."
- A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. Mobile exploit chains are always a trip. This one looks surprisingly easy to understand compared to most.
- Lessons Learned from Cloning Windows Binaries and Code Signing Implants. Some good lessons here. Another option is to just use signed binaries for other purposes ...
- How one misconfiguration in ADCS can lead to full AD Forest compromise. ADCS is the gift that keeps on giving.
- CVE-2022-26730 | ColorSync | Hoyt LLC. macOS memory corruption in the processing of image ICC profiles can lead to RCE. Comes with the shortest PoC I have seen in a while (now patched).
- BYODC - Bring Your Own Domain Controller. This meme makes a comeback. This is some great traitorware - why fake a DCSync, if you can just do an actual DCSync? DCShadow is a previously discovered/implemented version of this.
- Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3). Quite a chain for unauth RCE across different tech/languages.
Tools and Exploits
- Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
- katana - A next-generation crawling and spidering framework from projectdiscovery.
- KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
- CVE-2022-33679 One day based on RC4 is still considered harmful.
- stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
- CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
- awsrecon - Tool for reconnaissance of AWS cloud environments.
- exe_who - Executables on Disk? Bleh 🤮.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
- PowerHuntShares is an audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains.
- Kernelhub 🌴Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
- grace It's strace, with colors.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.