Nov 28 2022 Last Week in Security (LWiS) - 2022-11-28

AWS AppSync exploit (@Frichette_n), F5 unauth RCE, Meta's new VCS, Chrome exploitation (@jack_halon), Kerberoasting customization (@Ben0xA), macOS sandbox escape (@_r3ggi), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-14 to 2022-11-28.

News

A Confused Deputy Vulnerability in AWS AppSync. The cloud is just someone else's computer. And sometimes it has vulnerabilities too. This one is particularly bad; case insensitivity led to the ability to access resources in other AWS accounts - aka the worst thing possible in a cloud provider. There is a reason some workloads should stay on prem - but only if your on prem security is better than AWS's ability to prevent cross account access (unlikely).
Stable Diffusion 2.0 Release. AI is shaping up to be a major disruptor. Play with it locally with DiffusionBee. Want to be more awed by the power of AI? Read this.
Researchers Quietly Cracked Zeppelin Ransomware Keys. Score one for the good guys.
CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures. Another border device manufacturer with RCE...

Techniques and Write-ups

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. This post digs into some of the technical details of the Nighthawk commercial C2 agent. MDSec claims the same was collected as part of legitimate red team activity and posted their own rebuttal: Nighthawk: With Great Power Comes Great Responsibility.
Mind the Gap. TLDR: The patch gap is real, take advantage of it.
A dive into Microsoft Defender for Identity. Some good ideas for detecting MDI after you land a phish or start an internal assessment with low privileges.
Microsoft Defender for Identity Encrypted Password. More MDI fun, along with a tool release: Microsoft-Defender-for-Identity-Encrypted-Password.
An End to KASLR Bypasses?. The new THREATINT_PROCESS_SYSCALL_USAGE ETW event coming to Windows 11 23H2 might make API based kernel address leaks, VM detection, and hardware persistence more difficult to get away with undetected.
CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management. "A remote authenticated attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges."
Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan. Another meaty post on Chrome internals and exploitation - the best browser exploit series since Connor McGarr's posts on Edge exploitation.
Analysing Misconfigured Firebase Apps: A Tale of Unearthing Data Breaches (Wave 10). Back in the day I worked on an app with a firebase backend and the permission model was non-trivial. Not surprised this research showed that 20% of tested firebase instances exposed data. Want to try your hand at it? Check out firebaseExploiter.
Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment. .NET may be easy to decompile but it can still be tricky to trace a mutli-stage dropper all the way back.
The Art of Bypassing Kerberoast Detections with Orpheus. Kerberoasting becomes fully customizable with the orpheus tool. Beware of honeySPNs, but otherwise, targeted-roast away!
macOS Sandbox Escape vulnerability via Terminal. One ENV variable could be set to escape the sandbox on macOS!
Yet Another Azure VM Persistence Using Bastion Shareable Links. Convenient.

Tools and Exploits

Sapling: A Scalable, User-Friendly Source Control System. Meta open sourced their in house version control system. Don't worry, it's written in Rust.
BrokenFlow A simple PoC to invoke an encrypted shellcode by using an hidden call.
nanorobeus COFF file (BOF) for managing Kerberos tickets.
GCTI CobaltStrike rules. 165 yara rules for CobaltStrike. More info here.
ReverseSock5Proxy A tiny Reverse Sock5 Proxy written in C.
psmsi Create MSIs using PowerShell.
MemoryEvasion A Cobalt Strike memory evasion loader for redteamers.
geacon_pro A cross-platform Cobalt Strike Beacon written in Go, supports 4.1+.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.