Last Week in Security (LWiS) - 2022-12-05
ChatGPT (@OpenAI), Huawei hypervisor research (@lyte__ + @NeatMonster_), Tailscale DNS rebiding attacks (@JJJollyjim), Using CodeQL to find RCE (@frycos), PPLcontrol (@itm4n), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-28 to 2022-12-05.
News
- ChatGPT: Optimizing Language Models for Dialogue. Well, this exploded last week. If you haven't tried it, it's worth some specific technical queries. You can even jailbreak it or run a 'virtual machine' in it.
- Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent. While it was only thumbnail images being uploaded, still a bad look for a brand that is heavy on "local only" branding. Compared to Ring cameras that will find their own wifi to steam video to the cloud, this seems minor. Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
- Web browsers drop mysterious company with ties to U.S. military contractor. Props to The Washington Post for exposing the root CA and finally getting enough pressure to have it removed from browsers (12 years too late?).
- The FreeBSD Project - Stack overflow in ping(8). Despite the scary title, it only applies to ping responses, and the ping process "runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." I doubt this will yield remote shells any time soon. LPE however...
- Memory Safe Languages in Android 13. No memory safety related bugs in the Rust code added to Android (yet). It's not a magic bullet, but the evidence shows it really does help prevent memory safety bugs.
- We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. Control character injection lets you register emails that "matched" actual users, and thereby take over their car via the internet. What a time to be alive. Not broad enough? What about taking over multiple brands of cars via SiriusXM?.
- Hell's Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access. Potential access to the CI of the IBM cloud. Yikes!
Techniques and Write-ups
- Shedding Light on Huawei's Security Hypervisor. This post tears apart the encrypted security hypervisor used in Huawei devices and nets a CVE: CVE-2021-39979 OOB Accesses Using the Logging System.
- CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You. The rebinding attacks are neat (if a bit hard to pull off in the real world), but the vendor response is downright amazing, and in a good way this time!
- Pre-Auth RCE with CodeQL in Under 20 Minutes. CodeQL is a force multiplier, I've said it before and I'll say it again.
- Debugging Protected Processes. Debugging protected processes on Windows can be tricky, so what if you made your debugger have the same level of protection instead? Now you can with PPLcontrol.
- Stalking inside of your Chromium Browser. Browsers are where lots of important information is accessed. If you don't have good access methods to leverage endpoint access to dump browser information, or better yet live inside the browser, you should prioritize development.
- How to mimic Kerberos protocol transition using reflective RBCD. Kerberos contains more foot-guns than any authentication protocol I've seen.
- Making unphishable 2FA phishable. Thanks to non-input enabled devices, even the best 2FA can be phished (sometimes).
Tools and Exploits
- SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
- Visual Studio Code: Remote Code Execution. Jypiter notebook links could have led to RCE in vscode when clicked.
- SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in rust? Try Unwinder.
- PrintNotifyPotato - Another potato, using PrintNotify COM service for lifting rights.
- BumbleCrypt - A Bumblebee-inspired Crypter.
- google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
- NimDllSideload allows you to easily generate Nim DLLs you can use sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
- Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Neton is a tool for getting information from Internet connected sandboxes.
- kubeshark , the API Traffic Viewer for kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.