Last Week in Security (LWiS) - 2022-12-05

ChatGPT (@OpenAI), Huawei hypervisor research (@lyte__ + @NeatMonster_), Tailscale DNS rebinding attacks (@JJJollyjim), Using CodeQL to find RCE (@frycos), PPLcontrol (@itm4n), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-28 to 2022-12-05.

News

Techniques and Write-ups

Tools and Exploits

  • SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
  • Visual Studio Code: Remote Code Execution. Jupyter notebook links could have led to RCE in vscode when clicked.
  • SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in Rust? Try Unwinder.
  • PrintNotifyPotato - Another potato, using the PrintNotify COM service to elevate privileges.
  • BumbleCrypt - A Bumblebee-inspired Crypter.
  • google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
  • NimDllSideload allows you to easily generate Nim DLLs you can use for sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
  • Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Neton is a tool for getting information from Internet connected sandboxes.
  • kubeshark, the API Traffic Viewer for Kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.