Last Week in Security (LWiS) - 2023-01-02
x64dbg scripts and plugins (@_n1ghtw0lf), ShellcodeMutator (@m0rv4i), Dirty-Vanity (@eliran_nissan), Windows Kernel dev 101 (@V3ded), detailed Chrome exploitation (@jack_halon), PassTheChallenge (@ly4k_) and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-12 to 2023-01-02.
News
- [LastPass] Notice of Recent Security Incident. The breach from August is worse than initially reported, with encrypted password vaults stolen. Despite their encryption, weak master passwords or perhaps other issues could lead to passwords and other information leaking to the perpetrators. If you use a password manager (cloud based or not), the loss of your vault has to be part of your threat model. Other services have been quick to capitalize on LastPass' failure.
- Announcing OSV-Scanner: Vulnerability Scanner for Open Source. Google launches an open source dependency vulnerability scanner based on their OSV database.
- OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know. At this point, self-hosting Microsoft Exchange is an extremely risky proposition. Unless it's behind a VPN or Zero Trust Network Access (making it hard to use with Outlook/etc), you're asking for compromise.
- 2022 Adversary Infrastructure Report. Cobalt Strike still dominates.
- Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability. In the unlikely case you are serving SMB with the new in-kernel ksmbd module rather than Samba, update now or face unauthenticated RCE.
- Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. The title is a bit bland, but this is official FBI communication encouraging the use of ad blockers. I've heard stories of companies that force uBlock Origin as part of their managed Chrome install to great effect.
- Sunsetting DetectionLab. One of the best automated lab tools is ending development. The scene is set for an open source, modular, lab infrastructure system to be released...
- Crack the ELF RE challenges - "Here are some reverse-engineering challenges I've made on my spare time."
Techniques and Write-ups
- Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg. Some great technical Linux exploitation detail in this write up.
- Spice up your persistence: loading PHP extensions from memory. This technique is neat: after the extension is loaded from disk and the disk-backed copy is unloaded, the backdoor lives only in the PHP process, with a few suspicious memory maps as the sole giveaway.
- Writing x64dbg scripts and Writing x64dbg plugins will help you level up your x64dbg game.
- Puckungfu: A NETGEAR WAN Command Injection. This command injection requires control of DNS on the WAN side of the router.
- MeshyJSON: A TP-Link tdpServer JSON Stack Overflow. In contrast to the relatively simple command injection exploit in Puckungfu, this exploit uses an address leak and a heap spray to bypass KASLR and execute a ROP gadget. Impressive stuff.
- CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution. This is a great read for web app pentesters. The initial bug doesn't look so bad, but the chain to RCE is impressive.
- Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1). This post is all lab/dev setup and a Hello World, but the series could get interesting quickly. For a finished series, check out Lord Of The Ring0.
- LABScon Replay | Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi). You've heard of bootkits, but what about pre-bootkits?
- Trend Micro drops 2x macOS LPE posts: Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities and A Technical Analysis of CVE-2022-22583 and CVE-2022-32800.
- Navigating the Vast Ocean of Sandbox Evasions. Palo Alto's sandbox is custom and has fixes for many common sandbox-detection tricks. Would your sandbox checks get caught in this sandbox?
- Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463. Part 3 of the amazingly detailed browser exploitation series is here!
- Gatekeeper's Achilles heel: Unearthing a macOS vulnerability. Microsoft digs into a strange "AppleDouble" file format and finds a Gatekeeper bypass.
- .NET Startup Hooks. If you can set environment variables for .NET programs, you can inject arbitrary code. Could be a useful persistence technique, as there are built-in .NET binaries in Windows.
Tools and Exploits
- Avoiding Detection with Shellcode Mutator. By randomly adding nops or nop-equivalent instructions, ShellcodeMutator can break YARA rules that look for specific assembly sequences in shellcode.
- Dirty-Vanity - A POC for the new injection technique, abusing the Windows fork API to evade EDRs. See the slides from BlackHat EU here.
- DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting.
- CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for upstream stable kernels 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
- Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
- CaFeBiBa - A COFF parser for binaries compiled with MSVC.
- Offensive-Rust - Various offensive techniques in Rust.
- ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
- CVE-2022-42046 - Proof of concept of a wfshbr64.sys local privilege escalation via DKOM.
- linux_injector - A simple ptrace-less shared library injector for x64 Linux.
- Venom - A library meant to perform evasive communication using a stolen browser socket.
- wanderer - An open-source process injection enumeration tool written in C#.
- Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
- WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
- PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- pike is a tool for determining the permissions or policy required for IaC code.
- policies - Security policies for Tailscale.
- A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding. I use SSH tunnels on a daily basis, and this is a great visual guide for anyone new to the concept (or as a reference if you forget!).
- portable-secret - Better privacy without special software.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.