Last Week in Security (LWiS) - 2023-01-09
Korea's browser-ex problem (@WPalant), Prox-Ez (@b1two_ + @YofBalibump), car hacks (@samwcyo), Azure privesc (@_wald0), tons of direct syscall techniques, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-02 to 2023-01-09.
News
- CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 7). Ouch. If you use any kind of secrets in CI (not bad by itself, depending on your threat model etc), please use canary tokens so you know when you need to drop everything and rotate secrets and take a hard look at your logs.
- Researchers Could Track the GPS Location of All of California's New Digital License Plates. Because of course they can. File this under "shockingly bad idea is still bad for all the reasons we thought." For all the car hacks of 2022 check out Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More.
- Security Update Guide Improvement - Representing Hotpatch Updates. You can now easily identify hotpatches for Windows Server VMs in Azure which can be applied without a reboot (feature introduced last year). Linux users heard saying "what took so long?"
- [PDF] Factoring integers with sublinear resources on a superconducting quantum processor. Researchers out of China claim to have a system where "traditional" lattice-reduction math is used to dramatically reduce the number of qbits a quantum computer needs to factor numbers (the basis of RSA). If correct, they could theoretically break 2048-bit RSA with 372 qbits (which IBM already has). However, "this destroys the RSA cryptosystem" is a statement other papers have made, and so far, failed to deliver.
- U.S. Targets Non-Compete Clauses That Block Workers From Better Jobs. A staple of any tech employment contract, the non-compete could be coming to an end.
- Making an SSH client the hard way. Your weekly reminder that the modern browser is the OS of tomorrow.
Techniques and Write-ups
- TouchEn nxKey: The keylogging anti-keylogger solution. Every article I read by Wladimir makes me more and more scared of any browser extension. In this case, an all-but-required extension for Korean banking can be repurposed as a keylogger easily among other scarry things.
- Escaping from bhyve. A sesonsed VM escaper (QEMU previously) tries their hand at bhyve, FreeBSD's hypervisor, and comes away with a new VM escape. It's impressive to witness people who can point their attention at something and have impressive bugs fall out.
- A study on Windows HTTP authentication (Part II). Kerberos over HTTP? Windows authentication options are impressive in their vastness. This is a great post for any Windows network assessor, and the Prox-Ez tool will certainly come in handy once inside your next corporate network.
- Bypass firewalls with of-CORs and typo-squatting. The dangers of "just clicking a link" are real in 2023, but not because your computer will get compromised (excluding browser 0day+SBX) but because your company's internal web apps are YOLOing their CORS and authentication, allowing any browser on the network to pull data. This is really neat attack that is only possible because of overpermissive internal web apps. Use of-CORS to pull off your own sweet CORS hacks.
- CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet. The cool part of this post isn't the Citrix exploits, its the method of getting your hands on different versions of Citrix ADC images and fingerprinting the versions.
- Microsoft Defender for Identity JSON API. The inner workings of the Microsoft Defender for Identity and its API can hold some secrets if you compromise a machine running a sensor. Use Microsoft-Defender-for-Identity-API-Fiddler to play with it.
- CVE-2022-25026 & CVE-2022-25027: Vulnerabilities in Rocket TRUfusion Enterprise. Some classic web app vulnerabilities in this post.
- DeTT&CT: Automate your detection coverage with dettectinator . This post introduces a new tool, dettectinator, which is a framework that helps blue teams in using MITRE ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviors.
- Passwordless Persistence and Privilege Escalation in Azure. TIL that Azure comes with its own privesc to Global Admin. Neat.
- Lateral movement risks in the cloud and how to prevent them - Part 2: from compromised container to cloud takeover. What can you do once you land in a prod pod? Depends on the cloud, but probably a lot.
Tools and Exploits
- iCDump. A Modern Objective-C Class Dump. Blog here.
- UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
- HellHall is a combination of HellsGate and indirect syscalls.
- WalkerGate is a method to take syscall with memory parsing of ntdll.
- zsyscall is an implementation of the Hell's Gate VX technique. The main difference with the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for using syscalls.
- SOC-Multitool - A free and open source tool to aid in SOC investigations!
- Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe formats.
- sub-scout is a simple bash script to automate your inital recon and extend your attack surface using popular tools made by infosec community.
- MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
- nuclearpond is a utility leveraging Nuclei to perform internet wide scans for the cost of a cup of coffee.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- A New PyRDP Release: The Rudolph Desktop Protocol!. The gosecure RSS feed was slow on this one?
- KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
- NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
- smudge - Passive OS detection based on SYN packets without Transmitting any Data
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.