Last Week in Security (LWiS) - 2023-01-23
No Fly List leak (@_nyancrimew), LogSlash (@4A4133), Okta issues (@varonis), ARM bug pwns Pixel (@mmolgtm), golddigger (@ustayready), APCLdr (@NUL0x4C), build your own SANS760 (@Void_Sec), SOCKS4a shellcode, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-16 to 2023-01-23.
News
- how to completely own an airline in 3 easy steps. The US "No Fly List" was found on an exposed Jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
- Introducing LogSlash and The End of Traditional Logging. An interesting idea: save the "meaning" of a series of logs (the repeated event, a count, and the time span it covers) without keeping every raw line. I think large firms will still be saving all the raw data, as all their detections are built on it, but I like the idea.
- HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
- Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
- Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.
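To make the LogSlash idea above concrete, here is an added example (my own simplified implementation, not code from the LogSlash project): events that share a key (result, user, source IP) inside a time window are collapsed into one record carrying a count, first/last timestamp, and the set of values of the fields that varied. The sample sshd lines are constructed for the demo, and the 60-second window and key fields are assumptions, not LogSlash's actual defaults.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample log lines for the demo (not real data).
SAMPLE_LOGS = """\
2023-01-20T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
2023-01-20T10:00:02Z sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
2023-01-20T10:00:03Z sshd[1203]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2023-01-20T10:00:04Z sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
2023-01-20T10:02:30Z sshd[1210]: Failed password for root from 203.0.113.7 port 50140 ssh2
2023-01-20T10:02:31Z sshd[1211]: Accepted password for alice from 198.51.100.5 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def parse(line):
    """Parse one sshd auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def logslash(lines, window_s=60, key_fields=("result", "user", "src")):
    """Collapse events sharing key_fields within window_s seconds into one record.

    Each record keeps: the key, a count, first/last timestamps, and the sets of
    variable fields (ports, pids) so a 'N failures from src' detection still works.
    Lines that do not parse are passed through untouched.
    """
    buckets = OrderedDict()   # live bucket per key
    out = []                  # buckets closed because their window expired
    for line in lines:
        ev = parse(line)
        if ev is None:
            out.append({"raw": line})
            continue
        key = tuple(ev[f] for f in key_fields)
        b = buckets.get(key)
        if b is None or (ev["ts"] - b["first"]).total_seconds() > window_s:
            if b is not None:
                out.append(b)
            b = {"key": dict(zip(key_fields, key)), "count": 0,
                 "first": ev["ts"], "last": ev["ts"], "ports": set(), "pids": set()}
            buckets[key] = b
        b["count"] += 1
        b["last"] = ev["ts"]
        b["ports"].add(int(ev["port"]))
        b["pids"].add(int(ev["pid"]))
    out.extend(buckets.values())  # flush the buckets still open at end of input
    return out


def reduction(lines, **kw):
    """Return (raw_line_count, slashed_record_count) for a batch of lines."""
    lines = [l for l in lines if l]
    return len(lines), len(logslash(lines, **kw))


if __name__ == "__main__":
    for rec in logslash(SAMPLE_LOGS.splitlines()):
        if "raw" in rec:
            print("passthrough:", rec["raw"])
        else:
            print(f"{rec['key']} x{rec['count']} {rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S} "
                  f"ports={sorted(rec['ports'])}")
    print("raw -> slashed:", reduction(SAMPLE_LOGS.splitlines()))
```

What is lost is exactly what the newsletter worries about: a detection that keys on the count per source and window survives, but one that needs the exact inter-arrival timing or ordering of the individual failures has nothing to run on once only the collapsed record is retained.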
Techniques and Write-ups
- CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion. ColdFusion is not only still a thing, but it's also still full of holes.
- Pwning the all Google phone with a non-Google bug. The bug here is cool, and the patch gap between ARM and Android on hardware controlled by its OS maker (Pixel 6) is worrying.
- CVE from 2018 Strikes Again. I've said it before and I'll say it again: just because a vulnerability is patched doesn't mean it's fixed. This is one such case, albeit a simple one.
- Bitwarden design flaw: Server side iterations. With LastPass's recent issue, many have been searching for a new password manager, and researchers have been taking a look too. Positive change has already taken place because of this, and the open source Bitwarden is getting more secure. However, you may want to manually increase your PBKDF2 iteration setting (Vaultwarden is also set at 100,000 by default as of 2023-01-23). The use of a secret key like 1Password has is a feature many would like to see implemented in other password managers. Need more password manager (patched) flaws? Unsandboxed Password Manager has them.
- Client-Side SSRF to Google Cloud Project Takeover [Google VRP]. A combo of Google properties (FeedBurner + VertexAI) combined for a nice Google Cloud takeover. It's not just Google, as Microsoft resolves four SSRF vulnerabilities in Azure cloud services.
- AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass. Why is a CloudTrail bypass a big deal? When you are looking for ways to validate AWS keys without tripping a Canary Token, finding a method to use them that doesn't show up in CloudTrail is the only way. Speaking of canary tokens, they just released new credit card tokens.
- ManageEngine CVE-2022-47966 Technical Deep Dive. A quick run through of the RCE starting with the patch.
- [PDF] Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809. A simple argument-injection bug in how sudoedit handled the EDITOR environment variable allowed a user with sudoedit permissions on a single file to write to arbitrary files as root. Perhaps not a common setup to have sudoedit enabled, but an easy LPE if it is!
- CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite. Some excellent creative hacking that will become more important as more things move to SaaS.
- Exploiting null-dereferences in the Linux kernel. Not crashing the kernel and instead "oops"-ing is better, but can have unintended consequences.
- making malware #0. Not sure a public "API" is the best for tooling's long term evasion, but it might help in some cases.
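On the Bitwarden "server side iterations" item above: the point of the write-up is that iterations applied on the server only protect the stored login hash, while an attacker holding a leaked encrypted vault brute-forces the master password through the client-side KDF alone. The following is an added example of my own (not Bitwarden's code) that models that split: a Bitwarden-style client KDF (PBKDF2-HMAC-SHA256 over the password, salted with the lowercased email, then one more round to produce the login hash), a server-side PBKDF2 over the login hash, and a toy HMAC-based wrapping of the random vault key standing in for the real AES-CBC+HMAC. The crack loop shows where the work actually lands. The exact KDF layout is stated as my understanding of the scheme, and the candidate passwords are constructed for the demo.

```python
import hashlib
import hmac


def client_master_key(password: str, email: str, iterations: int) -> bytes:
    """Client-side KDF (Bitwarden-style, as I understand it): PBKDF2-HMAC-SHA256,
    password as input, lowercased email as salt. This is the user-tunable setting."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               iterations, 32)


def client_auth_hash(master_key: bytes, password: str) -> bytes:
    """Login hash sent to the server: one extra PBKDF2 round keyed by the master key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def server_stored_hash(auth_hash: bytes, server_salt: bytes,
                       server_iterations: int = 100_000) -> bytes:
    """Server-side iterations: applied only to the login hash before it is stored.
    They never touch the vault key derivation."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, server_iterations, 32)


def _stretch(master_key: bytes, label: bytes) -> bytes:
    # Derive a sub-key from the master key (stand-in for the real HKDF expand step).
    return hmac.new(master_key, label, hashlib.sha256).digest()


def wrap_vault_key(master_key: bytes, vault_key: bytes) -> bytes:
    """Toy encrypt-then-MAC of the 32-byte random vault key: XOR with a one-shot
    HMAC keystream, then an HMAC tag (not the real AES-CBC+HMAC construction)."""
    assert len(vault_key) == 32
    ct = bytes(a ^ b for a, b in zip(vault_key, _stretch(master_key, b"enc")))
    tag = hmac.new(_stretch(master_key, b"mac"), ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_vault_key(master_key: bytes, blob: bytes):
    """Return the vault key, or None if the tag does not verify (wrong master key)."""
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(_stretch(master_key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stretch(master_key, b"enc")))


def crack_vault(candidates, email: str, client_iterations: int, blob: bytes):
    """Offline attack on a leaked encrypted vault.

    Returns (password or None, total PBKDF2 iterations spent). Note that the
    server-side iteration count is not a parameter: it cannot slow this loop down.
    """
    work = 0
    for guess in candidates:
        work += client_iterations
        if unwrap_vault_key(client_master_key(guess, email, client_iterations), blob) is not None:
            return guess, work
    return None, work


if __name__ == "__main__":
    email = "user@example.com"
    password = "correct horse battery staple"
    vault_key = bytes(range(32))                      # constructed random vault key
    wordlist = ["password", "letmein", "hunter2", password]  # constructed guesses
    for client_iters in (100_000, 600_000):
        mk = client_master_key(password, email, client_iters)
        blob = wrap_vault_key(mk, vault_key)
        # The server does its extra work on the login hash only.
        server_stored_hash(client_auth_hash(mk, password), b"server-salt")
        found, work = crack_vault(wordlist, email, client_iters, blob)
        print(f"client iterations={client_iters:>7}: recovered={found!r} "
              f"attacker PBKDF2 work={work:,} iterations")
```

Raising the client-side count from 100,000 to 600,000 multiplies the attacker's per-guess cost by six; raising the server-side count by any amount changes nothing in `crack_vault`, which is the design flaw the write-up is about.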
Tools and Exploits
- CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
- Credmaster2. Your favorite credential spraying tool is back with more plugins.
- pdtm - ProjectDiscovery's Open Source Tool Manager.
- Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
- Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
- git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
- a.socks.proxy.shellcode is a SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
- SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
- golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
- APCLdr - Payload Loader With Evasion Features.
- CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
- sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
- ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
- SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here; section 3, Recommendations, is the gold.
- infisical ♾ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.