Last Week in Security (LWiS) - 2023-01-23

No Fly List leak (@_nyancrimew), LogSlash (@4A4133), Okta issues (@varonis), ARM bug pwns Pixel (@mmolgtm), golddigger (@ustayready), APCLdr (@NUL0x4C), build your own SANS760 (@Void_Sec), SOCKS4a shellcode, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-16 to 2023-01-23.

News

  • how to completely own an airline in 3 easy steps. The US "No fly list" was found on an exposed Jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
  • Introducing LogSlash and The End of Traditional Logging. An interesting idea to save the "meaning" of a series of logs without all the raw data. I think large firms will still be saving all the raw data as all their detections are built on it, but I like the idea.
  • HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
  • Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
  • Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
  • Credmaster2. Your favorite credential spraying tool is back with more plugins.
  • pdtm - ProjectDiscovery's Open Source Tool Manager.
  • Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
  • Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
  • git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
  • a.socks.proxy.shellcode is a SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
  • SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
  • golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
  • APCLdr - Payload Loader With Evasion Features.
  • CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
  • sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
  • ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
  • SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here; it's section 3: Recommendations that is gold.
  • infisical ♾ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.