Last Week in Security (LWiS) - 2023-01-30
HIVE takedown, Yandex leak, modern SEH hijacking (@BillDemirkapi), extending PersistAssist (@Gr1mmie), Docmosis Tornado horror show (@frycos), RODC to DA (@elad_shamir), rendering Chrome to a terminal, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-23 to 2023-01-30.
News
- Hackers Demand $10M From Riot Games to Stop Leak of 'League of Legends' Source Code. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." Is it?
- Protecting Against Malicious Use of Remote Monitoring and Management Software. Someone at CISA finally watched my talk on Traitorware?
- U.S. Department of Justice Disrupts Hive Ransomware Variant. Don't do crimes.
- Yandex Services Source Code Leak. No git history, no ML models, but lots of source code.
- The Microsoft Edge team no longer offers VM image downloads for the testing of Microsoft Edge and Internet Explorer. The go-to source for quick, legitimate test VMs is gone. This, on the back of the news that detection lab is not being maintained, has opened a hole in the test VM/lab/management area... (stay tuned).
Techniques and Write-ups
- At the Edge of Tier Zero: The Curious Case of the RODC. Just because it's read-only doesn't mean it can't lead to domain dominance.
- Operator's Guide to the Meterpreter BOFLoader. BOFs come to Meterpreter - they are truly the cross-C2 primitive of modern red teaming. You can run them from Python3 now with pybof. Hell, I even put them in osquery.
- Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI. Hardcode a private key == hardcode a bad time.
- Password strength explained. This is a good explainer. Dice-chosen word-based passwords are the way to go.
- Abusing Exceptions for Code Execution, Part 2. This one is meaty and really cool. If you thought SEH exploitation died in 2008, buckle up.
- Extending PersistAssist: Act I. How to add your own modules and stick around even after a reboot.
- Web Hacking
- Using 0days to Protect the United Nations. Some web apps are frighteningly bad at security - this is one of them.
- Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315). A nice authenticated RCE chain.
- MyBB <= 1.8.31: Remote Code Execution Chain. This is just quality web app hacking.
- Insomni'hack 2023 CTF Teaser - InsoBug. CTF writeups don't usually make the blog, but this one is particularly interesting and Windows based which is extremely rare.
- gaylord M FOCker - ready to pwn your MIFARE tags. If you're getting started in the RFID card space, this post will give you a quick overview of the various attacks.
- Microsoft Defender Vulnerability Management Authenticated Scan Security Risks. Authenticated scans can give attackers hashes when 'Negotiate' is enabled.
- CVE-2023-23504: XNU Heap Underwrite in dlil.c. "This can be triggered by a root user creating 65536 total network interfaces." Seems pretty far-fetched, but a physical attack (malicious USB) is a potential vector.
- How to access data secured with BitLocker? Do a system update. BitLocker effectively disables itself during updates.
- Give me a browser, I'll give you a Shell. The JavaScript to create a browse button was neat.
- Fun with macOS's SIP. A nifty trick to "bypass" (but not really) System Integrity Protection on macOS.
- Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks. Loader/AV bypassers take note.
Tools and Exploits
- gato - GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
- starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
- azbelt - AAD related enumeration in Nim.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- yaralyzer - Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.
- Forking Chrome to render in a terminal. Simply amazing.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.