Last Week in Security (LWiS) - 2023-02-06
Pre-Auth RCE (@infosec_au + @TheGrandPew), IP phone pwnage (Dylan Pindur), GoAnywhere RCE (@frycos), Toyota supplier network hack (@XeEaton), PipeViewer (@g3rzi), reverse socks5 (@aceb0nd), certsync, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-30 to 2023-02-06.
- Taking the next step: OSS-Fuzz in 2023. Increased bounties for integrating projects into OSS-Fuzz. Nice!
- Dutch Police Read Messages of Encrypted Messenger 'Exclu'. If you messenger is not open source and the server is not self-hosted, someone could be reading your messages. Yes, this includes Signal (what is actually running on the servers?).
- CVE-2023-0045. Speculative execution bugs are going to be with us for a while. "The current implementation of the prctl syscall for speculative control fails to protect the user against attackers executing before the mitigation. The seccomp mitigation also fails in this scenario."
- An important next step on our AI journey. Google's response to ChatGPT is... a blog post and no working product? Meanwhile, I'm out here having GPT-3 write my commit messages.
- Checksum mismatches on .tar.gz files. GitHub temporarily broke a lot of deployments after changing the default compression algorithm for releases. The change has been reverted, but showed how fragile the some software release ecosystems are and how reliant they are on a single third party.
Techniques and Write-ups
- Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails. The first of two great posts from Assetnote this week.
- RCE in Avaya Aura Device Services. This is the second post. They're pwning your phone system too...
- 2023-02-05: Solving a VM-based CTF challenge without solving it properly. A neat solve of a hard challenge with using side channels to not "actually" solve it. Hey, a flag is a flag.
- Onenote Malware: Classification and Personal Notes. '.one' based droppers are on the rise. Grab yourself OneNoteAnalyzer, a C# based tool for analyzing malicious OneNote documents, and dig in.
- Rustproofing Linux (Part 1/4 Leaking Addresses). While Rust provides some very nice memory safety, it also has to exist in the real world, where programmers will use 'unsafe' blocks to interact with raw memory and hardware. This series aims to show what can go wrong with 'unsafe' rust. Rust is pretty awesome though, as it can regex search 45 million repos in seconds.
- Hacking into Toyota's global supplier management network. I like these "real world" hacks that don't stop at "oh I can get access," but build on that to show how bad the combination of flaws can be. Bravo. The $0 bounty is rough.
Tools and Exploits
- Spoofy: An Email Domain Spoofing Tool. This is the new gold standard of "can I spoof this domain?" tools.
- GoAnywhere MFT - A Forgotten Bug. Some serious Java web app code review leads to - you guessed it - hard coded keys and a deserialization vulnerability.
- sh1mmer chromebook jailbreak. This is a cool "jailbreak" for Chromebooks that uses a modified Google signed RMA shim to boot into an environment that allows unenrolling Chromebooks from their parent organization.
- PipeViewer - A tool that shows detailed information about named pipes in Windows. For why, read Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 1.
- RasmanPotato - Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do.
- BypassAV This map lists the essential techniques to bypass anti-virus and EDR.
- AMSI-patches-learned-till-now - all of the AMSI patches that I learned till now.
- AMSI_patch - Patching AmsiOpenSession by forcing an error branching.
- Bloodhound python from @_dirkjan is now integrated to CrackMapExec as a core feature.
- Ghostwriter. Automate those reports!
- ReverseSocks5 - Single executable reverse socks5 proxy written in Golang.
- certsync - Dump NTDS with golden certificates and UnPAC the hash.
- D1rkLrd - Shellcode Loader with Indirect Dynamic syscall Implementation , shellcode in MAC format, API resolving from PEB, Syscall calll and syscall instruction address resolving at run time.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- FirmAE - Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis.
- wa-tunnel -Tunneling Internet traffic over Whatsapp.
- RToolZ - A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.