Last Week in Security (LWiS) - 2023-02-06

Pre-Auth RCE (@infosec_au + @TheGrandPew), IP phone pwnage (Dylan Pindur), GoAnywhere RCE (@frycos), Toyota supplier network hack (@XeEaton), PipeViewer (@g3rzi), reverse socks5 (@aceb0nd), certsync, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-01-30 to 2023-02-06.

News

  • Taking the next step: OSS-Fuzz in 2023. Increased bounties for integrating projects into OSS-Fuzz. Nice!
  • Dutch Police Read Messages of Encrypted Messenger 'Exclu'. If your messenger is not open source and the server is not self-hosted, someone could be reading your messages. Yes, this includes Signal (what is actually running on the servers?).
  • CVE-2023-0045. Speculative execution bugs are going to be with us for a while. "The current implementation of the prctl syscall for speculative control fails to protect the user against attackers executing before the mitigation. The seccomp mitigation also fails in this scenario."
  • An important next step on our AI journey. Google's response to ChatGPT is... a blog post and no working product? Meanwhile, I'm out here having GPT-3 write my commit messages.
  • Checksum mismatches on .tar.gz files. GitHub temporarily broke a lot of deployments after changing the default compression algorithm for releases. The change has been reverted, but it showed how fragile some software release ecosystems are and how reliant they are on a single third party.

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • FirmAE - Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis.
  • wa-tunnel - Tunneling Internet traffic over WhatsApp.
  • RToolZ - A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.