Last Week in Security (LWiS) - 2023-02-13
Phishing in 2023 (@0xcsandker), SaltStack A-Salt (Alex Hill - @SkylightCyber), LocalPotato (@decoder_it + @elad_shamir), install4j XXE (@frycos), LPE in Avast (@Denis_Skvortcov), learning Semgrep (@jrozner), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-06 to 2023-02-13.
- VALL-E - Neural Codec Language Models are Zero-Shot Text to Speech Synthesizers. New research from Mircosoft shows how the new model can clone a voice to a high degree of accuracy with only 3 seconds of sample audio from the target. Previous techniques required at least 30 minutes of audio and had worse results. Think how easy it will soon be to call some, record their voice, and then have "them" say things generated in real time. This will be used for vishing, and it will be extremely effective.
- Truffle Security revealed data collection in XSS Hunster. Infosec Twitter was quick to denounce the data collection and suggest running your own instance.
- About the security content of iOS 16.3.1 and iPadOS 16.3.1. WebKit exploit and "Apple is aware of a report that this issue may have been actively exploited."
- Namcheap/Namecheap's SendGrid account compromised to send phishing emails. Namecheap says its SendGrid, SendGrid hasn't said anything (that I can find).
- Canarytokens.org welcomes Azure Login Certificate Token. Canarytokens are still the best free security tool you aren't using.
- We had a security incident. Here's what we know.. Phish to cloned internal gateway gives an attacker valid credentials and second-factor token. FIDO2/U2F would have made this impossible. Props to the user for self-reporting.
- Announcing Nuclei Cloud. The undisputed champions of the open source attack surface management tooling game are here with their hosted solution. This is not one to dismiss given their incredible history of high quality tool releases.
- Reinventing search with a new AI-powered Microsoft Bing and Edge, your copilot for the web. ChatGPT++ comes to Bing. This actually made me create a Microsoft account and sign up for the waitlist. Well done Microsoft.
Techniques and Write-ups
- Behind the Mask: Spoofing Call Stacks Dynamically with Timers. The Cobalt Strike team is hard at work pushing the boundries of call stack spoofing.
- LocalPotato - When Swapping The Context Leads You To SYSTEM. The Potatos never die! This is the 21st potato in my collection. Patching in 2023-01 (as CVE-2023-21746 ), this potato allows for local privilege escaltion through some tricky SPN manipulation.
- Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation). This is the best post on CORS on the internet. DM me anything better. I dare you.
- Offphish - Phishing revisited in 2023. This is a great rundown of modern phishing techniques. Keep in mind the ISO MOTW bypass was patched by Microsoft in November.
- [PDF] POPKORN: Popping Windows Kernel Drivers At Scale. Some interesting work on "large scale" (212 unique singed Windows kernel drivers) driver fuzzing. Unlike seemingly every other interesting paper, they actually published the code!.
- A-Salt: attacking SaltStack. SaltStack is a desired state configruation platform and less popular member of the Ansible, Puppet, SaltStack triad. Unlike Ansible, which is agentless, SaltStack uses an agent-server model and is basically a remote access tool (and potential traitorware!).
- Security Code Review With ChatGPT. The ChatGPT craze is still with us. Stop feeding it your code. I almost daily have it write me things in languages I'm not fully familair with and it does a decent job at getting me started.
- XXE with Auto-Update in install4j. Update attacks are great since they are usually 0-click. This is a great walkthrough of a Java installer XML External Entity (XXE) attack that reads arbitrary file contents in the PoC.
- CVE-2022-22655 - TCC - Location Services Bypass. I had no idea that location access wasn't part of TCC directly, but rather locationd's responsibility.
- Binance Smart Chain Token Bridge Hack. Ever wanted to steal ~$500,000,000 from the comfort of your own home? Thanks to the magic of smart contracts, you can!
- Exploiting a remote heap overflow with a custom TCP stack. "The funkiest part was undoubtedly implementing a custom TCP stack to trigger the bug. This is quite uncommon for an user land and real life (as not in a CTF) exploit, and we hope that was entertaining for the reader." It was!
- Elevation of privileges from Everyone through Avast Sandbox to System AmPPL (CVE-2021-45335, CVE-2021-45336 and CVE-2021-45337). Someting about a local privilege escaltion via an anti-virus sandbox just warms my heart. It's red teaming schadenfreude.
- Azure AD Kerberos Tickets: Pivoting to the Cloud. Domain Admin is cool, but impersonation of any non-MFA account via Azure SSO is cooler.
- How your messenger used for internal communication might compromise your company. Skype for business. Teams. Lync. Take your pick, get your access.
- Learning Semgrep. You've seen the power of Semgrep on this blog before, so why not learn it?
Tools and Exploits
- TeamFiltration V3.5.0 - Improve All the Things!. Lots of new features and improvements to this cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts.
- ThreadlessInject - Threadless Process Injection using remote function hooking.
- LPE via StorSvc - Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL Hijacking).
- FilelessPELoader - Loading Remote AES Encrypted PE in memory, decrypt and run it.
- D1rkSleep - Improved version of EKKO by @5pider that Encrypts only Image Sections.
- HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
- firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.
- UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
- OperatorsKit - Collection of Beacon Object Files (BOF) for Cobalt Strike.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- wildebeest is an ActivityPub and Mastodon-compatible server.
- grepmarx - A source code static analysis platform for AppSec enthusiasts.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.