Last Week in Security (LWiS) - 2023-02-21
FortiNAC RCE, NimPlant (@chvancooten), LPE via GPO (@decoder_it), bypassing Okta MFA (@n00py1), injection with NtQueueApcThreadEx (@LloydLabs), DKOM attacks on ETW providers (@FuzzySec), PCIe on Windows (@4lpine), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-13 to 2023-02-21.
- New legal framework for reporting IT vulnerabilities. Belgium's CSIRT can give researchers legal protection granted they meet some conditions when reporting (ethics stuff like acting without intent to harm, no public disclosure without consent, etc). To see this codified in law is awesome. Hack the planet!
- ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published. HFS+ file parsing could lead to remote code execution. As ClamAV is used in many mail gateways, the potential to get code execution by emailing an HFS+ file is exiting/terrifying.
- telnet-client. The Google Chrome team put a telnet client into Chrome. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
- [Twitter] Activision was breached December 4th, 2022.. How'd they do it? SMS phishing, and you can see the screenshots in the tweet. All it takes is one, however, the attackers appear to have their access from a different location (i.e. no code running on the user's system). Would your systems catch this (impossible travel, etc)?
- GoDaddy says a multi-year breach hijacked customer websites and accounts. Ever since GoDaddy bought and then tried to resell me a domain I searched for on their site in 2012 I have sworn to never touch them. Intuition was right on.
Techniques and Write-ups
- Disabling ClamAV as an Unprivileged User. Socketfile permissions claim another victim. With write access to kick off scans comes the ability to shut down the AV altogether.
- EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” - CVE-2022-37955. Symbolic links on Windows have led to lots of LPEs over the past few years. This one uses a GPO's "Files" windows setting to write arbitrary files as SYSTEM.
- Bypassing Okta MFA Credential Provider for Windows. A little walkthrough on how to flip off MFA for RDP once you have admin on the machine.
- Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers. Attackers in your kernel is a certified "bad thing." How bad? This post shows a few ways to blind ETW from the kernel. Not just theory, there is an example from Lazarus in the post as well.
- What the Vuln: Zimbra. This new post series looks fun! First up: a web app with a path traversal vulnerability.
- Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. How did this get past the internal security team, static analysis, and external audits? Amazing. Are you kidding me?
- A Practical Tutorial on PCIe for Total Beginners on Windows (Part 1). The amount of high quality free learning on the internet is amazing, and the people that put it together are awesome.
- Abusing Azure App Service Managed Identity Assignments. Azure is a scary place, and fully understanding the connections of services, apps, principles, etc is a constant struggle.
- New headless Chrome has been released and has a near-perfect browser fingerprint. TLDR: --headless=new will make your headless browser look nearly the same as regular chrome.
Tools and Exploits
- CVE-2022-44666 - Write-up for another forgotten Windows vulnerability (0day): Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape, which was not fully fixed as CVE-2022-44666 in the patches released on December, 2022.
- ntqueueapcthreadex-ntdll-gadget-injection - This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
- Split - Apply a divide and conquer approach to bypass EDRs.
- COFF_With_Exception_handler.c. Make your BOFs safer.
- LsaParser - A shitty (and old) lsass parser. [authors original description]
- NimPlant - A light-weight first-stage C2 implant written in Nim.
- ThreadlessInject-BOF - BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
- graphcat - Generate graphs and charts based on password cracking result.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- OpenSSL Ported to the web browser with WebAssembly. WebAssembly is coming for everything. Chrome/Firefox/Safari are the OSs of the future.
- heap_detective - The simple way to detect heap memory pitfalls in C++ and C. Beta.
- Open Software Supply Chain Attack Reference (OSC&R). Its ATT&CK for releasing software.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.