Last Week in Security (LWiS) - 2023-02-21

FortiNAC RCE, NimPlant (@chvancooten), LPE via GPO (@decoder_it), bypassing Okta MFA (@n00py1), injection with NtQueueApcThreadEx (@LloydLabs), DKOM attacks on ETW providers (@FuzzySec), PCIe on Windows (@4lpine), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-02-13 to 2023-02-21.

News

  • New legal framework for reporting IT vulnerabilities. Belgium's CSIRT can give researchers legal protection provided they meet some conditions when reporting (ethical conditions such as acting without intent to harm, no public disclosure without the CSIRT's consent, etc.). To see this codified in law is awesome. Hack the planet!
  • ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published. A bug in HFS+ partition file parsing (CVE-2023-20032) could lead to remote code execution. As ClamAV is used in many mail gateways, the potential to get code execution by emailing an HFS+ file is exciting/terrifying.
  • telnet-client. The Google Chrome team put a telnet client into Chrome. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
  • [Twitter] Activision was breached December 4th, 2022. How'd they do it? SMS phishing, and you can see the screenshots in the tweet. All it takes is one. Note, however, that the attackers appear to have used the stolen credentials from a different location (i.e. no code running on the user's system). Would your systems catch this (impossible travel, etc.)?
  • GoDaddy says a multi-year breach hijacked customer websites and accounts. Ever since GoDaddy bought and then tried to resell me a domain I searched for on their site in 2012, I have sworn to never touch them. Intuition was right on.
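The Activision item asks whether your systems would catch a session that comes from somewhere the user could not physically be. The script below is an added example (not from the LWiS post or any linked project) of the simplest version of that check: walk successful sign-ins per user in time order and flag any consecutive pair whose great-circle distance divided by elapsed time exceeds what an airliner can do. The log format, the IP-to-coordinate table and the 900 km/h threshold are assumptions made for the illustration; a real detection would take events from the IdP and coordinates from a GeoIP database.

```python
"""Impossible-travel check over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed sample events: ISO-8601 timestamp, user, source IP, result.
# The third alice line is 27 minutes after the second but from another continent;
# bob's London sign-in is 11.5 hours after his LA one, which is plausible by air.
SAMPLE_LOG = """\
2022-12-04T08:15:02Z alice 203.0.113.10 SUCCESS
2022-12-04T08:20:15Z alice 203.0.113.10 SUCCESS
2022-12-04T08:47:41Z alice 198.51.100.77 SUCCESS
2022-12-04T09:02:10Z bob 203.0.113.10 SUCCESS
2022-12-04T09:05:00Z bob 198.51.100.77 FAILURE
2022-12-04T20:30:00Z bob 198.51.100.77 SUCCESS
"""

# Constructed GeoIP table: documentation-range addresses mapped to (lat, lon)
# roughly matching Los Angeles and London. Assumption for the example only.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (34.05, -118.24),
    "198.51.100.77": (51.51, -0.13),
}

MAX_KMH = 900.0  # assumed ceiling for legitimate travel between two sign-ins


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    result: str


def parse_line(line: str) -> Event:
    ts, user, ip, result = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(log_text: str, geo: Dict[str, Tuple[float, float]] = GEO,
                      max_kmh: float = MAX_KMH) -> List[Tuple[str, str, str, int, float, int]]:
    """Return (user, from_ip, to_ip, km, hours, kmh) for each consecutive pair of
    successful sign-ins by the same user that would need faster than max_kmh.
    Failed attempts and IPs without geo data are skipped; a repeat from the same
    IP is never an alert."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    last: Dict[str, Event] = {}
    alerts = []
    for ev in events:
        if ev.result != "SUCCESS" or ev.ip not in geo:
            continue
        prev = last.get(ev.user)
        if prev is not None and prev.ip != ev.ip:
            km = haversine_km(geo[prev.ip], geo[ev.ip])
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((ev.user, prev.ip, ev.ip, round(km), round(hours, 2), round(speed)))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in impossible_travel(SAMPLE_LOG):
        print(f"{user}: {src} -> {dst}, {km} km in {hours} h ({kmh} km/h)")
```

On the constructed log this flags only alice (roughly 8,750 km in under half an hour); bob's transatlantic pair comes out near 760 km/h and passes. The obvious gaps to close before relying on it are VPN and mobile-carrier egress points (which make distant IPs legitimate) and the reverse: an attacker in the same city as the victim, which this rule will never see.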

Techniques and Write-ups

Tools and Exploits

  • CVE-2022-44666 - Write-up for another forgotten Windows vulnerability (0day): Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape, which was not fully fixed as CVE-2022-44666 in the December 2022 patches.
  • ntqueueapcthreadex-ntdll-gadget-injection - A novel use of NtQueueApcThreadEx for stealthy code injection: the ApcRoutine and SystemArgument[0-3] parameters are abused by passing a random `pop r32; ret` gadget from ntdll as the APC routine.
  • Split - Apply a divide and conquer approach to bypass EDRs.
  • COFF_With_Exception_handler.c - Make your BOFs safer.
  • LsaParser - A shitty (and old) lsass parser. [author's original description]
  • NimPlant - A light-weight first-stage C2 implant written in Nim.
  • ThreadlessInject-BOF - BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
  • graphcat - Generate graphs and charts based on password cracking results.
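The NtQueueApcThreadEx item above depends on having the address of some `pop reg; ret` sequence inside ntdll to hand over as the APC routine. The scanner below is an added example (not the LloydLabs tool, and not its injection logic) of how such gadgets are located in x86-64 code bytes: it matches the one-byte `pop` encodings 58..5F and the REX.B form 41 58..5F for r8..r15, each followed by `ret` (C3), without respecting instruction alignment, since a byte sequence buried inside a longer instruction is just as usable. The code bytes are constructed for the illustration; in practice you would feed it the .text section of ntdll.dll (read from disk with pefile, for example) and pass the section's virtual address as `base`. On x64 these opcodes pop the full 64-bit register, so "r32" in the tool's name is loose shorthand.

```python
"""Locate `pop reg; ret` gadgets in x86-64 code bytes (added example)."""
from typing import List, Tuple

# Register for the 3-bit reg field of the one-byte POP (opcode 0x58 + r).
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
# Same field when a REX.B prefix (0x41) is present.
REGS_REX_B = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def find_pop_ret_gadgets(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, disassembly) for every `pop reg; ret` found in `code`.

    Both the plain form (58..5F C3) and the REX.B form (41 58..5F C3) are
    matched. A REX.B gadget at offset i implies a plain gadget at i + 1 (the
    same bytes minus the prefix pop a different register), and both are
    reported because both are valid entry points.
    """
    found = []
    n = len(code)
    for i in range(n - 1):
        b = code[i]
        # 41 58+r C3 -> pop r8..r15 ; ret
        if b == 0x41 and i + 2 < n and 0x58 <= code[i + 1] <= 0x5F and code[i + 2] == 0xC3:
            found.append((base + i, f"pop {REGS_REX_B[code[i + 1] - 0x58]}; ret"))
        # 58+r C3 -> pop rax..rdi ; ret
        if 0x58 <= b <= 0x5F and code[i + 1] == 0xC3:
            found.append((base + i, f"pop {REGS[b - 0x58]}; ret"))
    return found


# Constructed code bytes, not taken from any real ntdll. Offsets noted per line.
SAMPLE_CODE = bytes.fromhex(
    "4883ec28"    # 0:  sub rsp, 0x28
    "488bc1"      # 4:  mov rax, rcx
    "4883c428"    # 7:  add rsp, 0x28
    "5bc3"        # 11: pop rbx ; ret              <- gadget
    "cccc"        # 13: int3 ; int3
    "4158c3"      # 15: pop r8 ; ret               <- gadget (also pop rax; ret at 16)
    "c3"          # 18: ret
    "b858c30000"  # 19: mov eax, 0xC358            <- misaligned pop rax; ret at 20
)


if __name__ == "__main__":
    for addr, text in find_pop_ret_gadgets(SAMPLE_CODE, base=0x7FF8_0000_1000):
        print(f"{addr:#x}: {text}")
```

Four gadgets come out of the sample: the intended `pop rbx; ret` at offset 11, the REX.B `pop r8; ret` at 15, the plain `pop rax; ret` that starts one byte later at 16, and a `pop rax; ret` hiding in the immediate of a `mov eax` at 20. Picking one at random from that list, as the tool description puts it, is then a one-liner.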

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.