Last Week in Security (LWiS) - 2023-03-20
RCE any Samsung phone (@itswillis), Parallels escape (@the_impalabs), AD trust issues (@exploitph), glitching past all ESP32 defenses (@raelizecom), PPL defeated again (@itm4n), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-03-07 to 2023-03-20.
News
Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems. RCE with no user interaction to basically any modern Samsung phone. All you need is the phone number, no user interaction. Wild. Turn off Wifi Calling and VoLTE until you are sure this one is patched.
AI news
- LLM + Clean Room: Will LLMs be the death of code copyrights?. Find code you want to use, but isn't licensed right, and just have GPT4 re-write it for you.
- GPT-4 Hired Unwitting TaskRabbit Worker By Pretending to Be 'Vision-Impaired' Human. Remember, at its core GPT-4 is just a model that predicts what should come next in a sequence. It's just scarily good at that task. If you feed it bad instructions it will do bad things. The "novel" part of the article is that GPT-4 "lied" on purpose. But all it really did was predict (correctly) what it should say next based on the context. What's really going to bake your noodle later on is wondering - are you doing anything different? Daniel Miessler thinks GPT-4 understands.
- GPT_Vuln-analyzer - Uses ChatGPT API and Python-Nmap module to use the GPT3 model to create vulnerability reports based on Nmap scan data.
- Dalai - Run LLaMA and Alpaca on your computer.. The the 7B and 13B models are quick and easy to install. Models up to 64B parameters are available.
The privacy loophole in your doorbell. Ring, like every cloud connected camera/smart speaker is trading security for convenience. People pull out slippery slope arguments about government overreach because governments have a history of collecting as much data as possible and sorting it out later. Plus Ring maybe got hacked recently.
Kali Purple. The Offensive Security team is taking on defense with the release of Kali Purple.
Thousands scammed by AI voices mimicking loved ones in emergencies. I called this years ago (LWiS 2021-06-21). Next up: your IT guy or boss telling you to click the link and run the exe.
Techniques and Write-ups
- Parallels Desktop Toolgate Vulnerability. A guest with Parallels tools installed can write crash dumps to the host, and there existed a path traversal vulnerability that allowed an escape and code execution via the shell login script.
- Bypassing PPL in Userland (again). The PPL master delivers yet again: PPLmedic - Dump the memory of any PPL with a Userland exploit chain.
- Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Leak NTLM hashes from targets as soon as the Outlook thick client processes an email (they don't even have to open it!). The patch does not prevent UNC paths without dots, so internal assessors can still make use of this on fully patched Outlook clients. PoC here.
- VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress. I once coded an entire personnel intake validation pipeline in Access and VBA. It was painful. Low level programming in VBA is insane.
- Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development. UDRL developmet just got a bit easier.
- External Trusts Are Evil. There is no such thing - in reality - as non-transitive trust. Any domain in a forrest can authenticate and create machine accounts in any other domain in the forrest unless special precautions are taken. Microsoft Active Directory is the ultimate job security for cybersecurity professionals.
- Microsoft Defender for Identity Sensor Identification. Defender for Identity seemingly always opens two uniquely named pipes that can be remotely enumerated.
- Making New Connections - Leveraging Cisco AnyConnect Client to Drop and Run Payloads. This tool was in last LWiS, but this walks thorough it in detail.
- A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM. Intel BIOS bug!
- CVE-2023-26604. Get root on a systemd Linux machine with... less?! Yes.
- Espressif ESP32: Glitching The OTP Data Transfer. Very cool glitching hacks. Hundreds of thousands of trials to find just the right location and power and time!
- Producing a POC for CVE-2022-42475 (Fortinet RCE). A great start to finish walk through of a vulnerability.
- Uncovering Windows Events. How does ETW work? Find out in this post.
- Red vs. Blue: Kerberos Ticket Times, Checksums, and You!. Up your kerberos opsec or detection skills with this post.
Tools and Exploits
- MacOSThreatTrack - Bash tool used for proactive detection of malicious activity on macOS systems.
- Updates to C2-Tool-Collection - Psm: BOF to show detailed information on a specific process ID; ReconAD: BOF that uses ADSI to query Active Directory (AD and GC) objects and attributes.
- Azure-App-Tools - Collection of tools to use with Azure Applications. Just updated with an IPFS dropper.
- ekko-rs - Rusty Ekko - Sleep Obfuscation in Rust.
- PSBits - Windows 10 offline admin creation? 😈 Why not?! Everything happens through built-in offlinelsa and offlinesam DLLs. Official, but not very documented.
- Elevate-System-Trusted-BOF - This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API.
- Black-Angel-Rootkit - Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
- bootdoor - An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ScrapPY is a Python utility for scraping manuals, documents, and other sensitive PDFs to generate wordlists that can be utilized by offensive security tools to perform brute force, forced browsing, and dictionary attacks against targets. The tool dives deep to discover keywords and phrases leading to potential passwords or hidden directories.
- Demystifying Security Research - Part 1. This resonated with me, with a heavy emphasis on blog posts and tweets.
- UPnProxyChain - A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s).
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.