Last Week in Security (LWiS) - 2023-04-17
PDF RCE (@sigabrt9), more PersistAssist (@FortyNorthSec), 5x SMM vulns (@uffeux), PRTG XSS 0day (@SkylightCyber), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-04-10 to 2023-04-17.
News
- Announcing the deps.dev API: critical dependency data for secure supply chains. 5 million packages and more than 50 million versions from the Go, Maven, PyPI, npm, and Cargo ecosystems have been documented by Google and are available via an API for you.
- Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says. In this edition of "attribution is hard..." (alternative theory: the attackers were so good the FBI couldn't find any trace, but ya know, Occam's razor).
- Amazon CodeWhisperer. GitHub Copilot X price got you down? Feed your code into a different megacorp Amazon for free and get code completion suggestions from an AI. At least this one tells you the license of the code you're stealing it got inspiration from.
- Birds at (Tail)scale. Now you can one-click deploy a honeypot to your tailscale network. I have yet to see a better signal to noise ratio for any detection technology.
- Are Internet Macros Dead or Alive?. Betteridge never fails. Some good lure/prompt images to borrow for red teaming in this article. The template location lure would work against up to date Word installs.
- Rizin Silhouette Server. The Rizin team is running a public symbol server!
- Rooting a Common-Criteria Certified Printer to Improve OPSEC. Some serious dedication to privacy. But why print the reports in the first place?
Techniques and Write-ups
- Shell in the Ghost: Ghostscript CVE-2023-28879 writeup. "This write-up details how CVE-2023-28879 - an RCE in Ghostscript - was found and exploited. Due to the prevalence of Ghostscript in PostScript processing, this vulnerability may be reachable in many applications that process images or PDF files (e.g. ImageMagick, PIL, etc.), making this an important one to patch and look out for."
- Java Exploitation Restrictions in Modern JDK Times. With lots of enterprise software still being written in Java, the exploitation isn't slowing down, just adapting.
- Extending (and Detecting) PersistAssist: Act II. Write some C# to persist with WMI event subscriptions.
- Introducing AutoFunkt: Automated Cloud Redirector Generation. Cloud functions are very useful for redirecting C2 traffic through high reputation domains, but they can be a pain to set up - until now!
- On self-healing code and the obvious issue. It's like command injection, but you get to write it in plain english.
- Butting Heads with a Threat Actor on an Engagement. Now ask what would happen if the actor cleaned up properly, and then patched the vulnerability (or at least mitigated it). Detection must have layers!
- Stepping Insyde System Management Mode. It's a bit wild that as a result of a code leak Insyde got a free audit and 5 vulnerabilities found.
- D/Invoke v1.0.5. A few new functions to make your C# tooling a bit more ergonomic.
- Multiple vulnerabilities in Aten PE8108 power distribution unit. Even your PDU is trying to get you pwned.
- Simple PHP webshell with php filter chains. In memory PHP webshell!?
- Losing control over Schneider's EcoStruxure Control Expert. Unauthenticated RCE, this time in your SCADA workstation.
- CAN Injection: keyless car theft. Woah. You wouldn't download a car exploit?
- Popping Tags: Exploiting Template Injections in PRTG Network Monitor. Currently an 0day. Careful what links your PRTG admin is clicking.
- Hacking Your Cloud: Tokens Edition 2.0. A great post on Azure/Office tokens and how to pivot them to more access.
- GCP Pentesting Guide. Some Google specific cloud hacking.
- Bypassing Windows Defender (10 Ways). Nothing novel here but a nice collection of techniques.
Tools and Exploits
- PatchlessCLRLoader - .NET assembly loader with patchless AMSI and ETW bypass. Also comes in BOF form: PatchlessInlineExecute-Assembly.
- KillerVuln2 - Files for PoC of vulnerability in Intel Killer Performance Suite
- PowerShell-Obfuscation-Bible - A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
- 2D-Injector - Hiding unsigned DLL inside a signed DLL.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- scriptkiddi3 - Streamline your recon and vulnerability detection process with SCRIPTKIDDI3, A recon and initial vulnerability detection tool built using shell script and open source tools.
- BackupOperatorToolkit - contains different techniques allowing you to escalate from Backup Operator to Domain Admin
- homebox - Homebox is the inventory and organization system built for the Home User.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.