Last Week in Security (LWiS) - 2023-05-09
Windows DHCPv6 RCE (@thezdi), hashcat rule process (@JakeWnuk@infosec.exchange), 🐍 FSB implant (@NSACyber), x64dbg XFG plugin (@m417z), Freeze.rs (@Tyl0us), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-05-01 to 2023-05-09.
- So long passwords, thanks for all the phish. The passwordless future is much like the year of the Linux desktop - long promised, yet to be delivered. Google's adoption of passkeys is a huge step however, and this kind of authentication "raw material" is much more scoped and secure than the name of your dog your mom uses as a password for every online account.
- Apple Fails to Revive Copyright Case Over iPhone iOS Simulator. "The US Court of Appeals for the Eleventh Circuit on Monday ruled that Corellium's CORSEC simulator is protected by copyright law's fair use doctrine, which allows the duplication of copyrighted work under certain circumstances." With this, the 2019 case should finally be fully settled.
- Senator Asks Big Banks How They're Going to Stop AI Cloned Voices From Breaking Into Accounts. How voice as authentication was ever greenlit will continue to amaze me.
- Mojo🔥. Mojo is a new programming language that bridges the gap between research and production by combining the best of Python syntax with systems programming and metaprogramming. With Mojo, you can write portable code that's faster than C and seamlessly inter-op with the Python ecosystem. Mojo is currently in closed beta.
- FYI: Intel BootGuard OEM private keys leak from MSI cyber heist. With the OEM signing keys public, the firmware verification BootGuard provides on the affected MSI boards can no longer be trusted. Check the impacted devices.
- Russian-Linked Malware Targets U.S. Critical Infrastructure. "Since being discovered in March 2022, no known disruptive or destructive attacks leveraging PIPEDREAM have been carried out on ICSs in the U.S."
- The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed. Sophisticated attacks are hard to put together from the blue side.
- Palantir AIP | Defense and Military. "Alexa, destroy that enemy tank for me using the best available asset."
Techniques and Write-ups
- [PDF] Hunting Russian Intelligence “Snake” Malware. A very detailed write up from American intelligence on the FSB's "Snake" Windows implant.
- Privilege Escalations through Integrations. Some good "modern" web app testing. And by that I mean YOLOing between auth providers that don't do proper session handoff.
- CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service. The mitigating factor is reach: DHCPv6 client traffic is link-local multicast, so an attacker needs to be on the same link as the server, or behind a DHCPv6 relay that forwards to it, to hit this.
- Brewing Hash Cracking Rules with The Twin Cats. Some great hashcat rule analysis and generation. Lots of good tools linked in the post as well.
- A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…. Quite the web app bug chain, which did require user interaction, but is impressive nonetheless.
- Leveraging XFG to help with reverse engineering. If you reverse engineer on Windows with extended flow guard, this x64dbg plugin is a must!
- ETWHash - “He who listens, shall receive”. Extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider.
- Apache Solr 8.3.1 RCE from exposed administration interface. A good write up on exploring a web app to find RCE.
- Exploring Impersonation through the Named Pipe Filesystem Driver. This post covers file system drivers, specifically the named pipe driver (npfs.sys), as well as shows a proof of concept for calling NtFsControlFile directly to perform named pipe impersonation instead of calling the Win32 API, ImpersonateNamedPipeClient.
- Building a Red Team Infrastructure in 2023. The phishing setup is interesting - specifically the use of postfix to clean mail headers.
- Fantastic Rootkits and Where to Find Them (Part 2). Not much is written about rootkits these days, especially for Windows.
- CVE-2023-25394 - VideoStream Local Privilege Escalation. A great writeup about finding a privesc in a common 3rd party macOS app. The process is well documented from start to finish.
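To make the hashcat rule syntax analyzed in the "Brewing Hash Cracking Rules with The Twin Cats" post concrete, here is an added Python example. It is my own code, not hashcat's and not the post's: it interprets a subset of hashcat's rule functions (`: l u c C t r d f { } [ ] $X ^X @X sXY TN DN pN xNM`, with positions `0-9` and `A-Z`) and ranks rules by how many already-cracked passwords each would have produced from a base wordlist, which is the kind of hit-rate analysis the post uses to decide which rules to keep. The `rule_hits` helper, the no-op handling of out-of-range positions, and all sample words are assumptions of this example.

```python
"""Subset hashcat rule interpreter plus a rule hit-rate scorer.
Added example; not hashcat's implementation."""


def _pos(ch):
    """hashcat positional argument: '0'-'9' are 0-9, 'A'-'Z' are 10-35."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"bad position character {ch!r}")


def apply_rule(rule, word):
    """Apply one rule line (functions optionally separated by spaces)."""
    w = word
    i = 0

    def arg():
        nonlocal i
        if i >= len(rule):
            raise ValueError(f"rule {rule!r} ends mid-function")
        ch = rule[i]
        i += 1
        return ch

    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " ":
            continue  # separator between functions
        elif f == ":":
            pass  # no-op: candidate == word
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "C":
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "f":
            w = w + w[::-1]  # reflect
        elif f == "{":
            w = w[1:] + w[:1]  # rotate left
        elif f == "}":
            w = w[-1:] + w[:-1]  # rotate right
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f == "$":
            w = w + arg()
        elif f == "^":
            w = arg() + w
        elif f == "@":
            w = w.replace(arg(), "")
        elif f == "s":
            x, y = arg(), arg()
            w = w.replace(x, y)
        elif f == "p":
            w = w * (_pos(arg()) + 1)
        elif f in "TD":
            n = _pos(arg())
            if n < len(w):  # assumption: out-of-range position is a no-op
                w = w[:n] + (w[n].swapcase() if f == "T" else "") + w[n + 1:]
        elif f == "x":
            n, m = _pos(arg()), _pos(arg())
            if n + m <= len(w):  # assumption: out-of-range extract is a no-op
                w = w[n:n + m]
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
    return w


def expand(words, rules):
    """All unique candidates, in generation order, for words x rules."""
    seen, out = set(), []
    for r in rules:
        for word in words:
            cand = apply_rule(r, word)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def rule_hits(rules, words, cracked):
    """Rank rules by how many known-cracked passwords they reproduce."""
    cracked = set(cracked)
    hits = {r: 0 for r in rules}
    for r in rules:
        for word in words:
            if apply_rule(r, word) in cracked:
                hits[r] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], rules.index(kv[0])))


if __name__ == "__main__":
    # Constructed sample data, not real cracked material.
    base = ["password", "secret"]
    rules = ["c $1", "r", ":", "sa@ so0"]
    print(rule_hits(rules, base, {"Password1", "Secret1", "drowssap"}))
```

Feed it a real rule file one line at a time and a potfile of cracked plaintexts to see which rules actually earn their keep; rules that never hit are the first candidates to drop.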
Tools and Exploits
- sccmhunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM related assets.
- exec2shell - Extracts TEXT section of a PE, ELF, or Mach-O executable to shellcode.
- chophound - Some scripts to support with importing large datasets into BloodHound.
- HASH - HTTP Agnostic Software Honeypot.
- cloudtoolkit - Cloud Penetration Testing Toolkit.
- CVE-2023-0386 - Privilege escalation exploit for Ubuntu 22.04.
- PECheck - A tool to verify and create PE Checksums for Portable Executable (PE) files.
- CustomEntryPoint - Select any exported function in a dll as the new dll's entry point.
- resocks - mTLS-Encrypted Back-Connect SOCKS5 Proxy.
- stealthscraper - A social media scraper that attempts to be stealthy by simulating a user using gui automation.
- Freeze.rs - Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes and direct syscalls, written in Rust.
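As an added illustration of what a tool like PECheck computes (this is my own example, not PECheck's code), the following Python implements the PE `CheckSum` field the way Windows' imagehlp `CheckSumMappedFile` defines it: a folded ones'-complement sum over the whole file taken as 32-bit words, with the `CheckSum` field itself skipped, plus the file length. The `build_sample_pe` function constructs a minimal header-only PE32+ image for demonstration; it is not a real binary. The code assumes the optional header is 4-byte aligned, which the PE spec requires via `e_lfanew`.

```python
"""PE CheckSum compute / verify / patch. Added example, not PECheck's code."""
import struct


def _checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (offset 64 in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER + 64 bytes into the optional header
    off = e_lfanew + 4 + 20 + 64
    if off % 4:
        raise ValueError("optional header is not 4-byte aligned")
    return off


def pe_checksum(data):
    """Recompute the checksum over the whole file, ignoring the stored value."""
    skip = _checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # trailing partial dword is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:  # end-around carry at 32 bits
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)  # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def verify_checksum(data):
    """True when the stored CheckSum matches a fresh computation."""
    return stored_checksum(data) == pe_checksum(data)


def set_checksum(data):
    """Return a copy of the image with a correct CheckSum written in."""
    out = bytearray(data)
    struct.pack_into("<I", out, _checksum_offset(out), pe_checksum(out))
    return bytes(out)


def build_sample_pe():
    """Constructed minimal PE32+ (x64) header-only image, no sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic; CheckSum left as 0
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("computed:", hex(pe_checksum(sample)), "stored:", hex(stored_checksum(sample)))
    fixed = set_checksum(sample)
    print("after patch, verifies:", verify_checksum(fixed))
```

Note what the checksum is and is not: the loader only enforces it for drivers and a few system images, so a mismatch on an ordinary EXE is a hint that something rewrote the file (a packer, an injected section, a lazy patcher), not a signature failure, and an attacker can trivially fix it up with exactly this routine.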
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The best laptop deal I have ever seen. If you need a DEF CON burner, this is it ($279 and free shipping at the time of publishing).
- backgroundremover - Background Remover lets you Remove Background from images and video using AI with a simple command line interface that is free and open source.
- Course Review: "Practical Web Application Security and Testing". The course is $1 during May if you are interested.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.