Jul 10 2023 Last Week in Security (LWiS) - 2023-07-10

LPEs for Windows and Linux, Mastodon TooRoot, tons of web app hacking, and a bunch of new tools, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-06-26 to 2023-07-10.

News

Gmail client-side encryption: A deep dive. People continue to glue on things to a protocol (email) that was never intended to be secure or private. This implementation looks pretty seamless (unlike PGP) actually.
CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable. Firewall, you had one job...
SEC Targets SolarWinds' CISO for Rare Legal Action Over Russian Hack. 🌶️🌶️🌶️
About the security content of Rapid Security Responses for macOS Ventura 13.4.1. I believe this is the second deployment of the "Rapid Security Response" from Apple.
Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking. The attention from the social media wars is a good thing for Mastodon. More eyes make shallow bugs.

Techniques and Write-ups

Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911). While the CVE is a bit aged, the write up is high quality.
AWS CodeBuild + S3 == Privilege Escalation. The cloud is just someone else's computer foot guns.
Reversing Citrix Gateway for XSS. These gateways are everywhere in enterprise, I wonder how many are still vulnerable... Check the vulnerable versions in the advisory.
Debugging with gdb - Fixing a NULL Pointer Dereference in dhcpcd. Some good basic gdb triage.
CVE-2023-26258 - Remote Code Execution in ArcServe UDP Backup. "Within minutes of analysing the code, a critical authentication bypass was discovered." 😬 The disclosure timeline is also... interesting.
Sowing Chaos and Reaping Rewards in Confluence and Jira. Comes with a new tool: AtlasReaper - A command-line tool for reconnaissance and targeted write operations on Confluence and Jira instances.
Chaining Vulnerabilities to Exploit POST Based Reflected XSS. Comes with its own learning lab!
Developing Winsock Communication in Malware. Tired: named pipes. Inspired: Winsock over TCP.
Mockingjay Memory Allocation Primitive. Some good code examples linked.
Linux rootkits explained - Part 1: Dynamic linker hijacking. Covers the first of the three major types of rootkits: LD_PRELOAD (the others being kernel modules and eBPF).
Executing Arbitrary Code & Executables in Read-Only FileSystems. As everything moves to k8s as a service, its only a matter of time before you land in a read-only file system.
Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489). Another great writeup from assetnote.
Patch Diffing CVE-2023-28121 to Compromise a WooCommerce. Lots of web app hacking this week!

Tools and Exploits

ShellGhost - A memory-based evasion technique which makes shellcode invisible from process start to end.
StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability.
CVE-2023-28252 - Common Log File System (CLFS) LPE for Windows patched in April 2023.
evilgophish - evilginx + gophish. Bow with evilginx3 support!
shortscan - An IIS short filename enumeration tool.
BOFMask is a proof-of-concept for masking Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF).
BounceBack - ↕️🤫 Stealth redirector for your red team operation security.
TeamsPhisher - Send phishing messages and attachments to Microsoft Teams users.
clauneck - A tool for scraping emails, social media accounts, and much more information from websites using Google Search Results.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Artemis - A modular web reconnaissance tool and vulnerability scanner.
golddigger is a simple tool used to help quickly discover sensitive information in files recursively. Originally written to assist in rapidly searching files obtained during a penetration test.
mailpit - An email and SMTP testing tool with API for developers.
multitail - Tail on steroids.
kbtls - Establishes mutually trusted TLS connections based on a pre-shared connection key.
skyhook - A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections.
webhook is a lightweight incoming webhook server to run shell commands.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.