Jul 31 2023 Last Week in Security (LWiS) - 2023-07-31

Citrix ADC RCE (@assetnote + @bishopfox), Zenbleed (@taviso), coolest hack of the year [CVE-2023-38408] (@qualys), AWS CNI for k8s abuse (@BerneCampbell), WebKit exploitation (@typeconfuser + @sherl0ck__), CS2BR (@MoritzLThomas), Mockingjay PoC (@dottor_morte), LPE via installers (@AndrewOliveau), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-17 to 2023-07-31.

News

Citrix ADC and NetScaler Gateway RCE (CVE-2023-3519)
- Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway and Part 2.
- 53% of them are unpatched. Bishop Fox has the best breakdown of the vulnerability landscape.
Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places. I like the idea of a base, stable tool and then a service to make it more useful (i.e. less detectable). However, if this service is as popular as Cobalt Strike itself, won't it be a target for EDR? I wonder if OST subscriptions will be more limited than Cobalt Strike licenses.
Researchers Find 'Backdoor' in Encrypted Police and Military Radios. Who would have thought a closed source encryption scheme from the 90's was vulnerable?
JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity. Bad day when your SSO/Identity provider is hacked. As we move to the cloud the companies are usually more secure then on-prem, but the blast radius of a succssful hack is huge.
Russia Sends Cybersecurity CEO to Jail for 14 Years. In Soviet Russia, anti-crime sends you to jail. Not the first case of defenders being jailed in Russia with no public evidence either.
Threat Actor Targeting Developers via Trojanized MS Visual Studio. Reminds me of XcodeGhost.
The Legacy of Stagefright. Not often do we look back at the legacy of a bug.

Techniques and Write-ups

Abusing Amazon VPC CNI plugin for Kubernetes. "By abusing the privileges of the Amazon VPC CNI plugin, it's possible for workloads to manipulate the networking of other unrelated EC2 instances. This can be leveraged by an attacker with a foothold in an EKS cluster to access and attack other instances living in other VPCs."
Shifting boundaries: Exploiting an Integer Overflow in Apple Safari. A detailed look at a 2020 WebKit vulnerability and exploitation.
#FuckStalkerware pt. 2 - SpyHide couldnt hide forever. It's not often people write about their actual hacks (not bug bounty). Makes me miss Phineas Fisher.
Introducing CS2BR pt. II - One tool to port them all. I still don't get why you would create a C2 that doesn't just have BOF compatibility out of the box, but here we are.
Zenbleed. You should get nervous if Tavis hasn't posted anything in a while, because you know he's cooking up a banger. Use-after-free in a CPU, pretty awesome research.
CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent. A very "meh" bug but an epic exploit. From cannot "control anything except the order in which we load (and immediately unload) shared libraries from /usr/lib* in ssh-agent" to RCE is just the kind of creative hacking that gets me excited. This has my vote for coolest hack of the year so far.
Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646). The assetnote guys really know how to pwn a webapp.
An Approach to A9. Did you know hashcat had an -a9 attach mode?
Escaping the Google kCTF Container with a Data-Only Exploit. Some great Linux kernel exploitation content.
Mockingjay - What is old is new again. "Riding the hype train to see if we can get something useful out of it." That's like 90% of what I do.
On (Structured) Data. Yes. Please someone with authority (CISA? MITRE?) or commonly used tools (Forta? Specter Ops?) define the schema that all C2 and post-ex tools can use so we can standardize all this mess! In the meantime people will write adaptors (think Extract, transform, and load [ETL] pipelines) for tools that lag behind. If there is a good enough aggregator, people will be compelled to conform.
Prefetch: The Little Snitch That Tells on You. Make sure to clean up after yourself.
GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux affect 40% of Ubuntu cloud workloads. Ubuntu moves fast, and sometimes breaks things.
[PDF] Andrew_Charlie_Ive_Got_A_Forged_Twinkle_In_My_Eye.pdf. Some creative, unique slides on ticket forging attacks and detections.
Automated Testing Handbook. When some of the masters of app testing (Trail of Bits) write a book, you might want to give it a read.
Playing with Bubbles: An Introduction to DLL-Sideloading. A good intro, and uses my favorite DLL sideloading tool: Spartacus.
Advanced Module Stomping & Heap/Stack Encryption. These days you best be doing some type of heap/stack encryption or any advanced EDR will detect all your unobfuscated strings in memory. Grab the code here .

Tools and Exploits

Introducing BucketLoot - An Automated Cloud Bucket Inspector.
KRBUACBypass - UAC Bypass By Abusing Kerberos Tickets.
CVE-2023-35078-Exploit-POC - Remote Unauthenticated API Access vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions - Version 11.4 releases 11.10, 11.9 and 11.8.
dcomhijack - Lateral Movement Using DCOM and DLL Hijacking.
AADInternals OSINT. This web based tool will extract openly available information for the given tenant.
LdrFunctionEx - "should evade EAF and maybe (haven't tested it) EATGuard"
DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability. [First published in 2023-07-10 LWiS - Now includes an exploit]
TGSThief - My implementation of the GIUDA project (Ask a TGS on behalf of another user without password) in C++.
msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at Escalating Privileges via Third-Party Windows Installers.
S4UTomato - Escalate Service Account To LocalSystem via Kerberos.
WSPCoerce - PoC to coerce authentication from Windows hosts using MS-WSP.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

canTot - quick and dirty canbus h4xing framework.
chrome-sbx-db - A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
GIUDA - Ask a TGS on behalf of another user without password.
Frack - Keep and Maintain your breach data.
exe_to_dll - Converts a EXE into DLL.
dploot - DPAPI looting remotely in Python.
sysplant - Your syscall factory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.