Last Week in Security (LWiS) - 2023-07-31

Citrix ADC RCE (@assetnote + @bishopfox), Zenbleed (@taviso), coolest hack of the year [CVE-2023-38408] (@qualys), AWS CNI for k8s abuse (@BerneCampbell), WebKit exploitation (@typeconfuser + @sherl0ck__), CS2BR (@MoritzLThomas), Mockingjay PoC (@dottor_morte), LPE via installers (@AndrewOliveau), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-07-17 to 2023-07-31.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing BucketLoot - An Automated Cloud Bucket Inspector.
  • KRBUACBypass - UAC Bypass By Abusing Kerberos Tickets.
  • CVE-2023-35078-Exploit-POC - A remote unauthenticated API access vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions - version 11.4 releases 11.10, 11.9 and 11.8.
  • dcomhijack - Lateral Movement Using DCOM and DLL Hijacking.
  • AADInternals OSINT. This web-based tool will extract openly available information for the given tenant.
  • LdrFunctionEx - "should evade EAF and maybe (haven't tested it) EATGuard"
  • DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
  • StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability. [First published in 2023-07-10 LWiS - Now includes an exploit]
  • TGSThief - My implementation of the GIUDA project (Ask a TGS on behalf of another user without password) in C++.
  • msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at Escalating Privileges via Third-Party Windows Installers.
  • S4UTomato - Escalate Service Account To LocalSystem via Kerberos.
  • WSPCoerce - PoC to coerce authentication from Windows hosts using MS-WSP.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • canTot - quick and dirty canbus h4xing framework.
  • chrome-sbx-db - A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
  • GIUDA - Ask a TGS on behalf of another user without password.
  • Frack - Keep and Maintain your breach data.
  • exe_to_dll - Converts an EXE into a DLL.
  • dploot - DPAPI looting remotely in Python.
  • sysplant - Your syscall factory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.