Last Week in Security (LWiS) - 2023-10-09
Looney Tunables Linux LPE (@qualys), Impending curl issue (@bagder), macOS gatekeeper bypass 0day (@_xpn_), firewall unauth RCE (@watchtowrcyber), sccmhunter update (@garrfoster), loaders (@mcbroom_evan), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-02 to 2023-10-09.
News
- Impacket Updates: We Love Playing With Tickets - Impacket is starting to crank out some Kerberos improvements. You can create a Sapphire Ticket a bit more easily now with upstream Impacket, without having to use a fork.
- Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement - The instance metadata service (IMDS) was the target. The cloud metadata service has been a popular target for AWS attacks in the past, and Azure is no different now.
- 90s Vulns In 90s Software (Exim) - Is the Sky Falling? - "So, our advice is the usual - patch when you can, once patches are available (Exim have stated they will release patches at 12:00 UTC today, Monday 2nd October). But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe." Unless you have a Sophos Firewall, in which case you should patch ASAP.
- Expanding our exploit reward program to Chrome and Cloud - It's neat they pay for n-day PoCs not just 0days.
- Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 - This comes directly from the curl author, unlike other reported "high severity" curl issues in the past that turned out to be nothing.
- Russia plans to try to block VPN services in 2024 - Good luck!
Techniques and Write-ups
- Looney Tunables: Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911) - Is this the Dirty COW of 2023? Perhaps not quite as ubiquitous, as it relies on a range of glibc versions (glibc 2.34+). Props to Qualys for keeping the old-school Phrack-esque disclosures alive. PoC 1. PoC 2. [Direct Download] PoC 3. PoC 4.
- MacOS "DirtyNIB" Vulnerability - It's possible to hijack the entitlements of Apple apps by swapping out the interface (NIB) file. This is currently unpatched, even on macOS 14.0. Weaponize this for camera/mic/keychain/file access once you get code execution. Or maybe even bundle it in with your dropper.
- Launch and Environment Constraints Deep Dive - A great companion to the previous post that details what Launch and Environment Constraints are and what kind of bugs they hamper.
- Solving The “Unhooking” Problem - Unhooking gets complicated when the user can run arbitrary code (BOF/C#) that may load libraries without the protection of the C2 agent. Outflank presents their solution to this issue - visibility, automation, and on-demand unhooking.
- Reflective call stack detections and evasions - An updated BokuLoader has some new methods to avoid call stack spoofing detection.
- Sliver and Cursed Chrome for Post Exploitation - With sensitive information moving to SaaS and other browser-based apps, being able to operate as a compromised user in the context of their browser is essential for modern red teams.
- Yet More Unauth Remote Command Execution Vulns in Firewalls - Sangfor Edition. I will always be impressed with unauth RCE on a firewall. 🤦
- Behind the Shield: Unmasking Scudo's Defenses - Scudo is LLVM's hardened allocator. This post is a dense exploration of how exploitation of scudo may be possible.
- Exploring the STSAFE-A110: Analysing I2C communications between host and the secure element - Some physical device hacking with a logic analyzer to read the I2C traffic of a secure element.
- Cobalt Strike Aggressor Callbacks - Shows how to use the new callbacks feature of Cobalt Strike 4.9. Much better than setting global flags and parsing all beacon output in a timer function which is what we had to do before.
- Trends From the Trenches: Social Engineering - Some really solid examples in this post. I've used similar pretexts to great effect.
- Perfect Loader Implementations - Some good Linux and Windows loader work, see fuse-loader and perfect-loader for PoCs. These are great raw material for custom C2s.
- Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641) - Lots of protections bypassed to get RCE - excited for the follow up post.
- Using Cloudflare to bypass Cloudflare - Defaults can be dangerous. Be sure to validate the host headers!
- Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs - Authenticated command injection and a slew of XSS. Theoretically you could chain these into unauthenticated RCE, but you'd need a click from a logged-in admin.
Tools and Exploits
- linWinPwn - Bash script that automates a number of Active Directory enumeration and vulnerability checks. It will be interesting to see if they keep up with this project. It's also notable as a new project that is already using the new NetExec. Will other tools do the same?
- LatLoader - PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
- sccmhunter v.0.0.2 - Updated Admin Module - SCCM is the gift that keeps on giving. This is a new easy way to execute commands on managed machines (Administration Service API).
- archive_pwn - A Python-based tool to create zip, tar and cpio archives to exploit common archive library issues and developer mistakes. Blog Post.
- SmmBackdoorNg - Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Browser cache smuggling - Interesting payload delivery technique.
- Registry Attack Vectors (RTC0018) - A big list of interesting reg keys.
- Kerberos 102 - Overview - A three-part blog series on Kerberos, delegation, and cross-realm trust. You can never read enough about Kerberos.
- ted_api - TED is a limited general purpose reverse engineering API, and hybrid debugger, that allows for inspection and modification of a program's inner workings. TED carries out its functionality by being injected into a target process and starting a gRPC server, which clients can then connect to.
- agent - SSH Session Monitoring Daemon.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.