Oct 24 2023 Last Week in Security (LWiS) - 2023-10-24

Windows LPE (@chompie1337), TPM Bitlocker deepdive (@itm4n@infosec.exchange), unhooking effects (@dazzyddos), CastGuard (@gsuberland@chaos.social), Apple OTA -> kernel hack (@patch1t), FalconHound (@olafhartong), GraphRunner (@dafthack), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-10-09 to 2023-10-23.

News

Tracking Unauthorized Access to Okta's Support System. Okta had another compromise.
- BeyondTrust Discovers Breach of Okta Support Unit. Bad when your customers tell you that you're pwned.
- How Cloudflare mitigated yet another Okta compromise. Worse when its multiple customers.
- [PDF] Security Incident report [Internal Report]. "[the suspected compromised endpoint] was scanned with the free version of Malwarebytes, which reported no findings." I'm not sure what I'm more concerned about: the IR process at 1Password is to run free AV against the endpoint or that the CTO happily published that fact.
The Sky Has Not Yet Fallen - Curl (CVE-2023-38545). With the hype from the curl author himself ("Buckle up.") I was expecting more out of this bug. It's a pretty niche use case that is exploitable (client using a malicious proxy with curl). Here is the hackerone report.
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature. A CVSS 10.0 - yikes. Please stop putting admin interfaces for these critical network devices on the internet. I haven't found a legitimate public PoC yet (probably for the best).

Techniques and Write-ups

Critically close to zero(day): Exploiting Microsoft Kernel streaming service. A nice new attack surface in Window. PoC here.
Attacking AWS Cognito with Pacu . Don't miss part 2. More good cloud assessment content from Rhino security labs.
An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit. Some very hardcore analysis of a complicated bug chain with a simple buffer overflow to kick it off - with a nice bit of shade toward Apple in the conclusion.
A Deep Dive into TPM-based BitLocker Drive Encryption. I always love an itm4n post - the right amount of depth and screenshots.
CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files. A good real-world example of a polygot file exploit.
(Un)Hooking, COWs and Meow Meow. When you modify ntdll in memory (i.e. hooking/unhooking), you really load a second copy into your process memory space.
Phishing for Primary Refresh Tokens and Windows Hello keys. A nice method to go from device code phish to persistent in Entra ID. Check the deviceCode2WinHello script as well.
Preventing Type Confusion with CastGuard. A new yet-undocumented Windows exploit mitigation feature is coming.
The Nightmare of Apple's OTA Update: Bypassing the Signature Verification and Pwning the Kernel. A nice bug chain that led to kernel compromise (even with SIP enabled). Great work.
Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall. End result is a few DoS bugs, but the process is nicely documented.

Tools and Exploits

legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
pico_dma - Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board.
Kernel Driver Utility v1.4.0 - 4 new providers and a dump command!
Proxy-DLL-Loads - A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.
Jomungand - Shellcode Loader with memory evasion.
NovaLdr - Threadless Module Stomping In Rust with some features.
WolfPack - WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale.
FalconHound - FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool.
GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API.
EvilSln - A New Exploitation Technique for Visual Studio Projects.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments.
CVE-2023-36723 - PoC for arbitrary directory creation bug in Windows Container Manager service.
tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems.
SMBLibrary - Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library.
Shaco - Shaco is a linux agent for havoc.
realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
CoercedPotato - From Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.