Last Week in Security (LWiS) - 2023-11-29
2x macOS TCC bypasses (@gergely_kalman), Okta 🥷 (@nickvangilder), pcap analysis helper (@bartavelle), Mythic and Merlin C2 updates (@its_a_feature_ + @Ne0nd0g) and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-13 to 2023-11-29.
News
- Diamond Sleet supply chain compromise distributes a modified CyberLink installer - Supply chain attack by North Korea-based group. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
- State of Cloud Security - Datadog summarizes what cloud security looks like in 2023. Nothing groundbreaking.
- Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records. Signal calls are free.
- Mythic v3.2 Highlights: Interactive Tasking, Push C2, and Dynamic File Browser. The most flexible open source C2 gets some new features.
- Merlin's Evolution: Multi-Operator CLI and Peer-to-Peer Magic. Merlin also gets an update!
- Disclosure of sensitive credentials and configuration in containerized deployments. A 10.0 CVSS vulnerability. A bit awkward as the same day ownCloud becomes part of Kiteworks.
- Introducing Eclipse ThreadX. Azure RTOS becomes part of Eclipse ThreadX
Techniques and Write-ups
- lateralus (CVE-2023-32407) - a macOS TCC bypass - A macOS TCC bypass by exploiting a bug in the Metal framework's handling of the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable, allowing attackers to control file paths and potentially overwrite sensitive files, leading to a $30,500 bounty from Apple, who promptly addressed the issue and removed the problematic environment variable. POC. Want more TCC bypasses? sqlol (CVE-2023-32422) - a macOS TCC bypass also dropped last week.
- Executing from Memory Using ActiveMQ CVE-2023-46604 - Bypass current detections of existing PoCs. This post discusses the exploitation of the ActiveMQ CVE-2023-46604 by executing Nashorn JavaScript from memory.
- Low-Level Process Hunting on macos - This post discusses low-level process hunting on macOS, emphasizing the importance of understanding parent/child relationships and the nuances of process creation using fork, exec, and their combination. Decent read for those starting out macOS development.
- Okta for Red Teamers — Perimeter Edition - Identifying Okta portals, phishing infrastructure, hosting considerations, Evilginx phishlet setup, distributing phishing links, replaying captured session cookies, and evading Okta's behavioral detection policies. So much fuego in this one 🔥
- Mockingjay revisited - Process stomping and loading beacon with sRDI - "...a variation of hasherezade's Process Overwriting and it has the advantage of writing a shellcode payload on a targeted section instead of writing a whole PE payload over the hosting process address space."
- A “deep dive” in Cert Publishers Group - Members of Cert Publishers can add a malicious Certification Authority, potentially leading to trusted certificates for various malicious activities.
- A Touch of Pwn - Part I - Vulnerabilities in the fingerprint sensors of Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X/8 leading to auth bypass. Surprisingly, the Microsoft Surface was the worst of the bunch, despite the research being funded by Microsoft!
- Fun with another PG-compliant Hook - The article describes a technique for hooking SYSCALL in a PG-compliant manner using Event Tracing for Windows (ETW) and the HalPrivateDispatchTable. Useful for your next Windows rootkit.
- Stealth operations: The evolution of GitLab's Red Team - Solid write-up about building an internal red team. Some good content here about what a Red Team's goals should be and how to handle "deconfliction."
- That's FAR-out, Man. A detailed look into finding a Linux kernel infoleak.
- How to voltage fault injection. Some very detailed physical hacking content. Need something a little more beginner friendly? Start with Hardware Hacking - Dumping Flash Memory of a TrendNet-731BRv1 Router also released last week.
- Nemesis: Zero to Hero. The only thing better would have been an Ansible role.
- Really Useful Logging and Event Repository (RULER) Project. Good places to look during incident response, or post-compromise 😈.
- Creating an OPSEC safe loader for Red Team Operations. Everyone could use a better loader.
- Process Injection - Avoiding Kernel Triggered Memory Scans. Speaking of better loaders...
Tools and Exploits
- Kerbeus-BOF - BOF for Kerberos abuse (an implementation of some important features of the Rubeus).
- LocklessBof - A Beacon Object File (BOF) implementation of Lockless by HarmJ0y, designed to enumerate open file handles and facilitate the fileless download of locked files.
- LyinEagle - BETA C2 server that uses the legitimate FIN7 Griffon JScript as its implant.
- badgerDAPS - Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.
- AI Exploits - A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities.
- ProcessStomping - A variation of ProcessOverwriting to execute shellcode on an executable's section.
- DumpS1.ps1 - Uses a CoSetProxyBlanket to call the dump function in SentinelAgent.exe to dump a PID to disk. Requires local admin. Love the traitorware aspect here.
- Proof of concept exploit for CVE-2023-46214 - Authenticated RCE. Comes with a blog.
- CoercedPotatoRDLL - Reflective DLL to privesc from NT Service to SYSTEM using SeImpersonateToken privilege
- Pcapan: a PCAP analysis helper - Filter out known good and find suspicious connections in pcaps.
- waveterm - An open-source, cross-platform terminal for seamless workflows. Reminds me of an open source warp.
- genpatch - genpatch is IDA plugin that generates a python script for patching binary.
- faction - Pen Test Report Generation and Assessment Collaboration.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Home-Grown-Red-Team - Some cool tradecraft write-ups.
- Best EDR Of The Market (BEOTM) 🐲 - AV/EDR bypassing lab for training & learning purposes.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.