Last Week in Security (LWiS) - 2023-12-04
O365 Phishing infra (@pfiatde), EvilSlackbot (@infosec_drewze), Sonos jailbreak (@alexjplaskett), DNS attacks (@timolongin), DNS rebinding attack (@_danielthatcher), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-27 to 2023-12-04.
News
- About the security content of iOS 17.1.2 and iPadOS 17.1.2. Two webkit vulnerabilities may have been exploited in the wild. Not to be outdone, Chrome patched their sixth 0day this year. Browsers are where the data is and the most frequent way users execute untrusted code, so its where the high value exploitation is as well.
Techniques and Write-ups
- TRAP; RESET; POISON; - Taking over a country Kaminsky style. A CGNAT device allows for "Kaminsky style" DNS attacks.
- Securing our home labs: Home Assistant code review. A detailed write up of a few nice bugs in Home Assistant.
- O365 Phishing infrastructure. "Last year, mails sent by Dev Tenants got immediately flagged, but something changed." Oh boy. If there isn't a fix for this soon it will be abused.
- Owncloud: details about CVE-2023-49103 and CVE-2023-49105. Full details on the owncloud vulnerabilities from last week.
- Shooting Yourself in the .flags - Jailbreaking the Sonos Era 100. Some U-boot and hardware hacking of a smart speaker.
- We Hacked Ourselves With DNS Rebinding. A very neat usecase for DNS rebinding which is often a theoretical attack. I also like that the author didn't stop investigating when the change to IMDSv2 was made which prevented the outcome, but didn't solve the original "vulnerability."
- DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Juciy potential privesc for Google Workspace. They even included a nice tool: DeleFriend.
- stuxnet - Public open-source code of malware Stuxnet (aka MyRTUs).
- Tricard - Malware sandboxes fingerprinting. Create binaries that ship back system fingerprints to find sandboxes!
- Decompilation Debugging. Amazing post about how to debug complex code without source (they use the Windows RPC server as a target) using Ghidra.
Tools and Exploits
- EvilSlackbot - A Slack bot phishing framework for Red Teaming exercises. There is a blog post about its use as well.
- GhostDriver - yet another AV killer tool using BYOVD.
- ADOKit - Azure DevOps Services Attack Toolkit.
- standardlib - A complete standardlib for c for once.
- ClickOnce-AppDomain-Manager-Injection - ClickOnce + AppDomain Manager Injection.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- windiff - Web-based tool that allows comparing symbol, type and syscall information of Microsoft Windows binaries across different versions of the OS.
- PySQLRecon - Offensive MSSQL toolkit written in Python, based off SQLRecon.
- Kerberos.NET - A Kerberos implementation built entirely in managed code.
- Scudo is a C++ class that encrypts and dynamically executes functions. This open-source repository offers a concise solution for securing and executing encrypted functions in your codebase.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.