Last Week in Security (LWiS) - 2024-01-01
Ghidriff (@clearbluejar), Linux exploitation (@kevin_backhouse), win32 keylogger (@_ixty_), BLUFFS bluetooth exploit (@francozappa), sleep lexer and parser (@mcbroom_evan), ring0 from VBA (@0xDISREL), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week(s). This post covers 2023-12-04 to 2024-01-01.
News
- Operation Triangulation: What You Get When Attack iPhones of Researchers. The most complex double-exploitation chain I have seen in a long time. Ask yourself - if the actor that deployed this is willing to burn and entire 1-click chain just to package it with a 0-click, what do they have on the shelf or are using very sparingly?
- BlackCat Ransomware Raises Ante After FBI Disruption. If you poke the bear, you best be prepared to wrestle it.
- Microsoft addresses App Installer abuse. This is actually the second time Microsoft has had to disable ms-appinstaller URI scheme. This time it's because Financially motivated threat actors misusing App Installer.
- Artificial intelligence can find your location in photos, worrying privacy experts. OSINT experts have been doing this for decades, AI just makes it avaialable to the masses, and easy.
- Google will no longer hold onto people's location data in Google Maps — meaning it can't turn that info over to the police. A rare privacy win out of Google.
- Ubiquiti users report having access to others' UniFi routers, cameras. When you connect your core infrastructure to the internet, you had better trust the security of whatever you connect it to.
Techniques and Write-ups
- CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability. This is an in-the-wild 0day Windows LPE that uses a two stage execution to get SYSTEM.
- Securing our home labs: Frigate code review. CodeQL finds some CVEs yet again.
- SonicWall WXA - Authentication Bypass and Remote Code Execution Vulnerability. A nice walkthrough of image download to RCE in a few hours.
- Finding that one weird endpoint, with Bambdas. Bambdas are a fun new feature of Burp Suite to quickly test for things in your project files directly inside the proxy. This post has some nice examples of how they can be used.
- Cueing up a calculator: an introduction to exploit development on Linux. A great intro to modern Linux exploit development that addresses mitigations found on modern Linux operating systems.
- Blind CSS Exfiltration: exfiltrate unknown web pages. The new :has selector can be used to exfiltrate data from sites that have a blind HTML injection vulnerability.
- Safari, Hold Still for NaN Minutes!. Some browser exploitation content from the team at Exodus.
- [PDF] Paged Out Volume 3. Hacker zines are making a comeback and I'm here for it.
- Silly EDR Bypasses and Where To Find Them. Bypass EDR detections with "forced exceptions." Code here. Confused by what user mode hooks are? Check out An Introduction to Bypassing User Mode EDR Hooks.
- Writing A Decent WIN32 Keylogger. This three part series covers the ins and outs of writing a keylogger for Windows that handles unicode and other edge cases. The tool is called keebcap.
- The Far-Reaching Consequences of LogoFAIL. That cool boot logo in UEFI is probably a vulnerability.
- BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses. This 10+ year old flaw in Bluetooth forces devices to negoitate a short session key which can be brute forced.
- RISC-Y Business: Raging against the reduced machine. Protect your "intelectual property" by writing your own RISC virtual machine in your binary. Code is at riscy-business.
- Browser Extension Pentesting Methodology. New detailed writeup on how to approach a Browser Extension.
- Rust Binary Analysis, Feature by Feature. An extreamly thurough break down of Rust binary analysis.
- Internal All The Things - Active Directory and Internal Pentest Cheatsheets. An impressive collection of Active Directory techniques.
- Ring0VBA - Getting Ring0 Using a Goddamn Word Document. Absolute madness.
- Introducing YARA-Forge. If you deal with yara rules (defense or testing your offensive tools), this project will likely help you organize and optimize all your rules.
Tools and Exploits
- sleepy - A lexer and parser for Sleep. Read more here.
- A (beta) Canarytoken for Active Directory Credentials. Perhaps one of the most effective canary tokens yet. Slightly more complicated than just dropping a file, but it will be extremely effective in catching red teams and adversaries.
- frinet - Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
- Christmas - By splitting up the injection actions across different spawned processes, none of the spawned processes generate enough signal to trip EDR (in theory).
- sj - A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files. See this post for more info.
- Ghidriff: Ghidra Binary Diffing Engine. Back in my day, BinDiff was paid software. This is a great addition to your reverse engineering/diffing toolbox, and fully open source!
- bbs - bbs is a router for SOCKS and HTTP proxies. It exposes a SOCKS5 (or HTTP CONNECT) service and forwards incoming requests to proxies or chains of proxies based on the request's target. Routing can be configured with a PAC script (if built with PAC support), or through a JSON file.
- SignToolEx - Patching "signtool.exe" to accept expired certificates for code-signing.
- WMIProcessWatcher - A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
- Marble - The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
- Def1nit3lyN0tAJa1lbr3akTool - A jailbreak tool for all arm64 devices on iOS 16.0 to iOS 16.5.
- Amnesiac - Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments.
- SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC - Sharepoint RCE.
- EDRSilencer - A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server. This is similar to shutter (shoutout to @naksyn).
- Ghidra 11.0. 11.0 brings the "Bsim" binary similarity tool, better Go binary support, and initial Rust binary support.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Linpmem is a linux memory acquisition tool.
- tailspin - 🌀 A log file highlighter.
- CLR_Heap_encryption. This is a POC for a CLR sleep obfuscation attempt. It use IHostMemoryManager interface to control the memory allocated by the CLR. Turns out you can use both ICorRuntimeHost and ICLRRuntimeHost at the same time, so we can still use ICorRuntimeHost to run an assembly from memory while having all the benefits from ICLRRuntimeHost.
- sheye - Opensource assets and vulnerability scanning tool.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.