Jan 15 2024 Last Week in Security (LWiS) - 2024-01-15

SSPI in Python (@snovvcrash), executing shellcode from VBA (@TheXC3LL), Mirth Connect pre-auth RCE (@Horizon3Attack), Visual Studio LPE (@filip_dragovic), DLL injection LPE (@m417z), Android ARM64 reversing (@Dauntless), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-08 to 2024-01-15.

News

Welcome To 2024, The SSLVPN Chaos Continues - Ivanti CVE-2023-46805 & CVE-2024-21887. At this point, if you have an SSL VPN, just throw it away. Use WireGuard and sleep better at night.
It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable. No one took my advice from the previous story. These vulnerabilities are over two years old.
Keeping Up With the Pwnses. A cybersecurity news aggregator? Wait, but thats what I am!?
GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6. A vulnerability so bad it fits in a tweet.
Seems like someone pushed a bunch of iBoot symbols to Hexrays's Lumina server. This is either an Apple employee or a researcher who (accidentally?) pushed their iBoot symbols to a public symbol server. A nice gift for iOS researchers.
Airdrop doesn't use cryptographic salts, and rainbow tables are easily able to de-anonymize users. Due to the design of AirDrop, with a little pre-computing and hard drive space it is trivial to de-anonymize users with AirDrop enabled (at least get their phone number). Read more: [PDF] DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop. This has been a known issue to Apple since 2019...

Techniques and Write-ups

Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO. With a little bring your own interpreter (i.e. Pyramid), impacket can now use the tickets already cached on the box you have access to without needing to know any plain text credentials.
VBA: having fun with macros, overwritten pointers & R/W/X memory. The things that have been done with VBA that VBA was never supposed to do are impressive.
Teams external participant splash screen bypass # 2. Phish where the users are. And if Microsoft "patches" a bypass of the external user warning, just... bypass it again!
Writeup for CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE . Another entry in "a patch is not always the end of a vulnerability," one of my favorite series.
CVE-2024-20656 - Local Privilege Escalation in the VSStandardCollectorService150 Service. Bind mounts strike again. Great find and write up. PoC: CVE-2024-20656.
Privilege escalation using the XAML diagnostics API (CVE-2023-36003). Another Windows LPE! PoC: CVE-2023-36003-POC.
Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating. Some hardcore Android ARM64 reversing and debugging content.
CICD-Goat Setup and Easy Challenge walkthrough (WhiteRabbit, MadHatter, Duchess). The fact you can deploy your own CTFd and multiple vulnerable CI systems with a single docker compose is awesome! There is a part 2 as well, but try to solve them on your own first!
writeup_factorio - Writeup of a remote code execution in Factorio by supplying a modified save file.
CVE-2023-49291 and More – A Potential Actions Nightmare - Loving all these github action attacks. The developer workflow is becoming more and more of an attack surface.
The Covert Hardware Implant: Part 1 - "...we use our hardware implants in real-world Red Team operations while constantly evolving the form factor to align with the most effective solution for the mission"
Deep Dive: http.favicon - Favicons have been making a come back the past few years. Don't sleep on this recon data point.
ASLRn't: How memory alignment broke library ASLR . Oof. I guess that's why you do defense in depth.
Bypassing Payments in Apple for Free Trails for Lifetime. The ability to create unlimited AppleIDs without a phone number or credit card may be responsible for the uptick in iMessage spam seen recently.

Tools and Exploits

Kiosk Tooling. Next time you only have a browser and need to break out, browse to this site for some potential quick wins.
CS-Aggressor-Scripts - Aggressor Scripts for Cobalt Strike (that post data to a Slack Channel).
OpenVoice - Instant voice cloning by MyShell. I have warned of this, and now it is here and easy to use. Vishing will never be the same.
BobTheSmuggler - "Bob the Smuggler": A tool that leverages HTML Smuggling Attack and allows you to create HTML files with embedded 7z/zip archives. The tool would compress your binary (EXE/DLL) into 7z/zip file format, then XOR encrypt the archive and then hides inside PNG/GIF image file format (Image Polyglots).
SuperSharpShares - SuperSharpShares is a tool designed to automate enumerating domain shares, allowing for quick verification of accessible shares by your associated domain account.
pinvoke.dev - Code-generated P/Invoke signatures.
DFSCoerce-exe-2 - DFSCoerce exe revisited version with custom authentication.
raddebugger - A native, user-mode, multi-process, graphical debugger.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

FlowMate - a BurpSuite extension that brings taint analysis to web applications, by tracking all parameters send to a target application and matches their occurrences in the responses.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.