Last Week in Security (LWiS) - 2024-02-19
ESC13 (@Jonas_B_K), Sandboxing syscalls (@h0mbre_), Cross Window Forgery (@PaulosYibelo), new Windows callback method (@daaximus), dangerous EntraID role (@_wald0), github-secrets (Tobias Madl of @Neodyme), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-12 to 2024-02-19.
News
- Free Nginx - It seems the maintainer of nginx is forking. Limited details at announcing freenginx.org - This seems to have stemmed from F5/Nginx issuing CVEs for experimental QUIC code and Maxim not liking that. Here is the advisory, you be the judge.
- Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System - "We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages."
- [UNVERIFIED] someone just leaked a bunch of internal Chinese government documents on GitHub - This could be spicy. No code, but lots of docs.
- Backdoors that let cops decrypt messages violate human rights, EU court says - The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," and requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society."
- CVE Crowd - Picks up where cvetrends left off (killed by Twitter API limits). CVE Crowd uses the "fediverse" (Mastodon) for its data.
Techniques and Write-ups
- Bypassing EDRs With EDR-Preloading - A nice technique to block EDR DLL loading. No good if your EDR is using a kernel driver however... Code here.
- ADCS ESC13 Abuse Technique - ADCS is now up to 13 different attack paths!
- Azure Devops Zero-Click CI/CD Vulnerability - Pipeline triggers confused Azure to think that the pipeline was run from the project and not a fork, allowing access to secrets.
- Fuzzer Development: Sandboxing Syscalls - The fuzzer/emulator being built in this blog is interesting and it's fun to watch its progress. This installment is all about sandboxing the Bochs emulator to prevent it from accessing anything outside of its environment.
- Delegated NT DLL - "Like the WOW64 table, the NT delegate table provides a simple way to intercept a variety of callbacks in 32-bit mode without the need to overwrite code with inline hooking." Code here.
- Cross Window Forgery: A Web Attack Vector - I'd say this isn't a vulnerability but certainly a neat hack. Convincing a user to agree to an SSO prompt without them realizing it is classic social engineering. This paired with a phish could be an interesting initial access method to online services.
- Beyond Process And Object Callbacks: An Unconventional Method - A technical post on a previously undocumented method for creating callbacks without registering with the object manager in Windows.
- The Most Dangerous Entra Role You've (Probably) Never Heard Of - TLDR: "Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but this role is hidden from view in the Azure portal GUI." I'm not a hacker, I'm an "unauthorized remote partner tier2 support engineer."
- SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes - The post text is light on details, but it looks like an ms-application handler and then an SMB hosted LNK. See this YouTube Video.
- Hello Lucee! Let us hack Apple again? - The PD team find some critical vulnerabilities within Lucee, a CFML server, with RCE capabilities. Decent payout $$$.
- Exploiting Empire C2 Framework - RCE in Empire C2 framework <5.9.3!
Tools and Exploits
- Microsoft Exchange Server Elevation of Privilege Vulnerability - "An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user." Sounds like fun.
- Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows - Improper Input Validation "Improper input validation in Zoom... may allow an unauthenticated user to conduct an escalation of privilege via network access." Via network access!?
- github-secrets - This tool analyzes a given GitHub repository and searches for dangling or force-pushed commits containing potential secrets or interesting information. Check out the blog post: Hidden GitHub Commits and How to Reveal Them.
- CVE-2023-50387 - KeyTrap (DNSSEC) [DoS]. See: KeyTrap: Serious Vulnerability in the Internet Infrastructure.
- FullBypass - A tool which bypasses AMSI (AntiMalware Scan Interface) and PowerShell CLM (Constrained Language Mode) and gives you a FullLanguage PowerShell reverse shell.
- InflativeLoading - Dynamically convert a native EXE to PIC shellcode by appending a shellcode stub.
- CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability - PoC for the NTLM leak from last week. Another one.
- UAC-BOF-Bonanza - Collection of UAC Bypass Techniques Weaponized as BOFs.
- SDD1 and SSD2 - Self delete DLLs PoCs.
- Announcing MITRE Caldera™ v5! - Cool update! Purple teamers will appreciate this.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- NullSection - NullSection is an anti-reversing tool that applies a technique that overwrites the section header with null bytes.
- sessionless - TokenSigner is a Burp Suite extension for editing, signing, and verifying various signed web tokens.
- Forgejo forks its own path forward - Forgejo was a soft-fork of Gitea, but is now a fully independent hard-fork.
- sicat - The useful exploit finder.
- A final Kubernetes census - Cool data analysis of exposed Kubernetes nodes that has now come to an end.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.