Last Week in Security (LWiS) - 2024-02-19

ESC13 (@Jonas_B_K), Sandboxing syscalls (@h0mbre_), Cross Window Forgery (@PaulosYibelo), new Windows callback method (@daaximus), dangerous EntraID role (@_wald0), github-secrets (Tobias Madl of @Neodyme), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-02-12 to 2024-02-19.

News

  • Free Nginx - It seems the maintainer of nginx is forking the project. Details are limited in the announcement at freenginx.org. This appears to have stemmed from F5/Nginx issuing CVEs for experimental QUIC code, which Maxim objected to. Here is the advisory; you be the judge.
  • Snap Trap: The Hidden Dangers Within Ubuntu's Package Suggestion System - "We've examined the command-not-found package that is installed by default in Ubuntu, which suggests packages to install for unrecognized commands. Our findings reveal that besides searching for apt packages, it also queries the Snap Store for snap packages. Given that any user can upload to the Snap Store, an attacker could potentially manipulate the command-not-found package to recommend their own malicious package. This blog discusses the suggestion mechanism, how an attacker might exploit it, the risks associated with installing a malicious snap package, and our discovery that an attacker could impersonate 26% of the commands from apt packages."
  • [UNVERIFIED] someone just leaked a bunch of internal Chinese government documents on GitHub - This could be spicy. No code, but lots of docs.
  • Backdoors that let cops decrypt messages violate human rights, EU court says - The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," and requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society."
  • CVE Crowd - Picks up where cvetrends left off (cvetrends was killed by Twitter API limits). CVE Crowd uses the "fediverse" (Mastodon) as its data source instead.

Techniques and Write-ups

Tools and Exploits

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • NullSection - NullSection is an anti-reversing tool that applies a technique that overwrites the section header with null bytes.
  • sessionless - TokenSigner is a Burp Suite extension for editing, signing, and verifying various signed web tokens.
  • Forgejo forks its own path forward - Forgejo was a soft-fork of Gitea, but is now a fully independent hard-fork.
  • sicat - The useful exploit finder.
  • A final Kubernetes census - A cool data analysis of exposed Kubernetes nodes has come to an end.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.