Apr 01 2024 Last Week in Security (LWiS) - 2024-04-01

XZ backdoor (@fr0gger_ + @amlweems), best LPE since DirtyCOW (@notselwyn), SCCM pwnage (@AndrewOliveau + @__Mastadon), kernel fuzzing (@R00tkitSMM), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-25 to 2024-04-01.

News

XZ Backdoor
- Our (viral?!) breakdown thread - This thread took off on friday as it was posted pretty quickly after the news broke.
- xzbot - notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094).
- XZ backdoor infographic - A nice one page summary of the backdoor
- More potential malicious commits from Jia Tan.
[PDF] Court documents show Facebook owned VPN was using HTTPS interception to decrypt Snapchat, YouTube, and Amazon traffic - See the bottom of page 2 and top of page 3. At least they paid the VPN "users?" Remember, this from they "trust me" Zuck. Just as Meta was gaining reputation back with their open LLMs...

Techniques and Write-ups

Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques - This got overshadowed by the xz backdoor but it's epic. A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.
Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu - More great Linux exploitation content.
SCCM
- SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery - The SCCM train continues! A way to go from low priv user -> SCCM client push account and SCCM machine account. Great work Marshall!
- SeeSeeYouExec: Windows Session Hijacking via CcmExec - A blog on how the CcmExec service can be utilized for session hijacking. Came with a tool drop: CcmPwn . A tool designed to facilitate this technique.
- SCCM / MECM LAB - Part 0x1 - Recon and PXE - A walkthrough of the new SCCM lab in GOAD.
In-the-Wild Windows LPE 0-days: Insights & Detection Strategies - Detection methods for Windows local privilege escalation techniques based on dynamic behaviors analysis. Not really 0-days since they're older vulns but still cool read.
Structure-Aware linux kernel Fuzzing with libFuzzer - Enhancing Linux kernel fuzzing by integrating KCOV with libFuzzer, aiming to boot the kernel efficiently without a complex root filesystem setup.
ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild - I thought AI was supposed to replace security, not add to it!
Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes - Have you used residential proxies for your red teams yet? Threat actors are using them...
Azure Redirect URI Takeover Vulnerability - A vulnerability in Azure's OAuth 2.0 flow where unregistered subdomains in application redirect URIs could be exploited by TAs to steal authorization codes and impersonate users.
The Power of UI Automation - UI Automation provides a tree of UI automation elements representing various aspects of a user interface. Could be useful to automate certain testing or other tasks.
Kerberos II - Credential Access Part two of the series.
Improving port scans against API servers - Friendly reminder to explore new tools because you might end up liking them. Like replacing your ESXi host with Ludus 😜! This blog discusses some of the reasons they moved away from Nmap and into naabu (from the projectdiscovery team).

Tools and Exploits

TeamsNTLMLeak - Leak NTLM via Website tab in teams via MS Office.
Atexec-pro - Fileless atexec, no more need for port 445.
SharpConflux - SharpConflux is a .NET application built to facilitate Confluence exploration. It allows Red Team operators to easily investigate Confluence instances with the goal of finding credential material and documentation relating to objectives without having to rely on SOCKS proxying. Here is the related blog.
SQL-BOF - A library of beacon object files to interact with remote SQL servers and data.
CspReconGo - It automates the extraction and analysis of domains from Content Security Policy (CSP) headers and JavaScript files on websites.
CVE-2024-1086 - Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
CcmPwn - Lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
ChaiLdr - AV bypass while you sip your Chai!.
curlrevshell - Kooky cURL-powered replacement for reverse shell via /dev/tcp.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Cookie dumper for Chrome and Edge - Dump cookies directly from Chrome process memory
RustRedOps - 🦀 | RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.