Last Week in Security (LWiS) - 2024-04-22

LSA Whisperer (@mcbroom_evan), VirtualBox LPE (@mansk1es), Android Intent exploitation (@suidpit), MagicDot "rootkit" (@oryair1999), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-16 to 2024-04-22.


Techniques and Write-ups

Tools and Exploits

  • CVE-2024-21111 - Oracle VirtualBox Elevation of Privilege (Local Privilege Escalation) Vulnerability.
  • lsa-whisperer - Tools for interacting with authentication packages using their individual message protocols.
  • KExecDD - Admin to Kernel code execution using the KSecDD driver.
  • CloudConsoleCartographer - Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.
  • PasteBomb - PasteBomb C2-less RAT. The creator of this project is only 13 years old. Impressive! Great work.
  • poutine - poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and GitLab CI/CD.
  • panos-scanner - Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
  • LetMeowIn - A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
  • MagicDot - A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.