Last Week in Security (LWiS) - 2024-04-22
LSA Whisperer (@mcbroom_evan), VirtualBox LPE (@mansk1es), Android Intent exploitation (@suidpit), MagicDot "rootkit" (@oryair1999), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-16 to 2024-04-22.
News
- VASA-1: Lifelike Audio-Driven Talking Faces Generated in Real Time - Just when you thought you could trust the CFO ordering you to transfer all that money via Zoom...
- Build the future of AI with Meta Llama 3 - The best "open source" (sort of) model yet. Local AI just got a big boost.
- How we built the new Find My Device network with user security and privacy in mind - Google enters the "Find My" crowdsourced device-locating network game with the similarly named "Find My Device" network. It supports the standard which allows trackers to be detected by iOS devices (and vice-versa), so unwanted trackers will alert users.
- GitHub comments abused to push malware via Microsoft repo URLs - Because GitHub uploads a file to a publicly accessible URL as soon as it is attached during comment editing, actors don't need to publish comments to get files hosted under trusted projects' URLs. If you're ok with giving your payload to Microsoft (GitHub), this is a pretty sneaky way to host it.
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects - Echoes of the XZ backdoor are still being felt.
- SSO tax, cut - Tailscale is the best VPN solution there is (unsponsored opinion). Between this change and Tailnet lock, they have eliminated all issues I had with their service. If you're a self-hosting true purist, there is still headscale.
- MITRE Response to Cyber Attack in One of Its R&D Networks - MITRE was hit with the Ivanti 0day. Good transparency on what took place. Additional details here.
- An Introduction to the Canadian Program for Cyber Security Certification (CPCSC) - Starting at the end of 2024, Canadian defense industry suppliers will need to be certified under the Canadian Program for Cyber Security Certification (CPCSC) to bid on certain government contracts, an initiative designed to enhance security measures within the nation's federal contracting processes.
- What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners? - A misconfigured North Korean internet server exposes the nation's outsourcing of animation work. Is your "IT partner" North Korea?
Techniques and Write-ups
- ouned.py: Exploiting Hidden Organizational Units Acl Attack Vectors in Active Directory - You know "GenericAll" but what other OU permissions can be abused in Active Directory? Read this post to learn about gPLink poisoning. OUned is the tool.
- CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible - An integer overflow in the Skia graphics library has been used to exploit Chrome. The fact that it would not appear in debug builds, because the assert calls that catch it are compiled out of release builds, is interesting. Make sure you are fuzzing release binaries!
- Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers - A very in-depth post on Android app Intents and how they can be exploited, especially in "high security" apps like chat or cryptocurrency apps.
- CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM - The out-of-band management chips on enterprise servers are notorious for being vulnerable. Cisco's is no exception.
- LSA Whisperer - Some seriously in-depth research into the local security authority (LSA) of Windows which leads to all kinds of functionality. My favorite is the possible use of CacheLogon to cache a specific NT hash into an active logon session, which will allow for stable Pass-the-Hash without having to patch LSASS memory (but will require injection into LSASS). I can only imagine the amount of reverse-engineering it took to get to lsa-whisperer.
- A Crash Course in Hardware Hacking Methodology: The Ones and Zeros - A good primer on IoT hacking.
- Passbolt: a bold use of HaveIBeenPwned - Passbolt is a password manager that uses the HaveIBeenPwned API to check if a password has been compromised. This post goes into the details of how they implemented it.
- Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI - Saving some of the commands here for future use. Those AWS AMIs can certainly come in handy.
- ROPGadget: Writing a ROPDecoder - This post discusses creating a ROPDecoder from scratch, detailing the selection and use of ROP gadgets to encode and decode shellcode, and automating the process to handle bad characters effectively in exploit dev.
- The Windows Registry Adventure #1: Introduction and research results - Wild. Mateusz Jurczyk of Google Project Zero audited the Windows Registry for local privilege escalation bugs over 20 months, identifying multiple vulnerabilities now fixed as 44 CVEs by Microsoft, utilizing methods from fuzzing to manual review in an extensive security research effort.
- State of DevSecOps - Datadog's State of DevSecOps report is out. TLDR - Java/JS account for tons of issues, automated security scanners are mostly noise, the industry is bad at prioritizing what to fix, manual cloud deployments (no IaC) are still very common, and more.
Tools and Exploits
- CVE-2024-21111 - Oracle VirtualBox Elevation of Privilege (Local Privilege Escalation) Vulnerability.
- lsa-whisperer - Tools for interacting with authentication packages using their individual message protocols.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- CloudConsoleCartographer - Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.
- PasteBomb - PasteBomb C2-less RAT. The creator of this project is only 13 years old. Impressive! Great work.
- poutine - poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD.
- panos-scanner - Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
- LetMeowIn - A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
- MagicDot - A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- smugglefuzz - A rapid HTTP downgrade smuggling scanner written in Go.
- netz - Discover internet-wide misconfigurations while drinking coffee.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover - A deep dive into AWS Amplify and how it can be abused.
- Elastic Universal Profiling agent, a continuous profiling solution, is now open source - Elastic has open sourced their profiling agent.
- Active Directory Hardening Series - Part 4 - Enforcing AES for Kerberos - Part 4 of the Active Directory Hardening Series.
- The Ultimate Guide for BloodHound Community Edition (BHCE) - A guide to BloodHound Community Edition. Also gives the background of the project for those that are new to BloodHound in general.
- Living Off the Pipeline - "...to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection."
- BAADTokenBroker - A post-exploitation tool designed to leverage device-stored keys (Device key, Transport key, etc.) to authenticate to Microsoft Entra ID.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.