Last Week in Security (LWiS) - 2024-06-17
Nighthawk 0.3 (@MDSecLabs), Musl heap exploit (@NCCsecurityUS), Copilot chat 💉 (@wunderwuzzi23), allowPrivilegeEscalation in K8s (@christophetd), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-10 to 2024-06-17.
News
- Private Cloud Compute: A new frontier for AI privacy in the cloud - Apple has entered the AI arena, but unlike others is focused on user privacy. While "private cloud compute" isn't perfect (they are open sourcing "a subset of the security-critical PCC source code," not everything), it's clear they spent a lot of time considering how to do cloud compute in the most private way possible.
- Process Monitor v4.0 and Sysmon 1.3.3 for Linux - ProcMon 4.0 is here and has dark mode!
- [PDF] Mandiant Threat Hunting Guide: Snowflake - 64 pages. Threat hunting guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances.
- Time to challenge yourself in the 2024 Google CTF - Google's annual CTF runs this weekend.
- Windows Wi-Fi Driver Remote Code Execution Vulnerability: CVE-2024-30078 - "An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution." We have yet to see any legitimate PoCs.
- Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says - An account of a SAML flaw in Active Directory Federation Services that was used by the SolarWinds hackers, and the response (or lack there of) from Microsoft. Interesting insider perspective in light of the US government moving nearly everything into Microsoft's cloud.
Techniques and Write-ups
- Nighthawk 0.3 - Automate All the Things - The MDSec team has basically rewritten the Nighthawk C2 framework with a focus on automation and interoperability. We haven't gotten our hands on Nighthawk yet, but it looks like a serious C2 for high level red teams without the development resources to create and maintain their own C2.
- Pumping Iron on the Musl Heap - Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap - You may not need to exploit Redis with an integer overflow with 350MiB of data, but this write up goes in depth about the exploitation of the musl heap, which is used in Apline Linux - the basis of many Docker containers.
- GitHub Copilot Chat: From Prompt Injection to Data Exfiltration - Careful what code you are running your AI assistants on, and what capabilities (i.e. web browsing) the assistants have.
- Stop worrying about 'allowPrivilegeEscalation' - This Kubernetes option is unfortunately named, but this post explains what it actually does.
- Progressive Web Apps (PWAs) Phishing - The usual social engineering wizardry from @mrd0x. This time phishing with Progressive Web Apps and UI manipulation.
- Introduction to Azure Cloud Token Theft MindMap V1 - Who doesn't love a good mindmap?
- Code Execution in Chromium's V8 Heap Sandbox - A JSArray builtin allows you to change the length of an array to any arbitrary value which provides you with out-of-bounds access to that array.
- ROPing Routers from scratch: Step-by-step Tenda Ac8v4 Mips 0day Flow-control ROP -> RCE - Even if this Tenda router is not a current target, the MIPS emulation/exploitation is well done.
- ScriptBlock Smuggling: Spoofing PowerShell Security Logs and Bypassing AMSI Without Reflection or Patching - Still using PowerShell in your ops? "...This issue was disclosed to Microsoft but was closed with no further action."
- AES-GCM and breaking it on nonce reuse - This is an extremely technical cryptography blog post. The interactive components are really neat - you can change the examples live on the site!
- Lateral Movement with the .NET Profiler - The common language runtime is full of neat tricks that can be abused. Example code is in the tools and exploits section.
- CVE-2024-20693: Windows cached code signature manipulation - Manipulating the cached signature signing level of an executable or DLL could lead to a local privilege escalation. In this case they created a PoC that elevates from a low privilege user to SYSTEM.
Tools and Exploits
- Voidgate - A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
- Hunt-Sleeping-Beacons - Aims to identify sleeping beacons.
- Invoke-ADEnum - Automate Active Directory Enumeration.
- QRucible - Python utility that generates "imageless" QR codes in various formats.
- RdpStrike - Positional Independent Code to extract clear text password from mstsc.exe using API Hooking via HWBP.
- Deobfuscar - A simple commandline application to automatically decrypt strings from Obfuscator protected binaries.
- gcpwn - Enumeration/exploit/analysis/download/etc pentesting framework for GCP; modeled like Pacu for AWS; a product of numerous hours via @WebbinRoot.
- honeyzure - HoneyZure is a honeypot tool specifically designed for Azure environments, fully provisioned through Terraform. It leverages a Log Analytics Workspace to ingest logs from various Azure resources, generating alerts whenever the deceptive Azure resources are accessed.
- SteppingStones - A Red Team Activity Hub.
- CVE-2024-26229 - CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code.
- CVE-2024-26229-BOF - BOF implementations of CVE-2024-26229 for Cobalt Strike and BruteRatel.
- profiler-lateral-movement - Lateral Movement via the .NET Profiler.
- SlackEnum - A user enumeration tool for Slack.
- ScriptBlock-Smuggling - Example code samples from our ScriptBlock Smuggling Blog post.
- NativeDump - Dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- nowafpls - Burp Plugin to Bypass WAFs through the insertion of Junk Data.
- lazyegg - LazyEgg is a powerful tool for extracting various types of data from a target URL. It can extract links, images, cookies, forms, JavaScript URLs, localStorage, Host, IP, and leaked credentials.
- KeyCluCask - Simple and handy overview of applications shortcuts.
- security-hub-compliance-analyzer - A compliance analysis tool which enables organizations to more quickly articulate their compliance posture and also generate supporting evidence artifacts.
- Nemesis-Ansible - Automatically deploy Nemesis.
- Packer_Development - Slides & Code snippets for a workshop held @ x33fcon 2024.
- InsightEngineering - Hardcore Debugging.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.