Last Week in Security (LWiS) - 2024-07-01
Chrome RCE (@mmolgtm), Windows LPE (@carrot_c4k3 + @tykawaii98), Xerox RCEs+LPE (@_mohemiv), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-24 to 2024-07-01.
News
regreSSHion (CVE-2024-6387)
- regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387) - The Qualys team drops an unauthenticated remote code execution vulnerability in OpenSSH, possibly the most audited software project ever. It's a race condition that takes ~10,000 attempts on x86 to exploit, so any type of fail2ban, SSHGuard, or similar protection will likely mitigate the vulnerability, but everyone should update ASAP. This one will have a long tail of exposure - SSH is everywhere. The OpenSSH project recently announced support for built-in rate limiting: PerSourcePenalties and PerSourcePenaltyExemptList, and the dates line up 🤔.
- Notes on regreSSHion on musl - "OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion)." However, it could still deadlock the sshd process.
- cve-2024-6387-poc - UNVERIFIED! Do your own code review and testing. 32-bit PoC for CVE-2024-6387 — mirror of the original 7etsuo/cve-2024-6387-poc (Deleted).
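Since the post notes that exploitation takes ~10,000 attempts and that fail2ban-style rate limiting mitigates it, the defender-side signal is a burst of connections from one source that each let the LoginGraceTime timer expire. The following is an added example (not from the post or from Qualys) that counts sshd's "Timeout before authentication" messages per source address in a sliding window; the message text is OpenSSH's own, while the syslog prefix format and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd logs this when LoginGraceTime expires before authentication finishes
# (message text from OpenSSH sshd.c). The "Mon  d HH:MM:SS host sshd[pid]:"
# prefix is an assumption about the host's syslog format; OpenSSH 9.8+ may
# log from "sshd-session" instead of "sshd".
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:-session)?\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; assume one so windows can be computed.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def noisy_sources(lines, threshold: int = 20, window_s: int = 60) -> dict:
    """Return {ip: peak count} for sources that produced at least `threshold`
    grace-timeout events inside any `window_s`-second sliding window."""
    windows = defaultdict(deque)   # ip -> timestamps currently in the window
    peak = defaultdict(int)        # ip -> largest window size seen
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if not m:
            continue               # ignore unrelated sshd/syslog lines
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()            # drop events older than the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample: one source hammering the grace timeout once per second,
# plus a benign source with a single timeout followed by a normal login.
SAMPLE_LOG = [
    f"Jul  1 02:00:{s:02d} bastion sshd[{4000 + s}]: fatal: Timeout before "
    f"authentication for 198.51.100.7 port {40000 + s}"
    for s in range(25)
] + [
    "Jul  1 02:05:10 bastion sshd[5200]: fatal: Timeout before authentication for 203.0.113.9 port 51000",
    "Jul  1 02:05:12 bastion sshd[5201]: Accepted publickey for ops from 203.0.113.9 port 51002 ssh2",
]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))
```

The returned counts are what you would hand to an alert or to a fail2ban-style ban action; a real exploit attempt would run far longer than 25 events, so the threshold mainly needs to sit above your normal rate of stalled clients.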
Polyfill supply chain attack hits 100K+ sites - Polyfill[.]io was bought by a Chinese company ~6 months ago, but this attack looks more widespread: Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator. Cloudflare stepped in and automatically replaced polyfill.io links with Cloudflare's mirror for a safer Internet.
PortSwigger, the company behind the Burp Suite of security testing tools, swallows $112M - What does this mean against the Caido vs BurpSuite Pro debate? Congrats to PortSwigger nonetheless.
TeamViewer's corporate network was breached in alleged APT hack - A very popular remote monitoring and management tool vendor breached. You can follow the security update here. Ouch.
Sustaining Digital Certificate Security - Entrust Certificate Distrust - Google Chrome will stop trusting Entrust root certificates in October. Why? See for yourself: Entrust on Bugzilla. The process to trust certificate authorities is one of those critical processes that underpin the entire system but almost no one acknowledges or understands (it's the Federal Reserve of cybersecurity).
Introducing the Microsoft Entra PowerShell module - Time to update your Azure/Entra tooling!
Techniques and Write-ups
- Evading Event Tracing for Windows (ETW)-Based Detections - This post explores Event Tracing for Windows (ETW), its components, and various techniques to evade ETW-based detections, including tampering with ETW trace sessions, hijacking sessions, and patching ETW functions to bypass endpoint detection and response systems. Good read!
- Commonly Abused Linux Initial Access Techniques and Detection Strategies - Bring back Linux tradecraft!
- Attack of the clones: Getting RCE in Chrome's renderer with duplicate object properties - Browsers are some of the most complex yet security-critical pieces of software available today. This post shows the details of an exploit that had to be re-worked due to code hardening, but still led to RCE from a single page visit.
- Exploiting Steam: Usual and Unusual Ways in the CEF Framework - Sometimes instead of attacking the browser itself, it's easier to attack the plumbing that connects it to the rest of the system.
- Why nested deserialization is harmful: Magento XXE (CVE-2024-34102) - Another high impact CVE against Magento discovered by Assetnote.
- Creating an Emux Environment With Ludus - Great walkthrough for those looking to get started with embedded hacking!
- The State of Data Breaches - Troy Hunt, owner of haveibeenpwned, writes about what he's seeing across the industry.
- Putting the C2 in C2loudflare - How to bring up an entire C2 infrastructure with all your tooling and their corresponding redirectors using Azure Snapshots, Cloudflare and Tmux Resurrect.
- GitHub Actions Exploitation: Introduction - A basic introduction to GitHub Actions exploitation. Note: GitHub has an enterprise offering that can be hosted on-prem by large customers. Look for it on your next red team.
- The Windows Registry Adventure #3: Learning resources - If you ever read a write-up and think "how in the world did they figure this out?" perhaps the answer is lots and lots of research. This post is a good example of how exploitation usually involves knowing a system better than most of its authors.
- Inside Xerox WorkCentre: Two Unauthenticated RCEs - 2x RCEs and an LPE against a big Xerox multifunction machine.
- Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806) - "Editors note: This blog post is everything - a beautiful vulnerability and a masterclass in fun exploitation chains." Agree.
Tools and Exploits
- ApexLdr - ApexLdr is a DLL Payload Loader written in C.
- RemoteKrbRelay - Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework.
- SharpIncrease - A tool that aims to evade AV with binary padding.
- CVE-2024-30088 - A Windows LPE that stems from a Time-of-Check to Time-of-Use (TOCTOU) vulnerability within the function NtQueryInformationToken, particularly in the handling of the AuthzBasepCopyoutInternalSecurityAttributes function.
- CVE-2023-24871 - POCs & exploit for CVE-2023-24871 (Windows RCE + LPE).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- parseusbs - Parses USB connection artifacts from offline Registry hives.
- Becoming a Red Teamer - Recent changes in red team tooling have sparked a debate. Here is a quick take on the topic of what it takes to become a red teamer.
- The BIRT Project - "Our goal is to support incident responders by providing them with effective tools that exceed their needs. As a 100% bootstrapped project, we are motivated by our extensive experience in cybersecurity and a deep understanding of the challenges faced in incident response. We recognize the need for quick and accurate responses in the face of today's changing threats. "
- Why I attack - A perspective on why to do research and make your research public. Controversial topic, but always good to stay informed and have these conversations.
- winutil - Chris Titus Tech's Windows Utility - Install Programs, Tweaks, Fixes, and Updates.
- Win11Debloat - A simple, easy to use PowerShell script to remove bloatware apps from Windows, disable telemetry and Bing in Windows search, as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11.
- poc-cve-2024-38396 - PoC for iTerm2 CVEs CVE-2024-38396 and CVE-2024-38395 which allow code execution.
- themida-unmutate - Static deobfuscator for Themida/WinLicense/Code Virtualizer's mutation-based obfuscation.
- Queueing - An interactive study of queueing strategies - Neat interactive site to learn about queueing strategies.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.