Last Week in Security (LWiS) - 2024-07-15
HavocC2 SSRF (@_chebuya), PDF rendering diffs (@d4d89704243), Windows phishing 0day (@_CPResearch_), 3x SharePoint RCEs (@testanull), Dynamics 365 flaws (@frycos), Mythic 3.3 Beta (@its_a_feature_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-07-08 to 2024-07-15.
News
- Application Security report: 2024 update - Some interesting data in this report, especially that Cloudflare saw exploitation attempts for the JetBrains TeamCity authentication bypass just 22 minutes after proof-of-concept code was published. Perhaps the threat actors had an automated lab and could quickly test/modify the PoC, but more likely they just YOLO'd it.
- Google is closing in on its biggest deal: a New York startup that's less than 4 years old - 4 years to (a rumored) $23 billion acquisition has to be a record for unicorn startup success. Congratulations to the Wiz team (assuming the rumors are true).
- Crooks Steal Phone, SMS Records for Nearly All AT&T Customers - Another day, another breach. And another reason not to use SMS for multifactor authentication unless it is the only choice.
- Apple warns iPhone users in 98 countries of spyware attacks - This is the second round of notifications to go out. If you may be a target, turn on lockdown mode, and reboot your phone often.
- Mythic 3.3 Beta: Rise of the Events - Mythic, the popular open source C2, is getting some great new features. The new eventing system looks awesome.
Techniques and Write-ups
- RADIUS/UDP vulnerable to improved MD5 collision attack - A MitM attack is possible against RADIUS servers that use UDP in Password Authentication Protocol (PAP) mode. The RADIUS authors in the '90s likely did not anticipate that an MD5 collision would be practical to execute in under 30 seconds, the default timeout for many devices. However, with some fancy cryptography and a pile of GPUs, it's possible in 2024. Full PDF here: RADIUS/UDP Considered Harmful.
- CVE-2024-29511 - Abusing Ghostscript's OCR device - More Ghostscript exploitation from @thomasrinsma at Codean Labs that allows file read and write outside the sandbox.
- Fickle PDFs: exploiting browser rendering discrepancies - This could be useful for phishing if you knew the browsers used by different users, or if an email security gateway used a specific browser to render PDFs and the users a different browser.
- Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) - Some nifty tricks to obscure HTA execution on Windows 10/11. Patched in the 2024-07 Patch Tuesday.
- How insecure is Avast Secure Browser? - Spoiler: it's just Chrome wrapped in ads and data collection.
- Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks - This could be used to disrupt ChatGPT once it scrapes your site. Would embedding the "DoS" prompt in HTML comments be enough to do it, I wonder?
- Dynamics 365 Business Central - A Journey With Ups and Downs - A lesser-known on-prem Microsoft product, "Dynamics 365 Business Central" is a .NET application with a (now patched) unauthenticated file write vulnerability. Good .NET code audit content.
- Firmware Security: Alcatel-Lucent ALE-DeskPhone - From firmware download to shell and two vulnerabilities, this is a solid walkthrough of embedded device hacking.
- Getting Started with Exploit Development - A great resource for anyone looking to get started in binary exploitation.
- Unauthenticated SSRF on Havoc C2 teamserver via spoofed demon agent - There is something extra awesome about an exploit against a command and control framework. This was no simple exploit, and the walkthrough is great.
- One Proxy to Rule Them All - A powerful tool to help you bypass Web Application Firewalls (WAFs) during external penetration tests and bug bounty programs.
- Silently Install Chrome Extension For Persistence - Attack surface moves to the browser more and more each day!
- CISA Red Team's Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth - CISA's "SILENTSHIELD" team rekt a Federal Civilian Executive Branch (FCEB) organization. Good read to understand how an APT would get into and move laterally through a large organization.
- Remote Session Enumeration via Undocumented Windows APIs - This article details how to implement remote session enumeration on Windows systems using undocumented WinStation APIs, replicating qwinsta functionality through custom C++ code.
- Introducing a New Vulnerability Class: False File Immutability - "Previously-unnamed" class of Windows vulnerabilities? 🧐
Tools and Exploits
- SSD Advisory - Sonicwall Sma100 Stored XSS to RCE - This one is particularly bad as the stored XSS can be added with a failed logon and triggered when an admin browses to the Log / View page. After that, a command injection gets remote code execution.
- CVE-2024-22274 - Authenticated Remote Code Execution in VMware vCenter Server.
- MS-SharePoint-July-Patch-RCE-PoC - PoCs for CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023.
- mailgoose - A web application that allows the users to check whether their SPF, DMARC and DKIM configuration is set up correctly.
- collateral-damage - Kernel exploit for Xbox SystemOS using CVE-2024-30088.
- pdf-exploit - pdf exploit integration.
- gigaproxy - One proxy to rule them all.
- IHxExec - Process injection alternative.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- pumpbin - 🎃 PumpBin is an Implant Generation Platform.
- defguard - Enterprise, fast, secure VPN & SSO platform with hardware keys, 2FA/MFA.
- Linux when? Linux now. - Zed (a code editor) is now available for Linux.
- World's most complete UUID database. - World's most complete UUID database.
- Exclusive: Tour riders are inhaling carbon monoxide to optimise altitude training - Cycling is a sport famous for its "hacks" (cheating, doping, etc.), second only to Formula 1. Riders may be purposely inhaling precisely dosed carbon monoxide to get "super altitude" training. Sounds dangerous.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.