Aug 19 2024 Last Week in Security (LWiS) - 2024-08-19

News

• NIST Releases First 3 Finalized Post-Quantum Encryption Standards -- One encryption and two signature algorithms have been standardized with one more signature algorithm on the way. This is good news as quantum computing slowly builds up steam.
• Unicoin Inc. - Nightmare scenario? "...threat actor had gained access to the Company's Google G-Suite account and changed passwords of all users of the Company's G-Suite products". The question is, should red teams emulate these scenarios, or how should they prove that level of access non-destructively?
• Advancing Threat Intelligence: JA4 fingerprints and inter-request signals - Cloudflare clients are getting some improved detection capabilities.
• Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator - Have you added this to your threat profile? Insider threat has become more of a reality over time. Assumed breach engagements should almost be a requirement at this point. Also, if someone wants to host a laptop farm in your house, just say no.
• [X] Closer look at CVE-2024-38063 (Windows TCPIP RCE). - There was lots of chatter about a 9.8 CVSS unauthenticated, pre-firewall, RCE vulnerability in Windows TCP/IP driver. It looks like it may not be as bad as it sounds.
• Phrak 71 - The legendary zine is still going strong 40 years later.
• [X] PSA: don't share workout pics on Instagram, otherwise a big nerd (me) might use them to learn things about your nuclear weapons. - Never underestimate the power of OSINT.
• NationalPublicData.com Hack Exposes a Nation's Data - If you live in the US, your social security number, address, and more is likely exposed. Freeze your credit. Welcome to the boring dystopia. How did this happen? Well, National Public Data Published Its Own Passwords. 🤦‍♂️

Techniques and Write-ups

• [EN] Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! - Orange Tsai with their annual wizardry. The talk can be found here [PDF].
• Hacking Beyond .com — Enumerating Private TLDs - Add TLDs to your recon checklist. Tool now available.
• Unauthenticated remote code execution on BYOB via spoofed file exfiltration+command injection - Working code released as well. This exploit in BYOB (Build Your Own Botnet) [an open-source post-exploitation framework for students, researchers and developers] works by spoofing an agent exfiltrating a file to overwrite the sqlite database and bypass authentication. After authentication is bypassed, a command injection vulnerability is exploited in the payload builder page.
• Introducing the httpx dashboard - Get your httpx results in the PD dashboard now!
• Catching Shells Without Infrastructure Using "Open" Tor Relays. - By leveraging "open" Tor relays as entry points and Tor hidden services as listeners, attackers could potentially run small, stealthy implants that connect back through the Tor network. I'd bet most enterprise FW would block this outbound traffic though? Maybe a good measurable event to have as part of your red/purple teams.
• The “Fake” Potato - There are never enough potatoes!
• GhostWrite - The GhostWrite vulnerability affects the T-Head XuanTie C910 and C920 RISC-V CPUs. This vulnerability allows unprivileged attackers, even those with limited access, to read and write any part of the computer's memory and to control peripheral devices like network cards. Worst part? It's a hardware bug that can't be patched.
• The quarantine! Infecting .NET-assembly as a real APT - This article is a deep dive into how hackers can mess with .NET assemblies in Windows to sneak in malicious code, with examples of different techniques they might use. Google translate is your friend.
• Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit - To overcome the limitation of a single packet attack, use IP fragmentation and TCP sequence number reordering.
• KnowBe4 RCE and LPE - Couple vulns from KnowBe4 applications. Good write-ups!
• Oops I UDL'd it Again - New phishing technique! Universal Data Link Configuration (UDL) files to leak NTLM or even plaintext creds (if the user enters them).
• Double Agent: Exploiting Pass-through Authentication Credential Validation in Azure AD - Remember your Entra Connect servers are Tier 0 assets. "...the issue is not an immediate threat and is of moderate severity."
• The Hidden Treasures of Crash Reports - This post discusses how crash reports can reveal malware, bugs, and system vulnerabilities, providing examples from major security incidents. I like the idea of using crash reports as recon as well.
• Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess - If you know the AWS account ID and the name of a role that doesn't have the "subject" condition, then you can compromise that AWS account from the internet. These types of flaws are wild. Like likely affects other OIDC-based roles.
• SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement - The team at Synacktiv was also scoping out the SSCM DP HTTP service for looting. They gave us a shoutout in the footnote as well. Great work guys!
• SSH Tunnelling to Punch Through Corporate Firewalls - Updated take on one of the oldest LOLBINs - Some tradecraft on using the SSH client in windows environments. More talked about the past year or so but it's been around windows by default for a few years (2017)
• Kernel Symbolication - The article explains how the symbolication process works, describes the signature format, and discusses the importance of this capability for reverse engineers and security researchers analyzing Apple's kernel internals.
• Git-Syncing into Trouble: Exploring Command Injection Flaws in Kubernetes - DEF CON talk: Akamai researcher Tomer Peled found a design flaw in Kubernetes' sidecar project git-sync that allows for potential command injection. This vulnerability can be exploited on default installations of Kubernetes on all platforms (including Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE), and Linode) and is no considered a vulnerability by the Kubernetes team.
• Hacking a Secure Industrial Remote Access Gateway - XSS + command injection as root in the Cosy+ gateway allow unauthenticated attackers to gain root access to the device. Syss went deep on this device, and its a great post on how you can tear apart an embedded system.
• UnOAuthorized: Privilege Elevation Through Microsoft Applications - Cloud based (Entra ID) privilege escalation. Already patched but cool read. Detection for prior abuse is provided.
• Persisting on Entra ID applications and User Managed Identities with Federated Credentials - More Entra ID based work. Dirk-jan shows an alternative approach attackers can use to configure credentials on Entra ID applications and Azure User Managed Identities. It can help them persist in environments or even elevate privileges if they can compromise a service principal with high privileges.
• My Methodology to AWS Detection Engineering (Part 1: Object Selection) - The start of a detection engineering series in AWS using Splunk.
• Racing Round and Round: The Little Bug That Could - The write-up of CVE-2024-30089 which is an use-after-free vuln in Windows 11 Kernel streaming service. Valentina also outlines her approach to bug hunting - "picking a target and sticking to it might be one of the most difficult steps of the research process."
• Will the real #GrimResource please stand up? - Abusing the MSC file format - There was some chatter about MSC files for phishing not too long ago. Turns out elastic caught a sample from a red team that was an Outflank customer. A real ouroboros situation. Outflank just added cross-platform support to Outflank C2 as well.

Tools and Exploits

• sccm-http-looter - Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(s).
• tldfinder - A streamlined tool for discovering TLDs, associated domains, and related domain names.
• Tempest - A command and control framework written in rust.
• cloudgrep - cloudgrep is grep for cloud storage.
• DriverJack - Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths.
• RpcProxyInvoke - Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar.
• Deep-Live-Cam - real time face swap and one-click video deepfake with only a single image.
• tryharder - C++ Staged Shellcode Loader with Evasion capabilities.
• 4n6pi - 4n6pi is a forensic imager for disks, designed to run on a Raspberry Pi powered by libewf. It provides a simple and portable solution for creating disk images in forensic investigations.
• QuickShell - A library and a set of tools for exploiting and communicating with Google's Quick Share devices.
• certainly - Certainly is a offensive security toolkit to capture large amounts of traffic in various network protocols in bitflip and typosquat scenarios.
• PyRIT - The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
• Shwmae - Shwmae (shuh-my) is a Windows Hello abuse tool that was released during DEF CON 32 as part of the Abusing Windows Hello Without a Severed Hand talk. The purpose of the tool is to abuse Windows Hello from a privileged user context.
• CVE-2024-38077 - MadLicense Windows RCE CVE-2024-38077: A Simple Heap Overflow Vulnerability for the terminal licensing server. [As always verify the code before use.]
• ShimMe - Tools from the DEFCON 32 talk "SHIM me what you got - Manipulating Shim and Office for Code Injection". "Office Injector" and "Shim Injector"
• koppeling-p - Adaptive DLL hijacking / dynamic export forwarding - EAT preserve.
• httpxui - HTTP flyover tool based on the httpx library by ProjectDiscovery.
• .NET_PROFILER_DLL_LOADING - .NET profiler DLL loading can be abused to make a legit .NET application load a malicious DLL using environment variables. This exploit is loading a malicious DLL using Task Scheduler (MMC) to bypass UAC and getting admin privileges.
• DockerSpy - DockerSpy searches for images on Docker Hub and extracts sensitive information such as authentication secrets, private keys, and more.
• LocalKdc - Info on how to use Kerberos KDC on a non-domain joined host.
• CVE-2024-36401 - GeoServer Remote Code Execution.
• smbtakeover - BOF and Python3 implementation of technique to unbind 445/tcp on Windows via SCM interactions.
• LeakedWallpaper - Leak of any user's NetNTLM hash. Fixed in KB5040434.
• DeadPotato - DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.
• SCCMSecrets - SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.
• BOF_NativeAPI_Definitions-VSCode - A VSCode plugin to assist with BOF development.
• rogueapps - When good OAuth apps go rogue. Documents observed OAuth application tradecraft.
• sshamble - SSHamble: Unexpected Exposures in SSH.
• Maestro - Maestro is a post-exploitation tool designed to interact with Intune/EntraID from a C2 agent on a user's workstation without requiring knowledge of the user's password or Azure authentication flows, token manipulation, and web-based administration console.
• Invoke-Maldaptive - MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection.
• hookchain - HookChain: A new perspective for Bypassing EDR Solutions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• azure-tiering - Azure administrative tiering based on known attack paths.
• ASRepCatcher - Make everyone in your VLAN ASRep roastable.
• TrickDump - Dump lsass using only NTAPIS running 3 programs to create 3 JSON and 1 ZIP file... and generate the Minidump later!.
• neuvik-terraform-workshop - Neuviks Terraform Red Team Workshop.
• SafeLine - serve as a reverse proxy to protect your web services from attacks and exploits.
• RemoteSessionEnum - Remotely Enumerate sessions using undocumented Windows Station APIs.
• SpoofDPI - A simple and fast anti-censorship tool written in Go.
• repopack - 📦 Repopack is a powerful tool that packs your entire repository into a single, AI-friendly file. Perfect for when you need to feed your codebase to Large Language Models (LLMs) or other AI tools like Claude, ChatGPT, and Gemini.
• Gato-X - GitHub Attack Toolkit - Extreme Edition.
• apeman - AWS Attack Path Management Tool - Walking on the Moon.
• Cloudflare Workers as an API gateway - From the sofware engineering community but infosec can learn from some of this 🙂.
• Advanced_Initial_access_in_2024_OffensiveX - Resources linked to my presentation at OffensiveX in Athens in June 2024 on the topic "Breach the Gat, Advanced Initial Access in 2024".
• An Opinionated Ramp Up Guide to AWS Pentesting - Hot takes on cloud pentesting. Does this resonate with anyone?
• MsRdpEx - Microsoft RDP Client Extensions.
• NetAlertX - 🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
• timelinize - Store your data from all your accounts and devices in a single cohesive timeline on your own computer.
• TONY HAWK'S PRO STRCPY - Exploit game consoles with a bad strcpy in the custom park load function of Tony Hawk's Pro Skater.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.