Last Week in Security (LWiS) - 2024-09-03
argv[0] tampering (@Wietze), Moodle eval() misuse (@RedTeamPT), ntoskrnl.exe PoC (@b1thvn_), 4x wappd exploits (@hyprdude), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-08-26 to 2024-09-03.
News
- Windows App general availability coming soon - The Remote Desktop app on macOS/iOS is being renamed to "Windows App." I'm sure no one will find that confusing.
- [PDF] The EV Code Signature Market for eCrime - Criminals are getting "extended validation" (EV) certificates for $2,000 to $6,000 to bypass antivirus. Are you assessors emulating this threat?
- State-backed attackers and commercial surveillance vendors repeatedly use the same exploits - The question is: did they buy the exploits, steal them, or find them in the wild and repurpose them?
- [X] Lets breakdown this Intel SGX (TEE) breach. - Researchers have managed to leak Intel's Software Guard Extensions (SGX) Fuse Key0 from some older processors. This key was supposed to remain unknown to everyone (even Intel) to maintain the security of SGX. Odds that a similar attack is possible on modern chips?
- Is Telegram really an encrypted messaging app? - After the Telegram CEO Pavel Durov was arrested in France and charged with failing to sufficiently moderate content on Telegram, many have described Telegram as an "encrypted messaging app." This post breaks down the limited, and strange use of encryption in Telegram. And that is to say nothing of the metadata. For comparison review the search warrant for Signal user data and what they were able to provide.
- YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel - Yubikeys sold before 2024-05-6 are vulnerable to a side-channel attack that can clone the key. The attack requires physical access to the key, partial disassembly, and an oscilloscope. They firmware of the Yubikey cannot be updated, so add a PIN to your keys or replace them if physical access is in your threat model, but note that physical access is always root access - it's just a matter of how difficult it is.
- Mythic 3.3 — Out of Beta - New Mythic is out with new features like file previews, a new file browser, interactive mode task output tracking, and host/bridge Docker networking options.
Techniques and Write-ups
- CVE-2024-37079: Vmware vCenter Server Integer Underflow Code Execution Vulnerability - This vCenter heap overflow was patched in June, but this post delievers the details.
- Why bother with argv[0]? - "The first argument of a program's command line, typically reflecting the program's name/path and often referred to as argv[0], can in most cases be set to an arbitrary value without affecting the process' flow. Making the case against argv[0], this post demonstrates how it can be used to deceive security analysts, bypass detections and break defensive software, across all main operating systems."
- Breaking Down Barriers: Exploiting Pre-Auth SQL Injection In WhatsUp Gold: CVE-2024-6670 - Some .NET reversing and a little SQL injection result in remote code execution. Full PoC provided.
- Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle - "If eval() is the answer, you're almost certainly asking the wrong question."
- Key and E: A Pentester's Tale on How a Photo Opened Real Doors - Keys are the physical codes that open doors. Pictures of them are usually enough to clone them.
- Dissecting the CVE-2024-38106 Fix - Quick breakdown and PoC for the ntoskrnl.exe bug patched on August 14.
- 4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways - My favorite post of the week. Love the in depth walk through as the mitigations ramp up. PoCs are here.
- Ghost in the PPL Part 3: LSASS Memory Dump - Perhaps the most complicated way to dump lsass memory, but an interesting read. PPLSystem is the current go-to technique for PPL bypass or TrickDump or NativeDump if PPL is not enabled.
- What's the worst place to leave your secrets? - Research into what happens to AWS credentials that are left in public places - Less than 60 seconds for a secret in an NPM package to be used is impressively fast.
Tools and Exploits
- Red-Infra-Craft automates the deployment of powerful red team infrastructures! It streamlines the setup of C2s, makes it easy to create advanced phishing & payload infrastructure.
- CVE-2024-43044-jenkins - Exploit for the vulnerability CVE-2024-43044 in Jenkins.
- enumhandles_BOF - This BOF can be used to identify processes that hold handles to a given file. This can be useful to identify which process is locking a file on disk.
- CVE-2024-5274 - PoC for the type confusion in V8 in Google Chrome prior to 125.0.6422.112 that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
- limoncello - Yet another LLVM-based obfuscator.
- hackshell - Make BASH stealthy and hacker friendly with lots of bash functions.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- 5 Years of InfoSec Focused Homelabbing - Start a homelab, start a blog, achieve great things.
- wush - simplest & fastest way to transfer files between computers via WireGuard.
- VerifierDLL - Example of building an application verifier DLL.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.