Last Week in Security (LWiS) - 2024-09-09
Windows heap overflow (@esj4y), Linux TCP UAF (@v4bel), Goffloader (@BouncyHat), Intune lat-movement (@h4wkst3r), browser attack detection (@mega_spl0it), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-09-03 to 2024-09-09.
News
- $10 million for information about malicious cyber activities against U.S. critical infrastructure - Get $10 million for snitching on the GRU. What's the price of looking over your shoulder for the rest of your life?
- Ransomware hackers threaten Montana branch of Planned Parenthood - It seems nothing is off limits anymore. 93 GB of data allegedly. They're looking to leak all of it if not paid.
- Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk - Another week, another PyPI hijack. This one re-registers package names whose original owners deleted them from PyPI, so anything still installing by name alone picks up the attacker's upload. Are your developers protected from this threat? Pinned versions with hashes (pip's --require-hashes) refuse a revived package rather than installing it.
- Deploying Rust in Existing Firmware Codebases - Rust in firmware, Android, and Chrome. Memory unsafety vulnerabilities are going to be harder to find in the future.
Techniques and Write-ups
- Building a Hardware Hacking Arsenal: The Right Bits for Every Byte - An overview of some tool recommendations if you're looking to get into IoT testing.
- The Art of Exploiting Active Directory from Linux - A lot of impacket and proxychains. Worth noting some red teams are also moving away from dropping tooling on target and proxying everything over.
- Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711) - watchTowr shows restraint and breaks with tradition by not releasing the full exploit code. The post is a good walkthrough of .NET patch diffing.
- (Re)Building the Ultimate Homelab NUC Cluster - Part 1 - A few Intel NUCs make for a great homelab. Excited to read part two where Ludus is set up!
- Windows Kernel Pool Exploitation CVE-2021-31956 - Part 1 - The first in a series about exploiting a Windows kernel heap overflow from low integrity.
- CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes - A Chrome V8 vulnerability in the JavaScript parser led to an out-of-bounds read/write. The interplay between JavaScript and C++ in browsers, and exploiting the latter from the former, always impresses me.
- Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024-27394) - This Linux use-after-free (UAF) in TCP-AO was patched in April 2024, but the detailed walkthrough and PoC are in this post.
- When on Workstation, Do as the Local Browsers Do! - As host-based solutions get better, attackers move to the path of least resistance. Those browsers are looking good! Creds, cookies, access tokens, etc.
- Getting “in tune” with an enterprise: Detecting Intune lateral movement - How Microsoft Intune, a cloud-based device management solution, can be abused for lateral movement in hybrid identity environments.
- Revisiting the UDRL Part 3: Beacon User Data - The Cobalt Strike team explains how Beacon User Data (BUD) can track memory allocations to improve masking of Beacon and additional components like External C2 DLLs. Their example demonstrates loading and masking both Beacon and an External C2 DLL simultaneously using these methods.
- PhysMem(e): When Kernel Drivers Peek into Memory CVE-2024-41498 - A Windows vulnerability in the IOMap64.sys driver allows unauthorized read/write access to physical memory. Daniele explains the driver's structure, the vulnerable functions that use MmMapIoSpace to map physical addresses, and how these can be exploited. Proof of concept and YARA rule in the post as well.
- Cracking OneDrive's Personal Vault - "Personal Vault" stores its contents in a BitLocker-encrypted VHDX file on the local disk. Once the vault has been unlocked through OneDrive, an administrator can extract the BitLocker External Key (BEK) file, which then unlocks the VHDX directly and gives access to the vault's contents even while the vault is locked. The process requires admin privileges and the vault to have been unlocked once. Personal-Vault-BEK is the script that automates it all.
- When Certificates Fail: A Story of Bypassed MFA in Remote Access - A custom mTLS setup in front of Citrix effectively disabled MFA: any valid client certificate issued to the company allowed single-factor authentication as any user.
- Chinese APT Abuses VSCode to Target Government in Asia - Credit to @pfiatde for writing this up last year.
Tools and Exploits
- NtDumpBOF - BOF port of the tool NativeDump by @RicardoJoseRF.
- GhostStrike - A basic XOR and process hollowing loader.
- COMThanasia - A set of programs for analyzing common vulnerabilities in COM.
- goffloader - A Go implementation of Cobalt Strike style BOF/COFF loaders. Full blog post introduction here.
- Frida 16.5.0 Released - New hardware breakpoint and watchpoint APIs, Windows ARM support, and other goodies.
- remote_wrapper - Extensible Mythic Wrapper that allows payload wrapping to occur on a remote host.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- impacket-zsh-integration - ZSH integration for Impacket.
- NamedPipeMaster - A tool to analyze and monitor named pipes.
- SeamlessPass - A tool leveraging Kerberos tickets to get Microsoft 365 access tokens using Seamless SSO.
- CVE Hunting Made Easy - How mass-downloading WordPress plugins and running a SAST tool over them led to 14 CVEs. Comes with wordpress-audit-automation, the scripts that download every WordPress plugin updated in the last two years, run Semgrep over the lot of it and store the output in a database.
- Evil MSI. A story about vulnerabilities in MSI Files - Detailed blog post on MSI abuse and the file format itself.
- GitHub Users Targeted by New Wave of Spambots Promoting Malicious Downloads - Attackers are targeting your developers and your CI/CD pipelines!
- angr for real-world use cases - Angr is a binary analysis platform with features like symbolic execution. It's popular in the CTF and crackme scene, but this post focuses on how it can be used against real targets.
- edr-artifacts - This repository is meant to catalog network and host artifacts associated with various EDR products "shell" and response functionalities.
- Exploiting Misconfigured GitLab OIDC AWS IAM Roles - This would be sick to exploit on a red team.
- libcimbar - Optimized implementation for color-icon-matrix barcodes.
- Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051) - "In this blog post, I will explain a vulnerability in the Microsoft Windows DWM Core library that I analyzed when the exploit for Core Impact was being developed. Allows an unprivileged attacker to execute code as a DWM user with Integrity System privileges (CVE-2024-30051)."
- phnt-single-header - Single header version of System Informer's phnt library.
- CVE-2020-27786 - Exploit for a use-after-free vulnerability caused by a race condition in MIDI devices in Linux kernel 5.6.13. Check out the full blog post as well.
- CVE-2024-26230 - Windows LPE in tapisrv.dll.
- Building a Purple Teaming Test Environment with Ludus - Always cool to see folks blogging about Ludus!
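The CVE Hunting Made Easy / wordpress-audit-automation entry above describes a pipeline (list plugins, keep the recently updated ones, download, run Semgrep, store the output) but not how the pieces fit. The following is an added example written for this post, not the author's scripts: it filters a plugin listing to the last two years, builds the download and scan commands, and flattens Semgrep's JSON report into SQLite for triage. The plugin records and the Semgrep report are constructed; the real listing comes from https://api.wordpress.org/plugins/info/1.2/?action=query_plugins, and the last_updated timestamp format is the one the API returns at the time of writing.

```python
# Added example (not the CVE Hunting post's or wordpress-audit-automation's own
# code): a compact version of the mass-download-and-Semgrep pipeline. The plugin
# records and the Semgrep report below are constructed; the real plugin listing
# comes from https://api.wordpress.org/plugins/info/1.2/?action=query_plugins.
import json
import sqlite3
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed plugin records with the three query_plugins fields the pipeline
# needs. The last_updated format ("YYYY-MM-DD h:mmam/pm GMT") is the one the
# API returns at the time of writing; adjust parse_last_updated if it changes.
SAMPLE_PLUGINS = [
    {"slug": "fresh-forms", "last_updated": "2024-08-30 3:15pm GMT",
     "download_link": "https://downloads.wordpress.org/plugin/fresh-forms.1.2.zip"},
    {"slug": "abandoned-gallery", "last_updated": "2019-01-04 9:02am GMT",
     "download_link": "https://downloads.wordpress.org/plugin/abandoned-gallery.0.9.zip"},
]

# Constructed `semgrep --json` report with the fields we keep
# (results[].check_id, path, start.line, extra.severity, extra.message).
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [{
        "check_id": "php.lang.security.injection.tainted-sql-string",
        "path": "plugins/fresh-forms/includes/db.php",
        "start": {"line": 42},
        "extra": {"message": "User input flows into an SQL query", "severity": "ERROR"},
    }],
    "errors": [],
})

def parse_last_updated(value):
    """Parse the API's 'YYYY-MM-DD h:mmam/pm GMT' timestamp as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def recently_updated(plugins, now, max_age_days=730):
    """Keep plugins touched within max_age_days (two years by default)."""
    cutoff = now - timedelta(days=max_age_days)
    return [p for p in plugins if parse_last_updated(p["last_updated"]) >= cutoff]

def scan_commands(plugin, workdir="plugins", config="p/php"):
    """Commands to fetch, unpack and scan one plugin with the Semgrep PHP ruleset."""
    zip_path = f"{workdir}/{plugin['slug']}.zip"
    return [
        ["curl", "-sSL", "-o", zip_path, plugin["download_link"]],
        ["unzip", "-qo", zip_path, "-d", workdir],
        ["semgrep", "--config", config, "--json", "--quiet", f"{workdir}/{plugin['slug']}"],
    ]

def init_db(conn):
    conn.execute("""CREATE TABLE IF NOT EXISTS findings (
        slug TEXT, check_id TEXT, path TEXT, line INTEGER, severity TEXT, message TEXT)""")

def store_findings(conn, slug, semgrep_json):
    """Flatten one Semgrep JSON report into the findings table; returns rows stored."""
    rows = [(slug, r["check_id"], r["path"], r["start"]["line"],
             r["extra"]["severity"], r["extra"]["message"])
            for r in json.loads(semgrep_json)["results"]]
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def high_severity(conn):
    """The triage query: ERROR-level findings, which is where the CVE hunting starts."""
    return conn.execute("SELECT slug, path, line, check_id FROM findings "
                        "WHERE severity = 'ERROR' ORDER BY slug, path, line").fetchall()

def run_pipeline(plugins, now, conn, runner=subprocess.run):
    """Download, unpack and scan every recent plugin; returns the number of findings stored."""
    init_db(conn)
    total = 0
    for plugin in recently_updated(plugins, now):
        *fetch, scan = scan_commands(plugin)
        for cmd in fetch:
            runner(cmd, check=True)
        # Semgrep exits 0 even when it reports findings, so just read its stdout.
        report = runner(scan, capture_output=True, text=True)
        total += store_findings(conn, plugin["slug"], report.stdout)
    return total

def _offline_runner(cmd, **kwargs):
    """Stand-in for subprocess.run so run_sample works without network or Semgrep installed."""
    out = SAMPLE_SEMGREP_JSON if cmd[0] == "semgrep" else ""
    return subprocess.CompletedProcess(cmd, 0, stdout=out, stderr="")

def run_sample():
    """Run the pipeline over the constructed data; returns (scanned slugs, rows stored, triage rows)."""
    now = datetime(2024, 9, 9, tzinfo=timezone.utc)
    conn = sqlite3.connect(":memory:")
    scanned = [p["slug"] for p in recently_updated(SAMPLE_PLUGINS, now)]
    stored = run_pipeline(SAMPLE_PLUGINS, now, conn, runner=_offline_runner)
    return scanned, stored, high_severity(conn)
```

To run it for real, page through the query_plugins API into a list of records and call run_pipeline with the default runner; the SQLite table then answers the question the post starts from, which plugins have an ERROR-level finding from a taint rule, so the manual verification effort goes to the right places.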
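On the Exploiting Misconfigured GitLab OIDC AWS IAM Roles entry: the misconfiguration class is a role trust policy whose condition does not pin the token's sub claim tightly enough, so a pipeline in someone else's project (or any branch of the right project) can assume the role. The following is an added example, not code from that post: an audit of a trust policy for the loose conditions, plus a check of which token subjects a given policy would accept. All three policies are constructed. It assumes the standard AWS conventions for OIDC providers, condition keys of the form "<provider-host>:aud" and "<provider-host>:sub", and GitLab's sub claim format "project_path:<group>/<project>:ref_type:<branch|tag>:ref:<name>"; only StringEquals and StringLike conditions are evaluated.

```python
# Added example, not from the linked post: audit an IAM role trust policy for
# the loose GitLab OIDC conditions that make a role assumable from someone
# else's pipeline, and check which token subjects a policy would accept.
# All three policies are constructed. Assumed conventions (standard for AWS
# OIDC providers): condition keys "<provider-host>:aud" / "<provider-host>:sub",
# and a GitLab sub claim of the form
# "project_path:<group>/<project>:ref_type:<branch|tag>:ref:<name>".
import fnmatch
import json

def _policy(condition):
    """One Allow statement for sts:AssumeRoleWithWebIdentity via the gitlab.com provider."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]})

# Weak: only the audience is checked, so any gitlab.com project that mints a
# token with this aud can assume the role.
AUD_ONLY_POLICY = _policy({"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}})
# Weak: pinned to the group, but every project and every branch in it qualifies.
WILDCARD_POLICY = _policy({
    "StringEquals": {"gitlab.com:aud": "https://gitlab.com"},
    "StringLike": {"gitlab.com:sub": "project_path:acme/*:ref_type:branch:ref:*"}})
# Fixed: exact project and exact (protected) branch.
FIXED_POLICY = _policy({"StringEquals": {
    "gitlab.com:aud": "https://gitlab.com",
    "gitlab.com:sub": "project_path:acme/deploy:ref_type:branch:ref:main"}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _sub_fields(pattern):
    """Split 'project_path:G/P:ref_type:T:ref:R' into {'project_path': ..., 'ref_type': ..., 'ref': ...}."""
    parts = pattern.split(":")
    return {parts[i]: parts[i + 1] for i in range(0, len(parts) - 1, 2)}

def audit_trust_policy(policy_json, provider_host="gitlab.com"):
    """Return findings for each Allow statement on sts:AssumeRoleWithWebIdentity."""
    findings = []
    sub_key, aud_key = f"{provider_host}:sub", f"{provider_host}:aud"
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if aud_key not in equals:
            findings.append(f"statement {i}: audience not pinned with StringEquals on {aud_key}")
        patterns = _as_list(equals.get(sub_key, like.get(sub_key, [])))
        if not patterns:
            findings.append(f"statement {i}: no {sub_key} condition; any project on {provider_host} can assume the role")
        for pat in patterns:
            fields = _sub_fields(pat)
            if any(c in fields.get("project_path", "*") for c in "*?"):
                findings.append(f"statement {i}: project wildcard in sub pattern {pat!r}")
            if any(c in fields.get("ref_type", "*") + fields.get("ref", "*") for c in "*?"):
                findings.append(f"statement {i}: ref wildcard in sub pattern {pat!r}; any branch or tag can assume the role")
    return findings

def token_accepted(policy_json, sub, aud, provider_host="gitlab.com"):
    """Would a token with these sub/aud claims satisfy some Allow statement?
    Only StringEquals and StringLike are evaluated, which is all these policies use."""
    claims = {f"{provider_host}:sub": sub, f"{provider_host}:aud": aud}
    matchers = {"StringEquals": lambda value, pat: value == pat,
                "StringLike": fnmatch.fnmatchcase}  # IAM's * and ? behave like fnmatch here
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        satisfied = all(
            any(matchers[op](claims[key], p) for p in _as_list(pats))
            for op in matchers for key, pats in cond.get(op, {}).items() if key in claims)
        if satisfied:
            return True
    return False
```

Point token_accepted at a role's real trust document (aws iam get-role returns it under AssumeRolePolicyDocument) with a sub built from a project you control to see whether the role is reachable from outside the intended pipeline; the findings from audit_trust_policy say why.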
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.