Last Week in Security (LWiS) - 2024-09-23
0-click macOS RCE (@Turmio_), sudo iptables LPE (@suidpit + @smaury92), SkeletonCookie ☠️🍪 (@buffaloverflow), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-09-16 to 2024-09-23.
News
- Meet Dave: Discord's New End-to-End Encryption for Audio & Video - Notably absent: text chat encryption.
- [PDF] People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations - 🇨🇳 was rocking a botnet of 1.2 million compromises (385,000 unique in 🇺🇸 alone).
- D-Link WiFi router - Hidden Functionality - At what point does "hidden functionality" become a backdoor? Sure feels like "sending specific packets" is the same as "triggering the backdoor."
- Is Tor still safe to use? - The Tor project responds to the recent news about de-anonymizing Tor "Ricochet" users. The Tor project says the attack is not possible when using modern Tor services ("vanguards-lite" or the vanguards addon).
- Exposing The Flaw In Our Phone System - SS7 attacks have been known in the security community for a long time, but this is probably the biggest stage they have been shown on (Veritasium + Linus Tech Tips).
Techniques and Write-ups
- An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader - The use of a legitimate PDF reader with a DLL side-load is a clever way to deploy a backdoor. Getting the user to use the PDF reader feels a little clunky, but I'm sure with the right pretext many users will happily run it.
- Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS - This has to be one of the more complex vulnerability chains I've seen in a while. Zero click to get iCloud photos (or generic RCE) is impressive given the sandboxing and security features in macOS.
- AutoIt Credential Flusher - Forcing users to enter credentials so they can be stolen - "Stealer" malware (i.e. keyloggers with builtin exfiltration) are now opening browsers in kiosk mode and navigating to google to get users to enter their credentials (which are then stolen). As most users have never seen kiosk mode, they likely don't know how to get out of it which leaves them the option to input their credentials.
- The delayed import-table phantomDLL opportunities - While the post itself is interesting, I like it more because it doesn't work, but educates the reader throughout the process. A good reminder that we usually only read about successes, and its ok to publish dead ends.
- NTLM Relaying - Making the Old New Again - No new techniques, but a good referesher using modern tools for older attacks.
- Binary Ninja Plugin: fix-stomped-imports - When malware stomps their own PE header, it can make it difficult to reverse engineer, but the crew at Nettitude made a Binary Ninja plugin to reconstruct teh Import Address Table to see what API calls are being made. The tool is binja-fix-stomped-imports.
- A Journey From sudo iptables To Local Privilege Escalation - There are Windows LPEs and Linux kernel LPEs often, but this is a good old fashion Linux userland LPE.
- Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence - Hidden membership Administrative Units (AUs) allow attackers to maintain concealed privileges of Entra ID objects and protect their accounts with restricted management AUs. Support for these attacks has been added to stratus-red-team.
- Shellcode: Windows on ARM64/AArch64 - A good primer on Windows on ARM64 shellcode.
- Skeleton Cookie: Breaking into Safeguard with CVE-2024-45488 - "In this post, we crack open an authentication bypass vulnerability we discovered in the Safeguard for Privileged Passwords product. This vulnerability, assigned CVE-2024-45488, is internally known as “Skeleton Cookie”. We'll demonstrate how this vulnerability can be exploited to gain full administrative access to the virtual appliance. From there, an attacker can extract passwords and achieve Remote Code Execution."
- Using YouTube to steal your files - "a one-click clickjacking attack that chains a Google Slides YouTube embed path traversal to three separate redirects to gain editor access on a Drive file/folder."
- Exploiting Chamilo during a Red Team engagement - Exploiting an open-source app your client is running for initial access. Now that's a red team doing a real red team vs a pentest.
Tools and Exploits
- CVE-2024-7965 - This repository contains PoC for CVE-2024-7965. This is the vulnerability in the Chrome V8 that occurs only within ARM64.
- CVE-2024-40431-CVE-2022-25479-EOP-CHAIN - Local privilege Escalation for Windows that exploits the Realtek driver RtsPer.sys.
- Aggressor-NTFY - Cobalt Strike notifications via NTFY.
- gowitness 3.0 - A golang, web screenshot utility using Chrome Headless. The 3.0 update is a big one, with a new UI, new API, library support, reworked CLI, and more!
- CloudShovel - A tool for scanning public or private AMIs for sensitive files and secrets. The tool follows the research made on AWS CloudQuarry where we scanned 20k+ public AMIs.
- undocumented-aws-api-hunter - A tool to uncover undocumented APIs from the AWS Console.
- NyxInvoke - NyxInvoke is a Rust CLI tool for running .NET assemblies, PowerShell, and BOFs with Patchless AMSI and ETW bypass features. with Dual-build support.
- Announcing the Security Exceptions program pack 1.0 - "Every company establishes processes to identify security vulnerabilities, prioritize them, develop solutions, and, in some cases, strategically accept risk either temporarily or permanently. Security exceptions are closely tied to vulnerability management and involve escalating risks to the appropriate decision-makers, who determine whether delaying a fix or accepting the risk without addressing it is the right strategic decision. This release provides a simplified, repeatable process for managing exceptions."
- winacl - A Go library for working with Windows access control lists, security descriptors, and more.
- PPLrevenant - Bypass LSA protection using the BYODLL technique.
- c2-vulnerabilities - A few CVEs from open-source C2 frameworks. Don't expose your C2? Covenant, Havoc, Ninja, Shad0w, and sliver affected. Full writeup here.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- remotechrome - dump Chrome cookies remotely with atexec and CDP.
- BYOSI - Evade EDR's the simple way, by not touching any of the API's they hook.
- file-unpumper - Tool that can be used to trim useless things from a PE file such as the things a file pumper would add.
- atuin - ✨ Magical shell history.
- There - Track timezones 🌍.
- uff - unleashed ffuf.
- Simplifying XSS Detection with Nuclei - A New Approach - Nulcie with a new XSS detection engine!
- PolyDrop - A BYOSI (Bring-Your-Own-Script-Interpreter) Rapid Payload Deployment Toolkit.
- Damn-Vulnerable-Drone - Damn Vulnerable Drone is an intentionally vulnerable drone hacking simulator based on the popular ArduPilot/MAVLink architecture, providing a realistic environment for hands-on drone hacking.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.