Sep 30 2024 Last Week in Security (LWiS) - 2024-09-30

News

• Hurricane Helene barreled through a crucial chip mining area in North Carolina - If you want to make small die chips, it takes ultra-pure quartz, and that primarily comes from just two mines in western North Carolina that were hit hard by Hurricane Helene. Time will tell if the supply chain for quartz is disrupted. The storm also led to BSides Augusta being cancelled.
• Eliminating Memory Safety Vulnerabilities at the Source - Google says memory-safe languages prevent vulnerabilities, and now they have the data to prove it. Better start learning Rust!
• NIST's second draft of "SP 800-63-4" - "Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." 🥳

Techniques and Write-ups

• Attacking UNIX Systems via CUPS, Part I - A CVSS 9.9 caused quite a stir last week. Impressive that this service that listens globally hasn't gotten more attention before now. As it stands the many PoCs require the user to print from a malicious printer, but there may be ways to exploit this without user interaction. Ubuntu EC2 instances are affected thanks to snap.. There is a Nuclei template for it as well. The CUPS CVSS 9.9 story is not over yet.
• Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks - Using YARA and VirusTotal's Retrohunt feature, Check Point Research found 1,900 unique signed Windows drivers that probably have a local privilege escalation vulnerability. They checked one by hand an PoC'd the exploit. If you're in need of a CVE, it would seem there are 1,899 drivers just waiting to be exploited.
• Fuzzing confused dependencies with Depfuzzer - "This article explores package registries, the CLI tools used to interact with them, and their underlying mechanisms. We will then introduce DepFuzzer, a tool designed to automate the detection of dependency confusion vulnerabilities in package files."
• Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale - Dangling DNS records and hardcoded secrets are the results of fast-moving cloud service providers and, perhaps, a lack of accountability by the cloud service providers. This post also uses VirusTotal's Rerohunt feature to find secrets over the course of a few years. An impressive amount of domains and secrets were found.
• Broken Hill: A Productionized Greedy Coordinate Gradient Attack Tool for Use Against Large Language Models - More attacks on LLMs from Bishop Fox.
• Instrumenting an Apple Vision Pro Library with QBDI - Some advanced VisionOS reversing to get a library from the hedset to work on an M-series mac.
• Linux kernel Netfilter Use-After-Free leads to LPE - A Use-After-Free (UAF) in the netfilter component of Linux leads to a privilage escalation. PoC is here.
• [ROOTCON 18] Seeing is Not Believing: Bypassing Facial Liveness Detection by Fooling the Sensor - Most facial liveness detection is easily bypassed. With AI on the rise, this will only get easier.
• Kerberos IV - Delegations - Fourth part of a Kerberos series. This time, Lares touches on some delegation attacks.
• Detecting and Mitigating Active Directory Compromises - A list of some common exploitation vectors, how to detect them, and how to prevent them. Good write up!
• Xintra - .NET Crash Dump Analysis - Good walkthrough on DFIR analysis on a .NET crash dump. This is a write-up from Xintra.org training.
• 10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More - References of threat actors abusing DLL hijacks from products of the following vendors: NVIDIA, Microsoft, Oracle, and Citrix. Who's still abusing DLL hijacks on ops?
• Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation - Some say it's the near future of maldev - using a virtualization layer that executes encrypted bytecode sequentially.
• Probing Slack Workspaces for Authentication Information and other Treats - Some cool slack tradecraft. Check out the information leaked via unauthenticated means.
• CVE-2024-6769: Poisoning the Activation Cache to Elevate From Medium to High Integrity - Very detailed write-up on a local privilege escalation in Windows in two parts, from medium integrity to limited high integrity, and then from limited high to full Administrator. CVE-2024-6769 is the PoC.

Tools and Exploits

• CVE-2024-38200 - CVE-2024-38200 - Microsoft Office NTLMv2 Disclosure Vulnerability.
• Recursive-Loader - Code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released. tl;dr recursive loader, painful to reverse engineer.
• FaceDancer - FaceDancer is an exploitation tool aimed at creating hijackable, proxy-based DLLs by taking advantage of COM-based system DLL image loading.
• IllusiveFog - Windows Administrator level Implant. (Code looks rough and in PoC format so careful)
• NamelessC2 - A C2 with all its components written in Rust.
• Ghostwriter v4.3: SSO, JSON Fields, and Reporting with BloodHound - Always nice to see updates to a solid tool.
• elevator_decrypt_key.cpp - Unprotect the App-Bound Encryption Key via an RPC call to Google Chrome Elevation Service (PoC).
• Living Off The Land ESXi - List of binaries/scripts natively available in VMware ESXi that adversaries have utilized in their operations.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Binder Internals - Solid primer. The post discusses the inner workings of Android's Binder IPC system.
• Hacking Kia: Remotely Controlling Cars With Just a License Plate - "...allowed remote control over key functions using only a license plate." 🤯

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.