Last Week in Security (LWiS) - 2024-10-07

I-XRAY doxxing 🕶️ (@AnhPhuNguyen1 + @CaineArdayfio), TeamViewer LPE (@PedroGabaldon), C# source generators (@DragoQcc), ⏲️-based user enum (@nyxgeek), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-09-30 to 2024-10-07.

News

Techniques and Write-ups

  • StealC Malware Analysis - A three part series on reverse engineering a Windows malware sample from the StealC family, starting with the packed sample all the way to the recovery of all stages of the C2.
  • Finding TeamViewer 0days - Another three part series on finding a local privilege escalation vulnerability in TeamViewer for Windows. Part II, Part III, and the PoC are up as well.
  • A Monocle On Chronicles - Using Talkback Chronicles, and introducing a new Newsletter. - If you're reading LWiS you might enjoy this infosec news aggregator. While LWiS is 100% human curated and written, Talkback is fully automated.
  • The PrintNightmare is not Over Yet - Many "mitigations" to PrintNightmare are not enough to stop attackers who can use techniques like DNS spoofing to accomplish attacks. “There is no combination of mitigations that is equivalent to setting Restrict Driver Installation To Administrators to 1.”
  • Dotnet Source Generators in 2024 Part 1: Getting Started - "Source generators in .NET enable you to inspect user code and generate additional code on the fly based on that analysis. [...] you can generate hundreds of lines of code, helping to reduce boilerplate and repetitive code across your projects."
  • Global Threat Report - Elastic Security Labs gives their take and visibility into modern attacks. A lot of Linux tradecraft is explained, which isn't very common in similar reports. Pretty cool.
  • Kicking it Old-School with Time-Based Enumeration in Azure - @nyxgeek is rolling back the clock with this one. Another user-enumeration method, this time via time-based abuse of Basic Authentication.
  • When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying - It's always the fundamentals. How hijacked access keys can lead to the demise of your fancy AI application.
  • Hunting for M365 Password Spraying - For the defenders, this is almost a baseline tier detection at this point. Using AWS API Gateway, GitHub, and other third parties is becoming standard password spraying tradecraft. Once you identify it, what are your next steps?
  • Axis Camera APP takeover - The r-tec team saw this on a pentest and the PoC was no bueno so they decided to make it better and showcase impact to the client. Love to see it. Persisting in cameras/printers could be fruitful in most environments.
  • PARAnoia - How physical compromise can lead to compromising a domain-joined machine. Not 100% sure the conditions are easy to replicate but you decide as the reader. "Physical Access is Root Access".
  • Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) - PD with the Nuclei template for this 10.0. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents.

Tools and Exploits

  • fs_usage_ng - An attempt to make the fs_usage tool from Apple work better for my filesystem research.
  • CVE-2024-44193 - Hacking Windows through iTunes - Local Privilege Escalation 0-day.
  • Halberd - Halberd: Multi-Cloud Security Testing Tool to execute a comprehensive array of attack techniques across multiple surfaces via a simple web interface.
  • ax - AXIOM is out. AX is in. Control Your Infrastructure, Scale Your Scanning—On Your Terms. Easily distribute arbitrary binaries and scripts using any of our seven supported cloud providers.
  • SockFuzzer - SockFuzzer, originally designed as a networking-focused fuzzer for the XNU kernel (used in macOS and iOS), has evolved into a comprehensive kernel fuzzing framework.
  • RustiveDump - LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It supports XOR encryption and remote file transmission.
  • SharpExclusionFinder - Tool designed to find folder exclusions using Windows Defender using command line utility MpCmdRun.exe as a low privileged user, without relying on event logs.
  • EDRenum-BOF - Identify common EDR processes, directories, and services. Simple BOF of Invoke-EDRChecker.
  • KrbRelay-SMBServer - This KrbRelay version acts as an SMB server (instead of DCOM) to relay Kerberos AP-REQ to CIFS or HTTP. It's 90% based on @cube0x0's KrbRelay.
  • cred1py - A Python POC for CRED1 over SOCKS5. Test it out in your Ludus SCCM Lab.
  • WhoYouCalling - Records an executable's network activity into a Full Packet Capture file (.pcap) and much more.
  • noldr - Dynamically resolve API function addresses at runtime in a secure manner.
  • NetExec gains NFS support - A whole new world of share enumeration and looting just opened up.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • AADOutsider-py - Python3 rewrite of AsOutsider features of AADInternals.
  • activate-linux - The "Activate Windows" watermark ported to Linux.
  • dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.
  • Merklemap - Subdomain Search Engine: Uncover and Explore Subdomains with Ease.
  • MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.