Last Week in Security (LWiS) - 2024-11-18

Arc browser RCE (@RenwaX23), more Fortinet woes (@SinSinology), PowerHuntShares v2 (@_nullbind), make_token_cert (@freefirex2), BOFs without DFR (@netbiosX), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-12 to 2024-11-18.

News

Techniques and Write-ups

Tools and Exploits

  • KexecDDPlus is a Windows tool that relies on Server Silos to access the KsecDD driver directly, without having to inject code into LSASS. It can therefore operate even on systems where LSA Protection is enabled. For more details see Exploiting KsecDD through Server Silos.
  • tpm_sniffing_pin is a simple Python PoC to retrieve the BitLocker VMK through TPM sniffing when the user's PIN is known.
  • TokenCert is a C# tool that creates a network token (LogonType 9) from a provided certificate via PKINIT. This gives make-token functionality using certificates instead of passwords.
  • make_token_cert - A new BOF from TrustedSec to authenticate using only a .pfx file.
  • Moodle-Scanner - A Moodle scanner that identifies the version and its associated vulnerabilities.
  • Exploit-Street - A list of Windows LPE exploits (from 2023 onward).
  • linux_bof - ELF BOFs! This fork has a few more examples than the parent repo from Outflank.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • CVE-2024-30090 - Microsoft Streaming Service Elevation of Privilege Vulnerability PoC.
  • sequin is a small utility that can help you debug your CLIs and TUIs. It's also great for describing escape sequences you might not understand, and exploring what TUIs are doing under the hood.
  • up - Troubleshoot problems with your Internet connection based on different protocols and well-known public servers.
  • multi-agent-orchestrator - Flexible and powerful framework for managing multiple AI agents and handling complex conversations.
  • zizmor - A tool for finding security issues in GitHub Actions setups.
  • graphinder - 🕸️ Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce. 🕸️.
  • neohtop - 💪🏻 htop on steroids.
  • Tech Note - Okta Verify Bypass - Similar to Adam Chester's recent Okta research, the GitLab red team documents some of their experience with Okta.
  • TermHound - A comprehensive Active Directory security analysis tool that integrates with Neo4j to detect vulnerabilities, analyze attack paths, and identify security misconfigurations.
  • WebVM 2.0: A complete Linux Desktop Environment in the browser via WebAssembly - WebVM is a full Linux environment running in the browser, client-side. It has support for persistent data storage, networking, Xorg, and a complete desktop environment.
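As an added illustration of the class of problem a GitHub Actions auditor such as zizmor looks for, the stdlib-only script below checks a workflow for two well-known weaknesses: attacker-influenced expressions (issue titles, PR bodies, branch names, and so on) expanded directly inside a `run:` step, which is a shell injection, and third-party actions referenced by a mutable tag or branch instead of a full commit SHA. This is example code written for this post, not zizmor's implementation or its rule set; the two sample workflows, the list of untrusted contexts (partial), and the commit SHAs in the hardened version are constructed placeholders.

```python
"""Minimal checks for two common GitHub Actions workflow weaknesses:
expression injection in run: steps and unpinned third-party actions.
Example code only (not zizmor); it scans workflow text line by line
with regexes rather than parsing YAML, so it needs no extra packages."""
import re

# Expression contexts an outside party can influence. Partial, illustrative list.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")          # ${{ expression }}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")  # owner/repo@ref
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit pin


def _iter_run_lines(text):
    """Yield (line_no, line) for every line that is part of a run: step,
    including the body of a `run: |` block (tracked by indentation)."""
    block_indent = None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None           # block body ended
            else:
                yield no, line
                continue
        m = re.match(r"-?\s*run:\s*(.*)$", stripped)
        if m:
            yield no, line
            if m.group(1) in ("|", ">", "|-", ">-"):
                # the key sits two columns right of a leading "- "
                block_indent = indent + 2 if stripped.startswith("- ") else indent


def find_template_injection(text):
    """Return (line_no, expression) for untrusted expressions inside run: steps."""
    return [(no, expr)
            for no, line in _iter_run_lines(text)
            for expr in EXPR_RE.findall(line)
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS)]


def find_unpinned_uses(text):
    """Return (line_no, action, ref) for uses: lines not pinned to a 40-hex SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((no, m.group(1), m.group(2)))
    return findings


# Constructed sample: the title is interpolated straight into the shell,
# and both actions float on a tag/branch.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "done"
      - uses: some-org/some-action@main
"""

# Constructed fix: pass the value through an env var (the shell never sees the
# raw expression) and pin each action to a commit. SHAs are placeholders.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Echo title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
      - uses: some-org/some-action@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, "injection:", find_template_injection(wf))
        print(label, "unpinned:", find_unpinned_uses(wf))
```

Moving the expression into `env:` is the standard remediation because GitHub substitutes `${{ }}` into the script text before the shell runs it, whereas an environment variable is just data to the shell. The SHA check deliberately treats even first-party tags such as `actions/checkout@v4` as unpinned; whether to accept those is a policy choice.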

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.