Last Week in Security (LWiS) - 2024-11-25
Sitecore Exploit (@assetnote + @plopz0r), CI/CD CTF (@MagisterQuis), new Mythic agent (@silentwarble), cmake based win32 shellcode template (@ilove2pwn_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-11-18 to 2024-11-25.
News
- Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s Fast IDentity Online (FIDO) Implementation - A big win! If USDA can roll out FIDO multi-factor authentication that is phishing resistant, so can you!
- [PDF] Paged Out #5 - Your favorite new zine has a fresh issue out!
- 'FYI. A Warrant Isn’t Needed': Secret Service Says You Agreed To Be Tracked With Location Data - Your weekly reminder that the US still does not have a comprehensive data privacy law. At least in the EU they have to deploy spyware instead of just harvesting ad data.
- [PDF] Fortune 1000 at Risk: How we discovered 30,000 exposed APIs & 100,000 API issues in the world’s largest organizations - "Exposed" APIs aren't necessarily bad (how else would use use them?) but over 1,800 critical vulnerabilities including criticals, exposed dev instances, and secrets being leaked is bad.
Techniques and Write-ups
- LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) - These old school Qualys reports are always amazing. From the technical analysis to the song lyrics, it's the must read post of the week. I hope Qualys leadership continues to allow this kind of work, and to allow it to be published as a text file. Never change.
- Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization - These reports from CISA are always a great read. The CISA red team is doing real adversary emulation (90 day+ assessements) with no advanced notice to defenders (only "Trusted Agents" know about the assessment).
- Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - This is hopefully the last of the Palo Alto CVE news for a while, but these were the bugs discussed over the last two weeks and boy are they bad. The first allows you disable auth by sending a header asking auth to be disabled (yes, seriously). The second is basic command injection.
- Extracting Plaintext Credentials from Palo Alto Global Protect - Dump some potentially useful credentials out of memory on Windows with PanGP_Extractor.
- Relaying Kerberos Over SMB Using Krbrelayx - Without signing enabled, and with the ability to set DNS entries in an environment, you can in fact relay kerberos over SMB. Consider an environment where a vulnerable service only allows authentication via kerberos, and you have your use case.
- When Guardians Become Predators: How Malware Corrupts the Protectors - Another example of traitorware in action.
- From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities - More traitorware, this time with two exploits for the popular open source endpoint detection and response (EDR) Wazuh.
- Leveling Up Fuzzing: Finding more vulnerabilities with AI - Google uses LLMs to find real bugs. AI in cybersecurity isn't 100% hype.
- Azure Key Vault Tradecraft with BARK - As users move to the cloud, so will the attackers. BARK recently added some new functions to help attack the Azure Key Vault service.
- The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access - You may think your WiFi or other systems are only vulnerable to physical proximity attacks when an adversary visits in person, but Russia was attacking targets via compromised neighboring WiFi networks. Physical proximity attacks without the "physically being there" part.
- Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples - The Remote Apple Events (RAE) lateral movement technique was a new one to me.
- Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform - Windows licensing is done in the kernel, and there were flaws!
Tools and Exploits
Hannibal is a x64 Windows Agent written in fully position independent C (plus a tiny bit of C++). Details in Making Monsters - Part 1.
7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability - New initial access exploit?
Sitecore Exploit
- Leveraging An Order of Operations Bug to Achieve RCE in Sitecore 8.x - 10.x - Sitecore is a content management system/site builder; think WordPress or Adobe Experience Manager. It's used by some large companies for quick marketing sites (among other uses). It had some remote code execution vulnerabilities that were patched in August and disclosed last week.
- Arbitrary web root file read in Sitecore before v10.4.0 rev. 010422 - It's interesting to compare this with the previous as, "our analysis and attack vectors are actually slightly different [than Assetnote's]."
shellcode-template - A cmkr based win32 shellcode template for a unified build platform and more production friendly structure/testing.
wtrtdtmlb "Kinda realisticish CI/CD server" but without pointing fingers that trades realism for illustration. Use this to demonstrate/practice linux hacking. See the slides here.
WinDepends is a rewrite of the Dependency Walker utility which for a long time was a "must have" tool when it comes to Windows PE files analysis and building hierarchical tree diagram of all dependent modules.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The Elusive GoblinRAT - The Story Behind the Most Secretive and Mysterious Linux Backdoor Found in Government Infrastructures - Some pretty well done Linux tradecraft in Russia.
- patchright-python - Patchright is a patched and undetected version of the Playwright Testing and Automation Framework. It can be used as a drop-in replacement for Playwright.
- DefenderYara - Extracted Yara rules from Windows Defender mpavbase and mpasbase
- vmplex-ws - A modern, tabbed UI for Hyper-V.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.