Last Week in Security (LWiS) - 2024-12-09
Vuln finding with graphs (@two06), review of Postex kit (@_RastaMouse), OpenWRT firmware upgrade vuln (@ryotkak), iOS decompilation tool (@lauriewired), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-12-02 to 2024-12-09.
News
- U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack - "Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication" is not a sentence I would expect from the notoriously encryption-unfriendly FBI. To be fair, the quote is from Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), but the article says that Greene and "a senior FBI official who asked not to be named" both recommend using encryption.
- Beacon Object File (BOF) Development Course - The first on-demand course from TrustedSec; it looks like a good one-stop shop for BOF knowledge.
- LLMail-Inject: Adaptive Prompt Injection Challenge - Microsoft invites you to try your hand at prompt-injecting a simulated LLM-integrated email client. The goal is to get the assistant to execute commands that the email client's simulated "user" did not intend.
- Mitigating NTLM Relay Attacks by Default - Microsoft is enabling Extended Protection for Authentication (EPA) by default for Active Directory Certificate Services (AD CS) and for the Lightweight Directory Access Protocol (LDAP) service (channel binding), which is what stops NTLM relayed to those endpoints from being accepted. NTLM is now considered a legacy protocol and is being phased out. Get those relay attacks in while you can!
- Library of Leaks - Distributed Denial of Secrets (DDoSecrets), a non-profit whistleblower organization, is commemorating its sixth anniversary with the unveiling of a search engine: the Library of Leaks. This searchable database provides access to millions of documents from numerous leaks, with new entries being added daily.
Techniques and Write-ups
- Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day - A fun journey from CVE description to an arbitrary file read (a fresh 0day at the time of writing). Since it's watchTowr, of course there is a nice PoC: Mitel-MiCollab-Auth-Bypass_CVE-2024-41713.
- CSPT the Eval Villain Way! - Client-side path traversal (CSPT) can lead to cross-site request forgery (CSRF) (here is a refresher if you need it), and now there is a playground and a browser extension for experimenting with a vulnerable app.
- Extracting Account Connectivity Credentials (ACCs) from Symantec Management Agent (aka Altiris) - This kind of deep dive is what separates a real red team from a penetration test. When faced with a hardened client, the team at MDSec dug into software on the endpoint, challenged assumptions, and ended up with a sweet privilege escalation. They even shared the tool: evilaltiris.
- [PDF] Pwn2Own IoT 2024 - Lorex 2K Indoor Wi-Fi Security Camera - A very in-depth exploit-development whitepaper for an IoT device. Exploit: LorexExploit.
- Discovering a Deserialization Vulnerability in LINQPad - While the exploit itself is standard fare, the discovery method is the interesting part: mapping function calls into a graph database and querying it for the callers that reach a dangerous sink is a fresh approach to vulnerability identification.
- New dog, old tricks: DaMAgeCard attack targets memory directly through SD card reader - A great history of direct memory access (DMA) attacks and a new method that abuses the SD Express interface, which exposes PCIe through the card slot.
- Cobalt Strike Postex Kit - Another post from Rasta about a newer Cobalt Strike feature, the Postex kit, which lets you build your own post-exploitation reflective DLLs and communicate with them over named pipes.
- Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - The attended sysupgrade build server cached finished images under only the first 12 hex characters (48 bits) of a SHA-256 hash of the build request, which is small enough to brute-force a collision with a specific victim's request. Combined with a command injection in how package names were handled during the build, this allowed the build cache to be poisoned so that users requesting an upgrade for the same device could be served a malicious image. This was patched, and no malicious requests were found in the build logs.
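As an added illustration of the call-graph idea behind the LINQPad write-up (this is not code from the post or from LINQPad): a small caller-to-callee map stands in for the graph database, and a reverse breadth-first search walks from a deserialization sink back to the methods an attacker can reach. The method names, the sink list and the entry-point set are constructed for the example; the query itself is the general one, "which externally triggerable methods have a call path into this sink?"

```python
"""Reverse call-graph search: which reachable entry points lead to a dangerous sink?

Added example, not from the write-up. The call graph below is constructed; a real one
would be extracted from the assembly and loaded into a graph database, but the query
is the same: walk callers backwards from the sink until an externally reachable
method is hit, and report the path.
"""
from collections import deque
from typing import Dict, List, Set

# Constructed sample: caller -> set of callees (edges point in call direction).
CALL_GRAPH: Dict[str, Set[str]] = {
    "MainWindow.OpenFile": {"Serialization.LoadQuery"},
    "Serialization.LoadQuery": {"Serialization.ReadHeader", "Serialization.Deserialize"},
    "Serialization.ReadHeader": {"Stream.Read"},
    "Serialization.Deserialize": {"BinaryFormatter.Deserialize"},
    "Plugin.Init": {"Serialization.Deserialize"},   # nobody calls Plugin.Init: dead path
    "Settings.Load": {"XmlSerializer.Deserialize"},
    "Util.Log": {"Console.WriteLine"},
}

# Sinks: APIs that are dangerous when fed attacker-controlled bytes.
SINKS = {"BinaryFormatter.Deserialize", "XmlSerializer.Deserialize"}

# Entry points: methods an attacker can trigger with controlled input (assumed for the example).
ENTRY_POINTS = {"MainWindow.OpenFile", "Settings.Load", "Util.Log"}


def reverse_graph(graph: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the edges so 'who calls X?' is a dictionary lookup."""
    rev: Dict[str, Set[str]] = {}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev


def paths_to_sink(graph: Dict[str, Set[str]], sink: str, entry_points: Set[str]) -> List[List[str]]:
    """BFS from the sink through its callers; return every simple path entry -> ... -> sink."""
    rev = reverse_graph(graph)
    found: List[List[str]] = []
    queue = deque([(sink, [sink])])
    while queue:
        node, path = queue.popleft()
        if node in entry_points:
            found.append(list(reversed(path)))
        for caller in sorted(rev.get(node, ())):  # sorted for deterministic output
            if caller not in path:                 # simple paths only: no cycles
                queue.append((caller, path + [caller]))
    return found


def reachable_sinks(graph: Dict[str, Set[str]], sinks: Set[str],
                    entry_points: Set[str]) -> Dict[str, List[List[str]]]:
    """Map each sink to its attacker-reachable call paths; sinks with no path are dropped."""
    result: Dict[str, List[List[str]]] = {}
    for sink in sorted(sinks):
        paths = paths_to_sink(graph, sink, entry_points)
        if paths:
            result[sink] = paths
    return result


if __name__ == "__main__":
    for sink, paths in reachable_sinks(CALL_GRAPH, SINKS, ENTRY_POINTS).items():
        print(sink)
        for p in paths:
            print("   " + " -> ".join(p))
```

The point of inverting the graph is triage: `Plugin.Init` also calls into the deserializer, but nothing reaches it, so it never shows up as a path, while the `OpenFile` route is the one worth building a gadget chain for.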
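To show why a truncated hash makes a poor cache key, here is an added example (not code from the OpenWrt write-up or from the sysupgrade server) that models a build cache keyed on the first N hex characters of a SHA-256 over the request, computes the attacker's expected work for a given N, and then actually brute-forces a colliding request at a small N so the poisoning can be watched end to end. The request fields are constructed; the 12-character figure is the one the write-up reports, and the demo runs at 4 characters so it finishes in well under a second.

```python
"""Why a 48-bit cache key is not a cache key.

Added example, not code from the write-up or the server. A build cache reuses any
finished image whose request key matches; if the key is a truncated hash, an attacker
who can find a second request with the same key gets their image served to the victim.
"""
import hashlib
import json
import math
from typing import Dict, Optional


def request_key(request: Dict, hex_chars: int) -> str:
    """Cache key: the first hex_chars hex digits of SHA-256 over the canonicalized request."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:hex_chars]


def expected_work(hex_chars: int) -> Dict[str, int]:
    """Hash evaluations an attacker needs, on average, for the two collision flavours."""
    bits = 4 * hex_chars
    return {
        "bits": bits,
        # Hit one specific victim key (what cache poisoning needs): ~2^bits trials.
        "targeted": 2 ** bits,
        # Any two requests that collide with each other (birthday bound): ~sqrt(pi/2 * 2^bits).
        "birthday": int(math.sqrt(math.pi / 2 * 2 ** bits)),
    }


def find_colliding_request(target_key: str, base: Dict, hex_chars: int) -> Optional[Dict]:
    """Append a throwaway package name and vary it until the truncated key matches."""
    # 32x the keyspace keeps the loop bounded while making a miss astronomically
    # unlikely (p ~ e^-32); the expected number of tries is 16**hex_chars.
    for i in range(16 ** hex_chars * 32):
        candidate = dict(base)
        candidate["packages"] = base["packages"] + [f"pad{i}"]
        if request_key(candidate, hex_chars) == target_key:
            return candidate
    return None


class BuildCache:
    """A build server that reuses any finished image whose request key matches."""

    def __init__(self, hex_chars: int):
        self.hex_chars = hex_chars
        self.images: Dict[str, str] = {}

    def get_or_build(self, request: Dict) -> str:
        key = request_key(request, self.hex_chars)
        if key not in self.images:  # cache miss: "build" an image for this package list
            self.images[key] = "image[" + "+".join(request["packages"]) + "]"
        return self.images[key]


def poison_demo(hex_chars: int = 4) -> Dict[str, str]:
    """Attacker warms the cache first; the victim's later request gets the attacker's image."""
    victim = {"target": "ath79/generic", "profile": "router-x", "version": "23.05.5",
              "packages": ["luci"]}  # constructed request
    attacker_base = dict(victim, packages=["luci", "evil-pkg"])
    attacker = find_colliding_request(request_key(victim, hex_chars), attacker_base, hex_chars)
    assert attacker is not None
    cache = BuildCache(hex_chars)
    attacker_image = cache.get_or_build(attacker)
    victim_image = cache.get_or_build(victim)  # no build happens: the key is already present
    return {"attacker": attacker_image, "victim": victim_image}


if __name__ == "__main__":
    print(expected_work(12))   # 48 bits: 2^48 targeted, ~2.1e7 birthday
    print(poison_demo())
```

The number to look at is `targeted`: poisoning needs a collision with the victim's particular key, so the birthday bound does not help the attacker, but 2^48 SHA-256 evaluations is still GPU-hours, not a cryptographic margin. The fix is the obvious one: key the cache on the full digest (or, better, on the canonical request itself).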
Tools and Exploits
- snapinject_rs - A process-injection technique that uses process snapshotting, based on SnapLoader, rewritten in Rust.
- NativeBypassCredGuard - Bypass Credential Guard by patching WDigest.dll using only NTAPI functions. More info in the blog post.
- CryptDecryptMemory - A proof of concept that encrypts memory using CryptProtectMemory with the CRYPTPROTECTMEMORY_SAME_PROCESS flag, and then decrypts it without calling the API again. Must be run with SeDebugPrivilege. See the blog post for more details.
- superdeye - Indirect syscalls using the TartarusGate approach, in Go.
- QoL-BOFs - Curated list of public Beacon Object Files (BOFs), built in as submodules for easy cloning.
- Rusty-Telephone - Exfiltrate data over the audio output of remote desktop sessions; a covert-channel PoC.
- LexiCrypt - Shellcode encryptor using a substitution cipher with a randomly generated key.
- BootExecuteEDR - Boot Execute allows native applications (executables with the NtProcessStartup entry point and dependencies solely on ntdll.dll) to run before the Windows operating system has finished initializing, even before Windows services are launched. Historically, attackers have used this mechanism as a rudimentary persistence method. However, using this feature requires administrative privileges, both to modify the corresponding registry key and to place the executable in the %SystemRoot%\System32 directory.
- Malimite - iOS decompiler.
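Since BootExecute is as useful to a defender as to an attacker or an EDR, here is an added audit script (not code from BootExecuteEDR) that lists the REG_MULTI_SZ entries under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute and flags anything beyond the stock `autocheck autochk *`. The audit logic takes the entries as a list so it runs anywhere on a constructed sample; `read_boot_execute()` pulls the live value via `winreg` when run on Windows. Two assumptions are baked in: that the stock entry is the only expected one, and that for any other entry the first token names an image that should live in %SystemRoot%\System32, as the tool's README describes.

```python
"""Audit the Session Manager BootExecute value for non-default entries.

Added detection example, not code from BootExecuteEDR. The audit works on a plain list
of entries (constructed sample below) so it can run off-Windows; read_boot_execute()
reads the live registry value on Windows.
"""
import os
import sys
from typing import Dict, List, Optional

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "BootExecute"
# The stock entry on a clean install; assumption: nothing else is expected there.
DEFAULT_ENTRIES = {"autocheck autochk *"}


def read_boot_execute() -> Optional[List[str]]:
    """Live read of the REG_MULTI_SZ; returns None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, VALUE_NAME)  # REG_MULTI_SZ -> list of str
    return [entry for entry in value if entry]


def audit_boot_execute(entries: List[str], system32: Optional[str] = None) -> List[Dict]:
    """Classify each entry; non-default ones are resolved to the System32 image they name.

    Assumption: for a non-default entry the first whitespace token is the image name, and
    it must live in %SystemRoot%\\System32 (the README's placement rule). The stock
    autocheck entry is matched literally rather than resolved.
    """
    if system32 is None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    findings: List[Dict] = []
    for entry in entries:
        tokens = entry.split()
        if not tokens:
            continue
        finding = {"entry": entry, "default": entry in DEFAULT_ENTRIES, "image": None, "exists": None}
        if not finding["default"]:
            image = tokens[0] if tokens[0].lower().endswith(".exe") else tokens[0] + ".exe"
            path = os.path.join(system32, image)
            finding["image"] = path
            finding["exists"] = os.path.isfile(path)
        findings.append(finding)
    return findings


def suspicious(findings: List[Dict]) -> List[Dict]:
    """Everything that is not the stock entry deserves a look (signature, hash, file age)."""
    return [f for f in findings if not f["default"]]


if __name__ == "__main__":
    entries = read_boot_execute()
    if entries is None:
        # Constructed sample: the stock entry plus one persistence-style addition.
        entries = ["autocheck autochk *", "bootexecuteedr"]
    for f in suspicious(audit_boot_execute(entries)):
        print(f"non-default BootExecute entry: {f['entry']!r} -> {f['image']} (exists={f['exists']})")
```

On a real host, follow up each flagged image with an Authenticode check and a comparison against a known-good baseline; an entry whose image is missing from System32 is either leftover cruft or a planted entry waiting for its payload, and both are worth a ticket.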
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- SnafflerParser - Parses a Snaffler output file and generates beautified outputs.
- c_syscalls - Single-stub direct and indirect syscalling with runtime SSN resolving for Windows.
- EntraTokenAid - A pure PowerShell solution for Entra OAuth authentication, enabling easy retrieval of access and refresh tokens.
- PANIX - Customizable Linux Persistence Tool for Security Research and Detection Engineering.
- TJ-OPT - This repo contains a pentesting template used in PWK and for current assessments. The template has been formatted to be used in Obsidian.
- crxaminer - Examine Chrome extensions for security issues.
- WinDepends - Windows Dependencies.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.