Last Week in Security (LWiS) - 2024-12-16
LDAP RCE 😵, worst.fit (@orange_8361 + @_splitline_), Grok AI vulns (@wunderwuzzi23), automating exploits (@FuzzySec + @chompie1337), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-12-09 to 2024-12-16.
News
- A Partial Win for AI Red-Teaming from the Copyright Office - "Common AI research techniques do not violate DMCA Section 1201," where common techniques are: prompt injection, creating accounts to bypass bans, and bypassing rate limits. But don't worry, there's still the Computer Fraud and Abuse Act (CFAA) that will be thrown at researchers.
- BlackBerry sells Cylance for $160M, a fraction of the $1.4B it paid in 2018 - Cylance was one of the first "AI" powered endpoint detection vendors, but has struggled to stay relevant under BlackBerry. For their efforts, BlackBerry is taking a $1.24 billion hit on the deal vs the acquisition price in 2018.
- Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability - CVE-2024-49112 - We don't usually post a CVE without a blog post or proof of concept, but unauthenticated remote code execution on a Domain Controller is pretty wild. CVSS 9.8 tells you how serious it is. Someone even built a poc_monitor.
- 6 Day TLS Certificates coming from Let's Encrypt next year - Get those clocks in sync, and certificate systems automated! 90 day certificates will still be supported.
Techniques and Write-ups
- Forget PSEXEC: DCOM Upload & Execute Backdoor - This novel lateral movement technique uses only DCOM to write a DLL and execute it on a remote machine. There are limited requirements (both machines in the same domain/forest, etc), and I suspect this will go undetected for quite some time.
- Security ProbLLMs in xAI's Grok: A Deep Dive - AI security research is heating up, and Johann Rehberger keeps cranking out solid posts with detailed methodology.
- The Kernel Hacker's Guide to the Galaxy - Automating Exploit Engineering Workflows - Beyond the great case studies from two of the best researchers in the game, this is one of the best looking decks I've seen.
- The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit - From just crash logs to 6 exploits is impressive, especially when it was a third-party driver to blame. I wonder how much of Apple's move to launch its own modems in 2025 is security vs licensing/cost.
- Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623) - These "managed file transfer" (MFT) programs are in use by the biggest enterprises, but have shockingly little security research done against them, likely because they are hard to get your hands on (no trials or free versions, and very expensive). As this exploit is still unpatched and the details are out, if you even recognize the name Cleo you should start incident response.
- Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials - If you're testing tools off GitHub and not using a sandbox like Ludus, you're putting your customers at risk.
- Oasis Security Research Team Discovers Microsoft Azure MFA Bypass - Azure allowed time-based tokens to be valid for 3 minutes, not the 30 seconds they claimed. Add in the fact that there were no rate limits for guessing, and with 24 token requests that gives roughly a 50% chance of a correct guess. Microsoft now blocks attempts after a number of failures for around half a day.
- Snowy Days & The Malware Packing Ways - A post on packers/crypters. Plenty of theory, code snippets, and resources.
- From Informational to Critical: Chaining & Elevating Web Vulnerabilities - Some nice escalation of lower-severity vulnerabilities into a serious finding in web apps hosted on the same domain.
- Unveiling Hidden Transformers in Windows ANSI! - Awesome research by Orange Tsai & Splitline Huang, which also came with a list of all executables vulnerable to the WorstFit attack!
Tools and Exploits
- KrakenMask - Sleep obfuscation.
- RustSoliloquy - A Rust implementation of Internal-Monologue — retrieving NetNTLM hashes without touching LSASS, leveraging SSPI for NTLM negotiation and indirect NTAPIs for core operations.
- Shrike - Hunting and injecting RWX 'mockingjay' DLLs in pure nim
- Sickle - Payload development framework.
- burpference - A research project to add some brrrrrr to Burp.
- DCOMUploadExec - DCOM Lateral movement POC abusing the IMsiServer interface - uploads and executes a payload remotely.
- delepwn - DelePwn is a security assessment tool designed to identify and demonstrate the risks associated with Google Workspace Domain-Wide Delegation (DWD) misconfigurations in Google Cloud Platform (GCP) environments. This tool helps security professionals and administrators evaluate their organization's exposure to potential DWD-based attacks.
- Svartalfheim - Stage 0 Shellcode to Download a Remote Payload and Execute it in Memory.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- apache-vulnerability-testing - Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709.
- rustlualoader - Shellcode loader that executes embedded Lua from Rust.
- SmmInfect - The project aims to bring the capabilities of SMM x86-64(System Management Mode) to usermode through a backdoor.
- cinelog - Comprehensive logging of all terminal input and output for each session based on Asciinema and wild zsh + Python scripting.
- saladcat - A distributed hashcat implementation using Salad Cloud and Hashtopolis
- markitdown - Python tool for converting files and office documents to Markdown.
- pytune - Pytune is a post-exploitation tool for enrolling a fake device into Intune with multiple platform support.
- Evil-M5Core2 - Evil-M5Project is an innovative tool developed for ethical testing and exploration of WiFi networks. It's compatible with Cardputer, Atoms3, Fire, core2. You can scan, monitor, and interact with WiFi networks in a controlled environment. This project is designed for educational purposes, aiding in understanding network security and vulnerabilities.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.