Last Week in Security (LWiS) - 2025-01-27
0-click deanonymization (@hackermondev), Subaru hacks (@samwcyo + @infosec_au), 🍪 sandwitch (@d4d89704243), Entra Connect attacks (@hotnops), Kerberos relaying via HTTP (@croco_byte), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-01-20 to 2025-01-27.
News
- DHS Disbands Cyber Safety Review Board, Ending One of CISA's Few Bright Spots - Their Review of the Summer 2023 Microsoft Exchange Online Intrusion was not only thorough but also pretty scathing and led to real change. This disbanding comes as the board was in the middle of the Salt Typhoon telecom hack investigation.
- Announcing The Stargate Project - $500B promised and $100B "deploying immediately" for building new AI infrastructure for OpenAI in the United States. If only OpenAI was actually Open. A world where Oracle, whose founder said "omnipresent AI cameras will ensure good behavior", controls artificial general intelligence is a nightmare. Oracle's old headquarters were even used as Cyberdyne's headquarters (the creators of Skynet) in Terminator Genisys.
Techniques and Write-ups
- Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel - A must read this week. The 2FA bypass was particularly egregious (just delete the popup 🤣). Really makes you want to buy a 2006-vintage vehicle with none of this remote management. Note that STARLINK is the Subaru internet-connected car service, and is in no way related to the SpaceX satellite internet service.
- Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591 - I mean, at this point, shame on you if you're still running an SSL VPN? Just tear it out and use Tailscale? The risk of keeping an SSL VPN isn't worth that CISO salary (and will cause it to abruptly end). Another slam dunk by watchTowr, that comes with a PoC: fortios-auth-bypass-poc-CVE-2024-55591.
- Debugging An Undebuggable App - How to use lldb and a disassembler to get around some debug protections, including a forced crash, in an iOS app. The video walkthrough is expertly done and worth a watch even if you don't have much interest in iOS.
- Stealing HttpOnly cookies with the cookie sandwich technique - A combination of vulnerabilities (including XSS) allows Zakhar to leak the PHPSESSID of any visitor to a site.
- The J-Magic Show: Magic Packets And Where To Find Them - The addition of a challenge-response to the cd00r backdoor is interesting, but the self-signed certificates and lack of replay protection indicate its use by a mid-tier threat actor.
- Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms - Using a global CDN's cache to narrow down a user's physical location as they load content is brilliant.
- MasterCard DNS Error Went Unnoticed for Years - A one-letter mistake (akam.ne vs akam.net) could have led to serious issues. The Bugcrowd response was strange, as this wasn't even reported via Bugcrowd.
- Entra Connect Attacker Tradecraft: Part 2 - Hybrid environments (on-prem AD + Entra AD) present a lot of complicated connections, ripe for exploitation. This post explores how to add credentials to a user in another domain within the same Entra tenant given a sync account.
- CVE-2024-26230: Windows Telephony Service - It's Got Some Call-ing Issues (Elevation of Privilege) - While the vulnerabilities were patched in April and November of 2024, the post walks through exploitation and provides a PoC.
- SUSCTL (CVE-2024-54507) - "This bug is a neat example of how difficult kernel programming can be. Even the most seemingly innocuous loads can be deadly. Even though the authors were careful to prevent integer overflows, information leakage was still possible due to the initial 4-byte load." PoC: CVE-2024-54507 - An integer type confusion in XNU.
- Offensive CGO - An ELF Loader - A mostly working ELF loader for Go (fails to capture output).
- Abusing Multicast Poisoning for Pre-Authenticated Kerberos Relay Over HTTP With Responder and Krbrelayx - If you are in the multicast domain of a target that does not support signing and sealing for Kerberos authentication over HTTP (i.e. ADCS Web Enrollment, SCCM Management Point, or SCCM Distribution Point), you can now spoof an LLMNR response to achieve Kerberos relaying via HTTP. This was discovered by James Forshaw and reported in LWiS 2021-10-27, but @croco_byte has added support to Responder and Krbrelayx.
- Clone2Leak: Your Git Credentials Belong To Us - A number of issues with Git and Git tools related to text parsing and newline injection.
Tools and Exploits
- WinVisor - A hypervisor-based emulator for Windows x64 user-mode executables using the Windows Hypervisor Platform API. Full write-up here: WinVisor.
- 7-Zip-CVE-2025-0411-POC - This repository contains POC scenarios as part of CVE-2025-0411 MotW bypass.
- Draugr - BOF with Synthetic Stackframe.
- gitC2 is a simple C2 POC that leverages a GitHub repository for executing commands through issues.
- OdinLdr - Cobaltstrike Reflective Loader with Synthetic Stackframe.
- speedloader - Rust template/library for implementing your own COFF loader.
- slinger - An impacket-lite cli tool that combines many useful impacket functions using a single session.
- rpeloader - Use Python on Windows with full submodule support without installation.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024-54887 - A nice MIPS buffer overflow with ROP.
- So You Want To Work in Cyber Security? - The most complete write-up on how to get into cybersecurity I've seen in a long time.
- AuthStager is a proof-of-concept tool that generates a custom stager shellcode that authenticates to the stager server using an authentication token. The server validates client requests before sending the second stage, enhancing security in the staging process. The detailed information regarding this project is explained in this blog post: Stage, But Verify.
- APEX - Azure Post Exploitation Framework.
- CS-Aggressor-Kit - Homemade Aggressor scripts kit for Cobalt Strike.
- Changes to SMB Signing Enforcement Defaults in Windows 24H2 - Are you still profiting from NTLM-based attacks? Yeah same here. But apparently things will change? Eventually?
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.