Last Week in Security (LWiS) - 2025-03-03
Ligolo-MP (@ttpreport), Bybit hack via CI (@adnanthekhan), FindGPPPasswords (@podalirius_), ComDotNetExploit (@T3nb3w), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-02-25 to 2025-03-03.
News
- (Not So) Safe{Wallet}: GitHub Actions Risks Impacting Safe’s Frontend - The record-setting cryptocurrency theft from last week may come down to a complex continuous integration/continuous deployment abuse originating from a compromised developer's workstation.
- UK Demanded Apple Add a Backdoor to iCloud - A good argument against the UK backdoor of iCloud.
- Tech Note - Malicious browser extensions impacting at least 3.2 million users - The browser is the new OS, and it's getting attacked.
Techniques and Write-ups
- Ligolo-MP 2.0: automagic & GUI - New ligolo-NG alternative with a GUI. The "Effortless multiplayer setup" looks pretty cool.
- Understanding Deferred Procedure Calls (DPCs) for Windows Vulnerability Research & Exploit Development - When listening to a podcast leads to interesting Windows internals research. Deferred Procedure Calls (DPCs) are not a common topic in the infosec community. Good read.
- Taking the Relaying Capabilities of Multicast Poisoning to the Next Level: Tricking Windows SMB Clients Into Falling Back to Webdav - With more and more organizations enforcing SMB signing, which prevents relaying, being able to get a client to fall back to WebDAV opens up new possibilities for relaying attacks in Windows networks.
- The Key to COMpromise - Writing to the Registry (again), Part 4 - The final installment of this excellent series focuses on getting SYSTEM from Bitdefender Total Security and how to use COM for denial of service attacks against security software.
- Bypassing AMSI and Evading AV Detection with SpecterInsight - Padding with legitimate scripts is a technique not often discussed but quite effective.
- Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China - "We present Wallbleed, a buffer over-read vulnerability that existed in the DNS injection subsystem of the Great Firewall of China. Wallbleed caused certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query. It afforded a rare insight into one of the Great Firewall’s well-known network attacks, namely DNS injection, in terms of its internal architecture and the censor’s operational behaviors." A rare look behind the curtain.
- Bypass AMSI in 2025 - This post will shed some light on what's behind AMSI and how you can still effectively bypass it - more than four years later.
- How to gain code execution on millions of people and hundreds of popular apps - Firebase permissions strike again. When a product is so hard to get right, perhaps it's the product's fault.
Tools and Exploits
- Clio - Logging tool intended for red team usage.
- penflow - 🎯 Visualize Your Security Testing & Analysis Journey.
- baby-naptime - A very simple open source implementation of Google's Project Naptime.
- WhatsAppKeyBOF - A BOF to retrieve decryption keys for WhatsApp Desktop and a utility script to decrypt the databases.
- PowerShell-Hunter - PowerShell tools to help defenders hunt smarter, hunt harder.
- ComDotNetExploit - A C++ proof of concept demonstrating the exploitation of Windows Protected Process Light (PPL) by leveraging COM-to-.NET redirection and reflection techniques for code injection. This PoC showcases bypassing code integrity checks and loading malicious payloads in highly protected processes such as LSASS. Based on research from James Forshaw.
- k8s_spoofilizer - Creates Kubernetes Golden Tickets through ServiceAccount token forging and user certificate forging. Read more at: Kubernetes Golden Tickets
- titryes - Run Dockerized web browsers from other operating systems on Linux.
- webcap - An ultra lightweight web screenshot tool with advanced DOM analysis features.
- FindGPPPasswords - A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- yProbe - Kubernetes YAML Manifest Sanity Checker
- Mitogen for Ansible - Mitogen for Ansible is a completely redesigned UNIX connection layer and module runtime for Ansible.
- Interview Coder - An invisible AI to solve any coding problem.
- How do Graphics Cards Work? Exploring GPU Architecture - Very well done video breaking down what a graphics card is at the physical level.
- WebSocketChecker - Burp suite extension to find sensitive information by checking incoming text OR binary websocket messages.
- mmar - mmar is a zero-dependency, self-hostable, cross-platform HTTP tunnel that exposes your localhost to the world on a public URL. Written in Go.
- Conversational voice demo - This demo is worth giving microphone access for. AI is getting really close to "Her" levels. Imagine this but backed by GPT4.5.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.