Last Week in Security - 2024-07-01
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
Virginia Applicants:
Available opportunities: Land and Expeditionary Warfare Specialist, Cyber Warfare Threat Analyst, and Cyber Network Operator.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-06-24 to 2024-07-01.
News
Chemical facilities warned of possible data theft in CISA CSAT breach - Chemical facilities have been warned of possible data theft in a breach of CISA's Chemical Security Assessment Tool (CSAT). Hackers deployed a webshell on CISA's Ivanti device, potentially exposing sensitive security assessments.
High-severity vulnerabilities affect a wide range of Asus router models - Asus has released patches for high-severity vulnerabilities affecting a wide range of router models that allow hackers to remotely take control without authentication. The most critical vulnerability allows remote attackers to log in without authentication, while a second vulnerability allows hackers with administrative access to execute commands. A third vulnerability affects various Asus router models, including some that are no longer supported, prompting the Taiwan Computer Emergency Response Team to advise owners to replace them. ASUS recommends users regularly update firmware, set strong passwords, and disable services that can be accessed from the internet to prevent exploitation of these vulnerabilities.
Polyfill supply chain attack hits 100K+ sites - A Polyfill supply chain attack has affected over 100,000 websites, with a Chinese owner injecting malware into the popular Polyfill JS project. Updates have been made to mitigate the attack, and users are urged to remove any references to polyfill.io in their code. The malicious code redirects mobile users to a sports betting site and has specific protections against reverse engineering. Sansec recommends not using Polyfill anymore and offers alternatives. This incident highlights the dangers of supply chain attacks in the digital supply chain.
Stop Using cdn.polyfill.io Now - Recent security concerns have arisen with the use of cdn.polyfill.io, as the domain was sold to a Chinese company, potentially leading to tampered JavaScript files being served. Users may unknowingly include malicious code on their websites by continuing to use this service. To defend against such supply chain attacks, it is recommended to host your own version of polyfills or avoid using third-party packages altogether. Including the integrity attribute in script tags can provide some defense, but for dynamic content like polyfills, it may not be sufficient.
Snowflake isn’t an outlier, it’s the canary in the coal mine - The article discusses how stolen credentials for the Snowflake cloud data platform were used by attackers to infiltrate accounts and steal sensitive information, highlighting the larger shift in the threat landscape focusing on identity. Infostealers are identified as a major source of compromised credentials, with criminals organizing widely distributed campaigns to sell thousands of credentials to the highest bidder. The importance of protecting data with multi-factor authentication and acting quickly to remediate infostealer infections is emphasized as defenders need to secure critical data housed in SaaS applications.
Google disrupted over 10,000 instances of DRAGONBRIDGE activity in Q1 2024 - Google's Threat Analysis Group (TAG) has disrupted over 10,000 instances of DRAGONBRIDGE spam activity linked to the People's Republic of China in Q1 2024. Despite low engagement on platforms like YouTube and Blogger, DRAGONBRIDGE continues to produce a high volume of content targeting Chinese speakers and occasionally featuring pro-PRC views on current events. The group uses AI-generated content and social media platforms to push narratives critical of the US, Taiwan, and other major news events. Google is actively monitoring and disrupting DRAGONBRIDGE's activity to prevent the spread of inauthentic information.
LockBit lied: Stolen data is from a bank, not US Federal Reserve - LockBit falsely claimed to have stolen data from the US Federal Reserve when it actually targeted an individual bank, Evolve Bank & Trust. The ransomware group leaked the stolen data and demanded a ransom, but law enforcement has taken action against them earlier this year. Evolve Bank & Trust confirmed the breach and is providing affected customers with credit monitoring and identity theft protection services. The ransomware operator's misleading claims are seen as a desperate attempt to stay relevant, as they have faced difficulties after law enforcement actions.
Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins - A supply chain attack on WordPress.org plugins resulted in five maliciously compromised WordPress plugins. The malware injected into the plugins attempts to create new administrative user accounts and sends details back to an attacker-controlled server. While the plugins have been delisted, users are advised to update to the patched versions or remove the plugins immediately. The Wordfence Threat Intelligence team is actively working on malware signatures to provide detection for the compromised plugins and recommends conducting a thorough investigation and clean if any infected plugins were installed on a site.
TeamViewer says Russia broke into its corp IT network - TeamViewer confirmed that Russian intelligence infiltrated its corporate IT network using a worker's login. The attack was attributed to the Cozy Bear cyber-spies, also known as APT29 and Midnight Blizzard, who have previously targeted Microsoft and SolarWinds. TeamViewer reassured customers that the breach was limited to their internal corporate IT environment and did not affect customer data or their product environment.
Driving licences and other official documents leaked by authentication service used by Uber, TikTok, X, and more - An Israeli authentication company, AU10TIX, had administration credentials exposed online, potentially allowing access to user identity documents like driving licenses. Major customers of AU10TIX include Uber, TikTok, and others. The exposed credentials led to a platform containing personal data of individuals who uploaded documents to prove their identity. The company stated they are no longer using the system and have not found evidence of data exploitation.
Google cuts ties with Entrust in Chrome over trust issues - Google is ending its trust in Entrust due to compliance and improvement failures, leading to Entrust's certificates no longer being trusted by default in the Chrome browser starting in November. This decision follows a series of incident reports concerning Entrust's behavior. Website owners using Entrust certificates will need to find a new Certificate Authority before the November cutoff to avoid Chrome displaying a warning page designating their site as unsafe.
U.S. indicts Russian GRU hacker, offers $10 million reward - The U.S. indicted a Russian GRU hacker, Amin Timovich Stigal, for cyberattacks on Ukrainian government networks. Stigal used a U.S.-based company to distribute ransomware that destroyed data, exfiltrated sensitive information, and instilled fear in Ukraine. The Department of Justice announced a $10 million reward for information leading to Stigal's arrest.
Techniques and Write-ups
XZ backdoor: Hook analysis - The XZ backdoor behavior inside OpenSSH is analyzed, focusing on its functionality in version 9.7p1. The backdoor has features such as anti-replay to avoid detection, custom steganography to hide the public key, log hiding capabilities, and the ability to bypass SSH authentication and execute remote commands. The attacker must generate a specific RSA key to interact with the backdoored server, with the key being used to execute commands.
Prototype Pollution: A Deep-Dive - NetSPI has acquired Hubble to enhance asset visibility and attack surface management. The Ultimate Guide to Prototype Pollution explains how attackers can control unexpected variables in JavaScript to exploit vulnerabilities. This vulnerability can lead to Cross-Site Scripting and Remote Code Execution. The guide also provides information on identifying and exploiting prototype pollution sources and gadgets, along with dynamic approaches for finding and exploiting these vulnerabilities.
plORMbing your Django ORM - The article discusses vulnerabilities in Object Relational Mappers (ORMs) with a focus on attacking the Django ORM to leak sensitive data. It covers the introduction to ORM Leak vulnerabilities, conditions required for exploitation, and examples of attacks using relational filtering. Various attack methodologies, including exploiting many-to-many relationships and using Django's built-in models, are discussed. Additionally, the article demonstrates error-based leaking via ReDoS payloads. The conclusion emphasizes the importance of validating user inputs to prevent ORM leaks and hints at upcoming articles focusing on different ORMs and new attack methods.
My iOS Web Hacking Setup - Surge, Termius, and Caido - The author, a part-time bug bounty hunter, has developed an efficient workflow for web hacking on iOS devices using Surge, Termius, and Caido. They proxy traffic from iOS devices using Surge and upstream to Caido through an SSH tunnel with Termius. They recommend setting up Caido on a VPS, such as an AWS EC2 instance, for efficient traffic monitoring and modification. The setup involves downloading and configuring the necessary tools on both the VPS and iOS devices to enable seamless testing and analysis of web traffic.
Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations - Wiz Research discovered a Remote Code Execution vulnerability in the Ollama AI Infrastructure project, dubbed Probllama (CVE-2024-37032), which allows attackers to take over self-hosted AI inference servers. The vulnerability was responsibly disclosed to Ollama's maintainers, who released a patched version (0.1.34) for users to upgrade. It is advised not to expose Ollama to the internet without proper authentication mechanisms, such as a reverse proxy. The responsible disclosure timeline shows Ollama's prompt response to fixing the issue.
Tracking QILIN Ransomware Group - The blog discusses the Qilin Ransomware-as-a-Service, a Russian cybercriminal threat group that has been active since May 2022. They use domain-wide encryption of servers and workstations and engage in double extortion, demanding ransom for decryption keys and to prevent the publication of stolen data. Affiliates can receive up to 80-85% of the ransom paid by victims, with targets globally dispersed and including notable organizations like BMW and the UK National Health Service. The post also highlights overlaps with other ransomware groups and the potential for Qilin to fill the void left by other shutdown RaaS.
Auth Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806) - The vulnerability CVE-2024-5806 allows for an authentication bypass and impersonation of arbitrary users in Progress MOVEit Transfer. An attacker can upload a public key to the server using a file path, bypass authentication, and access sensitive data. The vulnerability was discovered through code review and can be mitigated by patching the system. Progress has been reaching out to customers to ensure patching of affected systems. Continuous security testing and monitoring are recommended to prevent exploitation of such critical vulnerabilities.
Looking for vulnerabilities in Strapi (CVE-2024-34065) - Two vulnerabilities were discovered in Strapi, an open source content management system, during a black-box audit. These vulnerabilities allowed authentication to be bypassed by chaining them together. The first bug was an Open Redirect and the second vulnerability involved transmitting authentication secrets in the URL. The vulnerabilities were reported to the Strapi team and have been fixed.
I Will Make you Phishers of Men - The article discusses how to be successful in phishing campaigns by targeting quality over quantity, using highly targeted pretexts, and appealing to curiosity, fear, altruism, hunger, greed, and internal trust. It provides examples of effective phishing techniques, such as spoofing messages from trusted sources and bypassing warning banners. The author emphasizes the importance of personalizing and customizing phishing emails to achieve high click-through rates.
JpGraph Professional Version - Pre-Authenticated Remote Code Execution - The JpGraph Professional Version includes a demo application that allows unauthenticated users to write arbitrary data to files with arbitrary extensions, leading to remote code execution. This vulnerability is exploited through the QR Code feature in the demo application. An attacker can use a specially crafted request to execute arbitrary code on the server. There is currently no official patch available, and users are advised to delete the demo application folder in the JpGraph tree to mitigate the risk.
Attack(ing) Surface Reduction – Part 1 - In this article, the concept of Attack Surface Reduction (ASR) is explored, focusing on the use of PsExec tool to bypass ASR rules. PsExec is a legitimate tool that can be misused by attackers for malicious activities. ASR operates using Lua scripts to block processes originating from PsExec and WMI commands. By changing the name and location of the service dropped by PsExec, attackers can bypass ASR rules and gain SYSTEM access without triggering the block rule. This demonstrates how attackers can innovate to circumvent defensive techniques despite ASR protections.
Explorations into Wi-Fi6/E - The article discusses the new Wi-Fi standards, particularly Wi-Fi 6 and Wi-Fi 6E, which introduce the 6 GHz band. It explains the importance of using proper equipment, such as the Alfa AWUS036AXML adapter, to work with Wi-Fi 6E networks. The article also provides instructions on setting up and using the adapter in monitor mode to capture and analyze packets. Additionally, it covers aspects such as robust security networks, management frame protection, and the High-Efficiency PHY of Wi-Fi 6/E. The author hints at upcoming topics like wardriving and configuring tools to monitor wireless networks.
Inside Xerox WorkCentre: Two Unauthenticated RCEs - The article discusses two unauthenticated Remote Code Execution (RCE) vulnerabilities found in Xerox WorkCentre printers. The first vulnerability was patched in 2016 but was rediscovered in 2020, while the second vulnerability was identified in 2023 and promptly reported to Xerox. The article also highlights the importance of updating firmware, securing devices with strong passwords, and isolating printers in local networks to prevent potential attacks. Additionally, the article mentions privilege escalation and accessing external USB devices on Xerox WorkCentre.
Putting the C2 in C2loudflare - The article discusses how to set up a C2 infrastructure using Azure Snapshots, Cloudflare, and Tmux Resurrect within 5 minutes. The process involves creating a VM from a saved snapshot, using Cloudflare workers, apps, and tunnels, and setting up a Cloudflare worker to redirect requests to the desired location on a cloud VM. The article provides detailed instructions and screenshots on configuring Cloudflare, setting up worker code, adding zero trust policies, and securing tunnel entrances with Cloudflare applications. The setup aims to streamline red team infrastructure creation and enhance efficiency.
Zip Slip meets Artifactory: A Bug Bounty Story - The blog post discusses a Zip Slip vulnerability discovered in JFrog Artifactory, a software repository manager, and reported through a Bug Bounty Program. The vulnerability could be exploited to write arbitrary files on the remote web server, potentially leading to Remote Code Execution attacks. The post provides details on the vulnerability, steps to exploit it, and the Proof of Concept. The author received a bounty for reporting the vulnerability and also presented the story at a public event. The post emphasizes the importance of addressing security vulnerabilities like Zip Slip to prevent unauthorized access and attacks.
Why nested deserialization is harmful: Magento XXE (CVE-2024-34102) - Magento XXE (CVE-2024-34102) highlighted a critical XML entity injection issue, showcasing the dangers of nested deserialization. This vulnerability allowed for exfiltration of sensitive files, RCE exploits, and broader impacts of XXE. The exploitability was demonstrated by the security research team, emphasizing the importance of understanding and mitigating such vulnerabilities. It underlines the significance of peer review in emergency hotfixes and the need for disclosing technical details for industry-wide security improvement.
IDOR: A complete guide to exploiting advanced IDOR vulnerabilities - IDOR vulnerabilities, or insecure direct object reference vulnerabilities, are common in web applications and APIs and can lead to the exposure of sensitive data or unauthorized modifications. This guide covers how to identify and exploit different types of IDOR vulnerabilities, including basic IDORs, parameter pollution, JSON globbing, method-based IDORs, content-type-based IDORs, depreciated API versions, static keywords, unpredictable IDs, and second-order IDOR vulnerabilities. By understanding these techniques, bug bounty hunters can effectively search for and exploit IDOR vulnerabilities to potentially earn higher bounties.
The Windows Registry Adventure #3: Learning resources - In this blog post, Mateusz Jurczyk from the Project Zero team at Google discusses his approach to gathering information and learning about new vulnerability research targets, specifically focusing on the Windows Registry. He emphasizes the importance of exploring various resources such as official documentation, academic papers, debug builds of Windows, and tools like ProcMon and WinDbg for in-depth analysis. The post provides detailed examples of how these tools can be used to investigate the inner workings of the Windows Registry and understand its components. Overall, the post serves as a comprehensive guide for researchers looking to delve into the intricacies of the Windows Registry for security research purposes.
Introducing SlackEnum: A User Enumeration Tool for Slack - SlackEnum is a user enumeration tool for Slack developed by Black Hills Information Security. It allows attackers to identify Slack users within an organization, even if they do not have an official Slack subscription. The tool bypasses Slack's rate-limiting controls by using multiple Slack accounts to spread out requests. Users can create multiple Slack accounts using a domain and email forwarding service, and the tool automates the user enumeration process by using user-configured settings and Slack IDs. The tool runs in a loop, cycling through Slack IDs to find valid Slack accounts linked to email addresses.
Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties - The blog post discusses how an object corruption bug in v8, the JavaScript engine of Chrome, allows remote code execution (RCE) in the renderer sandbox of Chrome by visiting a malicious site. The post explores two specific bugs (CVE-2024-3833 and CVE-2024-3832) that were fixed in Chrome. It demonstrates how the bug allows for the creation of duplicate properties in a v8 object, leading to exploitable security issues. Through a detailed technical explanation, the post outlines steps to take advantage of the bug and achieve code execution by manipulating object properties and memory access. The post also mentions a sandbox escape technique using WebAssembly imported functions to gain code execution.
Hacking for Defenders: approaches to DARPA’s AI Cyber Challenge - Google's online security blog discusses approaches to DARPA's AI Cyber Challenge, which focuses on designing new AI systems to secure open source projects crucial to infrastructure. Google's OSS-Fuzz and Security Engineering teams are assisting in designing challenges and playtesting a Cyber Reasoning System (CRS) for the competition. The blog highlights the potential of using AI to improve fuzz testing and vulnerability patching, pointing out areas for competitors to explore. The post concludes by emphasizing the importance of collaboration to advance security using AI tools and integrating innovations into OSS-Fuzz for the benefit of the open source ecosystem.
Perma-Vuln: D-Link DIR-859, CVE-2024-0769 - GreyNoise Labs discovered a vulnerability, CVE-2024-0769, affecting D-Link DIR-859 WiFi routers that allows for information disclosure. The product is End-of-Life (EOL) and will not receive a patch. A payload exploiting this vulnerability was found in the wild, collecting account information from users of the device.
GitHub Actions exploitation - CI/CD systems like GitHub Actions are popular for automating tasks in software development. However, vulnerabilities in GitHub Actions can be exploited by attackers to execute arbitrary code and access sensitive data. This series of articles will explore the mechanics of GitHub Actions and highlight critical misconfigurations that can lead to security issues. These vulnerabilities can be exploited by external attackers, even without being contributors to the targeted project, and can result in serious consequences such as data leaks or supply chain attacks. It is important for developers to be aware of these vulnerabilities and secure their CI/CD environments to prevent exploitation.
WWDMD – What Would Dade Murphy Do? – Reconnaissance & Intelligence Collection for External Penetration Tests - The passage discusses the significance of storytelling in building connections and relationships among people. It emphasizes the role of storytelling in creating empathy, understanding, and mutual respect. The author suggests that sharing personal stories can help bridge differences and foster a sense of community and belonging among individuals.
Reverse Engineering a Smartwatch - The author reverse engineered a smartwatch with geolocating capabilities that were being mothballed after a trial, sharing the process in detail. The smartwatch had a main IC, WiFi chip, and cellular IC, which allowed for urban triangulation. By accessing the exposed programming pins on the watch's face and patching the firmware to change the IP address and port, the author was able to repurpose the watch successfully.
Dissecting Real World Help Desk Social Engineering Attacks - Obsidian Security discusses the growing threat of help desk social engineering attacks, which exploit human vulnerability to gain unauthorized access to systems. These attacks target high-profile users and involve tactics such as password resets and MFA device updates. Organizations can defend against these attacks by providing regular training, implementing stringent verification procedures, encouraging incident reporting, monitoring for suspicious activities, and ensuring secure configurations of SaaS applications. Obsidian Security offers solutions to detect, prevent, and respond to help desk social engineering threats and other SaaS threats.
Malware development trick 41: Stealing data via legit VirusTotal API. Simple C example. - This post discusses a malware development trick involving stealing data using the legitimate VirusTotal API with a simple C example. The concept involves sending system information as a comment to a file on VirusTotal. The post includes the source code for implementing this functionality and demonstrates how it can be used to steal information from a victim's computer.
Multiple vulnerabilities in TP-Link Omada system could lead to root access - Cisco Talos researchers have discovered multiple vulnerabilities in the TP-Link Omada system, including buffer overflows and command execution flaws, which could allow attackers to gain root access. The vulnerabilities affect wireless access points and routers in the Omada ecosystem. Additionally, TDDP, a debugging protocol on TP-Link devices, can be exploited to reset devices or gain root access. The vulnerabilities in the Omada system have been responsibly disclosed to the vendor for patching.
Publicly Exposed AWS SSM Command Documents - . The blog post discusses the risks associated with publicly exposed AWS SSM Command Documents, which can lead to security breaches. The author conducted research and found that thousands of Command documents were shared publicly, some containing leaked credentials. The post suggests that AWS should improve its security measures to prevent such incidents in the future, such as implementing basic secret scanning for AWS credentials in publicly exposed resources.
Hacking a $100K Gas Chromatograph without Owning One - Team82 conducted research on hacking an Emerson Rosemount 370XA gas chromatograph, a $100K device commonly used in industries like chemical, environmental, and healthcare. They were unable to acquire the physical device, so they emulated it to identify vulnerabilities in the proprietary communication protocol. Several vulnerabilities were found, including command injection flaws and authentication bypass issues. Emerson promptly addressed the vulnerabilities after disclosure by Team82. The research showcased the importance of securing industrial devices to prevent potential attacks and disruptions in critical industries.
Attackers Exploiting Public Cobalt Strike Profiles - Unit 42 researchers have identified attackers exploiting public Cobalt Strike profiles to conduct malicious activities, using cracked versions of the software framework. These attackers modify Malleable C2 profiles to evade detection and sustain their malicious activities, posing a significant security threat to organizations. Palo Alto Networks offers advanced threat prevention measures to protect customers from Cobalt Strike attacks, including Next-Generation Firewalls and Advanced URL Filtering. Machine-learning based solutions like ATP are recommended for effective defense against evolving cyber threats. Overall, the article emphasizes the importance of adaptive and forward-thinking defense mechanisms in cybersecurity.
Crack Faster, Hack Smarter: Custom Hashcat Module for Apache Shiro - In this blog post, the author describes how they created a custom Hashcat module to crack Apache Shiro 1 SHA-512 password hashes. They discovered vulnerabilities in a server running Nexus Repository 3, allowing them to extract the password hashes. The post details the steps taken to identify the hashing algorithm and create a custom module for Hashcat to crack the hashes efficiently. The author also explains the process of creating the module, testing it using Hashcat's Test Suite, and achieving faster cracking performance compared to a standalone C implementation.
An AWS Administrator Identity Crisis: Part 1 - The article discusses the challenges of defining an AWS administrator and proposes a new approach based on identifying resources or principals of interest. The author introduces the concept of a Permission Matrix to determine who can access specific resources, such as a domain controller. By creating specific permission sets, the author aims to build precise attack paths in AWS environments. The article concludes with a teaser for an upcoming tool demonstration and a promise to discuss indirect privileges in the next post.
Who polices your policies? Azure policy abuse for privileges escalation and persistence - Azure Policy is a service within Microsoft Azure that helps enforce compliance rules and best practices for configuring cloud services securely. However, it can also be abused by attackers to deploy and modify Azure resources for nefarious purposes like privilege escalation and persistence. Attackers can exploit Azure Policy to perform actions like turning off logging on VMs, adding their own SSH keys, and even gaining a reverse shell on machines. The permissions and roles associated with Azure Policy can be abused to escalate privileges and modify existing policies, highlighting the need for caution and monitoring when using this service.
Mitigating Skeleton Key, a new type of generative AI jailbreak technique - Microsoft has discovered a new type of generative AI jailbreak technique called Skeleton Key, which allows attackers to bypass AI model guardrails. This technique can cause AI models to produce harmful or unsanctioned content by exploiting multi-turn strategies. Microsoft has implemented mitigation measures in Azure AI-managed models to address this threat and shared its findings with other AI providers. Customers developing AI applications on Azure are advised to consider how Skeleton Key attacks could impact their systems and implement safeguards such as Azure AI Content Safety and prompt engineering to protect against this vulnerability.
When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI - This article discusses a prompt injection code execution vulnerability discovered in the Vanna.AI library, which uses large language models for text-to-SQL interfaces. The vulnerability allows for remote code execution by manipulating prompts. The article describes the technical details of the vulnerability.
Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws - The post details how to unravel security flaws in the Lua implementation of Factorio, with a focus on memory corruptions using bytecode manipulation. It covers concepts like fake objects, controlling the instruction pointer, and executing commands, ultimately achieving remote code execution on Linux systems.
Novel Technique Combination Used In IDATLOADER Distribution - In the article, Kroll's Managed Detection and Response (MDR) team responded to an incident involving suspected malware exhibiting strange download behavior. The investigation uncovered a complex infection chain used to distribute IDATLOADER, involving novel techniques and heavy obfuscation.
Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware - Researchers at HarfangLab discovered a malicious campaign where operators impersonate Israeli government entities to deploy open-source malware. The attack involves a VHD file containing a downloader that retrieves a second-stage malware, Donut & Sliver, which grants full control of the victim's machine to the attacker.
40 vulnerabilities in Toshiba Multi-Function Printers - Pierre IT Security Research identified 40 vulnerabilities in Toshiba Multi-Function Printers, affecting 103 different models. These vulnerabilities include pre-authenticated XXE injection, remote code execution, lack of privileges separation, and insecure permissions for various programs.
An unexpected journey into Microsoft Defender's signature World - The analysis in this blog post delves into the signature database, loading process, and types of signatures in Microsoft Defender Antivirus. The post also explores the structure of threat signatures in the system, particularly focusing on the PEHSTR and PEHSTR_EXT signature types. By understanding these aspects, offensive teams can better replicate threat actor activities and enhance their adversary emulation practices.
Multiple TCC bypasses via SQLite environment variables - Multiple TCC bypasses via SQLite environment variables were disclosed at Black Hat Europe 2022 in a talk on bypassing MacOS privacy mechanisms. The technique involved setting an SQLite environment variable to log SQL queries, potentially exposing sensitive user data in apps like Contacts, Mail, Notes, and iMessage.
Tools and Exploits
CVE-2023-24871 - LPE - CVE-2023-24871 is a Local Privilege Escalation (LPE) vulnerability that allows unprivileged applications to trigger a vulnerability in the Bluetooth Support Service, leading to elevated privileges. The exploit involves creating a BluetoothLEAdvertisementPublisherTrigger object in an unprivileged application and registering it under a background task. By sending appropriate advertisement data, the vulnerability can be triggered. Unlike a Remote Code Execution (RCE) scenario, the LPE exploit requires Bluetooth to be enabled on the system. An exploit has been developed that overwrites heap memory to escalate privileges and load a malicious DLL. More details can be found on a GitHub page.
CVE-2023-23388 - This post discusses CVE-2023-23388, a bug related to a Local Privilege Escalation (LPE) vector that does not involve Bluetooth. The bug arises from inadequate validation of input data, allowing attackers to exploit the vulnerability. The bug was in the RPC layer code, which was flexible and used dictionary-like structures to handle BLE requests. An exploit for the bug involves manipulating the event type parameter to bypass validation checks and gain control over function pointers. The issue was likely fixed by adding explicit validation conditions in the code. A proof of concept (PoC) exploit was uploaded to demonstrate the vulnerability.
Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework - The GitHub repository "RemoteKrbRelay" offers an Advanced Kerberos Relay Framework that allows for remote manipulation of Kerberos authentication. It provides various attacks such as setting up RBCD, changing user passwords, adding users to groups, and extracting LAPS passwords. The framework also includes tools for detecting vulnerable DCOM objects, finding vulnerable applications, and exploiting sessions.
MSC Dropper - The GitHub repository ZERODETECTION/MSC_Dropper consists of a Python script tool that automates the creation of MSC files with customizable payloads for arbitrary execution within the Microsoft Management Console environment. The tool leverages a method discovered by Samir from Elastic Security Labs, termed #GrimResource, for initial access and evasion. Users can generate MSC files with specified commands or scripts, customize the payload, and easily create them via a simple command-line interface. Contributions to the project are welcome, and it is licensed under the MIT License. The tool is useful for security research and testing environments.
Gimmick - The GitHub repository "pygrum/gimmick" contains a section-based payload obfuscation technique for x64 systems. This technique allows for safe, on-demand access to encrypted global variables and functions at runtime in a thread-safe manner. The project is a Proof of Concept and not recommended for production use, as it may have bugs and should be used responsibly and in accordance with laws and regulations. Instructions are provided on how to use the technique, including assigning objects to sections, initializing the context, compiling the code, and running the executable.
FetchPayloadFromDummyFile - The GitHub repository "FetchPayloadFromDummyFile" provides a technique to construct a payload at runtime using an array of offsets, which can help obfuscate the payload while lowering its entropy. The program creates an array of values representing the offsets of a payload's bytes in a specified dummy file. The proof of concept (PoC) reads the dummy file, matches the bytes with the payload, and saves the indexes of the matches in an array. This approach eliminates the need to store the payload itself, reducing storage requirements and enhancing security.
CVE-2024-29943 - This GitHub repository, titled "CVE-2024-29943: A Pwn2Own SpiderMonkey JIT Bug," discusses a bug in SpiderMonkey JIT that leads to a chain of vulnerabilities from integer range inconsistency to bound check elimination and remote code execution (RCE). The repository contains a Proof of Concept (PoC), exploit, and analysis slides for this CVE. The bug can be found by running specific command line arguments on Ubuntu 22.04.
Kdrill - Kdrill is a Python tool designed to analyze the kernel land of Windows 64b systems to check for rootkits. It can assess if the kernel is compromised by a rootkit without the need for Microsoft symbols or Internet connectivity. Kdrill performs various checks, such as loaded modules list, drivers in memory code, callbacks of kernel objects, PlugAndPlay tree, and more. It can also analyze Full crash dumps and Kernel crash dumps. The tool retrieves kernel structures offsets automatically and builds a specific mapping at each execution.
Introducing Nyxstone: An LLVM-based (Dis)assembly Framework - Emproof has introduced Nyxstone, an LLVM-based (Dis)assembly Framework, to enhance the security and integrity of embedded systems through innovative binary rewriting techniques. Nyxstone offers static binary instrumentation for protection measures against reverse engineering and exploitation. It is built on LLVM's robust internal assembler and disassembler capabilities, supporting various architectures and features like label support in the assembler. Nyxstone can be used as a standalone tool or integrated as a library in C++, Rust, and Python, providing comprehensive (dis)assembly capabilities with flexible CPU and architecture configuration options.
Certiception - Certiception is an ADCS honeypot developed by the Red Team to trap attackers in your internal network by creating a vulnerable-looking certificate template in ADCS. It aims to improve detection of threats that bypass initial defenses by triggering alerts on malicious activity. The tool sets up a new CA in the environment, configures vulnerabilities, and supports effective alerting to catch attackers. Certiception is designed to be low cost, have high relevance alerts, and a low false positive rate. Companion blogpost can be found here.
CVE-2024-34102 - This GitHub repository contains a proof of concept (POC) for CVE-2024-34102, which is a pre-authentication XML entity injection issue in Magento / Adobe Commerce. The POC is designed to exploit this vulnerability by attempting to read files from vulnerable target hosts.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Mobile OAuth Attacks - iOS URL Scheme Hijacking Revamped - The blog post discusses a vulnerability in iOS apps that allows for an account takeover through OAuth authentication. The vulnerability exploits Custom URL Schemes and Safari browser sessions to steal authentication codes. The attackers need to prompt the victim to open an authentication endpoint in Safari and allow the redirect, making the attack scenario fairly complex. Apple's ASWebAuthenticationSession feature plays a significant role in this vulnerability, and developers are urged to mitigate this issue by using universal links or requiring a consent step in the authentication process.
RCE in Cradlepoint's Cloud Management Platform - The author discovered a Remote Code Execution (RCE) bug in Cradlepoint's Cloud Management Platform by analyzing network traffic. They were able to intercept and manipulate TLS-encrypted communications with a rooted Cradlepoint router, leading to the discovery of vulnerabilities that were later patched by the company. By injecting malicious pickle data, they were able to achieve RCE on the router and potentially on the NetCloud servers.
Abusing ESC13 From Linux - The Tech Talk article discusses how the ESC13 technique can be abused in Linux to escalate privileges within a domain, highlighting the importance of access control settings and the need for thorough security measures.
Azure Attack Paths - The article discusses various attack paths in Microsoft Azure environments, including delegated administrative privileges, Azure AD roles, elevating Azure subscription access, Azure VM run command execution, and more. The author provides insights on how different services and permissions can lead to vulnerabilities in an Azure environment. The article also includes helpful links, tools, and information for maintaining a secure environment in Azure. The author emphasizes the importance of staying informed about bad practices to avoid and different attack scenarios in the cloud environment.
An App Domain Manager Injection DLL PoC on steroids - This GitHub repository contains an App Domain Manager Injection DLL PoC on steroids, developed with the support of Shielder to discover new ways to blend into legitimate applications and raise awareness about sophisticated attack venues. The project involves clean Thread Call Stack and no direct WinAPI calls. It also includes a msfvenom messagebox payload and instructions on creating and encrypting raw format shellcode.
Easy files and payloads delivery over DNS - GitHub repository DNSlivery allows for easy file and payload delivery over DNS without the need for a dedicated client on the target system. The tool uses TXT records to store file content in base64 representation and does not require a full-fledged DNS server. It provides one-way communication from the server to the target and can be used in restricted environments where web delivery is not possible. The tool is currently only compatible with PowerShell targets, but future updates may include support for additional targets like bash or python.
Dumpy - The GitHub project "Dumpy" allows users to reuse open handles to dynamically dump LSASS memory content without being detected as malicious. The tool uses NTFS Transactions to xor the memory dump before storing it on disk or sending it through HTTP. It can be compiled for both x86 and x64 systems and has options to dump LSASS, decrypt previously generated dump files, and force the leakage of a handle through a race condition. The tool is designed to mimic the behavior of tools like Mimikatz for security testing purposes.
Google: Stop Burning Counterterrorism Operations - The author Michael Coppola criticizes Google for exposing and shutting down a counterterrorism operation conducted by a U.S.-allied Western government. He argues that such actions by Google's Project Zero and TAG can have serious consequences and risks human lives involved in these operations. Coppola highlights the importance of cyber operations in counterterrorism efforts to gather intelligence without risking human lives, and criticizes Google's decision to prioritize commercial interests over national security. He calls for a more nuanced approach to handling such sensitive operations and stresses the importance of considering the potential consequences of exposing them.
Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing - This blog post discusses the development of a snapshot fuzzer that uses Bochs as a target execution engine. The fuzzer now includes features such as snapshots, code-coverage feedback, and Linux emulation logic for fuzzing. The author details the implementation of these features, including capturing and resetting Bochs' state, hashing edge pairs for code coverage feedback, and setting up a custom kernel and harness for fuzzing in Bochs. Future plans include improving mutators, managing the corpus, parallelization, implementing Redqueen, and integrating with LibAFL.
Exploiting GCP Cloud Build for Privilege Escalation - This blog post discusses how to exploit GCP Cloud Build for privilege escalation and achieve lateral movement in a cloud environment. It explains the process of creating a malicious cloudbuild.yaml file to steal the OAuth token of service accounts linked to Cloud Build. The post also delves into leveraging Cloud Build service accounts for further escalation and highlights the importance of implementing proper security measures to prevent such attacks. The author reports the issue to Google, who responds that it is a by-design feature.
RedFlag - RedFlag is a tool that uses AI to identify high-risk code changes. It can be run in batch mode for release candidate testing or in CI pipelines to flag PRs and add reviewers. The tool's flexible configuration makes it valuable for any team, allowing for easy integration into different workflows.
Picarta - Picarta AI offers a service where you can upload a photo to find out where it was taken in the world using AI technology. By agreeing to their terms and conditions, you can access full result details. Users can join their Discord community to share feedback and recharge their wallet for more searches. The company aims to provide accurate and reliable image geolocalization solutions for individuals and businesses to unlock new possibilities for exploration and research.
LogHunter - GitHub repository for an opsec tool called LogHunter, which analyzes event log files through RPC (MS-EVEN) to find user sessions. The tool extracts specific events related to user logins and privileges, allowing the user to detect the target user's computer and take control. The tool requires the installation of the impacket module and can be used by passing credentials to start receiving events from the target computer. The tool also provides a demo video and instructions on how to search for specific events in the log files.
ELFie-Scanner - ELFieScanner is a C++ tool designed to scan process memory in order to detect malicious techniques used by threat actors, including those found in open-source user-mode rootkits. The tool inspects running processes and loaded libraries to identify suspicious activities such as shared object injection, entry point manipulation, and shellcode injection. It generates telemetry output in NDJSON format and offers various scanner capabilities that can be customized through a configuration file. Additionally, the tool can be built using Holy Build box for portability and has been tested on multiple Linux distributions.
Sei Big Report - In April 2024, two critical bugs were discovered and reported in the Sei Foundation's layer-1 blockchain, one impacting availability and the other integrity. The Sei Foundation awarded $75,000 and $2,000,000 for the reports. The bugs, if exploited, could have caused the chain to halt and allowed attackers to transfer funds freely. The vulnerabilities were fixed promptly by the Sei team, showcasing their commitment to security. Further exploitation could have led to control of the chain by manipulating stake balances.
Automated LLM Bugfinders - The blog post discusses the potential of using automated LLM bugfinders to replace vulnerability development teams. Project Zero details their efforts in this area, with Google/DeepMind showing promising results in using LLMs to find vulnerabilities. The post also outlines a different architecture called CATALYST-AI Reasoning Module for Finding Vulns, highlighting its specialized agents and tools for better results in bug finding. Ultimately, the post emphasizes the importance of choosing the right tools and prompts for LLMs to improve their performance.
SSH as a sudo replacement - The author experimented with using SSH as a replacement for sudo, allowing authorized users to run commands as root without using privilege escalation. This involved setting up a dedicated SSH key and running an SSH server instance bound to a unix domain socket.
Pivot Atlas - Pivot Atlas is an educational handbook for cyber threat intelligence analysts that provides reference material on how to effectively use various threat activity observables. The goal is to help analysts map out the relationships between different artifacts encountered during investigations. The project includes diagrams and examples of pivot methods that analysts can use to uncover potentially related malicious infrastructure or tooling.
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects - This blog post discusses how unsafe deserialization vulnerabilities work in Ruby projects, specifically using the Oj JSON serialization library. It explains how attackers can execute arbitrary code on a remote server by exploiting these vulnerabilities, and provides a step-by-step guide on building a detection gadget chain using Oj. The post also delves into creating a gadget chain for remote code execution and detecting unsafe deserialization when source code is available.
The Unauditable, Unmanageable HMAC Keys in Google Cloud - The article by Kat Traxler discusses the unauditable and unmanageable HMAC keys in Google Cloud, highlighting three key vulnerabilities associated with their handling by Google. These vulnerabilities include insufficient logging, unmanageable long-term credentials, and unauditable long-term credentials, leading to security risks and challenges in managing and monitoring these keys. Despite reporting these issues to Google, the company has closed the reported bug without providing a fix. The article suggests various recommendations to enhance GCP HMAC key management, logging, and lifecycle to address these security risks effectively.
Fuzz Map - Fuzz Map is a GUI fuzzer that automatically identifies states using code coverage and creates a visual map. The map is useful for identifying bugs and unexpected states in applications. Fuzz Map uses compile-time instrumentation to record branch coverage and simplify the state graph.
Web-Check - The GitHub repository "web-check" is an all-in-one OSINT tool for analyzing any website. It provides comprehensive open source intelligence on website details such as IP information, SSL certificates, DNS records, cookies, headers, and more. The tool aims to help users understand, optimize, and secure their websites. Additional features include checking server information, Whois records, TLS configuration, security headers, malware detection, and more.
Comments