
Last Week in Security - 2024-09-09

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-09-02 to 2024-09-09.

News

  • Owners of 1-Time Passcode Theft Service Plead Guilty - Three men in the United Kingdom pleaded guilty to running OTP Agency, a service that helped attackers intercept one-time passcodes needed for website logins. The service worked by initiating automated calls to targets, prompting them to enter a passcode that was then relayed to scammers. The service was shut down after a story was published about it, but briefly revived before the operators were arrested. The three men targeted over 12,500 people with this service over 18 months. Despite OTP Agency being shut down, similar services are still in operation.

  • YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel attack - YubiKeys are vulnerable to cloning attacks due to a cryptographic flaw in the microcontroller used in the devices. This flaw allows attackers to clone the YubiKeys, potentially compromising the security of the device. Yubico issued a security advisory and disclosure report, but updating firmware to fix the vulnerability is not possible, leaving affected devices permanently vulnerable. The vulnerability has existed for over 14 years and affects other devices using the same microcontroller and cryptographic library.

  • Hacking blind spot: States struggle to vet coders of election software - A Politico investigation revealed that U.S. election software faces significant vulnerabilities due to minimal oversight of the supply chain. An example from New Hampshire highlighted risks from offshored code development, which included connections to servers in Russia and open-source software managed by a convicted Russian coder. Although issues were resolved before the software was used, the incident underscores broader concerns about election security, especially regarding the use of overseas subcontractors and the lack of federal regulations in this critical area.

  • 3.7 Million Fake GitHub Stars: A Growing Threat Linked to Scams and Malware - A recent investigation uncovered that over 3.7 million fake GitHub stars are being used to inflate the popularity of malicious and scam projects on the platform. This growing threat is linked to fraudulent activities, including scams and malware distribution, undermining trust in the open-source community. The fake stars make malicious projects appear more trustworthy, leading to potential widespread exploitation. Developers are urged to remain vigilant and thoroughly vet the projects they use.

Threat Intel and Defense

  • North Korean threat actor Citrine Sleet exploiting Chromium zero-day - Microsoft has identified a North Korean threat actor, Citrine Sleet, exploiting a zero-day vulnerability in Chromium to gain remote code execution. The observed exploitation targets the cryptocurrency sector: the actor uses social engineering to distribute malicious software to individuals who manage cryptocurrency. The FudModule rootkit used in the attack employs direct kernel object manipulation techniques to disrupt kernel security mechanisms.

  • DeFied Expectations — Examining Web3 Heists - The rapid growth of Web3 has led to an increase in heists, particularly in the decentralized finance sector. Threat actors, including North Korean cyber criminals, have stolen billions of dollars in digital assets through various methods such as social engineering, supply chain attacks, and smart contract exploits. Examples include crypto exchange heists, smart contract exploits like the Curve Finance hack, and governance attacks targeting projects like Tornado Cash.

  • Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads - Cisco Talos recently found that threat actors are using MacroPack to deploy malicious payloads, including the Brute Ratel, Havoc, and PhantomCore payloads. The malicious files were uploaded to VirusTotal between May and July 2024 from different sources and countries. Despite similarities in tactics, techniques, and procedures (TTPs), Talos was unable to attribute the activities to a single actor. The VBA macros used in these attacks exploit vulnerabilities in Microsoft Office documents and may still affect users who are not using up-to-date Office versions.

  • Interesting 2023 Incident Response Cases - In 2023, interesting Incident Response cases included an insider fraud attack within a government organization, a Flax Typhoon/SLIME13 APT attack using legitimate software for malicious purposes, a spear-phishing attack targeting a financial company's critical employees, and a ToddyCat-like APT attack with an ICMP backdoor.

  • Advanced Cyberchef Techniques - This article explores advanced techniques using Cyberchef to deobfuscate a .vbs loader for Nanocore malware. The obfuscation involves mathematical operations and flow control to reveal the hidden code. By isolating and normalizing the obfuscated content, the analyst can recreate the logic in Cyberchef to decode the malware. The process involves identifying and separating lines with division and addition operators, converting them into ASCII characters, and finally obtaining the deobfuscated script.

  • Checkpoint Threat Intelligence Report - On September 2, 2024, Check Point Research released a Threat Intelligence Report highlighting several cyber attacks and breaches, including those affecting Patelco Credit Union, Young Consulting, Toronto District School Board, Seattle-Tacoma International Airport, Park'N Fly, Dick's Sporting Goods, and Fota Wildlife Park.

  • Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant - Unit 42 has discovered a new variant of WikiLoader being delivered via SEO poisoning and spoofing GlobalProtect.

  • Nihilism: Access Layer Security - The article discusses the importance of access layer security in network infrastructure to prevent unauthorized connections and insider attacks. It provides information on techniques for network security at the access layer, such as port security, STP protection, DHCP Snooping, ARP inspection, storm control, and protection against discovery protocol attacks.

  • AZORult Malware - This article provides a technical analysis of the AZORult malware, a sophisticated credential and payment card information stealer that has evolved over time.

  • Mallox ransomware: in-depth analysis and evolution - Mallox is a ransomware strain that has evolved from private ransomware to a RaaS program, with over 700 samples discovered by 2023. The ransomware actively targets companies and organizations, with different names used in the past. The evolution of Mallox versions includes changes in encryption schemes, communication with C&C servers, and the negotiation portal for victims. Affiliates of the Mallox RaaS program seek wealthy victim companies in various countries, with a focus on Brazil, Vietnam, and China.

  • Tropic Trooper spies on government entities in the Middle East - A new malicious web shell attributed to the Tropic Trooper group was found targeting a government entity in the Middle East. The group, known for targeting sectors such as government, healthcare, and high-tech industries, has historically operated in Taiwan, the Philippines, and Hong Kong. The recent campaign in 2024 marks a shift in their tactics, focusing on human rights studies in the Middle East. The attack involved China Chopper web shell variants, post-exploitation tools, and DLL search-order hijacking implants, indicating a motive of cyber espionage.

  • Technical Curiosities of Akira Ransomware - Akira Ransomware is a relatively new group that uses dual extortion tactics and has targeted over 300 organizations since April 2023. They demand high ransom amounts and threaten to publish confidential information. The ransomware encrypts files and erases volume shadow copies, utilizes the Restart Manager API, and creates and deletes temporary files with a unique naming pattern. Security software should have no difficulty detecting Akira ransomware due to its predictable patterns of behavior. Hunt & Hackett has developed a forensic tool called Restart Manager Artifacts to capture the state of the Restart Manager database on Windows systems.

Techniques and Write-ups

  • 4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways - In the blog post, the author discusses a buffer overflow vulnerability in MediaTek's network daemon. The post explores four different exploit strategies for the same bug, including return address corruption and an arbitrary write via pointer corruption, with each strategy chosen to defeat a different combination of mitigations such as stack canaries, ASLR, and full RELRO.

  • Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks - This archived blog post discusses exploiting arbitrary file deletes to escalate privilege on Windows systems. It explains how to leverage vulnerabilities in the Windows Installer service to achieve system privilege escalation.

  • Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities - SonarCloud's static analysis identified vulnerabilities in projects like pyspider, which was found to have security risks stemming from its use of basic HTTP authentication. By leveraging static analysis, developers can uncover and fix security weaknesses in their code. Unmaintained projects like pyspider can pose significant risks, highlighting the importance of code maintenance and security.

  • Introducing the URL validation bypass cheat sheet - The URL validation bypass cheat sheet by PortSwigger Research aims to address vulnerabilities caused by ambiguous URLs triggering parsing discrepancies. The cheat sheet provides various payload wordlists and encoding options to bypass URL validation.

  • When on Workstation, Do as the Local Browsers Do! - TrustedSec discusses the importance of monitoring and detecting browser-related attacks on workstations, which are common targets for APTs. The post provides detailed steps on configuring auditing and SACLs to detect browser extension installations and sensitive data extraction, along with sample Splunk queries for high-fidelity detections.

  • Exploiting Misconfigured GitLab OIDC AWS IAM Roles - This article explores the exploitation of misconfigured GitLab OIDC AWS IAM roles, which can allow unauthorized individuals to assume vulnerable roles. The article demonstrates how to exploit these misconfigurations step-by-step, and explains how the AWS Console can lead to this misconfiguration by default.

  • From a GLPI patch bypass to RCE - The article discusses how a security researcher found a patch bypass to exploit a SQL injection vulnerability in the popular software GLPI, leading to achieving Remote Code Execution (RCE) on a vulnerable GLPI instance.

  • CVE-2024-37084: Spring Cloud Remote Code Execution - CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper that allows for remote code execution due to deserialization of arbitrary objects. A patch was introduced to address this vulnerability by replacing the standard constructors with safe constructors and implementing custom constructors and enhanced test coverage.

  • Learning Rust for fun and backdoo-rs - The author shares their experience creating a custom Meterpreter stager in Rust, which they caution is just a toy implant and not recommended for actual red teaming operations because it is detected by antivirus software.

  • Why bother with argv[0]? - The post discusses the significance of argv[0], the first argument of a program's command line, which often represents the program's name/path. It explains how argv[0] can be manipulated to deceive security analysts, bypass detections, break defensive software, and cause security issues across various operating systems.

  • Axis Shift: Pivoting using ZeroTier - This article discusses the concept of pivoting in post-exploitation, specifically using ZeroTier to expand an attacker's presence in a network. ZeroTier is a software that creates virtual private networks on top of existing Internet infrastructure, allowing for easy connectivity between devices regardless of physical location.

  • Analysing Windows protection mechanisms with the antivirus avast and no-defender tools - The article explores Windows protection mechanisms, focusing on Windows Defender and the antivirus software Avast. It discusses the challenges of disabling Defender and introduces the open-source tool no-defender, which leverages Avast to achieve the shutdown of Defender.

  • A Pentester's Tale on How a Photo Opened Real Doors - The blog post discusses how a simple picture of a key can lead to a security breach. It explains the process of finding, decoding, cutting, and intruding using a key copied from a photo.

  • Dissecting the CVE-2024-38106 Fix - In August, Microsoft released security patches that included a fix for CVE-2024-38106, which was being exploited in the wild; the post dissects that fix.

  • Ghost in the PPL Part 3: LSASS Memory Dump - The author attempted to dump the memory of the LSASS process to extract credentials stored in memory. They explored different methods to invoke MiniDumpWriteDump, eventually finding a function that met their criteria. By using the Autodial feature of the WinSock2 API and SSPI, they were able to load an arbitrary DLL into LSASS and enumerate the modules loaded in the protected process. They also resolved addresses dynamically to create a final exploit that coerced LSASS to load the DLL and perform various actions. However, the exploit chain was deemed unstable and unreliable due to the chosen use-after-free bug.

  • Revisiting the UDRL Part 3: Beacon User Data - Cobalt Strike has historically struggled with the interaction between the UDRL and Sleepmask components. However, in CS 4.10, improvements were made to the Beacon User Data (BUD) to accurately pass memory information from UDRLs to the Sleepmask at runtime. This enables correct masking of Beacon and eliminates the need for static calculations. Additionally, BUD facilitates the tracking of arbitrary memory allocations for enhanced capabilities like BOFs/Sleepmasks/postex. The blog post also demonstrates how to use BUD to track an additional memory allocation, such as loading an External C2 DLL alongside Beacon and masking them both at runtime with Sleepmask-VS. The integration of UDRL and Sleepmask showcases their importance in Cobalt Strike's evasion strategy and their ability to work together to create advanced capabilities.

  • Windows Wi-Fi Driver RCE Vulnerability – CVE-2024-30078 - A Windows Wi-Fi driver vulnerability, identified as CVE-2024-30078, was patched by Microsoft in June during "Patch Tuesday". The vulnerability allowed for Remote Code Execution (RCE) by sending a malicious packet to an adjacent system. Analysis revealed that the vulnerability was present in the Wi-Fi driver, with a patch applied in the function named "PatchInterceptor". The exploit required the attacker to be on the same Wi-Fi network as the target, and while the vulnerability seemed interesting, its impact was found to be less critical than anticipated by Microsoft.

  • Race conditions in Linux Kernel perf events - A vulnerability in Linux Kernel perf events was disclosed responsibly to the kernel security team. The vulnerability is fully exploitable and technical details are available, although no CVE number has been assigned yet. The vulnerability involves race conditions in creating ring buffers for perf events, which can be exploited to gain control over kernel objects. However, the exploit strategy outlined in the blog post does not work on major distributions due to additional sanity checks performed by the kernel.

  • Exploiting Exchange PowerShell After ProxyNotShell: Part 1 - MultiValuedProperty - In this blog post, the author discusses the exploitation of Exchange PowerShell after the ProxyNotShell vulnerability, focusing on the MultiValuedProperty. The post covers the bypassing of Microsoft's first patch for this vulnerability and explores the CVE-2022-41082 RCE vulnerability. The author also delves into the allowed and deny lists in Exchange, showcasing how they can be abused to achieve remote code execution. The post provides technical details on the exploitation process and hints at future blog posts on related vulnerabilities.

  • Building a Hardware Hacking Arsenal: The Right Bits for Every Byte - The post discusses budget-friendly hardware hacking tooling and the considerations that go into choosing it.

  • Pwn2Own Automotive 2024: Hacking the Autel MaxiCharger - During Pwn2Own Automotive 2024, researchers presented exploits against three different EV chargers, including the Autel MaxiCharger. They found multiple bugs (CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967) in the charger and developed exploits to execute arbitrary code via Bluetooth.

  • Let's Get Stacking! (Part 3) - In this blog post by Pavel Yosifovich, the process of creating a new kernel object type called DataStack is detailed, focusing on the implementation of the stack functionality - push, pop, and clear.

  • Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk - The "Revival Hijack" technique, discovered by JFrog's security research team, allows attackers to hijack removed PyPI packages, potentially leading to malicious package downloads. The team reserved and replaced abandoned packages to protect the PyPI community. This attack method was seen in the wild with the "pingdomv3" package but was quickly addressed. While PyPI has some mitigations in place, JFrog advocates for stricter policies to prevent package reuse and advises users to be vigilant. The team's proactive measures prevented significant damage in this instance.

  • More on EXT4 Timestamps and Timestomping - The article discusses the timestamp system used by the EXT4 file system, which added 32-bit fractional-seconds fields with nanosecond resolution to its extended inode. This allows EXT4 to avoid the Y2K-like problem that ordinary 32-bit epoch timestamps face in the year 2038: the developers used the two spare bits in each fractional-seconds field to extend the seconds portion of the timestamp, so EXT4 can cover a date range from 1901 to 2446. A script called extstomp is provided to easily set timestamps on EXT4 file systems.

  • CVE-2020-27786 ( Race Condition + Use-After-Free ) - The blog post describes how a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel 5.6.13 can be exploited, identified as CVE-2020-27786. By manipulating IOCTL commands and memory allocation in the kernel, an attacker can gain control and escalate privileges to execute arbitrary code. The exploit involves bypassing KASLR, leaking kernel base address, and spraying ROP chain and fake function table on the kernel heap to achieve root access. The exploit allows an attacker to obtain a shell with root privileges on the system.

  • CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes - CVE-2024-5274 is a minor flaw in the V8 parser that was fixed by Chrome in May 2024. The vulnerability was caused by a bug in the Parser module, specifically involving the handling of function contexts. By exploiting this vulnerability, attackers could potentially trigger unexpected behaviors and bytecode inconsistencies in the V8 engine. Further research revealed that by manipulating objects within the NativeContext, particularly Maps, attackers could create powerful exploitation primitives like type confusion, leading to potential exploits in the JavaScript engine.

  • A Deep Dive into the CoSoSys EndPoint Protector Exploit: Remote Code Execution - During an APT simulation project, Theori Security Assessment uncovered four critical Remote Code Execution (RCE) vulnerabilities in the CoSoSys Endpoint Protector (EPP) solution, allowing them to compromise the server and clients. They reported the vulnerabilities to Netwrix promptly and provided exploit codes. The vulnerabilities have since been patched. The team leveraged these vulnerabilities to take control of the server and clients, gaining access to sensitive information. The post also discusses the importance of regularly applying security patches and implementing security measures to prevent attacks.

  • Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394) - The blog post is a deep dive into a race condition caused by incorrect use of an RCU API, focusing on the TCP-AO use-after-free. It explains the RCU synchronization technique and its relevant APIs with examples, and introduces a technique to trigger the vulnerability reliably using ExpRace. CVE-2024-27394 in TCP-AO is analyzed along with PoC code to trigger it and the patch that prevents the UAF inside the RCU read-side critical section.

  • CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) - Apache OFBiz below version 18.12.16 had an unauthenticated remote code execution vulnerability on both Linux and Windows systems. An attacker without valid credentials could exploit this vulnerability to execute arbitrary code on the server by exploiting missing view authorization checks in the web application. Several vulnerabilities in 2024 related to Apache OFBiz have been published, with one, CVE-2024-45195, being fixed. The Rapid7 team discovered and reported this vulnerability to the Apache OFBiz team, who promptly patched the issue in version 18.12.16 to prevent further exploitation.

  • “Unstripping” binaries: Restoring debugging information in GDB with Pwndbg - In this blog post, the author discusses the limitations of debugging stripped binaries in GDB and introduces new features in Pwndbg to restore debugging information. The author integrated Pwndbg with Binary Ninja to improve intelligence during debugging by syncing symbols, function signatures, and stack variable names. Additionally, the author implemented a feature for dumping Go structures to improve Go binary debugging. The author also discusses future possibilities for enhancing the debugging experience, such as adding support for other decompilers and improving Go debugging features.

  • Hacking misconfigured AWS S3 buckets: A complete guide - This guide provides a comprehensive overview of how to hack misconfigured AWS S3 buckets, highlighting common security misconfigurations and testing methods. It covers identifying S3 buckets, testing for list, read, download, and write permissions, as well as access control lists (ACLs) and file type restrictions. The article also includes tools for automating these checks and emphasizes the importance of proper S3 bucket configuration to prevent data leaks and security risks.

  • Improving Kernel Object Type Implementation (Part 4) - In this blog post, Pavel Yosifovich discusses the implementation of a DataStack object with push, pop, and clear operations. He also explains the use of callback functions for object cleanup and the creation of a query API for retrieving information about DataStack objects. Additionally, he explores the concept of DataStack objects as dispatcher objects, detailing the necessary steps to make them work as such. The post concludes with a demonstration of how to use the DataStack object in a test application.

  • Reverse TCP Shellcode (Linux Shellcoding) - The blog discusses reverse TCP shellcode for Linux shellcoding, including creating a socket, connecting to a specified IP and port, redirecting stdin, stdout, and stderr, and launching a shell using execve. The code snippet provided demonstrates the assembly language conversion of these operations. The shellcode allows for remote execution of shell commands over the network. The author also announces the launch of the Malforge Group for malware development learning and a Maldev Hackathon event with prizes and opportunities to join the group.

  • Exploring Deserialization Attacks and Their Effects - The blog post explores deserialization attacks and their effects, discussing how deserialization can lead to remote code execution, privilege escalation, and other vulnerabilities in applications. The author provides a challenge from the Plaid CTF 2014 called the kPOP challenge to better understand this vulnerability. The post covers the importance of safely unserializing data in PHP applications and provides tips on identifying potential vulnerabilities. Visual tools like UML diagrams and online editors are also recommended for analysis.

  • The Art of Exploiting Active Directory from Linux - The author discusses their experience with attacking Active Directory environments from both Windows and Linux, highlighting the benefits of using Linux for debugging and troubleshooting issues. They provide examples of how to perform attacks from Linux, such as using Sliver as a Command & Control framework and porting tickets between Windows and Linux. The author emphasizes the importance of debugging tools on Linux and shares their opinions on the efficiency of attacking from Linux for lab work and exams. The post is licensed under CC BY 4.0.

  • Windows Kernel Pool Exploitation CVE-2021-31956 - Part 1 - The blog post discusses Windows Kernel Paged Pool Overflow CVE-2021-31956 and how to exploit it from a reverse engineering point of view. The author talks about the process of identifying and exploiting the vulnerability, including failures and lessons learned along the way. The post includes code snippets, debugger outputs, and explanations of the exploitation process, leading up to a successful demonstration of a four-byte overflow into an adjacent chunk. The author plans to cover the exploitation technique in more detail in a follow-up post.

  • Violence: Pivoting using Nebula - This article discusses the use of pivoting in post-exploitation, specifically focusing on using Nebula, a virtual private network (VPN) solution, to expand the attacker's presence in a network. Nebula combines peer-to-peer routing and VPN principles to enable secure data transfer between hosts regardless of location. The article details how to set up Nebula, create certificates, configure the network, and establish connections between the attacker and compromised machines. By utilizing Nebula, attackers can access internal network segments that were previously inaccessible due to network isolation or firewall restrictions, ultimately allowing for post-exploitation activities such as user enumeration and network scanning.

  • Cracking an old ZIP file to help open source the ANC's "Operation Vula" secret crypto code - John Graham-Cumming discovered and decrypted a 30-year-old PKZIP file containing the secret crypto code used by the African National Congress (ANC) in "Operation Vula" to secure communications during the fight against apartheid. The code was originally zipped with a forgotten password by Tim Jenkin, a key figure in the encryption system. With the help of known plaintext attacks against ZipCrypto, the password was cracked, allowing for the open-sourcing of the original code. The decrypted source code was used to set up secure communications for the ANC, showcasing the power of retro computing methods in uncovering historical encryption systems.

  • Hypervisor Development in Rust for Security Researchers (Part 1) - In the first part of a series on hypervisor development in Rust, the focus is on enabling VMX operation on Intel processors, with details on setting up the VMXON region, configuring control registers, and adjusting MSRs. The code is designed to facilitate hypervisor research and experimentation, potentially leading to advanced topics like hypervisor-assisted hooking and memory virtualization using EPT. References and acknowledgments are provided for further exploration in the realm of hypervisor development and security research. Trustwave, a cybersecurity leader, offers a range of offensive and defensive solutions to mitigate cybersecurity risks and strengthen organizations against cyber threats.

  • Dark Web Scraping 101: Tools, Techniques, and Challenges - The article discusses the challenges and techniques involved in scraping the dark web using Python and Selenium. It covers setting up Firefox for dark web scraping, automating the login process, extracting data, and navigating multiple pages. The article also highlights the difficulties of scraping dark web forums with CAPTCHAs and anti-scraping measures, suggesting the need for innovative solutions to bypass these challenges. Overall, it provides valuable insights for those interested in dark web scraping.

  • Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051) - The vulnerability in the Windows DWM Core library allows an unprivileged attacker to execute code as the DWM user at System integrity level. The exploit involves a heap-based buffer overflow combined with a heap spray to elevate privileges. Extensive reversing and analysis were required to develop a functional PoC. The process involves hooking system functions, creating windows, devices, and surfaces, and modifying memory to trigger the vulnerability and elevate privileges.

Tools and Exploits

  • ICSrank - ICSrank is an open-source tool used for collecting information on Industrial Control Systems (ICS) and Operational Technology (OT) devices. It focuses on collecting data related to ICS/OT device configurations. The tool is copyrighted under the name ICSrank.

  • Backdoo-rs - This GitHub repository contains a simple Meterpreter stager written in Rust, implementing staging protocols used by the Metasploit Framework. It provides instructions on how to set up and run the stager on both the attack and target Windows systems.

  • Introducing Goffloader: A Pure Go Implementation of an In-Memory COFFLoader and PE Loader - Goffloader is a pure Go implementation of an in-memory COFFLoader and PE loader that allows for the easy execution of Cobalt Strike BOFs and unmanaged PE files without writing to disk.

  • CVE-2024-43044-jenkins - This is an exploit for the vulnerability CVE-2024-43044 in Jenkins that allows an agent to fetch files from the controller and gain access to the Jenkins scripting engine. The exploit can forge a remember-me cookie for an admin account. Instructions on how to build and run the exploit are provided, along with a way to test it using a vulnerable version of Jenkins in a docker container.

  • enumhandles_BOF - The GitHub repository "enumhandles_BOF" contains a tool that can be used to identify processes that hold handles to a given file, helping to determine which process is locking a file on disk.

  • Limoncello - The GitHub repository "jonpalmisc/limoncello" is described as "Yet another LLVM-based obfuscator." The project is incomplete, with the last commit made in 2023, and the developer has decided to release it for others to browse but will not provide support or continue working on it publicly.

  • hackshell - Hackshell is a tool on GitHub that aims to make BASH more stealthy and hacker-friendly by providing various bash functions.

  • wush - The GitHub repository "wush" offers a command line tool for transferring files between computers using WireGuard peer-to-peer connections.

  • BrowserSnatch - The project BrowserSnatch is a tool designed to steal important data from chromium and gecko browsers and store it in a database for extraction. It is intended for legal, ethical penetration testing and educational purposes only. The tool can extract saved passwords and cookies from various browsers and is continuously updated with new capabilities. Users must comply with all laws and obtain proper authorization before using the tool.

  • gofuzz - The GitHub repository nullenc0de/gofuzz contains a tool called gofuzz.py, which recursively processes JavaScript files to extract URLs and secrets using JSluice and Nuclei. The tool can be used to hunt for endpoints, secrets, or both, and outputs a list of unique URLs and sorted secrets by severity. Users need to have Python 3.6+, JSluice, Nuclei, and aiohttp installed to use the tool. It is recommended to use caution when processing JavaScript from untrusted sources. Contributions to improve the tool are welcome, and it should only be used for educational and ethical testing purposes.

  • Frida 16.5.0 Released - Frida 16.5.0 has been released with new features such as support for hardware breakpoints and watchpoints, which allow users to pinpoint the code responsible for specific data in memory. This release also includes support for Windows on ARM, allowing Frida to inject into native arm64 processes. Other updates include bug fixes and enhancements, making it an exciting release for Frida users.

  • KCM dumper - The GitHub repository "synacktiv/kcmdump" contains a script to dump Kerberos tickets from the KCM database of SSSD and recover them in CCACHE format. The script is used to convert SSSD's custom storage format for Kerberos tickets to standard CCACHE files. Users can follow the provided commands to use the script and manipulate Kerberos tickets.

  • Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051) (published August 15, 2024) - The GitHub repository for the Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051) contains information on a vulnerability in the Microsoft Windows DWM Core library that allows an unprivileged attacker to execute code with SYSTEM integrity-level privileges. The vulnerability is caused by a size miscalculation error in an integer division within the library. The exploit involves performing a heap spray to prepare memory and then triggering a heap overflow to elevate privileges. The PoC for the exploit involves hooking system functions, creating windows, and using Direct2D to exploit the vulnerability.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • 5 Years of InfoSec Focused Homelabbing - Arch Cloud Labs has been focusing on InfoSec homelabbing for the past five years, documenting various projects in Reverse Engineering, Malware Analysis, and other InfoSec disciplines. The blog started as a way to build a resume, but it led to opportunities to teach, speak at conferences, land a new job, and contribute to various security projects. The blog encourages others to start their own homelab projects for learning and skill development. The author emphasizes the importance of engaging with the CTF community, reviewing old CTF challenges, and exploring CVEs as ways to enhance skills in InfoSec. Additionally, the value of aging technical books is highlighted, as they can still provide relevant and valuable information that can be adapted to modern tools and technology. Ultimately, the blog stresses the importance of having fun and enjoying the learning process in the homelab environment.

  • The secret inside One Million Checkboxes - The author created a website called One Million Checkboxes where users could check or uncheck boxes that would be visible to everyone on the site. After noticing strange data in the database, the author realized that a group of teens were writing a secret message in binary code using the checkboxes. This led to the author joining the teens' Discord group, where they were collaborating on creating intricate drawings and animations on the site, despite some controversy around botting activities.

  • What’s the worst place to leave your secrets? – Research into what happens to AWS credentials that are left in public places - The research conducted by Cybenari focused on the consequences of leaving AWS credentials in public places, using canary tokens as tripwires to detect unauthorized access attempts.

  • Deploying Rust in Existing Firmware Codebases - This blog post from the Google Online Security Blog discusses the deployment of Rust in existing firmware codebases for improved security. The Android team is prioritizing new and security-critical code to introduce Rust gradually, showing how it can boost security effectively. The post addresses challenges and considerations of introducing Rust, including porting std crates and setting up the toolchain. It also provides guidance on choosing components to replace, selecting pre-existing Rust libraries, and creating drop-in Rust shims to replace C/C++ functions. The ultimate goal is to enhance memory safety in firmware codebases and reduce vulnerabilities.

  • Reverse Engineering For Everyone! - This tutorial set covers reverse engineering for x86, x64, 32-bit ARM, and 64-bit ARM architectures, aiming to break the complex process of deconstructing artificial objects into simpler concepts. It covers topics such as number systems, general architecture, assembly programming, and hacking techniques. Whether you are a beginner wanting to learn about reversing or someone looking to refresh their knowledge, these tutorials provide a comprehensive guide to understanding the basics of reverse engineering, a crucial skill in cybersecurity. The tutorials are also available in PDF or MOBI format for easy access and updates.

  • Your queues, your responsibility - In this blog post, the author discusses the risks of publicly exposing Amazon SQS queues and how attackers can exploit them. They explain how queues can become public, how to identify publicly exposed queues, and provide recommendations for securing SQS queues. The author also shares their research findings, where they discovered 209 publicly accessible SQS queues out of 1.75 billion URLs tested. They highlight the importance of maintaining cloud security and following AWS best practices to prevent unintentional exposure of resources.
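As an added illustration of the "identify publicly exposed queues" point above (this is example code, not from the blog post or from AWS), the check below reads an SQS queue policy document and flags Allow statements whose Principal is the anonymous wildcard. Statements that are wildcard-but-conditioned (the common SNS-to-SQS pattern scoped with aws:SourceArn) are reported separately rather than treated as open. The three sample policies are constructed for this example; the account id 111122223333 is the placeholder AWS uses in its documentation.

```python
"""Flag Amazon SQS queue policies that grant access to anonymous principals.

Added example, not code from the post summarised above. Sample policies are
constructed inline; "111122223333" is the AWS documentation placeholder account.
"""
import json

# Constructed sample: anyone on the internet may send to and read from the queue.
PUBLIC_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanSendAndReceive",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
    }],
})

# Constructed sample: wildcard principal, but scoped to one SNS topic by condition.
SNS_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TopicCanPublish",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
        "Condition": {"ArnEquals": {
            "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"}},
    }],
})

# Constructed sample: access limited to identities in the owning account.
PRIVATE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerAccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for the anonymous principal forms: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return a finding per Allow statement with a wildcard principal.

    severity "public": wildcard principal and no Condition, i.e. anyone can call.
    severity "conditional": wildcard principal narrowed by a Condition block;
    worth a review, but not an open queue on its own.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "severity": "conditional" if stmt.get("Condition") else "public",
        })
    return findings


def is_public(policy_json):
    """True if at least one unconditioned wildcard Allow exists."""
    return any(f["severity"] == "public" for f in find_public_statements(policy_json))


def restrict_to_account(policy_json, account_id):
    """Remediation helper: replace wildcard principals with the owning account root.

    Returns the rewritten policy as a JSON string ready for SetQueueAttributes.
    """
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    policy["Statement"] = statements
    return json.dumps(policy)


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_QUEUE_POLICY),
                      ("sns-scoped", SNS_SCOPED_POLICY),
                      ("private", PRIVATE_QUEUE_POLICY)]:
        print(name, "public" if is_public(doc) else "not public", find_public_statements(doc))
```

In practice the policy document comes from the queue's Policy attribute (GetQueueAttributes), and an account-wide sweep would iterate over every queue in every region; the decision logic, however, is entirely in the policy text, which is why the checker works on the JSON alone.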

  • Security Research Threats - This project documents legal threats made against security researchers who engage in good faith research, including cease & desist letters and over-reactions. It highlights incidents where companies have responded negatively to vulnerability reports, with examples ranging from students arrested for reporting software vulnerabilities to researchers being threatened with legal action for disclosing security flaws. The importance of encouraging collaboration between security researchers and companies, as well as promoting responsible disclosure, is emphasized to ensure a more secure technology ecosystem.

  • AI’ll Be Watching You - HiddenLayer Research conducted security research on Wyze's Edge AI-enabled cameras, focusing on the V3 Pro and V4 models to explore vulnerabilities and attacks on AI systems. The team gained root access to the devices, analyzed the firmware, and manipulated the Edge AI model and detection thresholds. They found that overlapping objects from different classes could influence detection outcomes but noted that physical patches for attacks were inconsistent. The research emphasized the importance of secure Edge AI implementation and the need for innovative approaches to bypass AI defenses.

  • The art of overDLLoading - The author of the article explores the idea of creating an executable that statically links to multiple system libraries in the Windows directory as a programming exercise. They found that using assembly language compilers, like fasm, made it easier to generate customized import tables for the executable. The purpose of the exercise includes learning about the PE file format, potentially serving as a guardrail technique, and potentially causing issues for tools like decompilers. The complexity of the import tables can even cause programs like IDA to freeze when attempting to copy function names.
