Apple data privacy, ChatGPT vs bug bounty, Syscall Hooks in Windows (@Denis_Skvortcov), SMSgate, Standalone Managed Service Accounts (@simondotsh), StealthHook (@x86matthew), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-12-05 to 2022-12-12.
News
- Apple advances user security with powerful new data protections. This is a great step forward for a company that has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which contain all your iMessages, conveniently have not been. Thus, with a simple court order, all your iPhone contents were available to any legally valid request. With this change (Advanced Data Protection, which users must opt in to), everything except iCloud Mail, Contacts, and Calendar is end-to-end encrypted, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
- ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
- Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
- Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.
Techniques and Write-ups
- Precious Gemstones: The New Generation of Kerberos Attacks. This is a great refresher if you have missed the last few Kerberos attack releases and need to catch up.
- Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass. It boils down to an undocumented Windows kernel routine and structure being used to implement syscall hooks. "This is a very brave and cool feature." This post contains good general investigative process documentation that will be applicable to kernel hackers and other low-level devs.
- GOAD - part 11 - ACL. The latest in a series that walks through the excellent GOAD vulnerable Active Directory environment.
- Cool vulns don't live long - Netgear and Pwn2Own. Having two vulnerabilities patched the day before a competition is heartbreaking. Perhaps parallel discovery?
- Exploiting CVE-2022-42703 - Bringing back the stack attack. "This exploit demonstrates a highly reliable and agnostic technique that can allow a broad spectrum of uncontrolled arbitrary write primitives to achieve kernel code execution on x86 platforms."
- Part 3: I Hope This Vishing Call Finds You Well…. Vishing can be that extra push to get a phishing campaign across the line. It is being used by adversaries to great effect already; consider adding it to your next service offering.
- Replicating CVEs with KLEE. Symbolic execution engines for bug hunting aren't new, but KLEE is new to me.
- An open source SMS gateway for pentest projects. smsgate holds the code.
- Issue 2346: Windows: HTTP.SYS Kerberos PAC Verification Bypass EoP. A tasty LPE (now patched).
- Assessing Standalone Managed Service Accounts. Standalone Managed Service Accounts (sMSAs) get automatic password management, but the password still has to live on the host that uses the account, so it can be dumped, its hash reused, and the account's privileges abused.
- StealthHook - A method for hooking a function without modifying memory protection. "This post describes a method for stealthily hooking a function without modifying memory protection. By overwriting a global pointer or virtual table entry that is nested within the target function, it is possible to hook the function without raising suspicion because many of these memory regions already have write permissions enabled."
- Unauthenticated Command Injection (Cacti). An authentication bypass and a command injection combine for a deadly bug.
- [PDF] Knockout win against TCC, a.k.a. 20+ NEW ways to bypass your macOS privacy mechanisms. Two of the best macOS security researchers team up to take down TCC.
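Returning to the StealthHook item above: the technique hooks a function by overwriting a pointer the function dispatches through (a global function pointer or a vtable slot) rather than patching its instructions, so no VirtualProtect/mprotect call is needed and the target's code bytes stay pristine. The example below is an added illustration written for this post, not code from @x86matthew's project. The target `process_buffer`, its global `g_transform` pointer and the `upper_impl` implementation are all constructed stand-ins for the nested pointer a real target would contain; the snapshot/compare helpers play the role of a prologue-scanning inline-hook detector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed target (not from the StealthHook post): a function that
 * dispatches through a global function pointer, standing in for the nested
 * global pointer / vtable slot the technique looks for inside a real target. */
typedef size_t (*transform_fn)(char *buf, size_t len);

static size_t upper_impl(char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 'a' && buf[i] <= 'z')
            buf[i] -= 'a' - 'A';
    return len;
}

/* Lives in .data, which the loader already maps writable. Retargeting it
 * needs no VirtualProtect/mprotect call and leaves .text untouched. */
static transform_fn g_transform = upper_impl;

/* The function being hooked. Its instructions are never modified. */
size_t process_buffer(char *buf, size_t len)
{
    return g_transform(buf, len);
}

/* Hook state. */
static transform_fn g_original;
static size_t g_hook_calls;

static size_t hooked_transform(char *buf, size_t len)
{
    g_hook_calls++;                 /* observe the call ... */
    return g_original(buf, len);    /* ... then preserve original behaviour */
}

/* Install: a plain pointer store into already-writable memory. */
int install_stealth_hook(void)
{
    if (g_original != NULL)
        return -1;                  /* already hooked */
    g_original = g_transform;
    g_transform = hooked_transform;
    return 0;
}

int remove_stealth_hook(void)
{
    if (g_original == NULL)
        return -1;                  /* nothing to remove */
    g_transform = g_original;
    g_original = NULL;
    return 0;
}

size_t stealth_hook_call_count(void) { return g_hook_calls; }

/* Integrity check in the style of an inline-patch detector: compare the first
 * bytes of the target's code before and after hooking. The pointer-swap hook
 * passes because no instruction in process_buffer changed. */
#define SNAP_LEN 16
static unsigned char g_code_snapshot[SNAP_LEN];

void snapshot_target_code(void)
{
    memcpy(g_code_snapshot, (const void *)(uintptr_t)process_buffer, SNAP_LEN);
}

int target_code_unchanged(void)
{
    return memcmp(g_code_snapshot, (const void *)(uintptr_t)process_buffer, SNAP_LEN) == 0;
}

int main(void)
{
    char msg[] = "stealthhook";
    snapshot_target_code();
    install_stealth_hook();
    process_buffer(msg, strlen(msg));
    printf("%s calls=%zu code_unchanged=%d\n",
           msg, stealth_hook_call_count(), target_code_unchanged());
    remove_stealth_hook();
    return 0;
}
```

The detection takeaway is the flip side of the same property: a scanner that only diffs function prologues against the on-disk image will report `process_buffer` as clean. To catch this class of hook you have to enumerate the pointers a function dispatches through (globals in `.data`, vtables, import tables) and verify each one points back into the module that owns it.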
Tools and Exploits
- RedditC2 - Abusing the Reddit API to host the C2 traffic; since most blue-team members use Reddit, it might be a great way to make the traffic look legit.
- emailGPT - a quick and easy interface to generate emails with ChatGPT.
- noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
- CVE-2022-44721 Crowdstrike Falcon Uninstaller.
- DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
- WindowSpy is a Cobalt Strike Beacon Object File meant for targeted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, VPN logins etc.
- Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in an interactive mode that saves the complex opsec and overhead that usually exist in Azure penetration testing engagements.
- TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.