More Fortinet RCE (@frycos), alloc-less injection (@bohops), embedded system hacking (@levaronsky), miniDLNA head exploitation (@hyprdude), dump creds from sshd (@jm33_m0), MS Teams phishing (@CorbridgeMax + @tde_sec), ThreatCheck + Ghidra (@_RastaMouse), driver dev for red team (@V3ded), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-06-12 to 2023-06-26.
News
- Google Cloud Awards $313,337 in 2022 VRP Prizes. This is how you incentivize bug bounty hunters.
- Donning a MASQUE: building a new protocol into Cloudflare WARP. Look out, WireGuard, there is a new standard in town.
- 2023 Breaches and Incidents: Personal Notes. Stolen credentials are up, phishing is down. Use a good password manager appropriately.
- Proxmox VE 8.0 released! Proxmox is a free and open source hypervisor that will feel familiar to VMware ESXi users. I switched years ago and have been quite happy.
Techniques and Write-ups
- LibreOffice Arbitrary File Write (CVE-2023-1883). Did you know that LibreOffice has an MS Access competitor? Did you know it can do arbitrary file writes?
- The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022. An open redirect doesn't sound exciting, but it can turn a tap into a shell.
- Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit. Some great embedded systems hacking here. If you want to talk embedded systems hacking, or try your hand at hacking some devices, be sure to stop by the @EmbeddedVillage at DEF CON.
- CVE-2023-27997 Vulnerability Scanner for FortiGate Firewalls. A vulnerability scanner sounds boring, but the technique to validate this heap overflow without crashing the firewall is pretty unique.
- No Alloc, No Problem: Leveraging Program Entry Points for Process Injection. Up your process injection game with some lesser-known techniques.
- FortiNAC - Just a few more RCEs. "Shortly after the first CVE-2022-39952 disclosures I thought, why not looking at this product in the patched version 9.4.1 to find some more vulnerabilities?" Love it.
- AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice. SQL is tricky and WAFs can get tripped up by "unique" query syntax.
- chonked pt.2: exploiting cve-2023-33476 for remote code execution. This is some hardcore exploit development content.
- Exploring Android Heap allocations in jemalloc 'new'. If you like the previous post, you'll love this deep dive into heap allocation in Android.
- Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware. This was reported and "did not meet the bar for immediate servicing." "When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more. By comparison, it makes social engineering via email feel very stagnant, and stop-start." Guess what I am trying out tomorrow?
- Potential Risk of Privilege Escalation in Azure AD Applications. Using email claims for authorization can lead to easy privilege escalation. Don't do it!
- Bypassing Defender with ThreatCheck & Ghidra. A good short tutorial on finding signature bytes, translating them back to source code, and making modifications as appropriate.
- Exploiting a Video Camera's Rolling Shutter to Recover Secret Keys from Devices Using Video Footage of Their Power LED. The camera has to be within 6 ft and record constant signing activity for a period of minutes, but still, a very cool side channel.
- Automating String Decryption and Other Reverse Engineering Tasks in radare2 With r2pipe. Automate some tedious RE work with radare2.
- Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2). This is turning into some interesting work. The skeleton of an ICMP rootkit is taking shape.
- What is Tier Zero — Part 1. Good discussion of AD design principles for security, what really needs protecting, and how to think about it.
Tools and Exploits
- SSH-Harvester - Harvest passwords automatically from OpenSSH server. More details here.
- CVE-2023-29343 - LPE in Sysmon version 14.14.
- CVE-2023-20178 - PoC for Arbitrary File Delete vulnerability in Cisco Secure Client (tested on 5.0.01242) and Cisco AnyConnect (tested on 4.10.06079).
- Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
- NimExec - Fileless Command Execution for Lateral Movement in Nim.
- CS_COFFLoader - a COFF loader written in C#.
- Spartacus-v2.0.0. Not a new tool but a big release for the DLL/COM Hijacking Toolkit (2.0 added COM hijacking).
- bof-launcher - Beacon Object File (BOF) launcher - library for executing BOF files in C/C++/Zig applications.
- GhostFart - Unhook NTDLL without triggering "PspCreateProcessNotifyRoutine".
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- msLDAPDump - LDAP enumeration tool implemented in Python3.
- SharpToken - Windows Token Stealing Expert.
- docker-swarm-proxy - What if you wanted a docker exec, but for Docker swarm? - Control any node in the swarm from your CLI.
- PageSplit - Splitting and executing shellcode across multiple pages.
- ropci - So, you think you have MFA? AAD/ROPC/MFA bypass testing tool.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.