SSPI in Python (@snovvcrash), executing shellcode from VBA (@TheXC3LL), Mirth Connect pre-auth RCE (@Horizon3Attack), Visual Studio LPE (@filip_dragovic), DLL injection LPE (@m417z), Android ARM64 reversing (@Dauntless), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-08 to 2024-01-15.
News
- Welcome To 2024, The SSLVPN Chaos Continues - Ivanti CVE-2023-46805 & CVE-2024-21887. At this point, if you have an SSL VPN, just throw it away. Use WireGuard and sleep better at night.
- It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable. No one took my advice from the previous story. These vulnerabilities are over two years old.
- Keeping Up With the Pwnses. A cybersecurity news aggregator? Wait, but that's what I am!?
- GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6. A vulnerability so bad it fits in a tweet.
- Seems like someone pushed a bunch of iBoot symbols to Hex-Rays' Lumina server. This is either an Apple employee or a researcher who (accidentally?) pushed their iBoot symbols to a public symbol server. A nice gift for iOS researchers.
- AirDrop doesn't use cryptographic salts, and rainbow tables are easily able to de-anonymize users. Because AirDrop exchanges unsalted hashes of contact identifiers, a little pre-computation and hard drive space make it trivial to de-anonymize users with AirDrop enabled (at least to recover their phone number). Read more: [PDF] DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop. This has been a known issue to Apple since 2019...
Techniques and Write-ups
- Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO. With a little bring-your-own-interpreter (i.e. Pyramid), Impacket can now use the tickets already cached on the box you have access to without needing to know any plaintext credentials.
- VBA: having fun with macros, overwritten pointers & R/W/X memory. The things that have been done with VBA that VBA was never supposed to do are impressive.
- Teams external participant splash screen bypass # 2. Phish where the users are. And if Microsoft "patches" a bypass of the external user warning, just... bypass it again!
- Writeup for CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE. Another entry in "a patch is not always the end of a vulnerability," one of my favorite series.
- CVE-2024-20656 - Local Privilege Escalation in the VSStandardCollectorService150 Service. Bind mounts strike again. Great find and write-up. PoC: CVE-2024-20656.
- Privilege escalation using the XAML diagnostics API (CVE-2023-36003). Another Windows LPE! PoC: CVE-2023-36003-POC.
- Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating. Some hardcore Android ARM64 reversing and debugging content.
- CICD-Goat Setup and Easy Challenge walkthrough (WhiteRabbit, MadHatter, Duchess). The fact you can deploy your own CTFd and multiple vulnerable CI systems with a single docker compose is awesome! There is a part 2 as well, but try to solve them on your own first!
- writeup_factorio - Writeup of a remote code execution in Factorio by supplying a modified save file.
- CVE-2023-49291 and More – A Potential Actions Nightmare - Loving all these GitHub Actions attacks. The developer workflow is becoming more and more of an attack surface.
- The Covert Hardware Implant: Part 1 - "...we use our hardware implants in real-world Red Team operations while constantly evolving the form factor to align with the most effective solution for the mission"
- Deep Dive: http.favicon - Favicons have been making a comeback the past few years. Don't sleep on this recon data point.
- ASLRn't: How memory alignment broke library ASLR. Oof. I guess that's why you do defense in depth.
- Bypassing Payments in Apple for Free Trails for Lifetime. The ability to create unlimited Apple IDs without a phone number or credit card may be responsible for the uptick in iMessage spam seen recently.
Tools and Exploits
- Kiosk Tooling. Next time you only have a browser and need to break out, browse to this site for some potential quick wins.
- CS-Aggressor-Scripts - Aggressor Scripts for Cobalt Strike (that post data to a Slack Channel).
- OpenVoice - Instant voice cloning by MyShell. I have warned of this, and now it is here and easy to use. Vishing will never be the same.
- BobTheSmuggler - "Bob the Smuggler": A tool that leverages HTML Smuggling Attack and allows you to create HTML files with embedded 7z/zip archives. The tool would compress your binary (EXE/DLL) into 7z/zip file format, then XOR encrypt the archive and then hide it inside PNG/GIF image file format (Image Polyglots).
- SuperSharpShares - SuperSharpShares is a tool designed to automate enumerating domain shares, allowing for quick verification of accessible shares by your associated domain account.
- pinvoke.dev - Code-generated P/Invoke signatures.
- DFSCoerce-exe-2 - DFSCoerce exe revisited version with custom authentication.
- raddebugger - A native, user-mode, multi-process, graphical debugger.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- FlowMate - a BurpSuite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.