Confluence RCE, Open Redirect -> RCE (@ByQwert), U-Boot vulns (@NCCGroupInfosec), Azure Managed Identity attacks (@_wald0), Deep Learning password extraction (@harmj0y), LSASS cryptography (@SkelSec), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-05-30 to 2022-06-06.
News
- Announcing PSP's cryptographic hardware offload at scale is now open source. What happens when the NSA draws a smiley face on your network map? You spend a decade perfecting encryption that you can offload to smart NICs so that all traffic is encrypted in transit. I wonder where the next smiley face will be drawn...
- Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability. "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance."
- Information Security Controls: Cybersecurity Items. The US joins Europe with its own "Wassenaar Arrangement" rule by the Industry and Security Bureau. TLDR don't sell cyber capabilities to Country Group D.
Techniques and Write-ups
- Abusing CVE-2022-26923 Through SOCKS5 on a Mythic C2 Agent. This post explores the AD CS vulnerability but uses Mythic with an Apollo agent and SOCKS forwarding to pull it off. Nice practical usage example!
- From open redirect to RCE in one week. This is a wild ride through a series of strange small bugs that result in full RCE. Web app hackers take note.
- Technical Advisory - Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552). This one is for the embedded device hackers (and chromebook hackers).
- Managed Identity Attack Paths, Part 1: Automation Accounts. Azure Automation Accounts, Logic Apps, and Function Apps all use "Managed Identity assignments", which allow scripts to authenticate as a specific Service Principal. An attacker with access to one of these services can leak its JWT, which can then be used to authenticate outside the context of the Automation Account.
- DeepPass — Finding Passwords With Deep Learning. It's starting to feel like Will is lining up a career change into data science, but as long as he keeps the red team angle I'm here for it. Here he trains a model (DeepPass) to recognize passwords in arbitrary documents. How long before this is repackaged and sold as "AI/ML deep learning information disclosure hunter 9000" at RSA?
- LSASS needs an IV. Spoiler: It doesn't really need an IV if you can guess a few characters of a password. Interesting deep dive into the (poor?) cryptographic decisions in LSASS.
- Enumeration and lateral movement in GCP environments. Lateral movement is more fun in the cloud.
Tools and Exploits
- COM-Hunter - COM Hijacking voodoo.
- VoightKampff - Beating Google ReCaptcha and the funCaptcha using AWS Rekognition.
- Nidhogg - Nidhogg is an all-in-one, simple-to-use rootkit for red teams.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- The Surreal Case of a C.I.A. Hacker's Revenge. I haven't read this one yet but it's on my list.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.