News

• CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows. Sometimes the hype is just hype. This looks extremely hard to exploit with modern mitigations and a limited userbase.
• [PDF] How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Over 10% of PoCs were malicious! There is a reason there is a disclaimer at the end of each of these posts.
• LinkedIn Adds Verified Emails, Profile Creation Dates. Your favorite profile backstop just got a little harder to fake.
• Nighthawk 0.2.1 - Haunting Blue. Some cool features in the latest release of this commercial red team tool.
• Meet Fortra™ The new face of HelpSystems. HelpSystems (Cobalt Strike/Outflank's buyers) have rebranded - now with more generic corporate stock photos.
• [SimpleX] Security assessment by Trail of Bits. I've been playing with this new messenger app for a while and I think it has the potential to unseat Signal in a few versions. No shady CIA money, "open source" (but not really), blockchain silliness, etc. The pace of development is also impressive. They list their Monero address above their Bitcoin address - legit.
• urlscan.io's SOAR spot: Chatty security tools leaking private data. Careful what you auto-submit to external vendors.
• radare2.online. Your OS is just a bootloader for your browser. HTML/CSS/Javascript won the language war and will be the universal language of the future. Scary.
• [PDF] VX-Underground's Black Mass. Tmp.out and vx-underground keep the zine scene alive.

Techniques and Write-ups

• Exploiting Static Site Generators: When Static Is Not Actually Static. File this under "Serverless and other myths."
• A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. Mobile exploit chains are always a trip. This one look surprisingly easy to understand compared to most.
• Lessons Learned from Cloning Windows Binaries and Code Signing Implants. Some good lessons here. Another option is to just used signed binaries for other purposes ...
• How one misconfiguration in ADCS can lead to full AD Forest compromise. ADCS is the gift that keeps on giving.
• CVE-2022-26730 | ColorSync | Hoyt LLC. macOS memory corruption in the processing of image ICC profiles can lead to RCE. Comes with the shorted PoC I have seen in a while (now patched).
• BYODC - Bring Your Own Domain Controller. This meme makes a comeback. This is some great traitorware - why fake a DCSync, if you can just do an actual DCSync? DCShadow is a previously discovered/implemented version of this.
• Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3). Quite a chain for unauth RCE across different tech/lanugages.

Tools and Exploits

• Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
• katana - A next-generation crawling and spidering framework from projectdiscovery.
• KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
• CVE-2022-33679 One day based on RC4 is still considered harmfrul.
• stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
• CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
• awsrecon - Tool for reconnaissance of AWS cloud environments.
• exe_who - Executables on Disk? Bleh 🤮.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
• PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
• Kernelhub 🌴Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
• grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.