News

• Impacket Updates: We Love Playing With Tickets - Impacket is starting to crank out some kerberos improvements. You can create a Sapphire Ticket a bit easier now with Impacket without having to use a fork.
• Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement - The instance metadata service (IMDS) was the target. The cloud metadata service has been a popular target for AWS attacks in the past, and Azure is no different now.
• 90s Vulns In 90s Software (Exim) - Is the Sky Falling? - "So, our advice is the usual - patch when you can, once patches are available (Exim have stated they will release patches at 12:00 UTC today, Monday 2nd October). But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe." Unless you have a Sophos Firewall, in which case you should patch ASAP.
• Expanding our exploit reward program to Chrome and Cloud - It's neat they pay for n-day PoCs not just 0days.
• Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 - This is drectly from the curl author, unlike other reported "high severity" curl issues in the past that turned out to be nothing.
• Russia plans to try to block VPN services in 2024 - Good luck!

Techniques and Write-ups

• Looney Tunables: Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911) - Is this the Dirty COW of 2023? Perhaps not quite as ubiquitous as it relies on a range of glibc versions (glibc 2.34+). Props to Qualys for keeping the old school phrack-esqe disclosures alive. PoC 1. PoC 2. [Direct Download] PoC 3. PoC 4.
• MacOS "DirtyNIB" Vulnerability - It's possible to hijack the entitlements of Apple apps by swapping out the interface (NIB) file. This is currently unpatched, even on macOS 14.0. Weaponize this for camera/mic/keychain/file access once you get code execution. Or maybe even bundle it in with your dropper.
• Launch and Environment Constraints Deep Dive. A great companion to the previous post that details what Launch and Environment Constraints are and what kind of bugs they hamper.
• Solving The “Unhooking” Problem - Unhooking gets complicated when the user can run arbitrary code (BOF/C#) that may load libraries without the protection of the C2 agent. Outflank presents their solution to this issue - visibility, automation, and on-demand unhooking.
• Reflective call stack detections and evasions - An updated BokuLoader has some new methods to avoid call stack spoofing detection.
• Sliver and Cursed Chrome for Post Exploitation - With sensitive information moving to SaaS and other browser based apps, being able to operate as a compromised user in the context of their browser is essential for modern red teams.
• Yet More Unauth Remote Command Execution Vulns in Firewalls - Sangfor Edition. I will always be impressed with unauth RCE on a firewall. 🤦
• Behind the Shield: Unmasking Scudo's Defenses - Scudo is LLVM's hardened allocator. This post is a dense exploration of how exploitation of scudo may be possible.

Exploring the STSAFE-A110 Analysing I2C communications between host and the secure element - Some physical device hacking with a logic analyzer to read I2C of a secure element.

• Cobalt Strike Aggressor Callbacks - Shows how to use the new callbacks feature of Cobalt Strike 4.9. Much better than setting global flags and parsing all beacon output in a timer function which is what we had to do before.
• Trends From the Trenches: Social Engineering - Some really solid examples in this post. I've used similar pretexts to great effect.
• Perfect Loader Implementations - Some good Linux and Windows loader work, see fuse-loader and perfect-loader for PoCs. These are great raw material for custom C2s.
• Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641) - Lots of protections bypassed to get RCE - excited for the follow up post.
• Using Cloudflare to bypass Cloudflare - Defaults can be dangerous. Be sure to validate the host headers!
• Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs - Authenticated command injection and a slew of XSS. Theoretically you could chain these to be unauth remote RCE, but you'd need a click from a logged in admin.

Tools and Exploits

• linWinPwn - Bash script that automates a number of Active Directory Enumeration and Vulnerability checks. Will be interesting if they keep up with this project. Interesting new project since it's using the new NetExec . Will other tools do the same?
• LatLoader - PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
• sccmhunter v.0.0.2 - Updated Admin Module - SCCM is the gift that keeps on giving. This is a new easy way to execute commands on managed machines (Administration Service API).
• archive_pwn - A Python-based tool to create zip, tar and cpio archives to exploit common archive library issues and developer mistakes. Blog Post.
• SmmBackdoorNg - Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Browser cache smuggling - Interesting payload delivery technique.
• Registry Attack Vectors(RTC0018) - A big list of interesting reg keys.
• Kerberos 102 - Overview Three part blog series on kerberos, delegation, and cross-realm. You can never read enough about kerberos.
• ted_api - TED is a limited general purpose reverse engineering API, and hybrid debugger, that allows for inspection and modification of a program's inner workings. TED carries out its functionality by being injected into a target process and starting a gRPC server, which clients can then connect to.
• agent - SSH Session Monitoring Daemon.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.