Last Week in Security – 2024-10-08

Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3) – The article discusses exploiting a 24-year-old buffer overflow in the glibc library through the PHP engine. It explains the process of converting a file read into remote code execution and showcases an exploit that can be used to hack the PHP engine blind without any output. The exploit involves manipulating PHP’s heap to leak memory and eventually gain code execution. The article provides detailed steps on how to exploit the vulnerability and highlights the technical challenges involved in the process. It also emphasizes the importance of understanding PHP’s engine and the possibilities of remote binary exploitation.

Over Permissions in Salesforce Einstein and Unexpected Consequences – Salesforce announced Agentforce, their customizable AI agent builder, highlighting their AI products like Einstein Copilot. However, Salesforce’s permissions management allows potential security risks, as non-admin users with flow editing permissions can manipulate Einstein’s functionality and harm the entire organization. A real scenario demonstrates how a bad actor can exploit this loophole to send phishing emails from a user’s email account, showcasing the potential consequences of over permissions in Salesforce Einstein. Zenity Labs warns organizations to prioritize security when adopting AI technologies.

Obfuscating API Patches to Bypass New Windows Defender Behavior Signatures – The post discusses the author’s discovery of Windows Defender implementing new behavioral signatures to prevent patching of the amsi.dll::AmsiScanBuffer method, crucial for red team plans. The author experiments by modifying the patch to bypass the signature successfully initially, but later finds the new patch triggering the signature, indicating that Windows Defender is collecting data from patch events to generate new signatures. The author concludes that a new dynamic solution for patching AMSI will be needed to stay ahead of Windows Defender. Future experiments will focus on patch obfuscation and threat hunting techniques.

Malware development trick 43: Shuffle malicious payload. Simple C example. – This blog post discusses a malware development trick of shuffling the malicious payload to make it unrecognizable, while retaining the same entropy. The author provides a simple C code example demonstrating how to shuffle and deshuffle the bytes of a file, as well as run the shuffled payload. The post emphasizes the importance of understanding this technique for malware researchers and red teamers, while raising awareness for blue teamers. The example includes calculations of Shannon entropy to show that the shuffled, deshuffled, and original payloads have the same entropy values.

Airbus Navblue Flysmart LPC-NG issues – Airbus Navblue’s Flysmart LPC-NG electronic flight bag (EFB) app had a security vulnerability that allowed attackers to modify important flight data files, potentially leading to safety risks such as runway excursions or tailstrikes. Despite being reported to Airbus, the company initially refused to fix the issue, framing it as a product improvement. After a long discourse, EASA, the European aviation safety regulator, stepped in and the vulnerability was finally fixed. The incident highlights the importance of data integrity in aviation security and the need for collaboration among stakeholders to address vulnerabilities.

A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors – A year ago, the author purchased new Teleperm XS components on eBay, which are used in safety systems in Nuclear power plants. This led to a research paper titled “A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors” aimed at analyzing hypothetical cyber-physical attacks on safety systems of nuclear reactors. The paper provides technical analysis accessible to readers with varying levels of expertise and aims to dispel myths and increase public understanding of nuclear energy. It also discusses the importance of being prepared to deal with potential nuclear-related incidents.

Cobalt Strike: A Cyber Assessment Challenge – The article discusses the importance of assessing cyber tools used by red teams, specifically focusing on Cobalt Strike versions 4.8+ in DoD red team operations. It highlights the challenges faced by red teams in evaluating tools for functionality and operational security. The authors developed a Python script, named EXSCAPE, to extract Beacon configurations from stageless Beacons generated with Cobalt Strike 4.8+. The research emphasizes the need for red teams to enhance their OPSEC practices and protect their tooling to prevent potential exposure of sensitive information. The article also outlines the findings and recommendations to assist red teams in making informed risk decisions about their tooling.

COM Cross-Session Activation – The blog post discusses the concept of COM Cross-Session Activation, which involves using Microsoft Component Object Model (COM) to update software in the user context by communicating with a service running as SYSTEM. The post explains the technical details of how COM classes work and how they can be abused for cross-session privilege escalation. The author also highlights some CVEs related to this issue and shares their discovery of a vulnerability in the Google Update Service through COM cross-session activation. The post concludes with a reminder to update Chrome Updater and emphasizes the importance of auditing COM applications for potential privilege escalation issues.

Exploiting AMD atdcm64a.sys arbitrary pointer dereference – Part 2 – HN Security has identified and confirmed vulnerabilities in the AMD atdcm64a.sys driver, including arbitrary MSR read and arbitrary pointer dereference. The team has created a proof of concept code to exploit these vulnerabilities, leaking the base address of ntoskrnl.exe and hijacking the execution flow. They have also demonstrated how to debug the driver using IDA Pro and plan to exploit the vulnerabilities for local privilege escalation in the next part of the series.

Getting a Havoc agent past Windows Defender (2024) – The article explains a method for getting a Havoc agent past Windows Defender in September 2024 using offensive PowerShell techniques. The process involves generating a Havoc agent shellcode, converting it into shellcode, and bypassing the AMSI to execute it in memory. The author also emphasizes the need to allocate enough space to run the shellcode and discusses using a recent AMSI bypass tool to successfully execute the runner. In the end, the Havoc agent is successfully executed, and additional actions such as executing .NET binaries or dumping lsass are also demonstrated.

Exploiting trust: Weaponizing permissive CORS configurations – Outpost24 offers a comprehensive Exposure Management Platform to remediate critical vulnerabilities, provides External Attack Surface Management, Web Application Security Testing, Cyber Threat Intelligence, Risk-based Vulnerability Management, and more. The article “Exploiting trust: Weaponizing permissive CORS configurations” delves into the vulnerabilities of Cross-Origin Resource Sharing (CORS) misconfigurations, providing case studies and best practices for detecting and exploiting these vulnerabilities. It emphasizes the importance of thorough scanning, considering all trusted domains, and not giving up when SameSite is not “None” to ensure proper security measures are in place.

Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges – In the blog post “Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges” by Raúl Miján, the concept of class pollution in Ruby is explored through recursive merges that allow for the injection or modification of object attributes or methods. Three main cases of class pollution in Ruby are discussed, including scenarios like poisoning the object itself or escaping the object context to impact parent or unrelated classes. The post also delves into how popular libraries like ActiveSupport and Hashie in Ruby can be vulnerable to class pollution, highlighting the risks associated with these vulnerabilities and the potential impact on application security. The research conducted emphasizes the importance of understanding recursive merges and carefully managing data merges to mitigate the risk of class pollution in Ruby applications.

Satellite Hacking – Satellite hacking has been around since the launch of the first satellite in 1957. Advances in satellite technology have led to security advancements such as quantum communication and space-based solar power. Recent attacks on satellites have shown vulnerabilities but also highlighted ethical hacking to improve security. Training courses like Introduction to Cybersecurity in Space Systems demonstrate how satellite hacking can occur and the potential impacts of attacks on satellite systems. Security measures need to be improved to protect satellites from cyberattacks.

Kicking it Old-School with Time-Based Enumeration in Azure – TrustedSec has identified a time-based user enumeration flaw in Azure that allows attackers to identify valid users based on response times. This method was originally discovered in Microsoft Exchange back in 2014 and has since been used in various penetration tests. By measuring response times for login attempts with valid and invalid usernames, attackers can determine which usernames are valid, even though Basic Authentication has been disabled. This method, while not foolproof due to network congestion, can be a useful tool for enumerating users in Azure without being detected.

Reverse Engineering and Dismantling Kekz Headphones – The author reverse engineers and dismantles Kekz headphones, focusing on the inner workings of the device and the encryption methods used. By analyzing the chips and encrypted files, they were able to clone cookies and decrypt content. They also discovered user data collection practices and privacy concerns related to geolocation data. Despite reaching out to the company regarding security concerns, they received no response. The author raises questions about the functionality of the Jieli chips, HID commands, and PII data stored in the Azure Cosmos database, suggesting further research is needed.

Analysis of CVE-2024-43044 — From file read to RCE in Jenkins through agents – The article analyzes CVE-2024-43044, a vulnerability in Jenkins that allows for arbitrary file read leading to remote code execution. The vulnerability involves the communication between Jenkins controller and agents, allowing an attacker to read files from the controller. The post details the vulnerability, the patch introduced to address it, and provides information on how attackers can exploit the vulnerability to achieve remote code execution. The exploit involves crafting a remember-me cookie for an administrator account to gain access to the Script Console and execute commands. The exploit code is available for further analysis.

SMTP Downgrade Attacks and MTA-STS – SMTP Downgrade Attacks can compromise email encryption during transmission by tricking senders into using cleartext instead of TLS. MTA-STS provides a solution by allowing mail servers to indicate support for encryption using trusted TLS certificates. However, adoption of MTA-STS by major providers is low, leaving password reset emails vulnerable to attacks. To encourage adoption, users can enable MTA-STS for their own domains and push for transactional email providers to support it. Google provides timely user feedback for messages delayed or failed due to MTA-STS, enhancing the user experience.

The PrintNightmare is not Over Yet – The author discovered a way to bypass Point and Print (PnP) restrictions to protect against exploitation of PnP configurations. By spoofing the name of an approved print server, DNS spoofing could circumvent this protection. The author explored various solutions, including UNC Hardened Access and Print Driver exclusion list, to prevent attacks but found them to be insufficient or flawed. The key takeaway is that low-privileged users should not be allowed to install printer drivers to secure a Point and Print configuration. The author is curious about how the new Windows Protected Print (WPP) mode will address this issue.

Streaming vulnerabilities from Windows Kernel – Proxying to Kernel – Part II – DEVCORE conducts Red Team Assessments, simulations of real-world attacks to identify vulnerabilities in enterprise systems and provide consultation on defensive strategies. They have uncovered critical vulnerabilities in leading products and services, contributed to international cybersecurity conferences, and offer services like Penetration Testing and Security Consulting. The series on Windows Kernel Streaming vulnerabilities explores exploitation techniques and highlights the importance of updating Windows systems to prevent attacks. DEVCORE emphasizes responsible disclosure, corporate social responsibility, and continual research into new vulnerability classes.

Exploiting Visual Studio via dump files – CVE-2024-30052 – This blog post discusses a vulnerability (CVE-2024-30052) in Visual Studio that allows for arbitrary code execution when debugging dump files. The issue was reported to Microsoft in 2023 and a fix was provided in June 2024. By crafting a specially designed dump file with embedded source files, an attacker could potentially execute malicious code when opened by a developer in Visual Studio. The exploit involved using non-printable file extensions such as CHM, HTA, and PY to trigger code execution. Microsoft released a fix in Visual Studio 17.8.11 to address this vulnerability.

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) – The blog post discusses a critical vulnerability in the Ruby-SAML and OmniAuth-SAML libraries, which allows attackers to bypass SAML authentication mechanisms and gain unauthorized access by manipulating SAML responses. The vulnerability arises due to weaknesses in the verification of digital signatures used to protect SAML assertions. A patch has been made to address this vulnerability, emphasizing the importance of strict validation procedures in security protocols like SAML. Organizations using these libraries for authentication should ensure they are up to date to prevent potential attacks.

Pwning LLaMA.cpp RPC Server – The author developed an RCE exploit for the LLaMA.cpp RPC Server, leveraging arbitrary read capabilities. The bugs were documented in a GitHub advisory and were fun to exploit. By overwriting a callback function, the author achieved RCE. The full exploit code is provided, allowing for remote shell access.

PARAnoia – The concept of PARAnoia involves a full takeover of domain-joined computers by using a rogue domain controller to authenticate and gain access. The process involves extracting domain details, creating a rogue DC, exploiting the workstation, and performing various tests to gain administrative access. Ultimately, the attack demonstrates how a stolen or physically accessible computer can be fully compromised and backdoored, emphasizing the importance of safeguarding against NTLM hash capture to prevent such attacks in Active Directory/Windows-based enterprises.

Exploring Integer Overflow — The realm of exploiting binaries – Integer overflow occurs when an arithmetic operation exceeds the storage capacity of a data type, leading to unexpected results. It has been a common issue in computing, especially in security-critical software, and has been exploited for memory corruption and buffer overflows. Vulnerabilities related to integer overflow have been frequently found in various software products, leading to memory errors and potential code execution. Applications vulnerable to integer overflow often involve fixed-size data types, inadequate input validation, lack of bounds checking, and dynamic memory allocation. These vulnerabilities can have severe consequences, such as denial of service, arbitrary code execution, and bypassing security checks. Real-world examples of integer overflow vulnerabilities include Adobe Flash Player, OpenSSL, Mozilla Firefox, and others.

Low-Level Development on Retail Android Hardware – Reconnaissance and Prototyping a Bootloader – In the blog post, Tim discusses his attempt to port mainline Linux to a 2013 Samsung Galaxy Core Plus phone with an obscure Broadcom SoC. He focuses on developing a bootloader for the device, communicating via UART, loading S-BOOT into Ghidra, and enabling logging output. Tim also explores examining the boot flow, creating the first executable, and implementing a poor man’s flow control for data transfer. He concludes with plans for future improvements, such as migrating to a reasonable build process and direct interfacing with hardware.

Vesta Admin Takeover: Exploiting Reduced Seed Entropy in bash $RANDOM – The research on the Vesta control panel vulnerability highlights how reduced seed entropy in Bash’s random number generator can be exploited to gain administrative access. Attackers can predict the random password reset token due to insufficient entropy, leading to complete takeover of the VestaCP. The article provides a detailed breakdown of how this flaw affects the security of web hosting environments and recommends actions for patching or mitigating the vulnerability to prevent exploitation by malicious actors.