🛡Akamai’s Perspective on December’s Patch Tuesday 2022
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.
🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack(crowdstrike)
🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities(talos intelligence)
🛡The December 2022 Security Update Review(ZDI)
🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs(tenable)
🛡Microsoft Patch Tuesday, December 2022 Edition(KrebsonSecurity)
🛡Patch Tuesday - December 2022(rapid7)
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.
🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack(crowdstrike)
🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities(talos intelligence)
🛡The December 2022 Security Update Review(ZDI)
🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs(tenable)
🛡Microsoft Patch Tuesday, December 2022 Edition(KrebsonSecurity)
🛡Patch Tuesday - December 2022(rapid7)
This media is not supported in your browser
VIEW IN TELEGRAM
🔥🔥🔥 EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
Recently, BitsByWill have discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit and was assigned CVE-2022-4543. As you’ll see why from the writeup later on, he have decided to term this attack “EntryBleed.”
Recently, BitsByWill have discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit and was assigned CVE-2022-4543. As you’ll see why from the writeup later on, he have decided to term this attack “EntryBleed.”
👍1
💥Precious Gemstones: The New Generation of Kerberos Attacks
In this blog, after a brief primer on relevant Kerberos terms and the attacks themselves, we discussed the privileges required to perform such attacks and the importance of monitoring different forged ticket attacks. Additionally, we examined possible detection ideas that might help cover Golden Ticket attacks as well as new attack methods. Forged ticket attacks might be hard to detect with a cursory glance, since they can initially appear to be legitimate. However, if enough information is collected about suspicious network activity, malicious tool usage, or Windows events, we might be able to detect some of the most effective Kerberos attacks.
In this blog, after a brief primer on relevant Kerberos terms and the attacks themselves, we discussed the privileges required to perform such attacks and the importance of monitoring different forged ticket attacks. Additionally, we examined possible detection ideas that might help cover Golden Ticket attacks as well as new attack methods. Forged ticket attacks might be hard to detect with a cursory glance, since they can initially appear to be legitimate. However, if enough information is collected about suspicious network activity, malicious tool usage, or Windows events, we might be able to detect some of the most effective Kerberos attacks.
👍1
🔥Win32k User-Mode Printer Drivers StartDoc UAF
(PoC included)
A vulnerability(CVE-2022-41050) in the way BoundClipRGNToSurface merges surfaces allows attackers to trigger a UAF due to a function that frees the used data and then access it. If the memory where the freed memory is properly prepared, the attacker can control the crash and cause it to execute arbitrary code.
(PoC included)
A vulnerability(CVE-2022-41050) in the way BoundClipRGNToSurface merges surfaces allows attackers to trigger a UAF due to a function that frees the used data and then access it. If the memory where the freed memory is properly prepared, the attacker can control the crash and cause it to execute arbitrary code.
👍1👻1
🦠Home Grown Red Team: Let’s Make Some Malware In C
That was a fun project, but let’s take it a step further and create a script that will replicate the process and obfuscate the functions within our malware template so we get a new, unsignatured EXE every time.
💾Part1
💾Part2
🔖Completed scripts for this project here
That was a fun project, but let’s take it a step further and create a script that will replicate the process and obfuscate the functions within our malware template so we get a new, unsignatured EXE every time.
💾Part1
💾Part2
🔖Completed scripts for this project here
👍2
PingPlant.zip
15.4 KB
🔥PingPlant is a Linux implant PoC that starts a custom listener for ICMP data, and parses the ethernet frame to check for a special payload.
If this payload is found, it will then initiate a callback to a defined IP. Even though I have this connect back with a reverse shell, you could edit this to have it execute anything on the infected system when the special payload is received.
Features:
💾Runtime process renaming
💾No listening ports
💾Written in Go, so almost all AV's will never pick this up
If this payload is found, it will then initiate a callback to a defined IP. Even though I have this connect back with a reverse shell, you could edit this to have it execute anything on the infected system when the special payload is received.
Features:
💾Runtime process renaming
💾No listening ports
💾Written in Go, so almost all AV's will never pick this up
👻2👍1
#exploit
1. CVE-2022-28672:
Foxit PDF Reader - UaF RCE Exploit
https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672
]-> https://github.com/hacksysteam/CVE-2022-28672
2. CVE-2022-45451:
Acronis Cyber Protect/Home Cyber Protect - Arbitrary File Read
https://github.com/alfarom256/CVE-2022-45451
1. CVE-2022-28672:
Foxit PDF Reader - UaF RCE Exploit
https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672
]-> https://github.com/hacksysteam/CVE-2022-28672
2. CVE-2022-45451:
Acronis Cyber Protect/Home Cyber Protect - Arbitrary File Read
https://github.com/alfarom256/CVE-2022-45451
#Offensive_security
1. How to Detect Malicious OAuth Device Code Phishing in M365
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
2. It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
1. How to Detect Malicious OAuth Device Code Phishing in M365
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
2. It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
👻2👌1
Traffers.pdf
5.3 MB
#Malware_analysis
"Traffers: a deep dive into the information stealer ecosystem", 2022.
"Traffers: a deep dive into the information stealer ecosystem", 2022.
#Threat_Research
1. Unusual Cache Poisoning between Akamai and S3 buckets
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3
2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
https://hackerone.com/reports/1665156
1. Unusual Cache Poisoning between Akamai and S3 buckets
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3
2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
https://hackerone.com/reports/1665156
AISY.pdf
727.7 KB
#Research
BlackHat Asia 2022:
"AISY - Deep Learning-based Framework for Side-channel Analysis".
]-> Repo: https://github.com/AISyLab/AISY_Framework
BlackHat Asia 2022:
"AISY - Deep Learning-based Framework for Side-channel Analysis".
]-> Repo: https://github.com/AISyLab/AISY_Framework
#Blue_Team_Techniques
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
Spamworld.php
24.1 KB
New mini shell :)
⚠️ Bypass All waf
📌 Non Encoded :::)))
⚠️ Bypass All waf
📌 Non Encoded :::)))
linux_injector.zip
5.5 KB
💉linux_injector is a simple ptrace-less shared library injector for x64 Linux(Most Linuxes that use glibc should be supported).
For control flow hijacking, this program needs a hijacking candidate. The code presented here uses malloc(), this can be changed by editing FUN_NAME and recompiling. Make sure the hooked function can run under 100ms, so that it won't be overwritten while it executes. This means calls like sleep or wait are bad candidates for the initial shellcode. The function in question also needs to be more than 0x50 long for the shellcode not to overwrite other functions.
Usage:
linux_injector <pid> <module>
Where pid is target process id & module is a module to inject, will be dlopened in the remote process
⚠️The code expects that the target uses the same libc as available to us. If it does not, then the remote symbols won't be found. This could be fixed by reading the remote libraries and scanning for our symbols in them.
For control flow hijacking, this program needs a hijacking candidate. The code presented here uses malloc(), this can be changed by editing FUN_NAME and recompiling. Make sure the hooked function can run under 100ms, so that it won't be overwritten while it executes. This means calls like sleep or wait are bad candidates for the initial shellcode. The function in question also needs to be more than 0x50 long for the shellcode not to overwrite other functions.
Usage:
linux_injector <pid> <module>
Where pid is target process id & module is a module to inject, will be dlopened in the remote process
⚠️The code expects that the target uses the same libc as available to us. If it does not, then the remote symbols won't be found. This could be fixed by reading the remote libraries and scanning for our symbols in them.
Forwarded from CYBER TRICKS ZONE 🇮🇳🚩 (𝙋𝙧𝙤𝙩𝙤𝙘𝙤𝙡 𝙉𝙞𝙘𝙠)
Linux Hacking Tools
Nessus– this tool can be used for Ubuntu hack, scan configuration settings, patches, and networks etc. it can be found at https://www.tenable.com/products/nessus
NMap. This tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at https://nmap.org/
SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS etc. it can be found at http://www-arc.com/sara/sara.html
The above list is not exhaustive; it gives you an idea of the tools available for Ubuntu hacking and hacking Linux systems.
Nessus– this tool can be used for Ubuntu hack, scan configuration settings, patches, and networks etc. it can be found at https://www.tenable.com/products/nessus
NMap. This tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at https://nmap.org/
SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS etc. it can be found at http://www-arc.com/sara/sara.html
The above list is not exhaustive; it gives you an idea of the tools available for Ubuntu hacking and hacking Linux systems.
Tenable®
Nessus Vulnerability Scanner: Network Security Solution
Find out more about Nessus - the trusted gold standard for vulnerability assessment, designed for modern attack surfaces - used by thousands of organizations.
#Malware_analysis
1. VidarStealer analysis
https://github.com/m4now4r/VidarStealer
2. Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC/Cobalt Strike
https://isc.sans.edu/diary/Monster+Libra+TA551Shathak+pushes+IcedID+Bokbot+with+Dark+VNC+and+Cobalt+Strike/28934
1. VidarStealer analysis
https://github.com/m4now4r/VidarStealer
2. Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC/Cobalt Strike
https://isc.sans.edu/diary/Monster+Libra+TA551Shathak+pushes+IcedID+Bokbot+with+Dark+VNC+and+Cobalt+Strike/28934
GitHub
GitHub - m4now4r/VidarStealer: Notes some analysis related to VidarStealer sample
Notes some analysis related to VidarStealer sample - m4now4r/VidarStealer