🔥Linux Kernel: Exploiting a Netfilter UAF in kmalloc-cg
We describe a method to exploit a UAF in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
We describe a method to exploit a UAF in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
❤2
💥In-Memory Execution in macOS: the Old and the New
As part of our work, it’s often interesting to try to find possible avenues of attack that bypass detections on EDR products. On macOS, EDR products specifically collect telemetry from fork and exec syscalls. macOS has alternative ways of executing code, which side-step these system calls by executing code directly in-memory.
In this writeup, we touch on all 3 aforementioned APIs and then create a PoC loader which uses NSCreateObjectFileImageFromFile and CFBundleCreate to load a bundle from disk and execute it.
As part of our work, it’s often interesting to try to find possible avenues of attack that bypass detections on EDR products. On macOS, EDR products specifically collect telemetry from fork and exec syscalls. macOS has alternative ways of executing code, which side-step these system calls by executing code directly in-memory.
In this writeup, we touch on all 3 aforementioned APIs and then create a PoC loader which uses NSCreateObjectFileImageFromFile and CFBundleCreate to load a bundle from disk and execute it.
|FORCEDENTRY, ты тут?|
🕵️♂️Думаю, что многие не забыли про сделавший много шума год назад data-only 0-click RCE сплойт FORCEDENTRY(CVE-2021-30860, integer overflow в JBIG2 реализации для xpdf в Apple (JBIG2Stream::readTextRegionSeg(), посредством программирования JBIG2 weird machine в парсере), что относится к CoreGraphics по сути) через iMessage от NSO Group. То есть прилетает тебе PDF файл, который якобы ".gif" и за счет того, что IMTranscoderAgent анализировал как раз такого рода самозванцев за пределами BlastDoor песочницы, израильтяне могли достичь SBX. В действительности эксплуатация была намного сложнее и можно почитать подробнее: на канале, тут и тут.
Причем исследователи из Google Project Zero не смогли установить точный след после IMTranscoderAgent SBX и как предположение выдвинули несколько сценариев эксплуатации:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
Проблема для безопасников и по сей день стоит в том, что в публичном доступе до сих пор нет сэмплов(отсюда можем сделать вывод, что стандартными методами детектить не выйдет). В этом посте Мэтта помимо разбора атаки идет речь и о детектировании без испльзования регулярок или проверок имени процесса, в конечном итоге был представлен инструмент(ELEGANTBOUNCER) для анализа файлов non-fileless(data-only) атаки, причем не основываясь на сэмплах.
🔖Более подробно можно почитать в статье Мэтта.
🕵️♂️I think that many have not forgotten about the FORCEDENTRY exploit that made a lot of noise a year ago (CVE-2021-30860, integer overflow in the JBIG2 implementation for xpdf in Apple (JBIG2Stream::readTextRegionSeg(), by programming the JBIG2 weird machine in the parser), which refers to CoreGraphics in fact) via iMessage from NSO Group. That is, a PDF file arrives to you, which is allegedly ".gif" and due to the fact that IMTranscoderAgent analyzed just such impostors outside the BlastDoor sandbox, the Israelis could achieve SBX. In fact, the operation was much more complicated and you can read more: a on the channel, here and here.
Moreover, researchers from Google Project Zero were unable to establish an exact trace after IMTranscoderAgent SBX and, as an assumption, put forward several operating scenarios:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
The problem for security guards to this day is that there are still no samples in the public domain (from here we can conclude that it will not be possible to detect using standard methods). In this post by Matt, in addition to analyzing the attack, we are talking about detecting without using regular expressions or checking the process name, eventually a tool for analyzing non-fileless(data-only) attack files was introduced, and not based on samples(ELEGANTBOUNCER).
🔖You can read more in Matt's article.
#NSO #PegasusSpyware #FORCEDENTRY #iOS #iMessage #forensics #security #expoitation #sbx #xpdf #weirdMachine #JBIG2
🕵️♂️Думаю, что многие не забыли про сделавший много шума год назад data-only 0-click RCE сплойт FORCEDENTRY(CVE-2021-30860, integer overflow в JBIG2 реализации для xpdf в Apple (JBIG2Stream::readTextRegionSeg(), посредством программирования JBIG2 weird machine в парсере), что относится к CoreGraphics по сути) через iMessage от NSO Group. То есть прилетает тебе PDF файл, который якобы ".gif" и за счет того, что IMTranscoderAgent анализировал как раз такого рода самозванцев за пределами BlastDoor песочницы, израильтяне могли достичь SBX. В действительности эксплуатация была намного сложнее и можно почитать подробнее: на канале, тут и тут.
Причем исследователи из Google Project Zero не смогли установить точный след после IMTranscoderAgent SBX и как предположение выдвинули несколько сценариев эксплуатации:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
Проблема для безопасников и по сей день стоит в том, что в публичном доступе до сих пор нет сэмплов(отсюда можем сделать вывод, что стандартными методами детектить не выйдет). В этом посте Мэтта помимо разбора атаки идет речь и о детектировании без испльзования регулярок или проверок имени процесса, в конечном итоге был представлен инструмент(ELEGANTBOUNCER) для анализа файлов non-fileless(data-only) атаки, причем не основываясь на сэмплах.
🔖Более подробно можно почитать в статье Мэтта.
🕵️♂️I think that many have not forgotten about the FORCEDENTRY exploit that made a lot of noise a year ago (CVE-2021-30860, integer overflow in the JBIG2 implementation for xpdf in Apple (JBIG2Stream::readTextRegionSeg(), by programming the JBIG2 weird machine in the parser), which refers to CoreGraphics in fact) via iMessage from NSO Group. That is, a PDF file arrives to you, which is allegedly ".gif" and due to the fact that IMTranscoderAgent analyzed just such impostors outside the BlastDoor sandbox, the Israelis could achieve SBX. In fact, the operation was much more complicated and you can read more: a on the channel, here and here.
Moreover, researchers from Google Project Zero were unable to establish an exact trace after IMTranscoderAgent SBX and, as an assumption, put forward several operating scenarios:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
The problem for security guards to this day is that there are still no samples in the public domain (from here we can conclude that it will not be possible to detect using standard methods). In this post by Matt, in addition to analyzing the attack, we are talking about detecting without using regular expressions or checking the process name, eventually a tool for analyzing non-fileless(data-only) attack files was introduced, and not based on samples(ELEGANTBOUNCER).
🔖You can read more in Matt's article.
#NSO #PegasusSpyware #FORCEDENTRY #iOS #iMessage #forensics #security #expoitation #sbx #xpdf #weirdMachine #JBIG2
Magnet Forensics
FORCEDENTRY: Detecting the Exploit With No Samples
This is a deep dive into the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and how to detect it with root cause analysis.
CVE-2020-6418-exploit.js
3.9 KB
🔥Deconstructing and Exploiting CVE-2020-6418 (exploit here)
This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, Daniel Toh Jing En will give a step-by-step analysis of the vulnerability, from the root cause to exploitation.
This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, Daniel Toh Jing En will give a step-by-step analysis of the vulnerability, from the root cause to exploitation.
exploit.c
5.7 KB
|CVE-2022-2602 Kernel Exploit|
🔥The vulnerability is an UAF that impacts the registered file descriptor functionality in the io_uring subsystem. It's possible to register a file in the io_uring context, free it from the Unix Garbage Collector(GC) and re-use it with the requested io_uring operation (for example, a writev operation). To exploit the bug, it was a matter of replace the freed file structure with a read-only file (e.g. /etc/passwd), in order to write into it, and achieve a good timing with a small race window.
🔥The vulnerability is an UAF that impacts the registered file descriptor functionality in the io_uring subsystem. It's possible to register a file in the io_uring context, free it from the Unix Garbage Collector(GC) and re-use it with the requested io_uring operation (for example, a writev operation). To exploit the bug, it was a matter of replace the freed file structure with a read-only file (e.g. /etc/passwd), in order to write into it, and achieve a good timing with a small race window.
poc_userfaultfd.c
4.1 KB
🔥CVE-2022-2602 Exploit using userfaultfd technique
poc_inode_locking.c
5 KB
🔥CVE-2022-2602 Exploit using inode locking technique.
📕DirtyCred: Escalating Privilege in Linux Kernel
🔖Blog posts:
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF
📕DirtyCred: Escalating Privilege in Linux Kernel
🔖Blog posts:
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF
👍1
💥Home Grown Red Team: Let’s Make Some Malware In C:
Part 3
This post is going to be all about the dll!
Part 3
This post is going to be all about the dll!
💥OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.
After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.
CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.
After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.
#Analytics
Top 10 most exploited vulnerabilities in 2022
1. CVE-2022-30190: MS Office "Follina"
2. CVE-2021-44228: Apache Log4Shell
3. CVE-2022-22965: Spring4Shell
4. CVE-2022-1388: F5 BIG-IP
5. CVE-2022-0609: Google Chrome zero-day
https://blog.google/threat-analysis-group/countering-threats-north-korea
6. CVE-2017-11882: Old but not forgotten - MS Office bug
7. CVE-2022-41082, CVE-2022-41040: ProxyNotShell
8. CVE-2022-27925, CVE-2022-41352: Zimbra Collaboration Suite bugs
9. CVE-2022-26134: Atlassian Confluence RCE flaw
10. CVE-2022-30525: Zyxel RCE vulnerability
Top 10 most exploited vulnerabilities in 2022
1. CVE-2022-30190: MS Office "Follina"
2. CVE-2021-44228: Apache Log4Shell
3. CVE-2022-22965: Spring4Shell
4. CVE-2022-1388: F5 BIG-IP
5. CVE-2022-0609: Google Chrome zero-day
https://blog.google/threat-analysis-group/countering-threats-north-korea
6. CVE-2017-11882: Old but not forgotten - MS Office bug
7. CVE-2022-41082, CVE-2022-41040: ProxyNotShell
8. CVE-2022-27925, CVE-2022-41352: Zimbra Collaboration Suite bugs
9. CVE-2022-26134: Atlassian Confluence RCE flaw
10. CVE-2022-30525: Zyxel RCE vulnerability
Google
Countering threats from North Korea
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.