News

• Summary: MTE As Implemented. Good series from Project Zero on ARM's new memory tagging extension coming to v9 chips. TLDR: memory exploitation is getting harder. However, just like pointer authentication in iOS/macOS, exploitation is of course still possible.
• Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards. Maybe they should have spent more? Microsoft... The Truth Is Even Worse Than You Think.
• CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability. Who needs ARM MTE when you can just browse to a link and get access to all the endpoints of an organization.
• Hackers exploit BleedingPipe RCE to target Minecraft servers, players. With huge user bases, games are becoming real targets for hackers.
• Your new best friend: Introducing BloodHound Community Edition. "On August 8, 2023, BloodHound CE will be made available in its entirety." Hyped!

Techniques and Write-ups

• Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform. Sam Curry doesn't miss - great web app hacking content.
• Analysis and Exploitation of CVE-2023-3519. The Citrix ADC RCE (exploit here) is possible because exploit mitigation from 1997 (stack canaries) are not present on network edge devices. Forget about ARM memory tagging, let's just do some basics.
• Breaking Fortinet Firmware Encryption. Some great cryptanalysis to decrypt firmware images. This feels like a CTF challenge in real life.
• Blindsiding auditd for Fun and Profit. Very legit post-ex Linux tools and great explanation.
• Attacking an EDR - Part 1. What if you found an allowlisted process and spawned it suspended and then injected. Turns out, it works!
• Universal and Transferable Adversarial Attacks on Aligned Language Models. Automated attacks on LLMs.
• Challenges In Post-Exploitation Workflows. My body is ready. Inject Nemesis (currently 404s) into my veins. Man I hope this delivers, but the gang at Specter Ops has a great track record.
• “PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing Facebook Accounts In-The-Wild. Any system that can send email will be used for phishing.
• Hook, Line, and Phishlet: Conquering AD FS with Evilginx. The EvilNginx hype continues. Phishing ADFS in your next assessment? This one's for you.
• [PDF] Evading EDR Chapter 6. One chapter of Matt Hand’s upcoming book is available now. It’s also open for early access, and rumor has it this blog gets a mention!
• [PDF] The LOLBAS Odyssey: Finding New LOLBAS, and How You Can, Too. We love LOLBAS and this paper proposes and interesting automation framework for finding them.
• What To Expect When You're “Expecting" — Purple Team Edition. A lot of talks recently about the different types of purple team engagements, the value of purple teaming, etc. Nice to see Cedric dropping some wisdom for us on execution of a purple team.
• Abusing app role assignment actions in Entra ID. This blog provides some insight into the potential security risks and implications associated with the new action in the Entra ID role. Who else is monitoring these changes? 🤔
• Guarding the Bridge: New Attack Vectors in Azure AD Connect. MITM or ADCS + Azure AD Connect can lead to NT hashes. Good summary from some existing work on attacking Azure AD Connect.

Tools and Exploits

• daphne - Proof-of-Concept to evade auditd by tampering via ptrace.
• apollon - Proof-of-Concept to evade auditd by writing /proc/PID/mem.
• web-check - 🌐 All-in-one OSINT tool for analyzing any website.
• grove - A Software as a Service (SaaS) log collection framework from Hashicorp.
• EmailFlare - Send emails from your domain through Cloudflare for free. Self host on your account.
• ACCD - Active C&C Detector. Includes a deck on how it works.
• RogueSliver - A suite of tools to disrupt campaigns using the Sliver C2 framework.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• CVE-2023-28130 - Command Injection in Check Point Gaia Portal. Seems rough for a firewall vendor to get RCE'd. Again. At least its authenticated this time?
• semgrep-rules-manager - Manager of third-party sources of Semgrep rules 🗂.
• Night_Walker
• Pywerview - A (partial) Python rewriting of PowerSploit's PowerView for when you’re proxing your traffic or operating from a linux device.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.