Not much happens at the beginning of the year, but we still managed to collect a digest of the loudest and coolest news.
- Vulnerabilities: the Zyxel fail, a cool bug in Google Docs and a new side-channel attack, plus a recommendation to patch Nvidia drivers;
- Tools: offensive stuff only;
- News: Julian Assange, WhatsApp handing your data straight to Facebook, and malware/hacking;
- Research: high-quality reports from bug hunters, red team materials and a Sysinternals update.
Really short feedback -> here
Nvidia has released a security update for its graphics drivers fixing 16 vulnerabilities, several rated high severity. They include data tampering, denial of service and privilege escalation, but no RCE. Be careful, patch it!
More than 100 thousand Zyxel devices (firewalls, VPN gateways, etc.) ship with a backdoor: a hardcoded login and password for remote admin access. The username is zyfwp and the password is “PrOw! AN_fXp”. An unauthenticated remote attacker can log in to a vulnerable device over SSH or the web interface with these hard-coded credentials and obtain administrator privileges.
A cool bug in Google Docs allowed viewing other people’s private documents by intercepting screenshots. The researcher earned $3,133.70 through the bug bounty program for the finding: Google’s feedback tool could be abused to steal sensitive information.
The researcher explains that when a screenshot of the Google Docs window is attached, rendering the image requires passing the RGB values of each pixel to google.com, which forwards those values to the feedback domain, which in turn builds an image and returns it as Base64. The bug was in the way these messages are sent to feedback.googleusercontent.com: it made it possible to modify the frame, redirect its content to an arbitrary external site, and so steal or intercept screenshots that were meant to be uploaded to Google servers.
Security researchers at NinjaLab have developed a new side-channel attack, CVE-2021-3011, to clone ECDSA keys stored in USB tokens based on NXP chips. The attack was demonstrated against Google Titan two-factor authentication tokens built on the NXP A700X chip, but in theory it applies to Yubico and Feitian crypto tokens that use the same chip.
A Linux post-exploitation framework made by a Linux user. Try it out! Full info:
It is a local privilege escalation exploit that escalates from a service account (one holding SeImpersonatePrivilege) to the Local System account when the WinRM service is not running.
It is a command-line utility that injects code into ELF executables and hooks their entry point. It takes an unmodified ELF executable as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.
An OSINT (Open Source Intelligence) tool that gathers data from services like Shodan, Censys, etc. in one place.
On January 4, 2021, a London judge rejected the U.S. request for the extradition of Wikileaks founder Julian Assange. The decision can be appealed by the U.S. side’s lawyers. The judge said the extradition request was rejected over concerns about Assange’s mental health.
On February 8, 2021, new Terms of Service come into force for the WhatsApp messenger. From that day, users must either agree to the transfer of their data to Facebook or lose their account.
Kawasaki Heavy Industries has reported a security incident that could have led to a leak of sensitive data.
On June 11, an internal audit revealed that unidentified hackers had compromised the company’s Thailand office network and gained access to one of its internal servers in Japan. Further investigation over the following month revealed that the networks of three more overseas Kawasaki offices, in the Philippines, Indonesia and the United States, had also been compromised.
Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
20% of Django websites are vulnerable to click-jacking, JS code execution and CSRF
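The three bug classes named above map to a handful of Django settings and middleware that are easy to strip out of a project. The following audit function is an added example, not code from the original digest or the linked research; it checks a settings dict for the standard Django middleware and settings behind those protections, and runs over two constructed settings dicts, a weak one and a hardened one.

```python
"""Audit a Django settings dict for the gaps behind click-jacking
(no X-Frame-Options), CSRF (no token check) and script injection
(autoescaping switched off). Added example; the two settings dicts
below are constructed, not taken from any real project."""

# Standard Django middleware whose absence leaves a known gap. The class
# names are Django's own; the risk text is ours.
REQUIRED_MIDDLEWARE = {
    "django.middleware.security.SecurityMiddleware":
        "no security headers (X-Content-Type-Options, HSTS)",
    "django.middleware.csrf.CsrfViewMiddleware":
        "CSRF: state-changing POSTs are accepted without a token",
    "django.middleware.clickjacking.XFrameOptionsMiddleware":
        "click-jacking: responses can be framed by any site",
}


def audit_settings(settings: dict) -> list[str]:
    """Return one finding per weak or missing setting (empty list = clean)."""
    findings = []
    middleware = settings.get("MIDDLEWARE", [])
    for name, risk in REQUIRED_MIDDLEWARE.items():
        if name not in middleware:
            findings.append(f"missing {name}: {risk}")

    # Django's default for X_FRAME_OPTIONS is DENY; anything else is a downgrade.
    xfo = str(settings.get("X_FRAME_OPTIONS", "DENY")).upper()
    if xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append(f"X_FRAME_OPTIONS={xfo!r}: framing is not restricted")

    # Template autoescaping is the primary XSS control: switching it off
    # renders every template variable as raw HTML/JS.
    for tpl in settings.get("TEMPLATES", []):
        if tpl.get("OPTIONS", {}).get("autoescape") is False:
            findings.append("TEMPLATES autoescape=False: script injection "
                            "through any unescaped variable")

    if settings.get("DEBUG"):
        findings.append("DEBUG=True: tracebacks and settings are shown to visitors")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS contains '*': Host header is not validated")
    return findings


# Constructed: a deployment with the protective middleware stripped out.
WEAK_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "MIDDLEWARE": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
    ],
    "X_FRAME_OPTIONS": "ALLOWALL",
    "TEMPLATES": [{"BACKEND": "django.template.backends.django.DjangoTemplates",
                   "OPTIONS": {"autoescape": False}}],
}

# Constructed: the same project with the defaults restored.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ],
    "X_FRAME_OPTIONS": "DENY",
    "TEMPLATES": [{"BACKEND": "django.template.backends.django.DjangoTemplates",
                   "OPTIONS": {}}],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        result = audit_settings(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The check deliberately looks at the settings object rather than live HTTP responses, so it can run in CI against `settings.py` before a deploy; a response-header check (X-Frame-Options, X-Content-Type-Options, the csrftoken cookie) is the natural complement once the site is up.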
Sometimes you have to do “post-exploitation” and show the obvious things.
Customizing C2 Frameworks for AV-Evasion: https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks
The C2 Matrix: the goal of this site is to point you to the C2 framework that best fits your adversary emulation plan and target environment. Look through the matrix or use the questionnaire to find the one that fits your needs.
New process tampering detection in the Sysinternals update (https://docs.microsoft.com/en-us/sysinternals): the check for a process whose “mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access” should be really useful for spotting process hollowing.