ITSEC Newsletter 2023-08-31

Red team is best team

"Code injection gets used for many purposes, sometimes legitimate, sometimes nefarious. But how do you actually go about injecting code? When most people hear code injection, they think of things like buffer overflow attacks and return-oriented programming. These rely on discovering vulnerabilities in some target program. What I often find more interesting are the ways that you can inject code into any process, regardless of security vulnerabilities."

"As I discussed in my Black Hat Asia talk, MSRC has de facto shown that they are unwilling to service admin-to-PPL and admin-to-kernel vulnerabilities and that it requires the existence of turnkey tooling on GitHub to motivate Microsoft to action. This led me to release the admin-to-PPL exploit PPLFault and admin-to-kernel exploit chain GodFault as easy-to-use tools on GitHub. For brevity, below we'll call them “PPL vulnerability” and “kernel vulnerability”, respectively."

"As many routers did not understand this attribute, this was no problem for them. They just took the information and propagated it along. However, it turned out that Juniper routers running even slightly modern software did understand this attribute, and since the attribute was corrupted the software in its default configuration would respond by raising an error that would shut down the whole BGP session. Since a BGP session is often a critical part of being “connected” to the wider internet, this resulted in the small Brazilian network disrupting other networks’ ability to communicate with the rest of the internet, despite being thousands of miles away."
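The failure mode in that last excerpt, a single corrupted path attribute taking down an entire BGP session, comes down to the error policy the receiving speaker applies. The following is an added example, not code from the article quoted above or from any router vendor: a small parser for the Path Attributes field of a BGP UPDATE (layout per RFC 4271) run under two policies, the legacy "any error resets the session" behaviour and the RFC 7606 "treat-as-withdraw" behaviour, which drops only the affected route. The byte strings, the policy names, and the unrecognised attribute type code 240 are all constructed for the example; AS_PATH contents are not validated.

```python
"""
Constructed example (added here; not code from the article quoted above):
how a BGP speaker's error policy decides whether one malformed path
attribute resets the whole session or only drops the affected route.
Attribute layout follows RFC 4271; the two policies model the pre-RFC 7606
"session reset" behaviour and the RFC 7606 "treat-as-withdraw" behaviour.
Standard library only; every byte string below is constructed.
"""
import struct

# Well-known mandatory attribute type codes (RFC 4271)
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3

# Attribute flag bits (high-order bits of the flags octet)
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10


class SessionReset(Exception):
    """The speaker would send a NOTIFICATION and tear down the BGP session."""


def parse_attributes(data: bytes) -> list:
    """Parse the Path Attributes field of an UPDATE into (flags, code, value) tuples.

    Raises ValueError on the length errors this example checks for; AS_PATH
    contents are not validated here.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated attribute header")
        flags, code = data[pos], data[pos + 1]
        pos += 2
        if flags & FLAG_EXT_LEN:            # two-octet length field
            if len(data) - pos < 2:
                raise ValueError(f"attribute {code}: truncated extended length")
            (length,) = struct.unpack_from("!H", data, pos)
            pos += 2
        else:                               # one-octet length field
            length = data[pos]
            pos += 1
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"attribute {code}: declared length {length} exceeds payload")
        pos += length
        if code == NEXT_HOP and length != 4:
            raise ValueError(f"NEXT_HOP length {length}, expected 4")
        if code == ORIGIN and length != 1:
            raise ValueError(f"ORIGIN length {length}, expected 1")
        attrs.append((flags, code, value))
    return attrs


def handle_update(data: bytes, policy: str) -> tuple:
    """Apply an error-handling policy to one UPDATE's path attributes.

    policy="reset":             any parse error resets the session (RFC 4271 default).
    policy="treat-as-withdraw": the route is withdrawn, the session survives (RFC 7606).
    Returns ("accept", attrs) or ("withdraw", reason).
    """
    try:
        attrs = parse_attributes(data)
    except ValueError as exc:
        if policy == "reset":
            raise SessionReset(str(exc)) from exc
        return ("withdraw", str(exc))
    return ("accept", attrs)


def session_survives(data: bytes, policy: str) -> bool:
    """True if processing this UPDATE under the policy leaves the session up."""
    try:
        handle_update(data, policy)
        return True
    except SessionReset:
        return False


def encode_attr(flags: int, code: int, value: bytes) -> bytes:
    """Encode one path attribute with a one-octet length (values here are short)."""
    return bytes([flags, code, len(value)]) + value


# Constructed UPDATE payloads. Type code 240 stands in for an attribute this
# speaker does not recognise; it is optional+transitive with the partial bit
# set, so a conforming speaker keeps it and passes it along unchanged.
UNKNOWN_CODE = 240
GOOD_UPDATE = (
    encode_attr(FLAG_TRANSITIVE, ORIGIN, b"\x00")                      # ORIGIN = IGP
    + encode_attr(FLAG_TRANSITIVE, AS_PATH, b"\x02\x01\xfd\xe8")        # AS_SEQUENCE, 1 ASN: 65000
    + encode_attr(FLAG_TRANSITIVE, NEXT_HOP, bytes([192, 0, 2, 1]))     # 192.0.2.1 (documentation range)
    + encode_attr(FLAG_OPTIONAL | FLAG_TRANSITIVE | FLAG_PARTIAL, UNKNOWN_CODE, b"\xde\xad")
)
# Same UPDATE, but NEXT_HOP arrives with a three-octet value: a corrupted well-known attribute.
BAD_UPDATE = GOOD_UPDATE.replace(
    encode_attr(FLAG_TRANSITIVE, NEXT_HOP, bytes([192, 0, 2, 1])),
    encode_attr(FLAG_TRANSITIVE, NEXT_HOP, bytes([192, 0, 2])),
)

if __name__ == "__main__":
    for policy in ("reset", "treat-as-withdraw"):
        print(policy, "good update ->", handle_update(GOOD_UPDATE, policy)[0])
        print(policy, "corrupted update -> session survives:", session_survives(BAD_UPDATE, policy))
```

Under the "reset" policy the corrupted NEXT_HOP tears down the session, which is what the excerpt describes happening on the Juniper side; under "treat-as-withdraw" the same UPDATE costs one route and nothing else, while the unrecognised optional transitive attribute is retained and propagated in both cases. From a defender's side, the check worth making on production routers is which of these two behaviours the installed software and configuration actually apply to malformed attributes, since the blast radius of a single bad announcement differs by orders of magnitude.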