Hardcoded account in Zyxel, WhatsApp user data → Facebook, and news about Julian Assange

At the beginning of the year there is not much news, but we managed to put together a digest of the loudest and coolest items.

  • Vulnerabilities: Zyxel fail, a cool bug in Google Docs and a new side-channel attack, plus it's recommended to patch Nvidia drivers;
  • Tools: Offensive stuff only;
  • News: Julian Assange, WhatsApp transfers your data directly to Facebook, and malware/hacking;
  • Research: High-quality reports from bug hunters, red team materials and an update for Sysinternals.

Really short feedback -> here


Vulnerabilities

Nvidia has released a security update for its graphics drivers fixing 16 vulnerabilities rated high severity. They include data tampering, denial of service and privilege escalation, but no RCE. Be careful, patch it!

https://vulners.com/nvidia/NVIDIA:5142

CVE-2020-29583

More than 100 thousand Zyxel devices (firewalls, VPN gateways, etc.) ended up with a backdoor: the firmware contains a hardcoded login and password for remote admin access, login zyfwp and password "PrOw! AN_fXp". An unauthenticated remote attacker could use these hard-coded credentials to log in over SSH or the web interface and gain administrator privileges.

https://vulners.com/attackerkb/AKB:6B0BC493-ED21-4ADD-9DA2-FEF5F1292C4E

A cool bug in Google Docs allowed viewing other people's private documents by intercepting screenshots. The researcher earned $3,133.70 through the bug bounty program for the finding: Google's feedback tool could be abused to steal sensitive information.

The researcher explains that when a screenshot of the Google Docs window is attached to feedback, rendering the image requires passing the RGB values of each pixel to google.com, which forwards them to the feedback domain; that domain builds the image and returns it as Base64. The bug was in the way these messages are sent to feedback.googleusercontent.com: it made it possible to modify the frame and direct its content to an arbitrary external site, stealing or intercepting screenshots intended for upload to Google's servers.

https://vulners.com/thn/THN:5905DFC1A1111074AC19AD43B7D79855
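The digest does not name the messaging channel; the added example below (not from the original post or from Google) assumes it is window.postMessage, the standard way a page talks to an embedded iframe, and simulates the browser's delivery rule in plain Node so it can run offline. It shows why the sending page must pin the frame's expected origin instead of trusting wherever the frame currently points, and why the receiver must check event.origin.

```javascript
// Added example, not code from the original digest or from Google.
// Assumed channel: window.postMessage between the document page and the
// feedback renderer frame; the browser delivery rule is simulated here.

const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";
const DOCS_ORIGIN = "https://docs.google.com";

// Constructed sample: one tiny "screenshot" as a list of RGB pixel values.
const sampleScreenshot = [[255, 255, 255], [0, 0, 0], [34, 139, 34]];

// Minimal stand-in for an iframe: only the origin its src currently points to.
function makeFrame(origin) {
  return { origin, inbox: [] };
}

// Simulated postMessage: the browser delivers a message only when the
// caller's targetOrigin is "*" or exactly matches the frame's real origin.
function postMessage(frame, data, targetOrigin) {
  if (targetOrigin === "*" || targetOrigin === frame.origin) {
    frame.inbox.push({ data });
    return true; // delivered
  }
  return false; // silently dropped by the browser
}

// Weak sender: wildcard target. If the frame's src has been repointed to an
// external site, the pixel data leaves with it.
function sendScreenshotWildcard(frame, pixels) {
  return postMessage(frame, { type: "screenshot", pixels }, "*");
}

// Hardened sender: pin the expected origin; a repointed frame gets nothing.
function sendScreenshotPinned(frame, pixels) {
  return postMessage(frame, { type: "screenshot", pixels }, FEEDBACK_ORIGIN);
}

// Receiver side in the renderer frame: accept only messages from the origin
// that is supposed to feed it, then "render" the image (stand-in: Base64 of
// the pixel list, mirroring the Base64 response described in the write-up).
function handleFeedbackMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) return null; // reject, do not render
  return Buffer.from(JSON.stringify(event.data.pixels)).toString("base64");
}
```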

Security researchers at NinjaLab have developed a new side-channel attack CVE-2021-3011 to clone ECDSA keys stored in USB tokens based on NXP chips. The attack was demonstrated for Google Titan two-factor authentication tokens based on the NXP A700X chip, but theoretically applies to Yubico and Feitian crypto tokens using the same chip.

https://vulners.com/thn/THN:950615F0205C84B3CD3CD174A078700C


Tools

Emp3R0R
A Linux post-exploitation framework made by a Linux user. Try it out! Full info:
https://vulners.com/kitploit/KITPLOIT:3275186406797911565

RogueWinRM
A local privilege escalation exploit that allows escalating from a service account (with SeImpersonatePrivilege) to the Local System account if the WinRM service is not running.

https://vulners.com/kitploit/KITPLOIT:8514441941597848387

Drow
A command-line utility used to inject code and hook the entry point of ELF executables. It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.

https://vulners.com/kitploit/KITPLOIT:1687481440228117951

Sarenka
An OSINT (Open Source Intelligence) tool that collects data from services like Shodan, Censys, etc. in one place.

https://vulners.com/kitploit/KITPLOIT:491559930238488010


News

On January 4, 2021, a London judge rejected the U.S. request for the extradition of WikiLeaks founder Julian Assange. The decision can be appealed by the U.S. side's lawyers. The request was rejected over concerns about Assange's mental health, the judge said.

https://vulners.com/hackread/HACKREAD:EDF1861D0D663EDE3A99607471E51E49

On February 8, 2021, new Terms of Service come into force for the WhatsApp messenger. From that day the user must either agree to the transfer of data to Facebook or be left without an account.

In a previous update, WhatsApp gave users the option to "not provide Facebook with your WhatsApp account information." In the latest update, WhatsApp dropped this option and users will have to accept the new terms and privacy policy if they want to continue using the messenger.

https://vulners.com/threatpost/THREATPOST:2F373FFFFB58CB8CDF4224CF73DD38FF

Kawasaki Heavy Industries has reported a security incident that could have led to a leak of sensitive data.

On June 11, an internal audit revealed that unidentified hackers had compromised the company's Thailand office network and gained access to one of their internal servers in Japan. Further investigation within a month revealed the compromise of the networks of three more overseas Kawasaki offices - in the Philippines, Indonesia and the United States.

https://vulners.com/threatpost/THREATPOST:C3AA314C117D9538E5F3A0C1B900B6AD


Research

Awesome-CobaltStrike: https://github.com/zer0yu/Awesome-CobaltStrike
Awesome-CobaltStrike-Defence: https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence

Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams

20% of Django websites are vulnerable to clickjacking, JS code execution and CSRF
https://dev.to/djangodoctor/20-of-django-websites-are-vulnerable-to-these-3-hacks-3fd1

Sometimes you have to do "post-exploitation" and show the obvious things.
https://medium.com/@valeriyshevchenko/10-000-for-a-vulnerability-that-doesnt-exist-9dbc63684e94

Customizing C2 Frameworks for AV-Evasion: https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks

The C2 Matrix - The goal of this site is to point you to the best C2 framework for your needs based on your adversary emulation plan and the target environment. Take a look at the matrix or use the questionnaire to determine which fits your needs.
https://www.thec2matrix.com/matrix

New tools for process tampering detection in the Sysinternals update: https://docs.microsoft.com/en-us/sysinternals. The check that the "mapped image of a process doesn't match the on-disk image file, or the image file is locked for exclusive access" should be really useful for spotting process hollowing.

