May 2024 [April showers bring May Privilege Escalation Vulns]

Episode 7. Published May 14, 2024. 21 minute watch.

Summary

In this podcast, the hosts discuss the recent Patch Tuesday updates and vulnerabilities, focusing on privilege escalation and memory safety issues. They highlight the importance of these vulnerabilities in user-driven compromises and the need for exploit chaining. The conversation also touches on the release of updates by Apple and the increasing scrutiny on macOS security. Overall, the hosts emphasize the significance of continuous research and improvement in addressing these vulnerabilities.

Transcript

Tom Bowyer:  Hey everyone, happy May 14th. Cue that cheesy intro music. Yeah. This is going to be on YouTube.

Jason Kikta:  What he's going to do is he's going to catch us fooling around and like play all that. And then he'll start the music.

Tom Bowyer:  This is a serious show. We're straight shooters over here in security, you know. All business. Anyway, welcome to Fix Tuesday, Tuesday, May 14th.

Mat Lee: Yeah, he had to have the B-roll. Obviously.

Jason Kikta:  I see.

That's right, that's right. All business.

Tom Bowyer:  Patch Tuesday, we made it to May. It's been quite the interesting year so far, but you know, May is shaping up to be rather quiet, surprisingly, given how hot and heavy the year started with all the XZ stuff and a lot of the other stuff that's going on. The, I was, no, of course not.

Jason Kikta:  Everyone took a break for RSA. They were just like, you know what? No, no threat acting this week. I'm going to be on my best behavior while everyone's just hanging out in San Francisco and having a good time.

Tom Bowyer:  Yeah, there's a... Yeah. Exactly. The APTs take a break when they see RSA. They're a... problem. For sure they were.

Jason Kikta:  Yeah.

Mat Lee: Maybe they were at RSA too. They just took a break and went to RSA.

Jason Kikta:  I mean, some were.

So my old friends from NSA, does that count? Like, I mean, technically there are threat, you know, Cyber Command, there are threat actors there. Yeah. The friendly ones, you know, Brits are probably around. Yeah.

Tom Bowyer:  Kind of, I guess. Let's not talk about those years.

Mat Lee: Yeah, no comment and yeah, in case they're listening to us right now, it's not.

Tom Bowyer:  Yeah, blink twice if you're safe, Jason.

Mat Lee: Yeah.

Tom Bowyer:  But cool stuff coming out of RSA, right? Like the CISA stuff, the memory safety pledge I thought was rather cool. You know, I've always been a big fan of those kind of you sign your name on the form type pledges because it really makes it real for a lot of people. And, you know, I'm really, really happy to see the memory safety stuff in there. I know it's a big part of.

secure by design, but it's really cool to see the industry kind of take it a little bit more seriously than in years past. But yeah, Patch Tuesday. It's a pretty light one. There's a couple I think that really shine a light onto that memory safety issue in Windows, you know, CVE-2024-30033, which is a Windows Search Service elevation of privilege, which we all kind of thought was a very interesting attack vector. So just curious your thoughts, Mat, on if you pop a box, how you would approach these types of elevation of privileges.

Mat Lee: Yeah, I think that one's an interesting one because I guess in my head, you know, search has access. I mean, it indexes your whole system, right? And so it knows about every single file. And so I think that's a really interesting attack vector where, I know we were talking earlier, it's maybe a special cheat code you do, up, down, up, down, left, right, B, A in the search bar and you get root privileges. But I'd be really curious to see if there's any...

Tom Bowyer:  Hahaha

Jason Kikta:  I'm going to go ahead and close the video.

Mat Lee: PoCs for that come out because, yeah, that's just a kind of out of the box way. It's almost like the most obvious way you might want to do that, but it's interesting how that came about recently.

Tom Bowyer:  Yeah, I agree. I feel like just hitting that Windows key and then I assume they just mashed like a bunch of stuff in there, right? Like traditional overflow type attacks, you know, the patch notes are really light, but right. Like it's such a, like how would you weaponize that? You know, just, it's just one of those funny ones where you see in the patch notes, right?

Jason Kikta:  Well, I mean, you know, it's like anything. We tend to ooh and aah over, you know, RCE, right? Remote code execution is sort of the Holy Grail, because it just allows you to grab that brass ring and operate with a, you know,

fair degree of impunity. But, you know, even if you look at modern exploitation, actors are not shy about chaining together a number of vulnerabilities to do a single exploit. And so chaining together actual exploits is not a big deal, right? So if you're able to land on that box with user privilege, which is going to be the case,

Tom Bowyer:  Yeah.

Jason Kikta:  for a user driven compromise, either through phishing or watering hole attack or something similar. Okay, great. Now I've compromised Jason Kikta. I'm running in context as him, but to do what I really want to be able to do, I need to be an admin on this system. And so that's where your PrivEsc comes in. So will these get you...

owned by themselves? No, you know, you need something to do that, to get you that initial access, but it doesn't even have to be an exploit. Again, it can be, you know, straightforward user phishing. And, you know, that PrivEsc is where, you know, that's sort of the first step in the chain where you really need an exploit. You know, unless they're running as local admin, you're going to need that exploit.

So it's very helpful and it's helpful not just with that user, but maybe you're able to move over to a server within the network. Maybe the user isn't where you're interested in, whether you stay as the user on that endpoint system that you compromised or whether you privesc, you're going to move over to a server at some point. You're definitely going to want to PrivEsc there. And so having these things that will be running on Windows Server.

potentially are helpful as well. So these are valuable exploits to any actor.

Tom Bowyer:  Yeah, it reminds me a lot of the operation triangulation from a couple months ago where they had that five or six deep exploit chain. It started in the browser and then they overflowed some image readers on the Mac device and they changed it all the way through to get root on the host. These kinds of privilege escalation vulnerabilities are what...

Jason Kikta:  Yeah.

Tom Bowyer:  What I always think of nowadays is like those types of triangulation attacks or, you know, post-phish, post "I'm a user," how do I get to the system and how do I maintain persistence? And I think the next one, you know, CVE-2024-30018, plays along the same lines where it's in the Windows kernel itself. And it's funny because people don't, you know,

You think of a kernel, you always think of Linux land, right? And not a lot of people realize that, you know, Windows has its own kernel as well, and it runs a kernel underneath, and it's just as susceptible to these types of attacks. So yeah, I find all of these, and there's a ton in the notes, you know, the release notes. This Patch Tuesday's lots and lots of privilege vulnerabilities. So, you know, keep an eye on those.

Jason Kikta:  Yeah, every OS does.

Mat Lee: And I think, I think also, I mean, I think we can all agree that most attacks are user compromised these days, right? Like it's pretty hard to get RCE on systems. So I would say most attacks are going to users, phishing, spear phishing. And so I think that's why these are particularly interesting is you get the right user. You ask what the privilege is, and then depending on who it is, they could have access to

a lot of stuff and then you can install whatever they want.

Jason Kikta:  Yeah, I think, you know, user driven exploitation is what you do the rest of the time, right? If there is some RCE against a public facing piece of infrastructure, you know, VPN appliance or load balancer or something, then you have your mass exploitation events that tend to run hot and fast and everyone kind of

jumps on that bandwagon for a while. And then after that starts to fizzle out because people started patching or, you know, just multiple actors have fought over the same box and the thing's, you know, kind of spoken for, then you go back to, you know, old dependable, which is users are going to user, because it's just, you know, it's just too easy to social engineer someone.

Tom Bowyer:  You

Yeah. And I think things have gotten a little, honestly, I think things have gotten a little more dangerous, right? In the Chrome patch that came out last week on Friday, right? Where use-after-free, known exploit, and a lot of the Chrome vulnerabilities, I think last year and this year have kind of followed that same pattern where there's a, it's just a...

You know, you go to a specifically crafted web page and it overflows the browser and you're able to execute arbitrary code. And, you know, there was always, at least in the industry for a while, there was always that assumption of like, well, as long as they don't download the file, they're okay. Right. But I think a lot of that has changed in the last five years where, you know, there's been a lot of zero-days in Chrome

that allow for arbitrary code execution or, you know, you trick the user to just clicking a link. It brings them to a specifically crafted webpage that allows for RCE. And that's kind of the nightmare scenario to a lot of us in the industry.

Jason Kikta:  Yeah, and again, I think this ties well. This Chrome vulnerability, CVE-2024-4671, ties very well to what we were just discussing, because what does use-after-free get you? Well, it gets you code execution. It may not, and I don't know particularly in this case, but it may not be code execution in the place that you want. You might be inside of a sandbox and not able to do a whole lot. And if that were the case here,

the case for any use-after-free where you end up in a place that is not your ultimate desire, then you are going to need something like, again, on a traditional OS, you need a privilege escalation; inside a browser, you need a sandbox breakout to really go after the things that you want to get.

Tom Bowyer:  Yeah. It's just... Yeah.

Mat Lee: And those are hard, too. Those sandbox breakouts, that's pretty complex. That's not just Joe Schmo. Yeah. It's not just some PoC you find on GitHub. Well, it might be. But I think the complexity is just adding complexity there, too, which is, I guess, a good thing.

Tom Bowyer:  Hahaha

Jason Kikta:  Yeah. Good. Good.

Tom Bowyer:  Yeah, no kidding.

Yeah. And a lot of people hold those close to their chest, right? Like you don't want to burn your sandbox escape on some, you know, business email compromise thing where you're trying to funnel out $5-10,000 here and there, right? You're saving it for the big bang, you know? So.

Jason Kikta:  And if you do see somebody burning it on that, then you should really worry what else they got up their sleeve if they're going to burn it on something. On something simple. I'd be kind of alarmed. Way too good for what they're doing. That's not making me feel great.

Tom Bowyer:  That's true.

I got so many 0-days here, I'm just gonna burn them. Yeah. Yeah. Just found this random thing on GitHub, gonna run it. Right? And it's like a 0-day or something.

Mat Lee: I mean, not gonna lie, we all do that in Hack The Box. We just search for the CVE PoC, point, shoot.

Jason Kikta:  Yep.

Tom Bowyer:  Yeah. And that's what a lot of these remind me of, right? Like a lot of these privilege escalation vulnerabilities, you know, they tend to, you know, sometimes they get weaponized, right? But a lot of them end up in the kind of a training realm where you search for, you know, yeah, they get, you know, they get weaponized and then, you know, they might have a brief window of exploitation, but you know, the industry patches them out and then they end up in like the training kind of pillar.

Jason Kikta:  Mm-hmm.

Tom Bowyer:  Right. Or you find a CVE, you find the PoC on GitHub or wherever, and it might be a Metasploit module or something. And then you kind of, you're launching payloads against these compromised hosts to learn. So, you know, that part of the industry is really kind of cool to see, you know, how the CVEs kind of have their life cycle. Obviously like the big ones

from 2017, 2016, all the Shadow Brokers stuff is a very popular training target a lot of the time, but yeah, it's funny how that life cycle is. But I've never seen, at least in any of the ones I've done, like a Chrome breakout where you have a vulnerable version of Chrome and you have to follow a specific exploitation path to compromise the system. So.

Jason Kikta:  Mm-hmm.

Tom Bowyer:  If you're a CTF vendor out there listening in, that'd be an interesting one to get into your system, in my mind anyway. But yeah, Apple as well, you know, 14.5 came out just the other day and a lot of the same things kind of ring true in those as well. It's funny, you know, maybe...

Mat Lee: Yeah, cool one.

Jason Kikta:  Yeah.

Yep.

Tom Bowyer:  Is Apple trying to sync with Patch Tuesday because I think they just released 14.5 like just yesterday or?

Jason Kikta:  Yeah. Yeah. This is two months in a row where they were, they came out a little bit before Patch Tuesday. So.

Tom Bowyer:  close.

Mat Lee: And I mean, speaking of sandboxes, too, there is one line for Print Center where an app may be able to execute arbitrary code outside of its sandbox or with certain elevated privileges. So we've got a double whammy.

Jason Kikta:  Yeah, AppleAVD may be able to execute arbitrary code with kernel privileges, improve memory handling, right? It's just these themes that we see again and again. And of course, if you can't PrivEsc or play a memory game to execute out of bounds, then what are you going to do? Well, you're going to try and do things like...

Tom Bowyer:  Hahaha.

Yeah.

Jason Kikta:  downgrade. And it's funny because AppleMobileFileIntegrity has three separate fixes, and two of them are downgrade issues that needed additional code signing restrictions to prevent: one was that a local attacker could access Keychain items, and the other one was bypassing privacy preferences. So the good news, for me at least, is it

shows that, you know, I try to be optimistic about this stuff, but when you see certain themes come through, that means that it's getting a lot of attention in the research community. So it's getting beat up at the moment, but generally, especially with a vendor like Apple, they're smart enough to say, okay, well, there's, there's some "there" there, which is why they are spending their time on this subject. So.

Now I know what I need to do and I need to, you know, I need to work to not only systematically find and fix these, but also to try and avoid, you know, a little bit more effort on prevention would have saved them some work here.

Tom Bowyer:  Yeah. And I appreciate Apple being more transparent. You know, I think the last couple of years, they've really kind of stepped up their release notes. They've included lots more detail. And you know, sometimes the cadence is off, you know, which really sucks as a defender. And you have Patch Tuesday and then like a week later you have a release from Apple, but I get it.

Jason Kikta:  Mm-hmm.

Tom Bowyer:  And you know, it would be nice if we all synced on just a single day and everyone releases their patches the same day, but I understand like some things are more pressing than others, and releasing out of band patches is, you know, I prefer it if they needed to. But yeah, lots of memory issues in this 14.5 release. And like I said so many times on this podcast about how I feel like Apple has gotten a lot of scrutiny

these last couple years, and I really do hope that continues and the community continues to focus research on the Apple devices, because I feel like everyone kind of jokes about those like Apple and Windows commercials from the early 2000s like, we don't get a virus. That's like the running joke still, right? But

Jason Kikta:  Thank you.

Mat Lee: Wait, so you're telling me that macOS does have viruses? There is malware?

Jason Kikta:  Believe it or not.

Tom Bowyer:  I'll have you know that in this day and age, there is lots of malware on the Mac. But in the SMB space, a lot of it still rings true where people still have that kind of...

I thought that Mac is kind of safe from a lot of that and it's completely untrue. At the end of the day, it's just under the hood, it's just the kernel written in C, I think, or whatever. I don't know what the kernel was written in, or Mac's anyway.

Jason Kikta:  It's, yeah.

Jason Kikta:  BSDs are probably C or C++. Yeah, and it just, it hums along and it has parsers and it's handling a lot of things and a lot of user interaction and trying to, in their case, really manage an ecosystem of devices. And so like, there's just a lot of touch points for attackers to find the level of complexity needed to be.

Tom Bowyer:  Yeah. 

Jason Kikta:  You know, fairly certain that there's going to be some vulnerabilities there, and they just put in the work and they spend the time and they get it. And, you know, while you're less likely to see some of the low hanging fruit driven by business email compromise and a lot of ransomware tool kits out there, it doesn't mean that it's a world without threats. And, you know, the researchers

that are, you know, continuing to drive all of these vendors to try and do better or, you know, hats off to them because it makes a difference.

Tom Bowyer:  Yeah, agreed. And your more privileged users are usually on a Mac as well. You know, your developers and your SRE types, right? They're always running a Mac because it kind of fits that lifestyle. So in my mind, I feel like that's the juicier target than kind of the Windows marketing person. So, yeah.

Jason Kikta:  Mm-hmm.

yeah.

Ha ha ha.

Right. If you want to steal the money, you go to finance. If you want to own the service, you go and hit the engineering.

Tom Bowyer:  Yeah, precisely. Well, cool. That's all we have today. Thanks everybody for tuning in, it is May, yes, May's iteration of Fix Tuesday. We appreciate your continued support. Jason has his own podcast. So if you want some really cool insights into the life of Jason Kikta and being a CISO and doing product.

Mat Lee: Sorry, May.

Tom Bowyer:  cool stuff, check out his podcast. If not, thanks for tuning in. We wish you a happy May. Hopefully it stays quiet in your realm and yeah, keep your stuff updated.

Mat Lee: And remember, April showers bring May PrivEsc vulnerabilities.

Jason Kikta:  Thanks everybody.

Tom Bowyer:  Yeah! Outro music. Contractually obligated to say it. Put it on YouTube. Send it.