Rich Warren

@buffaloverflow@infosec.exchange
851 Followers
83 Following
49 Posts
Red Team & Offensive Security Research
Blog: https://rw.md
Twitter: https://twitter.com/buffaloverflow
GitHub: https://github.com/rxwx
@da_667 the slides have some details about what the original signer should be (SONICWALL INC.): https://github.com/AmberWolfCyber/presentations/blob/main/2024/Very%20Pwnable%20Networks%20-%20HackFest%20Hollywood%202024.pdf
@Rairii @GossiTheDog @wdormann I think the ICT is decrypted with packdecrypt (same as fw updates), whereas the results use configdecrypt. You’d need packencrypt (presumably) to encrypt a custom ICT, however afaik it’s not public since then you could also sign firmware! It does also use a static symmetric key but has an additional RSA signature check
@wdormann @Rairii @GossiTheDog yeah agreed it’s totally silly! Preventing inspection from third-party security solutions, marking your own homework and making life hard for good-faith security researchers is the opposite of building trust imo.
As for which binary, I believe configdecrypt is the one you’d need
@GossiTheDog @Rairii tbf it was actually the rxwx/pulse-meter project (which uses the same code) that got the complaint, but I took the gist down too to avoid further complaints. I believe there were other forks/projects though and the key (which the complaint was about), is in metasploit
@GossiTheDog yep! Can’t think why anyone wouldn’t want users to know if they got hacked 🤷
@GossiTheDog not any more I’m afraid. GitHub made me take it down as they received a complaint.
@todb @GossiTheDog yeah they are different instances of the same mistake (using Popen/os.system with user controlled input). It will require independent fixes. That said, I can see how they might have ended up tracking under a single case, since they are all so similar
Technical Advisory - Nullsoft Scriptable Installer System (NSIS) - Insecure Temporary Directory Usage

The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios.

NCC Group Research Blog
If you have access to EDR/SIEM telemetry you can also search for instances of Un_[A-Z]\.exe (usually Un_A.exe) running as SYSTEM

If you want to find vulnerable software, go onto GitHub or public sandboxes etc and look for software that has a service and (un)installs NSIS packages. Triggering an uninstall may be possible through RPC/COM methods or perhaps custom IPC. I’m sure you will find some 👀

Some example code to get started with a poc:

https://gist.github.com/rxwx/1717e95e5ec11bea12d33e93a3832508

Gist: Determine redirection path for SxS DotLocal DLL Hijacking (GetSxsPath.cs)
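The telemetry search suggested in the post above, as an added example that is not code from the post, the gist, or NCC Group's advisory: a small Python hunt over constructed process-creation events that flags an NSIS uninstaller stub (image name matching Un_[A-Z]\.exe, usually Un_A.exe) running as SYSTEM. The JSON field names (Image, User, ParentImage, CommandLine) are an assumption modelled on Sysmon process-creation events, the ~nsuXXXX.tmp temp-directory naming in the sample paths is an assumption, and every event is constructed inline for this example.

```python
import json
import re
from pathlib import PureWindowsPath

# Heuristic from the post: NSIS copies its uninstaller to a temp directory as
# Un_<letter>.exe (usually Un_A.exe); seeing it execute as SYSTEM is the signal.
UNINSTALLER_RE = re.compile(r"^Un_[A-Z]\.exe$", re.IGNORECASE)

# Assumption: how the telemetry spells the local SYSTEM account (Sysmon style).
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def is_suspicious(event: dict) -> bool:
    """True when a process-creation event is an NSIS uninstaller stub running as SYSTEM."""
    image = event.get("Image", "")
    basename = PureWindowsPath(image).name          # handles backslash paths on any OS
    if not UNINSTALLER_RE.match(basename):
        return False
    return event.get("User", "").upper() in SYSTEM_USERS


def hunt(lines):
    """Parse JSON-lines telemetry and return the matching events (malformed lines skipped)."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                                 # not an event record; ignore
        if is_suspicious(event):
            hits.append(event)
    return hits


def summarize(hits):
    """(parent image, child image, user) triples, the fields an analyst pivots on first."""
    return [(h.get("ParentImage", "?"), h["Image"], h.get("User", "?")) for h in hits]


# Constructed sample telemetry (assumption: Sysmon-like field names, ~nsuXXXX.tmp dirs).
SAMPLE_LINES = [
    # 1. Service-triggered uninstall: stub runs from a temp dir as SYSTEM -> hit
    json.dumps({"Image": r"C:\Windows\Temp\~nsu1A2B.tmp\Un_A.exe",
                "ParentImage": r"C:\Program Files\Acme\uninst.exe",
                "CommandLine": r'"C:\Windows\Temp\~nsu1A2B.tmp\Un_A.exe" _?=C:\Program Files\Acme',
                "User": r"NT AUTHORITY\SYSTEM"}),
    # 2. Same stub, but an interactive user uninstalling their own software -> no hit
    json.dumps({"Image": r"C:\Users\alice\AppData\Local\Temp\~nsu3C4D.tmp\Un_A.exe",
                "ParentImage": r"C:\Program Files\Acme\uninst.exe",
                "User": r"DESKTOP-01\alice"}),
    # 3. Second-letter variant (Un_B.exe) as SYSTEM -> hit
    json.dumps({"Image": r"C:\Windows\Temp\~nsu5E6F.tmp\Un_B.exe",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "User": "SYSTEM"}),
    # 4. Inno Setup uninstaller as SYSTEM: different installer tech, outside the regex -> no hit
    json.dumps({"Image": r"C:\Program Files\Other\unins000.exe",
                "ParentImage": r"C:\Windows\System32\services.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    # 5. Name that only resembles the stub (two letters) -> no hit
    json.dumps({"Image": r"C:\Windows\Temp\Un_AB.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    "this line is not JSON and must be skipped",
]


if __name__ == "__main__":
    for parent, child, user in summarize(hunt(SAMPLE_LINES)):
        print(f"{user:24} {parent} -> {child}")
```

Only the image name and account are checked here, because that is all the post's heuristic needs; once a hit appears, the parent image and the `_?=` argument in the command line tell you which product's uninstaller was launched and from where, which is the starting point for finding the RPC/COM or IPC trigger the post mentions.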