Last Week in Security (LWiS) - 2020-03-02

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-02-24 to 2020-03-02.

MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • ZyXEL NAS pre-authentication command injection in weblogin.cgi is a classic command injection in the username field: appending a '; to the username lets the rest of the string run as a shell command.
    • Affected devices: NAS326, NAS520, NAS540, NAS542 have patches available; NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 are end-of-life and will remain vulnerable. [T1190 Exploit Public-Facing Application]
  • Doh365 is a new Office365 email enumeration tool from pry0cc that uses the login.microsoftonline.com/common/GetCredentialType endpoint to enumerate emails. It's subject to throttling but appears to be effective. [T1087 Account Discovery]
  • vscode-language-aggressor is a Cobalt Strike Aggressor extension for Visual Studio Code, and should come in handy for anyone who has tried to write an Aggressor script using Perl syntax highlighting. It also comes with tons of useful snippets.
  • CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys is a very interesting bug where the use of static keys (the same across every install) leads to post-auth RCE as SYSTEM. [T1190 Exploit Public-Facing Application]
  • UDP Hunter is a new python UDP scanner that covers all the common UDP services. My favorite scanning tool rumble run has limited UDP service support, so UDP Hunter is a welcome addition. A blog post by the tool author Savan Gadhiya is here. [T1046 Network Service Scanning]
  • xfrm_poc is a PoC for a use-after-free 8-byte write in the XFRM subsystem of Linux 3.x-5.x kernels that leads to privilege escalation. Interestingly, only a binary and a detailed technical report have been released at this time. Affected distributions are listed below. [T1068 Exploitation for Privilege Escalation]
    • Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels
    • CentOS 8 4.18 kernels
    • Red Hat Enterprise Linux 8 4.18 kernels
    • Ubuntu 18.04 Server LTS 4.15 kernels
  • CVE-2020-2551 is an exploit against Oracle Weblogic Server IIOP 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Yet another unauthenticated RCE against Weblogic. If you are unlucky enough to have Weblogic in your environment, patch and isolate it as much as possible. [T1190 Exploit Public-Facing Application]
  • Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.
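For the ZyXEL weblogin.cgi item above, the detection side is worth spelling out: a defender reviewing NAS or reverse-proxy access logs can flag requests to weblogin.cgi whose username parameter carries shell metacharacters. The script below is an added example, not code from the ZyXEL advisory or any project; the log lines, the Apache-style log format and the function names are constructed assumptions, and a lone apostrophe (as in a name like O'Neil) is deliberately not treated as a hit.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines in Apache combined-style format
# (not from the page or any real device). The third weblogin.cgi line
# carries a username with a quote followed by ';' and a second command.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2020:10:01:02 +0000] "POST /cgi-bin/weblogin.cgi?username=admin&password=redacted HTTP/1.1" 200 512
10.0.0.9 - - [25/Feb/2020:10:01:03 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3Bid%3B&password=x HTTP/1.1" 200 640
10.0.0.7 - - [25/Feb/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [25/Feb/2020:10:02:10 +0000] "GET /cgi-bin/weblogin.cgi?username=o%27neil&password=x HTTP/1.1" 401 300
"""

# Minimal parser for "ip ident user [timestamp] "METHOD target proto" status ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no place in a login name: command
# separators, pipes, backticks, $(...) substitution and embedded newlines.
SHELL_META_RE = re.compile(r"[;|&`$]|\n")


def suspicious_username(value: str) -> bool:
    """True if the decoded username contains a shell metacharacter.

    A bare apostrophe is allowed on its own; it only matters to the
    injection when followed by a separator such as ';', which this
    check catches through the separator itself.
    """
    return bool(SHELL_META_RE.search(value))


def scan_log(text: str) -> list:
    """Return one record per weblogin.cgi request with a suspicious username."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip quietly
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("weblogin.cgi"):
            continue
        # parse_qs percent-decodes values, so %27%3B becomes ';'
        params = parse_qs(parts.query, keep_blank_values=True)
        for username in params.get("username", []):
            if suspicious_username(username):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "username": username,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} weblogin.cgi username={hit['username']!r} "
              f"status={hit['status']}")
```

Access logs only show the query string, so a POST body is invisible to this check; the same `suspicious_username` test can be applied to form-decoded request bodies at a reverse proxy or WAF that sits in front of an unpatchable NSA-series device. The hit on a 200 status rather than a 401 is the more interesting signal: it means the CGI accepted the request rather than rejecting the credentials.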

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • goloader is a project that produces a binary capable of loading and running compiled golang code at runtime. It reuses its own runtime when loading compiled golang code, so the size stays small. I could see this being used for some very cool implants.
  • css.gg has 500+ minimalistic CSS icons for your web front ends. All icons are open source and available under the MIT license!