Mar 02 2020 Last Week in Security (LWiS) - 2020-03-02

News

• Brandon Azad dropped an update to his Apple iOS 13.3 exploit that includes a PAC bypass [T1068 Exploitation for Privilege Escalation]
• Apple released their security bounty program details. With their recent Corellium kerfuffle, perhaps they are trying to get back into the good graces of security researches.
• Google released a technical writing course for free. As a technical person who writes a lot and has to edit writing from others, this is a great resource.
• Insider Risk Management is now available to all Microsoft Office 365 E5 ($35/user/month) subscribers. This tool uses ML and AI to identify insider threats while "ensuring employee privacy." [T1199 Trusted Relationship]

Techniques

• A Eulogy for Patch-Gapping Chrome delves deeply into a recent Chromium issue, from patch analysis to PoC, and discusses the impact of a weekly rerelease schedule for stable Chrome which started in February. TLDR: Rapid releases makes weaponizing Ndays or "patch-gapping" very hard. [T1189 Drive-by Compromise]
• Substitution fonts for phishing enables attackers to bypass filters that trigger on obvious words by mapping letters in a simple substitution cipher in a custom font file. [T1192 Spearphishing Link]
• Adam Chester (XPN) demonstrates how to use AWS Lambda serverless functions (Golang) as redirectors for Cobalt Strike. While AWS has disabled domain fronting via CloudFront, Lambda URLs still allow it! [T1172 Domain Fronting]
• CVE-2018-4184 writeup by Jakob Rieck is a new writeup about an old bug. This is a prime example of there being gold buried where no one has bothered to look; 94.2% of macOS apps at the start of 2018 could access the microphone, even though the App Store Sandbox was enabled for them. [T1123 Audio Capture]
• Veeamon is a writeup on the Veeam signed file system filter which enforces no ACL on its control device object, meaning anyone can use it to control IO operations on any file. This can be used to spoof requested data (file contents) and could be used as part of an exploit chain to escalate privileges or execute code. [T1068 Exploitation for Privilege Escalation]
• Evading WinDefender ATP credential-theft: kernel version uses a vulnerable driver to patch the Windows kernel to disable kernel patch protection, then patch Defender ATP to bypass lsass dumping detection, perform the dump, and patch everything back to prevent a BSOD. If you weren't a believer in the power of kernel level code execution, this post should convince you. [T1003 Credential Dumping]
• Securing Memory at EPYC Scale discusses cloudflare's benchmarks using AMD's transparent DRAM encryption. This feature adds yet another layer of security to remote bare-metal machines, and should provide more peace of mind for anyone with hardware in remote datacenters not directly under their control. [T1199 Trusted Relationship]
• Application Shimming gives a good overview and examples of the windows persistence method. [T1138 Application Shimming]
• Defeating a Laptop's BIOS Password shows the lengths it takes to get around a BIOS password. If you find yourself in a similar situation, its worth checking for a manufacturer backdoor (or the online version) before you start dumping flash.

Tools and Exploits

• ZyXEL NAS pre-authentication command injection in weblogin.cgi is a classic command injection in the username field. Adding a '; allows for command injection.

  • Affected devices: NAS326, NAS520, NAS540, NAS542 have patches available; NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 are forever vulnerable. [T1190 Exploit Public-Facing Application]

• Doh365 is a new Office365 email enumeration tool from pry0cc that uses the login.microsoftonline.com/common/GetCredentialType endpoint to enumerate emails. It's subject to throttling but appears to be effective. [T1087 Account Discovery]
• vscode-language-aggressor is a Cobalt Strike Aggressor extension for Visual Studio Code, and should come in handy for anyone who has tried to write an Aggressor script using Perl syntax highlighting. It also comes with tons of useful snippets.

• CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys is a very interesting bug where the use of static keys (the same across every install) leads to post-auth RCE as SYSTEM. [T1190 Exploit Public-Facing Application]

  • Detection: Yara rule
  • PoC

• UDP Hunter is a new python UDP scanner that covers all the common UDP services. My favorite scanning tool rumble run has limited UDP service support, so UDP Hunter is a welcome addition. A blog post by the tool author Savan Gadhiya is here. [T1046 Network Service Scanning]

• xfrm_poc is a PoC UAF 8-byte write in the XFRM subsystem for linux 3.x-5.x kernels that leads to privilege escalation. Interestingly only a binary and detailed technical report have been released at this time. Affected distributions below. [T1068 Exploitation for Privilege Escalation]

  • Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels
  • CentOS 8 4.18 kernels
  • Red Hat Enterprise Linux 8 4.18 kernels
  • Ubuntu 18.04 Server LTS 4.15 kernels

• CVE-2020-2551 is an exploit against Oracle Weblogic Server IIOP 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Yet another unauthenticated RCE against Weblogic. If you are unlucky enough to have Weblogic in your environment, patch and isolate it as much as possible. [T1190 Exploit Public-Facing Application]
• Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• goloader is a project that produces a binary capable of loading and running compiled golang code at runtime. It reuses its own runtime when loading compiled golang code, so the size stays small. I could see this being used for some very cool implants.
• css.gg has 500+ minimalistic CSS icons for your web front ends. All icons are open source and availalbe under the MIT license!