Last Week in Security (LWiS) - 2020-03-09

Android on an iPhone 7, an Intel Boot ROM exploit, a no-interaction wireless kernel memory access iOS 13 exploit, a Slack keylogger that itself has a SQLi, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-02 to 2020-03-09. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Project Sandcastle is a release of android for iPhones (Just 7 and 7+ currently) from Corellium. I think it's one part cool tech demo, and one part middle finger to Apple due to their recent legal battles.
  • Strategic Cyber LLC sells to Helpsystems marking an end to the 8 year old purveyor of Cobalt Strike, founded by Raphael Mudge. Cobalt Strike will live on under helpsystems, and may get integrated or expanded as helpsystems also owns Core Impact. SpecterOps, the services company also founded by Mudge in 2017, will continue independent of him.
  • Let's Encrypt CAA Rechecking Bug is causing 3 million certificates to be revoked. If a certificate request contained multiple domains, and one of the domains was validated within 30 days, Let's Encrypt could fail to check for CAA records that prohibit issuance by Let's Encrypt within 8 hours of the renewal for all domains as required by the spec. On March 5th, the day of the revocation deadline, Let's Encrypt walked back the revocation plan to be only 1.7 million certificates, 445 of which had forbid issuance by Let's Encrypt but were issued anyway due to the bug.
  • Intel x86 Root of Trust: loss of trust discloses a boot ROM bug that enables an attacker to get code execution inside of Intel's Converged Security and Management Engine (CSME). This is bad for lots of reasons, but the biggest are that being a ROM bug it is unfixable, and theoretically allows access to the chipset key allowing for hardware ID forgery, data decryption, etc. This is checkra1n (the iOS boot ROM exploit) for Intel chips, and effects every chipset besides 10th generation. Yikes. I imagine some people in windowless government offices are very excited by this news. Intel's official guidance: "End users should maintain physical possession of their platform." Thanks Intel. [T1200 Hardware Additions]
  • Mokes and Buerak distributed under the guise of security certificates. Attackers are turning a security control into a weapon, as users have been trained to click through certificate warnings in browsers. These attackers spoof the warning and deliver an executable when a user clicks to "Install (Recommended)." Well played.
  • Remote iOS/MacOS kernel heap corruption due to insufficient bounds checking in AWDL, what an innocuous title for such a monster bug. Ian Beer cements himself as a complete master of iOS/macOS bugs as he demonstrates the ability to wirelessly dump kernel memory from an iPad Pro on iOS 13.3 with no user interaction and AirDrop receiving off. The implication is that this can be turned into RCE, and that is truly terrifying. It's probably been quite a busy week in some other windowless government offices, as the ability to own modern iOS devices just by getting close to them is pretty much as good as it gets.

Techniques

Tools and Exploits

  • BinDiff 6 released with experimental support for Ghidra. Good to see the big name tools supporting Ghidra.
  • CVE-2020-8794 PoC was released. 5 years of OpenSMTPD are vulnerable to this relatively simple exploit. Luckily, it's a rarely used mailer. [T1190 Exploit Public-Facing Application]
  • export_TSv.py allows you to parse Cobalt Strike Teamserver logs to extract credentials, sessions, and targets. This prevents you from having to setup a Teamserver just to get at old data.
  • KsDumper is a tool for dumping a process without calling OpenProcess (developed to get around anti-cheat). This could be useful for dumping malware or other processes out of memory that have good anti-debugging features, and shows a concrete use case for the kernel driver exploit tools featured the past two weeks. [T1003 Credential Dumping]
  • PoC-in-Github is a bot that scrapes GitHub for CVE PoCs and catalogs them. Note: It does not fork the PoCs so they are subject to author take downs.
  • SlackAttack is a python script (can be pyinstaller'd into a binary) that automates the backdooring of the slack desktop client to insert a keylogger that POSTs keystrokes on enter to a server you control. Note that if the app is signed this won't work on macOS as modifying the asar bundle breaks the signature. Windows doesn't care, even if the app is signed (this has been an open issue with electron since 2017), and linux only cares if the checks are done externally (i.e. with AppImage's validate tool or appimaged). Put this in your post-exploitation toolbox, but beware, the server component has a classic SQL injection vulnerability. [T1056 Input Capture]
  • SecretServerSecretStealer is a Powershell script that decrypts the data stored within a Thycotic Secret Server, one of the more popular "enterprise" password managers. This doesn't exploit a weakness with Thycotic Secret Server per say, as once you have code running on the Secret Server itself, it's game over. [T1003 Credential Dumping]
  • ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability is a good old fashion 0day dropped with no vendor notification, no CVE, and no patch or mitigation. This one even provides remote unauthenticated code execution as SYSTEM. [T1190 Exploit Public-Facing Application]
  • FullPowers is a windows PoC to automatically recover the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate. This is useful when an exploit lands you as LOCAL SERVICE or NETWORK SERVICE and you need impersonation privileges to escalate to LOCAL SYSTEM. Detailed information on itm4n's blog. [T1134 Access Token Manipulation]