Last Week in Security (LWiS) - 2020-03-23

VMware exploits including a macOS privilege escalation, XPC abuse in macOS, the first Kr00k WiFi PoC, and many great new tools like Invoke-SharpLoader in this week's Last Week in Security.

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-16 to 2020-03-23. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). For each attempt the script logs whether the credential is valid, whether MFA is enabled on the account, whether the tenant or the user doesn't exist, and whether the account is locked or disabled. [T1110 Brute Force]
  • r00kie-kr00kie is the first public tool to exploit Kr00k (CVE-2019-15126), a WiFi chip flaw in which affected chips zero the session key (TK) when a client is disassociated (or deauthenticated) but still transmit whatever frames remain in the transmit buffer, now encrypted under the all-zero key. An attacker who can forge disassociation frames can therefore leak a few packets from a busy client each time they kick it off the network, and decrypt them with a key they already know. Think of it as Heartbleed for WiFi, but much more disruptive to the end user. The Hexway Blog has a detailed explanation.
  • MemProcFS evolves direct memory access (DMA) attacks to their GUI-based final form by mounting memory contents (from a DMA device or a memory dump file) as a virtual file system, allowing you to use normal tools like hex editors on live memory. It even comes with Python and C/C++ API bindings. [T1200 Hardware Additions]
  • Egalito: Layout-Agnostic Binary Recompilation is an interesting presentation by David Williams-King on a binary recompiler that lifts Linux (x86-64, AArch64, and experimental RISC-V) ELF binaries to an intermediate representation, applies modifications (e.g. patches, function trampolines, etc.), and recompiles them back to a binary. The spirit of this project is binary hardening and after-the-fact patching, but I can see it being the basis of an advanced binary obfuscator or a tool to repurpose existing binary malware automatically. All the code is GPL-3 and on GitHub.
  • LDAPFragger: Command and Control over LDAP attributes introduces a tool for C2 via LDAP, for environments where LDAP queries to a shared AD are allowed from both an isolated network and a network with internet access. The C# project is available on GitHub. [T1094 Custom Command and Control Protocol]
  • PDBRipper is a utility for extracting information from PDB files, the Program Database multi-stream symbol file format that contains lots of useful information about a binary.
  • LeakLooker-X is a GUI for discovering, browsing, and monitoring exposed databases that leverages BinaryEdge. [TA0007 Discovery]
  • gTunnel is a new tunneling solution written in Go. It may be useful as a base for implementing tunneling in a custom Go access tool. [T1090 Connection Proxy]
  • Invoke-SharpLoader loads encrypted and compressed C# code from a remote web server or from a local file straight into memory and executes it there. A very useful AV/EDR evasion tool. [T1500 Compile After Delivery]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dsdump is an improved nm + Objective-C/Swift class-dump. If you have worked with macOS or iOS binaries and tried the various class-dump forks, you know the problems the shift from Objective-C to Swift caused for their output. dsdump fixes these issues and provides even more options and output. Derek Selander provides a very in-depth writeup on the inner workings as well.