Apr 06 2020 Last Week in Security (LWiS) - 2020-04-06

News

• Zoom issues. With great marketshare comes great responsibility to not be a dumpster fire of security. Lest we forget last year when their macOS app installed a web server that listened on localhost and allowed for remote code execution and did not uninstall with the app. Thankfully that has been corrected and the issues discovered recently are less severe.

  • The 'S' in Zoom, Stands for Security. The macOS whisperer Patrick Wardle goes over past issues and digs into the current installer's "tricks" that are also seen in a lot of macOS malware. Pro tip: after clicking "Launch meeting" twice for a Zoom meeting in Chrome it will give the option to "Continue in browser." No client software required.
  • Elon Musk's SpaceX bans Zoom over privacy concerns. Not an unexpected move given all the news here. The most troubling quote is from a Zoom blog post: "Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption." End-to-end encryption is a technical term, not something you can have "in spirit."
  • ‘War Dialing’ Tool Exposes Zoom’s Password Problems. A new tool called zWarDial is able to find a surprising number of Zoom meetings without passwords by brute forcing meeting IDs. Regardless of your conferencing solution, use a strong password!
  • Zoom’s Encryption Is “Not Suited for Secrets” and Has Surprising Links to China, Researchers Discover. 5 out of 73 Key managment servers are in China and are used for some calls that have no nexus in China and makes questionable encryption choices (128 AES in ECB mode?!).
  • There has been some press over Zoom "allowing" UNC paths to "leak windows password hashes" which in my opinion is a stretch at best. Zoom is opening the links correctly, and it is Windows that is sending hashes. To me, this is not a Zoom issue.
  • Zoom seems to be taking this all quite well, and have made concrete steps and promises to improve.
  • Jitsi Meet a more secure and self-hostable option for video conferencing (a good install and comparison to Big Blue Button here). Signal also is a great choice for everyday use and 1 on 1 video calls.

• ATT&CK with Sub-Techniques — What You Need to Know. MITRE releases a new version of the ATT&CK matrix with sub-techniques! Check out the new matrix here.
• Facebook tried to buy NSO iOS tool Pegasus (see point 10). NSO goes nuclear in their latest court filing by claiming that Facebook tried to pay them to hack iOS users for data collection. Extraordinary claims require extraordinary evidence, as NSO is certainly in a position to gain from bad press about Facebook given the pending Whatsapp lawsuit.
• Introducing 1.1.1.1 for Families. Cloudflare, one of the few (only?) audited DNS resolvers introduced two new options, 1.1.1.2 will not resolve known malware domains, and 1.1.1.3 will not resolve known malware domains or "adult content." DNS filters are by no means a full filtering solution, but if all it takes to block some malware is a DNS entry change and the provider has a track record of privacy, it may be a good option for average users.

Techniques

• Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study is a wild ride that chains a few bugs to get RCE on BitDefender's infrastructure. Well done redforce and I look forward to the next few posts on other help desk software. [T1190 Exploit Public-Facing Application]
• NTLM Relay might be the most comprehensive resource for NTLM relay attack details I have come across. This will be come a reference for future NTLM questions. [T1171 LLMNR/NBT-NS Poisoning and Relay]
• Webcam Hacking - The story of how I gained unauthorized Camera access on iOS and macOS. Buckle up for a bumpy ride into iOS and macOS internals and the eventual creative bug chain that allows camera access to a malicious website. [T1125 Video Capture]
• CVE-2020-10560 - OSSN Arbitrary File Read. An authentication bypass via custom crypto, to eventually get arbitrary file read. Interesting web app pen-testing process presented here. [T1190 Exploit Public-Facing Application]

Tools and Exploits

• EyeWitness - Looking Sharp introduces the C# version of the EyeWitness website screenshot tool for use with Cobalt Strike or other C# implants. [T1046 Network Service Scanning]
• nuclei - Project Discovery keeps the hits coming with nuclei, a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. Think of it as an open source Nessus. Be sure to grab the templates too. [T1046 Network Service Scanning]
• dirscan is a high performance tool for summarizing large directories or drives. Written in rust, this cross platform tool is blazing fast and works on local and network drives. If you need to quickly get a handle on where things are on a machine, this could be your new best friend. [T1005 Data from Local System]
• magnifier0day is this week's Windows local privilege escalation exploit. This one requires a writable path in %PATH% but after that it is as easy as two hotkeys to a SYSTEM shell. [T1068 Exploitation for Privilege Escalation]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• phpggc is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
• pulsar is an automated network footprint scanner for Red Teams, Pentesters and Bounty Hunters. It's focused on discovery of an organization's public facing assets with minimal knowledge about its infrastructure. [T1046 Network Service Scanning]

This post is cross-posted on SIXGEN's blog.