Last Week in Security (LWiS) - 2020-04-27

iOS and Android remote RCEs, owning centrally managed Firefox by @jfmeee, a great series on malware development from @0xPat, @sirus turn a GPU into a radio to steal data, and a few Windows LPEs for good measure.

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-20 to 2020-04-27. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • BSides LV and DEF CON skytalks announce their cancellation for 2020.
  • Rumble.run announces free tier. Rumble is a scanning and asset identification product from HD Moore, founder of the Metasploit project. I have been using Rumble since the beta and it has proven to be the best tool for enumeration on engagements. The free tier gives you enough room to experiment and use on small engagements or bug bounties. After a few uses, you'll only go back to masscan and nmap for very specific scans. [T1046 Network Service Scanning]
  • COVID-19’s impact on Tor. Tor cut 13 of its staff and are down to 22 employees due to the lack of donations. Donate here to help keep this privacy resource funded.
  • Mobile Bugs
  • Another 1-line NPM package breaks javascript development. is-promise has 3,433,289 dependencies and even had a bug. The early lack of a good standard library (modern Javascript has fixed this) has caused an ecosystem of tiny packages that are maintained by unvetted developers. Let this be another reminder to vendor your dependencies which might work!
  • Python releases 2.7.18 the last release of Python 2, despite it going out of support January 1st 2020. Python 3 has been available since 2008, but if for some reason you can't upgrade, PyPy and RedHat have said they will continue supporting Python 2.

Techniques

Tools and Exploits

This post is cross-posted on SIXGEN's blog.