Last Week in Security (LWiS) - 2020-04-27
iOS and Android remote RCEs, owning centrally managed Firefox by @jfmeee, a great series on malware development from @0xPat, @sirus turns a GPU into a radio to steal data, and a few Windows LPEs for good measure.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-20 to 2020-04-27. MITRE ATT&CK techniques are in brackets where appropriate.
News
- BSides LV and DEF CON skytalks announce their cancellation for 2020.
- Rumble.run announces free tier. Rumble is a scanning and asset identification product from HD Moore, founder of the Metasploit project. I have been using Rumble since the beta and it has proven to be the best tool for enumeration on engagements. The free tier gives you enough room to experiment and use on small engagements or bug bounties. After a few uses, you'll only go back to masscan and nmap for very specific scans. [T1046 Network Service Scanning]
- COVID-19’s impact on Tor. Tor cut 13 of its staff and is down to 22 employees due to the lack of donations. Donate here to help keep this privacy resource funded.
- Mobile Bugs
  - You’ve Got (0-click) Mail! ZecOps shows details on two different iOS mail based 0days (patched in the latest beta). The details on how they were being exploited in the wild are fuzzy but the bugs are certainly real. Close the Mail app and kill it in the background until the next iOS version drops, or update to the beta. If you are jailbroken, multiple patches are available.
  - CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag. Android 8 and 9 (demoed on a Galaxy S10e) can be shelled without user interaction over Bluetooth. Requires an attacker to be in Bluetooth range and know the Bluetooth MAC and phone version, but is very impressive.
  - iOS crashes with a two character text string. Not a good look for "the world's most advanced mobile operating system."
- Another 1-line NPM package breaks JavaScript development. is-promise has 3,433,289 dependencies and even had a bug. The early lack of a good standard library (modern JavaScript has fixed this) has caused an ecosystem of tiny packages that are maintained by unvetted developers. Let this be another reminder to vendor your dependencies which might work!
- Python releases 2.7.18, the last release of Python 2, despite it going out of support January 1st 2020. Python 3 has been available since 2008, but if for some reason you can't upgrade, PyPy and Red Hat have said they will continue supporting Python 2.
Techniques
- Exploiting (Almost) Every Antivirus Software explains a race condition between detection and file deletion that affects nearly every AV on Windows, macOS, and Linux. This allows an unprivileged user to purposely trigger the AV, then link the bad file to a different file (perhaps a file critical to the AV itself) before it is deleted. The AV will follow this link and delete whatever it finds, perhaps changing permissions of the file or directory as well. This warrants further research (see the last entry of this section for ideas).
- Abusing Firefox in Enterprise Environments. @jfmeee presents his research on centrally managed Firefox and how it can be abused to achieve arbitrary file and registry writes. Even in environments with sandboxed configurations, Daniel has a way around that too.
- Windows DLL Hijacking (Hopefully) Clarified. @itm4n takes a break from publishing Windows local privilege escalation vulnerabilities to write an in-depth article breaking down exactly what DLL Hijacking is (and isn't). [T1038 DLL Search Order Hijacking]
- Azure AD introduction for red teamers. As more companies move to "the cloud" Azure AD is being seen more and more. Get familiar with how it compares to on-prem AD (less than you'd think).
- TEMPEST@Home - Finding Radio Frequency Side Channels. If you thought last week's covert exfiltration via vibrations using case fans was tricky, Duo Labs turns a GPU into a radio by changing the frequency of the shader clock. Here is a demo of them demodulating the GPU signals into AM. [T1011 Exfiltration Over Other Network Medium]
- Kontra releases free application security training. High quality mini-courses on common application vulnerabilities that only require a browser. Great stuff!
- Malware Development (parts 1-3) from @0xPat is a detailed write-up on how to minimize AV detections with C++, execute arbitrary shellcode, and persist. [TA0005 Defense Evasion]
- From directory deletion to SYSTEM shell is a (now deleted) post on how to turn an arbitrary file deletion bug into a SYSTEM shell on Windows using the Windows Error Reporting Service (WER) to do the dirty work. Code here. [T1068 Exploitation for Privilege Escalation]
Tools and Exploits
- SierraOne is a simple shared reverse shell over Discord. Another example of 3rd-party command and control. [T1102 Web Service]
- pathchecker checks if folders in PATH are writable. A good quick check for privilege escalation on Windows. [T1068 Exploitation for Privilege Escalation]
- SocksOverRDP adds the capability of a SOCKS proxy to Terminal Services (or Remote Desktop Services). It uses a Dynamic Virtual Channel that enables communication over an open RDP connection without the need to open a new socket, connection, or a port on a firewall. [T1090 Connection Proxy]
- gau fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. Use this as part of domain enumeration. [TA0007 Discovery]
- sitrep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required. This is a great tool that gives you a quick overview of a new target. [TA0007 Discovery]
- Windows Local Privilege Escalation Exploits [T1068 Exploitation for Privilege Escalation]
  - EOP Exploit POC for atillk64.sys by @h0mbre_
  - CVE-2020-0624 - Win32k component fails to properly handle objects in memory
  - Cisco AnyConnect Privilege Elevation through Path Traversal - The update functionality of the Cisco AnyConnect Secure Mobility Client for Windows is affected by a path traversal vulnerability that allows local attackers to create/overwrite files in arbitrary locations. Successful exploitation of this vulnerability allows the attacker to gain SYSTEM privileges. A PowerShell PoC is shown but not provided.
This post is cross-posted on SIXGEN's blog.