May 04 2020 Last Week in Security (LWiS) - 2020-05-04

News

• iOS Sandbox escape "Psychic Paper" 0day released. It turns out having 4 custom XML parsers leads to trivial sandbox escape. The patch ironically adds two additional parsers. I would hope Apple is screening App Store apps to prevent this from being abused.
• Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams. Subdomain takeover combined with the way Teams includes GIFs allowed the Cyberark team to exfiltrate user's json web tokens which allows them to scrape messages if a user views their GIF. This is extra powerful because the JWT also allows the attacker to impersonate the victim and send the GIF to all contacts, essentially making this vulnerability wormable. [T1193 Spearphishing Attachment]
• FCC Scrutinizes Four Chinese Government-Controlled Telecom Entities. The FFC issues show cause orders to China Telecom Americas, China Unicom Americas, Pacific Networks, and ComNet demanding explanation of why the FCC should not initiate proceedings to revoke their authorizations. These Telecoms have 30 days to prove their operations and subsidiaries are "not subject to the influence and control of the Chinese government."
• #OBTS v3.0 Talks & Photos All the slides from the macOS security conference "Objective by the Sea" have been posted.

• Other "Weeks"

  • This Week in Malware - day by day malware news.
  • Week in OSINT - your weekly dose of OSINT sites and tools!
  • Last Week in AWS - weekly newsletter focused excessively on AWS.

• Sysmon v11 Released and includes file delete monitoring and archive to help responders capture attacker tools and adds an option to disable reverse DNS lookup. This will be huge for defenders allowing them to easily get samples of malware that only exists on disk for a short period of time.

Techniques

• Would You Have Fallen for This Phone Scam? This article details a complex vishing attack that fooled a security expert. Always hang up and call your bank back if contacted. [T1199 Trusted Relationship]
• Restoring Picroma Plasma Without Patching it is a detailed writeup of the entire process of creating a license server for vector image editor (Picroma). The reverse engineering concepts are generally applicable.
• CVE-2020-0932: Remote Code Execution on Microsoft SharePoint Using TypeConverters is an echo of last spring's SharePoint remote code execution vulnerability. Zero Day Initiative breaks it down in this post. Proof of Concept on Github. [T1190 Exploit Public-Facing Application]
• Open-AudIT v3.3.1 Remote Command Execution (CVE-2020-12078) shows the process of auditing a PHP application, finding a remote command execution vulnerability, and writing an exploit. [T1190 Exploit Public-Facing Application]
• Tutorial: Creating a custom full featured implant is a nice tutorial on using the Nuages C2 framework to bootstrap an implant quickly. [T1094 Custom Command and Control]
• What is old is new again: The Relay Attack discusses additions to ntlmrelayx.py allowing multi-relay attacks, i.e. using just a single connection to attack several targets. On top of this, Secure Auth added the capability of relaying connections for specific target users. [T1171 LLMNR/NBT-NS Poisoning and Relay]

Tools and Exploits

• Windows Local Privilege Escalation [T1068 Exploitation for Privilege Escalation]

  • Printer Spoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019 is another great post from @itm4an that enables local service to SYSTEM escilation as long as SeImpersonatePrivilege is enabled. Don't have SeImpersonatePrivilege? No problem. This means that any exploit that lands you as local service now gets you SYSTEM on Windows 10 or Server 2016/2019. What a time to be alive. Code here, Powershell here.
  • Trident Z Lighting Control Driver Local Privilege Escalation. Another gaming driver provides local privilege escalation.

• CursedChrome is a Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims. To defend against this, use ChromeGalvanizer. [T1176 Browser Extensions and T1185 Man in the Browser]
• intercept is a stupidly easy to use, small footprint Policy as Code subsecond command-line scanner that leverages the power of the fastest multi-line search tool to scan your codebase. It can be used as a linter, guard rail control or simple data collector and inspector. Consider it a cross-platform weaponized ripgrep. I could see this being used to audit large amounts of code for similar vulnerabilities.
• BoringSSLKeys allows the extraction of BoringSSL keys from jailbroken iOS devices to enable the decryption of pcaps of collected from apps.
• Ninjasploit is meterpreter extension for applying hooks to avoid windows defender memory scans. Details on the F-Secure Blog. [T1066 Indicator Removal from Tools]
• SharpHose is an asynchronous Password Spraying Tool in C# for Windows Environments. It can be executed via Cobalt Strikes execute-assembly (or your in-memory C# loader of choice).

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

• ParamSpider helps discover http parameters by mining parameters from the dark corners of Web Archives.
• wxHexEditor is a great cross platform free and open source hex editor.
• DbgShell is a PowerShell front-end for the Windows debugger engine.
• ysoserial fork is a fork of the official great ysoserial project with some improvements added to create payloads for the Burp Suite plugin Java Deserialization Scanner and more generally to speed-up and improve the detection and the exploitation of Java serialization issues with ysoserial.

This post is cross-posted on SIXGEN's blog.