Last Week in Security (LWiS) - 2020-05-11
Evil-Maid attacks make a comeback thanks to @0Xiphorus, 2FA interception by @0x09AL, new .NET C2 by @_RastaMouse, a simple but powerful trick from @tiraniddo to disable any protected service on Windows, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-04 to 2020-05-11. MITRE ATT&CK techniques are in brackets where appropriate.
News
- ALU/Nokia GPON Admin and WIFI keygen. While default WiFi credentials have gotten much better in the last decade, some suppliers are still using bad algorithms to generate default passwords. In this case Nokia is using the OUI and serial number. The full background, device teardown, and keygen are in the git readme.
- Samsung Android multiple interactionless RCEs and other remote access issues in Qmage image codec built into Skia is as bad as it sounds. With enough malformed images, an attacker can leak address space layout randomization (ASLR) offsets and create a payload image that provides remote code execution. While the demo shows lots of alerts for incoming messages, imagine if this were productized or conducted while the victim is asleep and then cleaned up. If you have or manage Samsung devices, ensure they are updated with the May 2020 update. Demo here. [TA0001 Initial Access]
- GitHub Codespaces is a hosted Visual Studio Code for GitHub. Great for quick edits or perhaps remote development. It remains to be seen how it will handle files not in git (secrets, .env, etc.) and what it will cost.
- Huawei HKSP Introduces Trivially Exploitable Vulnerability. Huawei manages to royally screw up its custom kernel protection mechanism, which turns out to be exploitable with a 10-line PoC.
- Matrix enables end-to-end encryption by default. The go-to choice for privacy-respecting chat services just enabled end-to-end encryption by default after a long beta period. For federated, self-hostable, encrypted messaging and chat rooms Matrix + Riot is the way to go. For ease of use, Signal wins for now.
- Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security is an evolution of Thunderbolt Direct Memory Access (DMA) attacks that re-flashes the Thunderbolt controller flash to allow classic DMA attacks. This lets an attacker with physical access to a running, locked Windows or Linux machine (macOS has additional protections that are not bypassed) access it in under 5 minutes, even with full disk encryption. Some laptops produced after 2019 have mitigations, but many do not. Take 5 minutes to watch the demo and think twice about leaving your running laptop unattended. Full paper here. [T1200 Hardware Additions]
Techniques
- POWER-SUPPLaY manages to use the power supply of a computer to transmit data ultrasonically at 50 bit/sec by manipulating the internal switching frequency of the power supply, controlling the sound waveforms generated from its capacitors and transformers. [T1011 Exfiltration Over Other Network Medium]
- T1111: Two Factor Interception, RSA SecurID Software Tokens. Rio Sherri demonstrates how to extract RSA SecurID tokens silently, without process injection or suspect API calls, just COM. Code here. [T1111 Two-Factor Authentication Interception]
- COM Hijacking for Lateral Movement. Given credentials and the need to move laterally, this tool enables remote registry and uses COM hijacking to get code running on remote systems. While it will probably bypass most anti-virus or other detections, it could fail catastrophically (major registry modifications), so use with care. Demo here, tool here. [T1175 Component Object Model and Distributed COM]
- Using TrustedInstaller to disable Protected Process Light services. Normally, even Administrator cannot disable a Protected Service, but this trick uses TrustedInstaller to allow an Administrator to disable Windows Defender (or any other protected service). Extra points for its simplicity. [T1089 Disabling Security Tools]
Tools and Exploits
- Windows loaders [T1066 Indicator Removal from Tools]
  - NetLoader loads any C# binary in memory, patching AMSI, and bypassing Windows Defender. It includes tons of C# tools and an MSBuild payload.
  - FALCONSTRIKE is a stealthy, targeted Windows Loader for delivering second-stage payloads (shellcode) to the host machine undetected. Blog post here.
- SharpC2 is a new .NET C2 framework "proof of concept" that looks fairly polished. It has a modular design, supports many "advanced" features (port forwarding, PPID spoofing, ETW patching), and has a nice web UI on the server side. Code here. [T1071 Standard Application Layer Protocol]
- drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime. This is the Linux "easy button" of stealthy persistence. Find a binary that runs on boot or on a schedule and infect it with drow to run your implant as well as its normal job. Be sure to fork or inject to allow the process to function normally (don't block). [TA0003 Persistence]
- NetworkServiceExploit is a self-contained binary to escalate from Network Service to SYSTEM on Windows when a SYSTEM token is available. Use this with last week's Print Spoofer if FullPowers isn't working for you. I suspect next week we will see a tool that combines all three of these in a "one click to SYSTEM" binary. [T1068 Exploitation for Privilege Escalation]
- slack-watchman monitors your (or your target's) Slack workspaces for sensitive information. Given a Slack API key this tool will search for sensitive files (API keys, certificates, passwords, etc) and generate a report. Useful for both red and blue teams.
- CVE-2020-0674-Exploit is a UAF exploit for the x64 version of IE 8, 9, 10, and 11 on Windows 7 that was patched in January 2020 after it was found being exploited in the wild as a 0day. This could be handy when targeting legacy workstations in a corporate environment (out of date and forced to use IE). [T1192 Spearphishing Link]
- Minimalistic-offensive-security-tools are short but useful PowerShell scripts that can be used in VDI or other restricted environments where you may have to manually recreate your security tools.
- whoogle-search is a self-hosted, ad-free, privacy-respecting proxy for Google search. Think of it as a first step to search privacy. The next step is searx.
- itool is an easy and composable iOS device management command line interface. It was made to simplify and automate common development and provisioning tasks, but could be used to assist with iOS app hacking as well.
- rbcd-attack is a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.
- CLRvoyance is a shellcode kit that supports bootstrapping managed assemblies into unmanaged (or managed) processes. It provides three different implementations of position independent shellcode for CLR hosting, as well as a generator script for quickly embedding a managed assembly in position independent shellcode.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Kernel-Bridge is a Windows kernel hacking framework, driver template, hypervisor, and API written in C++, but the magic is that it is a signed kernel driver that is allowed in SecureBoot and allows all kinds of kernel tampering. It seems strange that Microsoft allows this.
- pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, and port forwarding magic; fully scriptable with Python.
- Beekeeper Studio is a cross platform open source SQL editor and Database manager that works with MySQL/MariaDB, Postgres, SQLite, SQL Server, and Amazon Redshift.
- DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.
- faxhell is a bind shell using the Fax service and a DLL hijack based on Ualapi.dll. A good base for stealthy persistence in Windows.
This post is cross-posted on SIXGEN's blog.