Last Week in Security (LWiS) - 2020-06-15

A new tunneling tool from @shantanukhande, new rootkit tradecraft and kernel mode payload from @zerosum0x0, XSS via copy and paste by @securitum_com, @ZecOps drops a Windows 10 unauth RCE, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-08 to 2020-06-15. MITRE ATT&CK techniques are in brackets where appropriate.



Tools and Exploits

  • penglab - Abuse of Google Colab for fun and profit. Google Colab is a free cloud service based on Jupyter Notebooks for machine-learning education and research. It provides a runtime fully configured for deep learning and free-of-charge access to a robust GPU. I'm surprised it took this long to get abused.

  • Windows Local Privilege Escalation [T1068 Exploitation for Privilege Escalation]

    • Windows: Insecure CSharedStream Object EoP The great @tiraniddo develops his 8 month old "Won't Fix" Windows local privilege escalation bug into a full blown normal user to SYSTEM PoC. Expect to see this weaponized and in use in by next week and have a long shelf life.
    • VirtToPhys is a small PoC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (yes, seriously), CVE-2019-18845.
    • SuRestore.cpp - If you find yourself in the Backup Operators group, this little gem based on older research may be able to get you a SYSTEM shell.
    • spoolsystem is a CNA script for Cobalt Strike which uses @itm4n Print Spooler named pipe impersonation trick (LWiS 2020-05-18) to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).
  • libimobiledevice is a collection of projects that allow for cross-platform protocol library to access iOS devices. This is the first release after a three year hiatus, and sees the release of two new tools, libirecovery and idevicerestore.

  • SearchOutlook is a C# tool to search through a running instance of Outlook for keywords.

  • choose is a human-friendly and fast alternative to cut and (sometimes) awk. This may prove useful for cleaner pipelines for automated reconnaissance, etc.

  • SharpBlock is a method of bypassing EDR's active projection DLL's by preventing entry point execution. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage in Go by CloudFlare. Use this to store things securely in the cloud - think DropBox but encrypted locally before upload.
  • Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS. The tool is based on returned status code.
  • urlcrazy generates and tests domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
  • PowerSharpPack is many useful offensive CSharp Projects wrapped into Powershell for easy usage.
  • revp is a C++ reverse HTTP proxy that works on Linux, Windows, and macOS.

This post is cross-posted on SIXGEN's blog.