Last Week in Security (LWiS) - 2020-06-29
1,566 hijackable DLLs in Windows 10 from @Wietze, a Bitdefender RCE from visiting a website by @WPalant, CobaltStrike Beacon Object File implementations start dropping (like @ilove2pwn_'s), a Docker Desktop for Windows LPE from @spaceraccoonsec, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-22 to 2020-06-29. MITRE ATT&CK techniques are in brackets where appropriate.
News
- Cobalt Strike 4.1 – The Mark of Injection. The beacon object files feature teased last week has been released along with improved safe-inject and more tunable SMB and TCP traffic parameters to defeat signature based detections.
- bof-NetworkServiceEscalate is one of the first useful Beacon Object File implementations released. Expect more soon!
- 2020 Worldwide Developers Conference. Apple announced a lot, but the big news was the 2-year transition of macOS to custom ARM chips. iOS exploit developers just got a whole new target space! The A12X powered Developer Transition Kits (ARM based Mac Mini) have started to arrive, and it's only a matter of time before security researchers get their hands on some.
- WireGuard Merged Into OpenBSD. Get ready for native WireGuard in the kernel in pfSense and OPNSense firewalls.
- Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools. "Network Injection" attacks and rouge cell towers, this thorough report from Amnesty International lays out in detail how NSO Group assisted the Moroccan government in performing exploitation of journalists. The evidence of NSO Group willfully ignoring how its products are used is mounting, and I wouldn't be surprised if they are next up on Phineas Fisher's hit list.
Techniques
- MSBuild: A Profitable Sidekick! If you aren't familiar with MSBuild for application whitelisting bypass this post shows its power and gives a real-life example of its usage in a network.
- Zoom In: Emulating 'Exploit Purchase' in Simulated Targeted Attacks. The title buries the lead; the team at context found a local privilege escalation 0day in a Zoom service installed by default on Windows, effectively exploited it, and responsibly disclosed it. The post shares details of how they found the 0day but cuts off before they give any juicy details of how they weaponized it. [T1068 Exploitation for Privilege Escalation]
- Hijacking DLLs in Windows. DLL Hijacking is nothing new, but this post shows how useful it still is. Windows 10 v1909 has 1,566 potentially hijackable entries for a base install. Impressive. @Wietze also includes prevention and detection steps. [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking]
- Exploiting Bitdefender Antivirus: RCE from any website. Antivirus programs are basically benevolent rootkits, and this post shows what happens when insecure coding practices meet privileged applications. In this case, Bitdefender sometimes injects responses into all browsers on the host (no plugin required), for features such as "SafeSearch." This mechanism relies on HTTP headers (sent to any site) and can be used to spawn the Bitdefender "Safepay" browser without user interaction which is then exploited via command injection - all by just visiting a malicious site. I think its time antivirus companies left the browser work to browser companies.
- Using Shell Links as zero-touch downloaders and to initiate network connections. LNK files on Windows have been used for malicious purposes for a while (at least as far back as 2010 with Stuxnet). This post is a good overview of what they can do. Recently a double-free bug (CVE-2020-1299) was found that could lead to remote code execution if a users clicks a LNK.
- How Your Red Team “HID” in Your Readers - ESPKey Attacks. If you perform physical assessments HID attacks are likely a major part of your work. Direct Defense skips the badge cloning and goes straight for the reader with a tiny microcontroller (ESPKey) that allows badge and pin data collection and replay.
Tools and Exploits
- ChopChop is a CLI for scanning endpoints and identifying exposition of services/files/folders through the webroot. Add this to your tool list for web assessments or bug bounties.
- Max is a command line tool to interact with the Neo4j database that powers BloodHound. This tool allows easy access to users and groups with lots of good built in filters. It also allows raw Cypher queries against the database for advanced users. [T1087.002 Account Discovery: Domain Account]
- SharpHungarian is a rough proof of concept that uses comments on a VirusTotal file for command and control. [T1102.002 Web Service: Bidirectional Communication]
- FileSearcher is an unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough. Find those Passwords.txt or Passwords.xlsx files easily with this tool. [T1005 Data from Local System]
- Clippi-B is an unmanaged assembly clipboard stealer for use with CobaltStrike or any other unmanaged CLR loader (i.e. shad0w). [T1115 Clipboard Data]
- pencode is a tool that helps you to create payload encoding chains. It has been designed to be used in automation wherever it is required to apply multiple encodings to a payload (and possibly inserting the payload to a template in between). This will be helpful for web application penetration testers or bug bounties.
- browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser's debugging tools, is not blocked by a page's Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios. [T1071.004 Application Layer Protocol: DNS]
- CVE-2020-10665 is a proof of concept for Docker Desktop Local Privilege Escalation on Windows. This is the same researcher from last week's Starbucks writeup. Well done! [T1068 Exploitation for Privilege Escalation]
- CVE-2020-1054 is a proof of concept for a Windows 7 kernel vulnerability that leads to local privilege escalation. Blog post with details here. [T1068 Exploitation for Privilege Escalation]
- BananaPhone is a pure-go implementation of using direct syscalls in the spirit of HellsGate (LWiS 2020-06-08). [T1027.005 Obfuscated Files or Information: Indicator Removal from Tools]
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- aviary.sh is a minimal distributed configuration management in bash. Each host periodically fetches the latest version of the inventory to see what roles it should be performing. If you have struggled with Ansible, Chef, Puppet, or Salt in the past or they were just too much for a simple configuration management job, give aviary.sh a shot. Need slightly more power but don't wan't to step all the way up to the "major" configuration managers? pyinfra might be what you are looking for.
- Flatseal is a graphical utility to review and modify basic permissions from your Flatpak applications. If last week's news about Flatpak security got you worried, Flatseal can help audit applications or modify them for malicious redistribution during an assessment.
This post is cross-posted on SIXGEN's blog.