Last Week in Security (LWiS) - 2020-08-03

A ton of macOS exploits and techniques from @xorrior, @A2nkF_, @mattshockl, and @vladimir_metnew, Zoom meeting bruteforce by @TomAnthonySEO, Windows driver fun by @brsn76945860, a burp technique from @n00py1, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-27 to 2020-08-03. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • United States of America v. Nima Fazeli. Some really bad OPSEC on display from the teen that hacked Twitter a few weeks ago. The voice phishing combined with the 2FA bypass was very well executed, but the same cannot be said for post-exploitation actions.
  • New 'unpatchable' exploit allegedly found on Apple’s Secure Enclave chip, here’s what it could mean. Physical access is required, and it was patched on newer devices (A12/A13 based devices) but still an interesting development for iOS security.
  • There's a hole in the boot. Another week, another named and logo'd vulnerability. This one takes advantage of the fact that the YY_FATAL_ERROR() function of the Grub bootloader simply prints a message and then returns to the calling function, instead of actually being a fatal error that halts loading. This allows a heap buffer overflow in the config parser if an attacker can control the grub.cfg file. This one will be very hard to effectively mitigate, as blocking vulnerable versions of Grub will break existing deployments, but without blocking vulnerable versions downgrade attacks would be effective against patched machines. Update Grub and then update the revocation list to close this hole.
  • Attack Detection Fundamentals. F-Secure puts out great free workshops for red and blue teamers.

Techniques

  • Exploiting popular macOS apps with a single “.terminal” file.. The quarantine attribute is not correctly set by third party applications with file transfer capabilities (i.e. Slack) for .terminal files, which can lead to single click compromise of macOS endpoints.
  • CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data. Setting the $HOME variable in launchctl allowed Matt Shockley to modify the TCC database without disabling system integirty protection and give himself every entitlement without prompting the end user. This is a great find, and the post includes a simple script to acomplish this. If you perfer a compiled Swift binary, that is available as well.
  • Sparkling Payloads. GateKeeper on macOS can be a challenge for getting payloads to run in certain cases (i.e. they are downloaded by a browser by a user). This post shows how to use a well established update framework to get benign code past Apple's review, and "update" it to a malicious payload after delivery.
  • Removing Kernel Callbacks Using Signed Drivers. Kernel exploits on Windows have been featured a few times in LWiS (2020-07-20, 2020-05-11), and this post is another good example of the power of kernel level execution on Windows. Blue teams should be closely monitoring driver loads on all endpoints by this point, but if they aren't use the techniques presented in this post to bypass any/all AV. Code here.
  • bunk_bot is built on Python and its main purpose is to attend your online classes for you. I've included it here despite it not being directly relevant to security because the techniques it uses to accomplish its goals can be applied to security problems. Think automating user creation or automating AV/EDR testing.
  • Zoom Security Exploit – Cracking private meeting passwords. 6 digit passwords and no rate limiting. What could possibly go wrong? The technique of simply removing the CSRF header surprisingly worked, and goes to show that you can never assume that because a control appears to be in place it is actually being enforced without checking.
  • The Curious Case of Aspnet_Compiler.exe. This post explores code execution with the Microsoft signed executable aspnet_compiler.exe. Another LOLBin!
  • Password Spraying Secure Logon for F5 Networks shows how to use a macro in burp suite to handle custom session rules. This method of request modification is generally applicable to lots of scenarios when brute forcing web logins.
  • Active Directory Computer Account SMB Relaying Attack. "SMB relaying is old hat" I hear you saying, which is true, but this specific flavor is new. With only unprivileged domain creds, an attacker can use the print spooler on one victim machine to authenticate to an attacker controlled relay which in turn allows attacker access as system to the second victim - assuming the first victim has admin rights to the second. The workhorse of this attack is this script.
  • One Click to Compromise -- Fun With ClickOnce Deployment Manifests. This was presented at BlackHat last year but just like the author, I missed it as well. One click + a security dialog = RCE. Test this out and it might become a new phishing technique to add to your toolkit.

Tools and Exploits

  • Unauthd - Logic bugs FTW. Security researcher Ilias Morad aka @A2nkF_, describes a lovely exploit chain, composed of several security vulnerabilities he uncovered in macOS. This chain creates a local privilege escalation (LPE), from user all the way to the kernel! Code here. [T1068 Exploitation for Privilege Escalation]
  • SharpAppLocker is a C# port of the Get-AppLockerPolicy PS cmdlet. [T1082 System Information Discovery]
  • hvmi - Hypervisor Memory Introspection. The main purpose of this project is to provide unmatched security from outside the virtual machine, by leveraging the hardware isolation provided by Intel VT-x. This is a super powerful capability, and a good post explaining how it works and what can be done with is is available here.
  • DSA-2020-128: iDRAC Local File Inclusion Vulnerability. If your iDRAC isn't on a locked down subnet with monitored access, you're doing it wrong. This vulnerability will likely bear fruit on internal assessments for years to come. No PoC yet.
  • freki is a self-hosted malware analysis tool which is able to quickly statically analyze malware, integrate with VirusTotal, and perform pattern matching with Yara rules.
  • C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory - either its own process or a child process using parent process spoofing. The blog post shows how it can evade advanced EDR like CrowdStrike Falcon. I'm a bit surprised that it wasn't detected as it uses standard API calls to do APC process injection (VirtualAlloc, WriteProcessMemory, QueueUserAPC, ResumeThread). Pair this with direct syscalls for a likely more effective bypass. [T1055.004 Process Injection: Asynchronous Procedure Call]
  • Winstrument is a framework of modular scripts to aid in instrumenting Windows software using Frida for reverse engineering and attack surface analysis. Winstrument makes analyzing Windows apps easy, helping you quickly identify application functionality that might be insecure or warrant further review and could be useful on your next app assessment, or for finding a vulnerability in a Windows application on your next network assessment. Blog post here.
  • CVE-2020-1313. You thought there would be a LWiS without a Windows LPE? This is a proof of concept for an "older" (patched June 2020) vulnerability in the Windows Update Orchestrator Service. It won't give you an instant win, but will execute at 2320 or within 3 days.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • festin is a tool for discovering open S3 Buckets starting from a domain.
  • Mística is a tool that allows to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications. Currently, encapsulation into HTTP, DNS and ICMP protocols has been implemented, but more protocols are expected to be introduced in the near future. [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol]
  • ATTPwn is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework.
  • Ventoy is an open source tool to create bootable USB drive for ISO files. Stop formatting the same USB over and over for the OS you need at the time, and just store and boot from a list of ISOs.
  • portmaster is a privacy app that at its core simply intercepts all your network connections. Think of a pi-hole for your computer. Or an ad-blocker that blocks ads on your whole computer, not only on your browser. This is an open-source version of Little Snitch or GlassWire. Still in alpha, but something to keep an eye on.
  • Hacking with environment variables is a quick post showing some little known environment variables that can be used to execute code in unexpected places.
  • Ciphey is a fully automated decryption tool using natural language processing & artificial intelligence, along with some common sense.

This post is cross-posted on SIXGEN's blog.