Aug 31 2020 Last Week in Security (LWiS) - 2020-08-31

Prevent .NET exit in loaded code by @domchell, file delete to SYSTEM PoC by @404death, @Tesla is targeted for insider ransomware recently (failed) and was completely owned in 2017, @djhohnstein shows how to load Go modules in memory, great new features in Octopus 1.2 from @mohammadaskar2, and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-24 to 2020-08-31.

News

Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada. If offered $1,000,000 to introduce malware into your computer systems, how many of your employees would report it like the Tesla employee did? Insider threats just got a new poster child.
The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy. More Tesla news last week, with a full network compromise starting with a salvaged car. Impressive/frightening ability to scan and move laterally undetected once in the network as well. With this state of security at Tesla, is anyone lining up to have a different company run by Elon Musk implant your brain and control it via Bluetooth?
A grim outlook on the future of browser add-ons. The war on browser extensions is already in its second act. Another strike against mobile comes with Firefox limiting which add-ons are allowed on mobile. While Google Says It Isn't Killing Ad Blockers - Ad Blockers Disagree was the first salvo, mobile is the latest battleground.
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs. No surprise, 80% of the exploits on Exploit-DB were published before their corresponding CVE with an average 23 day lead time. If you only rely on CVEs being issued before you patch, you're behind the curve.
Remote Code Execution in Slack desktop apps + bonus. This is a critical vulnerability in Slack's desktop client with a PoC that netted the research $1,750 for the ability to execute code on client machines by just sending a message to a user and having them click a preview. SecuriTeam claim they will pay $10,000 for such a bug. Either way, Slack got off easy with this one and most researchers agree the payout was much too low.

Techniques

delete2SYSTEM - Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITYSYSTEM. This tool uses Windows Error Reporting to load a DLL.
Bypassing Credential Guard. This post builds on earlier work to enable wdigest on Windows machines with Credential Guard enabled, all from memory. The PoC is a bit rough and not OPSEC safe, but would be a great foundation for a custom implementation.
app-password-persistence shows how to use Microsoft 365 app passwords for persistent access to a compromised account, even if MFA is enabled.
Grafana 6.4.3 Arbitrary File Read. The use of LOAD DATA INFILE and a rogue MySQL server can lead to arbitrary file read when adding a data source in Grafana.
Fault Injection Reference Model (FIRM). Fault Injection, or "Glitching" as it's commonly called, has been responsible for a number of high profile hardware hacks recently (Nintendo Switch and PS3). This post is a good primer on what fault injection is and how it can expose vulnerabilities.
Malware Development Pt. 1: Dynamic Module Loading in Go. If you are writing tools in Go, this is a good source of ideas on how to execute Go dynamically in memory. Code here.
Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies. This post shows a technique to patch .NET assemblies to prevent them from calling exit and exiting whatever tool you used to load them.

Tools and Exploits

USO_Info_Leak contains two 0day heap address leak bugs in the usosvc service. The author claims to have 44 more Windows 10 elevation of privilege bugs that have been submitted to Microsoft but not handled well. I'll be following them closely to see if more are released.
Octopus isn't new but v1.2 sees a host of new features including: shellcode generation for x86 and x64, spoofed arguments, word macro generation, better AV evasion, and an indicator to show privileged user shells. More info here.
jwt-hack is a swiss-army knife for JSON web tokens, to include a dictionary attack.
RunasCs isn't new but v1.3 brings the ability to redirect stdout, stdin, and stderr to a remote host as well as other new features and fixes.
sonarhawk is a tool to create precise maps of WiFi networks using commodity GPS hardware and a portable computer. Supports Linux, MacOS, and Windows. Useful for mapping WiFi networks while on physical red team engagements or wardriving/warwalking. Similar to the Kismet plugin Kestrel.
gdb_2_root is a script for rooting x86_64 Google Play Android 10 images in an emulator.
LazyGhidra adds convenience functions to Ghidra like LazyIDA does for IDA Pro.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

iblessing is an iOS security exploiting toolkit, it mainly includes application information collection, static analysis and dynamic analysis. It can be used for reverse engineering, binary analysis and vulnerability mining.
bluescan is a powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
Hack-Tools is the all-in-one Red Team extension for Web Pentester. Useful features include: Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat), XSS Payloads, SQLi payload, LFI payloads, Base64 encoder/decoder, hash generator, and more.
monsoon is a fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.

This post is cross-posted on SIXGEN's blog.